From cbfed3f8fb9273155d57b32692b7e577c29a6c8a Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 13 Oct 2015 10:39:06 +0200 Subject: first version of EGIZ MOA-ID SSO session-transfer module --- .../ssotransfer/SSOTransferAuthModuleImpl.java | 76 ++++ .../modules/ssotransfer/SSOTransferConstants.java | 52 +++ .../data/SSOTransferAuthenticationData.java | 387 +++++++++++++++++ .../data/SSOTransferOnlineApplication.java | 444 +++++++++++++++++++ .../ssotransfer/servlet/SSOTransferGUIServlet.java | 144 +++++++ .../servlet/SSOTransferSignalServlet.java | 45 ++ .../servlet/TransferToSmartPhoneServlet.java | 100 +++++ .../task/InitializeRestoreSSOSessionTask.java | 98 +++++ .../ssotransfer/task/RestoreSSOSessionTask.java | 193 +++++++++ .../auth/modules/ssotransfer/utils/GUIUtils.java | 151 +++++++ .../ssotransfer/utils/SSOContainerUtils.java | 480 +++++++++++++++++++++ 11 files changed, 2170 insertions(+) create mode 100644 id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthModuleImpl.java create mode 100644 id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferConstants.java create mode 100644 id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java create mode 100644 id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java create mode 100644 id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java create mode 100644 id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java create mode 100644 id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/TransferToSmartPhoneServlet.java create mode 100644 id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java create mode 100644 id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java create mode 100644 id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java create mode 100644 id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java (limited to 'id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthModuleImpl.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthModuleImpl.java new file mode 100644 index 000000000..2a2b7bf80 --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthModuleImpl.java @@ -0,0 +1,76 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer; + +import at.gv.egovernment.moa.id.auth.modules.AuthModule; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; + +/** + * @author tlenz + * + */ +public class SSOTransferAuthModuleImpl implements AuthModule{ + + private int priority = 1; + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getPriority() + */ + @Override + public int getPriority() { + return priority; + } + + /** + * Sets the priority of this module. Default value is {@code 0}. + * @param priority The priority. + */ + public void setPriority(int priority) { + this.priority = priority; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) + */ + @Override + public String selectProcess(ExecutionContext context) { + Object restoreSSOSessionObj = context.get("restoreSSOSession"); + if (restoreSSOSessionObj != null && restoreSSOSessionObj instanceof String) { + boolean restoreSSOSession = (boolean) Boolean.parseBoolean((String)restoreSSOSessionObj); + if (restoreSSOSession) + return "SSOTransferAuthentication"; + + } + + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions() + */ + @Override + public String[] getProcessDefinitions() { + return new String[] { "classpath:at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferAuthentication.process.xml" }; + } + +} diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferConstants.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferConstants.java new file mode 100644 index 000000000..03f3fcdab --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/SSOTransferConstants.java @@ -0,0 +1,52 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer; + +/** + * @author tlenz + * + */ +public class SSOTransferConstants { + + public static final String SERVLET_SSOTRANSFER_GUI = "/TransferSSOSession"; + public static final String SERVLET_SSOTRANSFER_TO_SMARTPHONE = "/TransmitSSOSession"; + public static final String SERVLET_SSOTRANSFER_FROM_SMARTPHONE = "/SSOTransferSignalEndpoint"; + + public static final String REQ_PARAM_GENERATE_QR = "createQR"; + public static final String REQ_PARAM_TOKEN = "token"; + + public static final String SSOCONTAINER_KEY_TYPE = "type"; + public static final String SSOCONTAINER_VALUE_TYPE_TRANSER = "TRANSFER"; + public static final String SSOCONTAINER_VALUE_TYPE_PERSIST = "PERSIST"; + + public static final String SSOCONTAINER_KEY_URL = "url"; + + public static final String SSOCONTAINER_KEY_VALIDTO = "validTo"; + public static final String SSOCONTAINER_KEY_ENTITYID = "entityID"; + public static final String SSOCONTAINER_KEY_USERID = "userID"; + public static final String SSOCONTAINER_KEY_SESSION = "session"; + public static final String SSOCONTAINER_KEY_RESULTENDPOINT = "resultEndPoint"; + + public static final String FLAG_SSO_SESSION_RESTORED = "ssoRestoredFlag"; + +} diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java new file mode 100644 index 000000000..a93412b11 --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java @@ -0,0 +1,387 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer.data; + +import java.security.cert.CertificateEncodingException; +import java.util.Date; +import java.util.List; + +import org.w3c.dom.Element; + +import eu.stork.peps.auth.commons.IPersonalAttributeList; +import eu.stork.peps.auth.commons.STORKAuthnRequest; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.data.IdentityLink; +import at.gv.egovernment.moa.id.data.AuthenticationRole; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.MISMandate; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class SSOTransferAuthenticationData implements IAuthData { + + private AuthenticationSession authSession = null; + + public SSOTransferAuthenticationData(AuthenticationSession authSession) { + this.authSession = authSession; + + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getIssueInstant() + */ + @Override + public Date getIssueInstant() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getIssuer() + */ + @Override + public String getIssuer() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isBusinessService() + */ + @Override + public boolean isBusinessService() { + return this.authSession.getBusinessService(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isSsoSession() + */ + @Override + public boolean isSsoSession() { + return true; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isInterfederatedSSOSession() + */ + @Override + public boolean isInterfederatedSSOSession() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isUseMandate() + */ + @Override + public boolean isUseMandate() { + return this.authSession.getUseMandate(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getFamilyName() + */ + @Override + public String getFamilyName() { + return this.authSession.getIdentityLink().getFamilyName(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getGivenName() + */ + @Override + public String getGivenName() { + return this.authSession.getIdentityLink().getGivenName(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getDateOfBirth() + */ + @Override + public Date getDateOfBirth() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getFormatedDateOfBirth() + */ + @Override + public String getFormatedDateOfBirth() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getBPK() + */ + @Override + public String getBPK() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getBPKType() + */ + @Override + public String getBPKType() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getSsoSessionValidTo() + */ + @Override + public Date getSsoSessionValidTo() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getInterfederatedIDP() + */ + @Override + public String getInterfederatedIDP() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getIdentificationValue() + */ + @Override + public String getIdentificationValue() { + return this.authSession.getIdentityLink().getIdentificationValue(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getIdentificationType() + */ + @Override + public String getIdentificationType() { + return this.authSession.getIdentityLink().getIdentificationType(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getBkuURL() + */ + @Override + public String getBkuURL() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getEncbPKList() + */ + @Override + public List getEncbPKList() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getIdentityLink() + */ + @Override + public IdentityLink getIdentityLink() { + return this.authSession.getIdentityLink(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getSignerCertificate() + */ + @Override + public byte[] getSignerCertificate() { + try { + return this.authSession.getSignerCertificate().getEncoded(); + + } catch (CertificateEncodingException e) { + Logger.error("SSO-Transfer: SignerCertificate encoding FAILED.", e); + return null; + } + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getAuthBlock() + */ + @Override + public String getAuthBlock() { + return this.authSession.getAuthBlock(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getPvpAttribute_OU() + */ + @Override + public String getPvpAttribute_OU() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getAuthenticationRoles() + */ + @Override + public List getAuthenticationRoles() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isPublicAuthority() + */ + @Override + public boolean isPublicAuthority() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getPublicAuthorityCode() + */ + @Override + public String getPublicAuthorityCode() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isQualifiedCertificate() + */ + @Override + public boolean isQualifiedCertificate() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getMISMandate() + */ + @Override + public MISMandate getMISMandate() { + return this.authSession.getMISMandate(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getMandate() + */ + @Override + public Element getMandate() { + return this.authSession.getMISMandate().getMandateDOM(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getMandateReferenceValue() + */ + @Override + public String getMandateReferenceValue() { + return this.authSession.getMandateReferenceValue(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getQAALevel() + */ + @Override + public String getQAALevel() { + return this.authSession.getQAALevel(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getSessionIndex() + */ + @Override + public String getSessionIndex() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getNameID() + */ + @Override + public String getNameID() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getNameIDFormat() + */ + @Override + public String getNameIDFormat() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#isForeigner() + */ + @Override + public boolean isForeigner() { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getCcc() + */ + @Override + public String getCcc() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getStorkAuthnRequest() + */ + @Override + public STORKAuthnRequest getStorkAuthnRequest() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getStorkAuthnResponse() + */ + @Override + public String getStorkAuthnResponse() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.data.IAuthData#getStorkAttributes() + */ + @Override + public IPersonalAttributeList getStorkAttributes() { + // TODO Auto-generated method stub + return null; + } + +} diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java new file mode 100644 index 000000000..9b5005a61 --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java @@ -0,0 +1,444 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer.data; + +import java.security.PrivateKey; +import java.util.Collection; +import java.util.List; +import java.util.Map; + +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.config.auth.data.SAML1ConfigurationParameters; +import at.gv.egovernment.moa.id.config.stork.CPEPS; +import at.gv.egovernment.moa.id.config.stork.StorkAttribute; +import at.gv.egovernment.moa.id.config.stork.StorkAttributeProviderPlugin; + +/** + * @author tlenz + * + */ +public class SSOTransferOnlineApplication implements IOAAuthParameters { + + public SSOTransferOnlineApplication() { + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBusinessService() + */ + @Override + public boolean getBusinessService() { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSO() + */ + @Override + public boolean useSSO() { + return true; + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUURL() + */ + @Override + public List getBKUURL() { + // TODO Auto-generated method stub + return null; + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getFullConfiguration() + */ + @Override + public Map getFullConfiguration() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getConfigurationValue(java.lang.String) + */ + @Override + public String getConfigurationValue(String key) { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getFriendlyName() + */ + @Override + public String getFriendlyName() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPublicURLPrefix() + */ + @Override + public String getPublicURLPrefix() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getOaType() + */ + @Override + public String getOaType() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTarget() + */ + @Override + public String getTarget() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTargetFriendlyName() + */ + @Override + public String getTargetFriendlyName() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInderfederationIDP() + */ + @Override + public boolean isInderfederationIDP() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isSTORKPVPGateway() + */ + @Override + public boolean isSTORKPVPGateway() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifier() + */ + @Override + public String getIdentityLinkDomainIdentifier() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getKeyBoxIdentifier() + */ + @Override + public String getKeyBoxIdentifier() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSAML1Parameter() + */ + @Override + public SAML1ConfigurationParameters getSAML1Parameter() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTemplateURL() + */ + @Override + public List getTemplateURL() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getAditionalAuthBlockText() + */ + @Override + public String getAditionalAuthBlockText() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUURL(java.lang.String) + */ + @Override + public String getBKUURL(String bkutype) { + // TODO Auto-generated method stub + return null; + } + + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#useSSOQuestion() + */ + @Override + public boolean useSSOQuestion() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getMandateProfiles() + */ + @Override + public List getMandateProfiles() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIdentityLinkDomainIdentifierType() + */ + @Override + public String getIdentityLinkDomainIdentifierType() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowMandateCheckBox() + */ + @Override + public boolean isShowMandateCheckBox() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isOnlyMandateAllowed() + */ + @Override + public boolean isOnlyMandateAllowed() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isShowStorkLogin() + */ + @Override + public boolean isShowStorkLogin() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getFormCustomizaten() + */ + @Override + public Map getFormCustomizaten() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getQaaLevel() + */ + @Override + public Integer getQaaLevel() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isRequireConsentForStorkAttributes() + */ + @Override + public boolean isRequireConsentForStorkAttributes() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getRequestedSTORKAttributes() + */ + @Override + public Collection getRequestedSTORKAttributes() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBKUSelectionTemplate() + */ + @Override + public byte[] getBKUSelectionTemplate() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getSendAssertionTemplate() + */ + @Override + public byte[] getSendAssertionTemplate() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getPepsList() + */ + @Override + public Collection getPepsList() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getIDPAttributQueryServiceURL() + */ + @Override + public String getIDPAttributQueryServiceURL() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInboundSSOInterfederationAllowed() + */ + @Override + public boolean isInboundSSOInterfederationAllowed() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isInterfederationSSOStorageAllowed() + */ + @Override + public boolean isInterfederationSSOStorageAllowed() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isOutboundSSOInterfederationAllowed() + */ + @Override + public boolean isOutboundSSOInterfederationAllowed() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isTestCredentialEnabled() + */ + @Override + public boolean isTestCredentialEnabled() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getTestCredentialOIDs() + */ + @Override + public List getTestCredentialOIDs() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isUseIDLTestTrustStore() + */ + @Override + public boolean isUseIDLTestTrustStore() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isUseAuthBlockTestTestStore() + */ + @Override + public boolean isUseAuthBlockTestTestStore() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getBPKDecBpkDecryptionKey() + */ + @Override + public PrivateKey getBPKDecBpkDecryptionKey() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isPassivRequestUsedForInterfederation() + */ + @Override + public boolean isPassivRequestUsedForInterfederation() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#isPerformLocalAuthenticationOnInterfederationError() + */ + @Override + public boolean isPerformLocalAuthenticationOnInterfederationError() { + // TODO Auto-generated method stub + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getStorkAPs() + */ + @Override + public Collection getStorkAPs() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getReversionsLoggingEventCodes() + */ + @Override + public List getReversionsLoggingEventCodes() { + // TODO Auto-generated method stub + return null; + } + +} diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java new file mode 100644 index 000000000..fa7d59beb --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java @@ -0,0 +1,144 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer.servlet; + +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.util.Date; + +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import net.glxn.qrgen.QRCode; +import net.glxn.qrgen.image.ImageType; + +import org.apache.commons.codec.binary.Base64OutputStream; +import org.apache.velocity.VelocityContext; + +import com.google.gson.JsonObject; + +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; +import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.moduls.AuthenticationManager; +import at.gv.egovernment.moa.id.moduls.SSOManager; +import at.gv.egovernment.moa.id.storage.AssertionStorage; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.MiscUtil; + + + +/** + * @author tlenz + * + */ +@WebServlet(name = "SSOTransferGUI", value = "/TransferSSOSession") +public class SSOTransferGUIServlet extends AuthServlet { + + private static final long serialVersionUID = 3974201828186450839L; + + public SSOTransferGUIServlet() { + super(); + Logger.debug("Registering servlet " + getClass().getName() + " with mapping '/TransferSSOSession'."); + } + + protected void doGet(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.doGet(req, resp); + + //search SSO session + SSOManager ssomanager = SSOManager.getInstance(); + String ssoid = ssomanager.getSSOSessionID(req); + + VelocityContext context = new VelocityContext(); + + try { + if (ssomanager.isValidSSOSession(ssoid, null)) { + Object createQRObj = req.getParameter(SSOTransferConstants.REQ_PARAM_GENERATE_QR); + if (createQRObj != null && createQRObj instanceof Integer) { + + + + } else { + //create first step of SSO Transfer GUI + String moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid); + if (MiscUtil.isNotEmpty(moaSessionID)) { + AuthenticationSession authSession = AuthenticationSessionStoreage + .getSession(moaSessionID); + if(authSession != null) { + Date now = new Date(); + String encodedSSOContainer = SSOContainerUtils.generateSignedAndEncryptedSSOContainer(authSession, now); + + String token = Random.nextRandom(); + AssertionStorage.getInstance().put(token, encodedSSOContainer); + + String containerURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + + SSOTransferConstants.SERVLET_SSOTRANSFER_TO_SMARTPHONE + + "?"+ SSOTransferConstants.REQ_PARAM_TOKEN + "=" + token; + + JsonObject qrResult = new JsonObject(); + qrResult.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_TYPE, + SSOTransferConstants.SSOCONTAINER_VALUE_TYPE_PERSIST); + qrResult.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_URL, containerURL); + + ByteArrayOutputStream qrStream = + QRCode.from(qrResult.toString()).to(ImageType.GIF).withSize(300, 300).stream(); + String base64EncodedImage = Base64Utils.encode(qrStream.toByteArray()); + context.put("QRImage", base64EncodedImage); + + context.put("successMsg", "Scan the QR-Code with your SSO-Transfer App to start the transfer operation."); + + GUIUtils.printSSOTransferGUI(context, resp); + + } + } + } + + } else { + context.put("errorMsg", + "No active Single Sign-On session found! SSO Session transfer is not possible."); + GUIUtils.printSSOTransferGUI(context, resp); + } + + } catch (MOAIDException | MOADatabaseException e) { + e.printStackTrace(); + resp.sendError(500, e.getMessage()); + + } + + } + + +} diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java new file mode 100644 index 000000000..2f8b8fe2c --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java @@ -0,0 +1,45 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer.servlet; + +import javax.servlet.annotation.WebServlet; + +import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +@WebServlet(urlPatterns = { "/SSOTransferSignalEndpoint" }, loadOnStartup = 1) +public class SSOTransferSignalServlet extends ProcessEngineSignalServlet { + + private static final long serialVersionUID = 8372275858647807149L; + + public SSOTransferSignalServlet() { + super(); + Logger.debug("Registering servlet " + getClass().getName() + " with mappings '/SSOTransferEndpoint'."); + + } + +} diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/TransferToSmartPhoneServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/TransferToSmartPhoneServlet.java new file mode 100644 index 000000000..8ea15f985 --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/TransferToSmartPhoneServlet.java @@ -0,0 +1,100 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer.servlet; + +import java.io.IOException; +import java.io.PrintWriter; + +import javax.servlet.ServletException; +import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; +import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.storage.AssertionStorage; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +@WebServlet(name = "SendSSOSessionEndpoint", value = "/TransmitSSOSession") +public class TransferToSmartPhoneServlet extends AuthServlet { + + private static final long serialVersionUID = 4323605569040872262L; + + private static final long transmisionTimeOut = 90 * 1000; // default 90 secundes + + public TransferToSmartPhoneServlet() { + super(); + Logger.debug("Registering servlet " + getClass().getName() + " with mapping '/TransmitSSOSession'."); + } + + protected void doGet(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + super.doGet(req, resp); + + Object tokenObj = req.getParameter(SSOTransferConstants.REQ_PARAM_TOKEN); + if (tokenObj != null && tokenObj instanceof String) { + String token = (String)tokenObj; + try { + String signedEncSession = AssertionStorage.getInstance().get(token, String.class, transmisionTimeOut); + if (MiscUtil.isNotEmpty(signedEncSession)) { + resp.setContentType("text/html;charset=UTF-8"); + PrintWriter out = new PrintWriter(resp.getOutputStream()); + out.print(signedEncSession); + out.flush(); + + } else { + Logger.info("Servlet " + getClass().getName() + " receive a token:" + + token + ", which references an empty data object."); + resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Empty data object."); + + } + + } catch (MOADatabaseException e) { + Logger.info("Servlet " + getClass().getName() + " receive a token:" + + token + ", which is UNKNOWN."); + resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Transfer token is UNKOWN:"); + + + } catch (AuthenticationException e) { + Logger.info("Servlet " + getClass().getName() + " receive a token:" + + token + ", which has a timeout."); + resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Single Sign-On session transfer token is not valid any more."); + + } + + } else { + Logger.info("Servlet " + getClass().getName() + " receive a NOT valid request."); + resp.sendError(HttpServletResponse.SC_NOT_FOUND, "Request not valid."); + + } + + } + +} diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java new file mode 100644 index 000000000..cebf8431b --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java @@ -0,0 +1,98 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer.task; + +import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID; + +import java.io.ByteArrayOutputStream; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.velocity.VelocityContext; + +import net.glxn.qrgen.QRCode; +import net.glxn.qrgen.image.ImageType; + +import com.google.gson.JsonObject; + +import at.gv.egovernment.moa.id.auth.BaseAuthenticationServer; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; +import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.moduls.RequestStorage; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; + +/** + * @author tlenz + * + */ +public class InitializeRestoreSSOSessionTask extends AbstractAuthServletTask { + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public void execute(ExecutionContext executionContext, + HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + + try { + String sessionID = (String) executionContext.get(PARAM_SESSIONID); + String pendingRequestID = (String) executionContext.get("pendingRequestID"); + + // check parameter + if (!ParamValidatorUtils.isValidSessionID(sessionID)) { + throw new WrongParametersException("CreateStorkAuthRequestFormTask", PARAM_SESSIONID, "auth.12"); + } + AuthenticationSession moasession = BaseAuthenticationServer.getSession(sessionID); + IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID); + + VelocityContext context = GUIUtils.buildSSOTransferGUI(moasession); + GUIUtils.printSSOTransferGUI(context, response); + + + } catch (WrongParametersException | AuthenticationException e) { + throw new TaskExecutionException(e.getMessage(), e); + + } catch (Exception e) { + Logger.error(this.getClass().getName() + " has an interal Error.", e); + throw new TaskExecutionException(this.getClass().getName() + " has an interal Error.", e); + + } + + + } + +} diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java new file mode 100644 index 000000000..884633a1e --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java @@ -0,0 +1,193 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer.task; + +import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID; + +import java.io.BufferedReader; +import java.io.IOException; +import java.util.Enumeration; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang3.BooleanUtils; +import org.apache.velocity.VelocityContext; +import org.joda.time.DateTime; +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Response; + +import com.google.gson.JsonObject; +import com.google.gson.JsonParser; + +import at.gv.egovernment.moa.id.auth.BaseAuthenticationServer; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; +import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.moduls.RequestStorage; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.ParamValidatorUtils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class RestoreSSOSessionTask extends AbstractAuthServletTask { + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public void execute(ExecutionContext executionContext, + HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + + Logger.debug("Receive " + this.getClass().getName() + " request"); + + StringBuffer sb = new StringBuffer(); + String receivedPostMessage = null; + AuthenticationSession moasession = null; + IRequest pendingReq = null; + try { + String sessionID = (String) request.getParameter(PARAM_SESSIONID); + String pendingRequestID = (String) executionContext.get("pendingRequestID"); + + // check parameter + if (!ParamValidatorUtils.isValidSessionID(sessionID)) { + throw new WrongParametersException("RestoreSSOSessionTask", PARAM_SESSIONID, "auth.12"); + + } + moasession = BaseAuthenticationServer.getSession(sessionID); + pendingReq = RequestStorage.getPendingRequest(pendingRequestID); + + BufferedReader reader = request.getReader(); + String line = null; + while ((line = reader.readLine()) != null) { + sb.append(line); + } + + receivedPostMessage = sb.toString(); + + } catch (IOException e) { + Logger.warn("Received POST-message produce an ERROR.", e); + + } catch (WrongParametersException | AuthenticationException e) { + throw new TaskExecutionException(e.getMessage(), e); + + } + + if (MiscUtil.isNotEmpty(receivedPostMessage)) { + Logger.debug("Receive POST-Message data. Start data-validation process ... "); + try { + JsonParser parser = new JsonParser(); + JsonObject reveivedData = (JsonObject) parser.parse(sb.toString()); + JsonObject reveivedSession = reveivedData.get("session").getAsJsonObject(); + String validTo = reveivedSession.get("validTo").getAsString(); + String entityID = reveivedSession.get("entityID").getAsString(); + String sessionBlob = reveivedSession.get("sessionBlob").getAsString(); + + Logger.trace("Blob:" + sessionBlob + + " | validTo:" + validTo + + " | entityIS:" + entityID); + + if (PVPConfiguration.getInstance().getIDPPublicPath().equals(entityID)) { + // stored SSO session data is from this IDP - start local session reconstruction + Response ssoInformation = SSOContainerUtils.validateReceivedSSOContainer(sessionBlob); + SSOContainerUtils.parseSSOContainerToMOASessionDataObject(moasession, ssoInformation); + + // store MOASession into database + try { + AuthenticationSessionStoreage.storeSession(moasession); + + } catch (MOADatabaseException e) { + Logger.error("Database Error! MOASession is not stored!"); + throw new MOAIDException("init.04", new Object[] { + moasession.getSessionID()}); + } + + executionContext.put(SSOTransferConstants.FLAG_SSO_SESSION_RESTORED, true); + + } else { + Logger.debug("Received SSO session-data is from IDP: " + entityID + + ". Start inderfederation process to restore SSO session ... "); + //change to inderfederated session reconstruction + + } + + } catch (Exception e) { + Logger.error("Parse reveived JSON data-object " + sb.toString() + " FAILED!", e); + throw new TaskExecutionException("JSON data is not parseable.", e); + + } + + } else { + Logger.debug("Reveive NO POST-message data. Start check-session process ... "); + + boolean isSSOSessionRestored = + BooleanUtils.isTrue((Boolean) executionContext.get(SSOTransferConstants.FLAG_SSO_SESSION_RESTORED)); + + if (isSSOSessionRestored) { + Logger.info("Found restored SSO session. Resume authentication process ..."); + executionContext.remove(SSOTransferConstants.FLAG_SSO_SESSION_RESTORED); + executionContext.put("sessionRestoreFinished", true); + + } else { + DateTime moaSessionCreated = new DateTime(moasession.getSessionCreated().getTime()); + if (moaSessionCreated.plusMinutes(3).isBeforeNow()) { + Logger.warn("No SSO session-container received. Stop authentication process after time-out."); + throw new TaskExecutionException("No SSO container received from smartphone app.", null); + + } else { + Logger.debug("No restored SSO session found --> Wait a few minutes and check again."); + executionContext.put("sessionRestoreFinished", false); + + VelocityContext context; + try { + context = GUIUtils.buildSSOTransferGUI(moasession); + GUIUtils.printSSOTransferGUI(context, response); + + } catch (IOException | MOAIDException e) { + throw new TaskExecutionException(e.getMessage(), e); + + } + + } + } + } + } + +} diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java new file mode 100644 index 000000000..1bbaf1dd9 --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java @@ -0,0 +1,151 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils; + +import java.io.BufferedReader; +import java.io.ByteArrayOutputStream; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.io.StringWriter; +import java.net.URI; + +import javax.servlet.http.HttpServletResponse; + +import net.glxn.qrgen.QRCode; +import net.glxn.qrgen.image.ImageType; + +import org.apache.velocity.VelocityContext; +import org.apache.velocity.app.VelocityEngine; + +import com.google.gson.JsonObject; + +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.util.VelocityProvider; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; + +/** + * @author tlenz + * + */ +public class GUIUtils { + private static final String HTMLTEMPLATESDIR = "htmlTemplates/"; + private static final String GUI_HTML_TEMPLATE = "sso_transfer_template.html"; + + public static final int REFESH_TIMEOUT = 5 * 1000; //5 sec + + public static VelocityContext buildSSOTransferGUI(AuthenticationSession moasession) throws ConfigurationException, IOException { + String token = moasession.getSessionID(); + String containerURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + + SSOTransferConstants.SERVLET_SSOTRANSFER_FROM_SMARTPHONE + + "?" + MOAIDAuthConstants.PARAM_SESSIONID + "=" + token; + + JsonObject qrResult = new JsonObject(); + qrResult.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_TYPE, + SSOTransferConstants.SSOCONTAINER_VALUE_TYPE_TRANSER); + qrResult.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_URL, containerURL); + + ByteArrayOutputStream qrStream = + QRCode.from(qrResult.toString()).to(ImageType.GIF).withSize(300, 300).stream(); + String base64EncodedImage = Base64Utils.encode(qrStream.toByteArray()); + VelocityContext context = new VelocityContext(); + context.put("QRImage", base64EncodedImage); + + context.put("successMsg", "Select the SSO Session in your SSO-Transfer App and scan the QR-Code to start the process."); + + context.put("timeoutURL", containerURL); + context.put("timeout", REFESH_TIMEOUT); + + return context; + + } + + public static void printSSOTransferGUI(VelocityContext context, HttpServletResponse httpResp) throws MOAIDException { + try { + Logger.trace("Initialize VelocityEngine..."); + + InputStream is = null; + String pathLocation = null; + try { + String rootconfigdir = AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir(); + pathLocation = rootconfigdir + HTMLTEMPLATESDIR + GUI_HTML_TEMPLATE; + File file = new File(new URI(pathLocation)); + is = new FileInputStream(file); + evaluateTemplate(context, httpResp, is); + + } catch (Exception e) { + Logger.warn("SLO Template is not found in configuration directory (" + + pathLocation + "). Load template from project library ... "); + + try { + pathLocation = GUI_HTML_TEMPLATE; + is = Thread.currentThread() + .getContextClassLoader() + .getResourceAsStream(pathLocation); + evaluateTemplate(context, httpResp, is); + + } catch (Exception e1) { + Logger.error("Single LogOut form can not created.", e); + throw new MOAIDException("Create Single LogOut information FAILED.", null, e); + } + + } finally { + if (is != null) + is.close(); + + } + + } catch (Exception e) { + Logger.error("Single LogOut form can not created.", e); + throw new MOAIDException("Create Single LogOut information FAILED.", null, e); + } + } + + private static void evaluateTemplate(VelocityContext context, HttpServletResponse httpResp, InputStream is) throws Exception { + + VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); + + BufferedReader reader = new BufferedReader(new InputStreamReader(is )); + + //set default elements to velocity context + context.put("contextpath", AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix()); + + StringWriter writer = new StringWriter(); + //velocityEngine.evaluate(context, writer, "SLO_Template", reader); + engine.evaluate(context, writer, "SSO Transfer Template", reader); + + + httpResp.setContentType("text/html;charset=UTF-8"); + httpResp.getOutputStream().write(writer.toString().getBytes("UTF-8")); + + } + +} diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java new file mode 100644 index 000000000..8980d3ea7 --- /dev/null +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java @@ -0,0 +1,480 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils; + +import iaik.x509.X509Certificate; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.StringWriter; +import java.security.MessageDigest; +import java.security.cert.CertificateException; +import java.util.ArrayList; +import java.util.Collections; +import java.util.Date; +import java.util.HashMap; +import java.util.List; + +import javax.xml.XMLConstants; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.dom.DOMSource; +import javax.xml.transform.stream.StreamResult; + +import org.joda.time.DateTime; +import org.opensaml.Configuration; +import org.opensaml.saml2.core.Assertion; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml2.core.EncryptedAssertion; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.core.SubjectConfirmationData; +import org.opensaml.saml2.encryption.Encrypter; +import org.opensaml.saml2.encryption.Encrypter.KeyPlacement; +import org.opensaml.security.SAMLSignatureProfileValidator; +import org.opensaml.xml.XMLObject; +import org.opensaml.xml.encryption.EncryptionException; +import org.opensaml.xml.encryption.EncryptionParameters; +import org.opensaml.xml.encryption.KeyEncryptionParameters; +import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.io.Unmarshaller; +import org.opensaml.xml.io.UnmarshallerFactory; +import org.opensaml.xml.io.UnmarshallingException; +import org.opensaml.xml.parse.BasicParserPool; +import org.opensaml.xml.parse.XMLParserException; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.SecurityHelper; +import org.opensaml.xml.security.credential.Credential; +import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; +import org.opensaml.xml.security.x509.X509Credential; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureException; +import org.opensaml.xml.signature.SignatureValidator; +import org.opensaml.xml.signature.Signer; +import org.opensaml.xml.validation.ValidationException; +import org.w3c.dom.Document; +import org.w3c.dom.Element; +import org.w3c.dom.NodeList; + +import com.google.gson.JsonObject; + +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.ParseException; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.data.SSOTransferAuthenticationData; +import at.gv.egovernment.moa.id.auth.modules.ssotransfer.data.SSOTransferOnlineApplication; +import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.MISMandate; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; +import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class SSOContainerUtils { + public static final List REQUIRED_ATTRIBUTES; + + static { + List tmp = new ArrayList(); + tmp.add(PVPConstants.EID_AUTH_BLOCK_NAME); + tmp.add(PVPConstants.EID_IDENTITY_LINK_NAME); + tmp.add(PVPConstants.EID_ISSUING_NATION_NAME); + tmp.add(PVPConstants.EID_SIGNER_CERTIFICATE_NAME); + tmp.add(PVPConstants.EID_SOURCE_PIN_NAME); + tmp.add(PVPConstants.EID_SOURCE_PIN_TYPE_NAME); + tmp.add(PVPConstants.MANDATE_REFERENCE_VALUE_NAME); + tmp.add(PVPConstants.MANDATE_FULL_MANDATE_NAME); + tmp.add(PVPConstants.MANDATE_TYPE_NAME); + tmp.add(PVPConstants.MANDATE_PROF_REP_OID_NAME); + tmp.add(PVPConstants.MANDATE_PROF_REP_DESC_NAME); + tmp.add(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME); + + REQUIRED_ATTRIBUTES = Collections.unmodifiableList(tmp); + } + + public static void parseSSOContainerToMOASessionDataObject(AuthenticationSession moasession, Response ssoInformation) throws AssertionAttributeExtractorExeption, ConfigurationException { + AssertionAttributeExtractor attributeExtractor = new AssertionAttributeExtractor(ssoInformation); + + String authServiceURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); + if (authServiceURL.endsWith("/")) + moasession.setAuthURL(authServiceURL); + else + moasession.setAuthURL(authServiceURL + "/"); + + //TODO: maybe change to correct URL + //set dummy BKU URLx + moasession.setBkuURL("http://egiz.gv.at/sso_session-transfer_app"); + + + String qaaLevel = attributeExtractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME); + if (MiscUtil.isNotEmpty(qaaLevel)) { + if (qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) + moasession.setQAALevel(qaaLevel); + else + moasession.setQAALevel(PVPConstants.STORK_QAA_PREFIX + qaaLevel); + + + } else { + Logger.warn("SSO session-container contains NO QAA-level"); + + } + + String authBlock = attributeExtractor.getSingleAttributeValue(PVPConstants.EID_AUTH_BLOCK_NAME); + if (MiscUtil.isNotEmpty(authBlock)) + moasession.setAuthBlock(authBlock); + else + Logger.warn("SSO session-container contains NO AuthBlock"); + + try { + String signerCert = attributeExtractor.getSingleAttributeValue(PVPConstants.EID_SIGNER_CERTIFICATE_NAME); + if (MiscUtil.isNotEmpty(signerCert)) + moasession.setSignerCertificate(new X509Certificate(Base64Utils.decode(signerCert, false))); + else + Logger.warn("SSO session-container contains NO SignerCertificate"); + + } catch (CertificateException | IOException e) { + Logger.error("SignerCertificate is not parseable.", e); + + } + + String idlStr = attributeExtractor.getSingleAttributeValue(PVPConstants.EID_IDENTITY_LINK_NAME); + try { + if (MiscUtil.isNotEmpty(idlStr)) { + IdentityLinkAssertionParser idlParser = new IdentityLinkAssertionParser(Base64Utils.decodeToStream(idlStr, false)); + moasession.setIdentityLink(idlParser.parseIdentityLink()); + + } else { + Logger.warn("SSO session-container contains NO IdentityLink"); + throw new AssertionAttributeExtractorExeption("SSO session-container contains NO IdentityLink"); + + } + + } catch (ParseException e) { + Logger.error("IdentityLink is not parseable.", e); + throw new AssertionAttributeExtractorExeption("IdentityLink is not parseable."); + + } + + + String mandateRefValue = attributeExtractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME); + if (MiscUtil.isNotEmpty(mandateRefValue)) { + moasession.setMandateReferenceValue(mandateRefValue); + moasession.setUseMandate("true"); + Logger.info("Found mandate information in SSO session-container."); + + try { + MISMandate mandate = new MISMandate(); + + String mandateFull = attributeExtractor.getSingleAttributeValue(PVPConstants.MANDATE_FULL_MANDATE_NAME); + if (MiscUtil.isNotEmpty(mandateFull)) { + mandate.setMandate(Base64Utils.decode(mandateFull, false)); + + } else { + Logger.warn("No Full-Mandate information found in SSO session-container."); + + } + + String oid = attributeExtractor.getSingleAttributeValue(PVPConstants.MANDATE_PROF_REP_OID_NAME); + if (MiscUtil.isNotEmpty(oid)) + mandate.setProfRep(oid ); + + NodeList mandateElements = mandate.getMandateDOM().getChildNodes(); + for (int i=0; i features = new HashMap(); + features.put(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); + ppMgr.setBuilderFeatures(features); + ppMgr.setNamespaceAware(true); + + Document document = ppMgr.parse(new ByteArrayInputStream(base64decodedContainer)); + Element domElement = document.getDocumentElement(); + + UnmarshallerFactory saml2UnmarshallerFactory = Configuration.getUnmarshallerFactory(); + Unmarshaller saml2Unmarshaller = saml2UnmarshallerFactory.getUnmarshaller(domElement); + XMLObject responseXMLObj = saml2Unmarshaller.unmarshall(domElement); + + if (responseXMLObj instanceof Response) { + Response ssoContainer = (Response) responseXMLObj; + + try { + SAMLSignatureProfileValidator sigValidator = new SAMLSignatureProfileValidator(); + sigValidator.validate(ssoContainer.getSignature()); + + } catch (ValidationException e) { + Logger.error("Failed to validate Signature", e); + throw new SAMLRequestNotSignedException(e); + } + + Credential credential = CredentialProvider.getIDPAssertionSigningCredential(); + if (credential == null) { + throw new NoCredentialsException("moaID IDP"); + } + + SignatureValidator sigValidator = new SignatureValidator(credential); + try { + sigValidator.validate(ssoContainer.getSignature()); + + } catch (ValidationException e) { + Logger.error("Failed to verfiy Signature", e); + throw new SAMLRequestNotSignedException(e); + } + + if (ssoContainer.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + + //validate PVP 2.1 assertion + SAMLVerificationEngine.validateAssertion(ssoContainer, false); + return ssoContainer; + + } else { + Logger.debug("Receive StatusCode " + ssoContainer.getStatus().getStatusCode().getValue() + + " from interfederated IDP."); + throw new MOAIDException("SSO Container has a not valid Status Code", null); + + } + + } else { + Logger.warn("SSO Container is not of type SAML2 Response"); + throw new MOAIDException("SSO Container is not of type SAML2 Response", null); + + } + } + + + public static String generateSignedAndEncryptedSSOContainer( + AuthenticationSession authSession, Date date) { + try { + String entityID = PVPConfiguration.getInstance().getIDPPublicPath(); + AuthnContextClassRef authnContextClassRef = SAML2Utils + .createSAMLObject(AuthnContextClassRef.class); + authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); + + NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); + String random = Random.nextRandom(); + String nameID = subjectNameID.getValue(); + try { + MessageDigest md = MessageDigest.getInstance("SHA-1"); + byte[] hash = md.digest((random).getBytes("ISO-8859-1")); + subjectNameID.setValue(Base64Utils.encode(hash)); + subjectNameID.setNameQualifier(null); + subjectNameID.setFormat(NameID.TRANSIENT); + + } catch (Exception e) { + Logger.warn("PVP2 subjectNameID error", e); + + } + + SubjectConfirmationData subjectConfirmationData = SAML2Utils + .createSAMLObject(SubjectConfirmationData.class); + long maxSSOSessionTime = AuthConfigurationProviderFactory.getInstance().getSSOCreatedTimeOut() * 1000; + Date ssoSessionValidTo = new Date(authSession.getSessionCreated().getTime() + maxSSOSessionTime); + subjectConfirmationData.setNotOnOrAfter(new DateTime(ssoSessionValidTo.getTime())); + + String sessionIndex = SAML2Utils.getSecureIdentifier(); + + IAuthData authData = new SSOTransferAuthenticationData(authSession); + + Assertion assertion = PVP2AssertionBuilder.buildGenericAssertion( + entityID, + new DateTime(date.getTime()), + authnContextClassRef, + buildSSOAttributeForTransfer(authSession, authData), + subjectNameID, + subjectConfirmationData, + sessionIndex, + subjectConfirmationData.getNotOnOrAfter()); + + String ssoDataBlob = buildSSOContainerObject(assertion, new DateTime(date.getTime())); + + JsonObject container = new JsonObject(); + container.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_TYPE, "SSO"); + container.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_VALIDTO, subjectConfirmationData.getNotOnOrAfter().toString()); + container.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_ENTITYID, entityID); + container.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_USERID, authData.getGivenName() + " " + authData.getFamilyName()); + container.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_SESSION, ssoDataBlob); + + //TODO + container.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_RESULTENDPOINT, "https://demo.egiz.gv.at"); + + return container.toString(); + + } catch (ConfigurationException | EncryptionException | CredentialsNotAvailableException | SecurityException | ParserConfigurationException | MarshallingException | SignatureException | TransformerFactoryConfigurationError | TransformerException | IOException e) { + Logger.warn("SSO container generation FAILED.", e); + } + + return null; + } + + private static String buildSSOContainerObject(Assertion assertion, DateTime date) throws ConfigurationException, EncryptionException, CredentialsNotAvailableException, SecurityException, ParserConfigurationException, MarshallingException, SignatureException, TransformerFactoryConfigurationError, TransformerException, IOException { + Response authResponse = SAML2Utils.createSAMLObject(Response.class); + + Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); + + //change to entity value from entity name to IDP EntityID (URL) + nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setFormat(NameID.ENTITY); + authResponse.setIssuer(nissuer); + + //set responseID + String remoteSessionID = SAML2Utils.getSecureIdentifier(); + authResponse.setID(remoteSessionID); + + + //SAML2 response required IssueInstant + authResponse.setIssueInstant(date); + authResponse.setStatus(SAML2Utils.getSuccessStatus()); + + //encrypt container + X509Credential encryptionCredentials = CredentialProvider.getIDPAssertionEncryptionCredential(); + EncryptionParameters dataEncParams = new EncryptionParameters(); + dataEncParams.setAlgorithm(PVPConstants.DEFAULT_SYM_ENCRYPTION_METHODE); + + List keyEncParamList = new ArrayList(); + KeyEncryptionParameters keyEncParam = new KeyEncryptionParameters(); + + keyEncParam.setEncryptionCredential(encryptionCredentials); + keyEncParam.setAlgorithm(PVPConstants.DEFAULT_ASYM_ENCRYPTION_METHODE); + KeyInfoGeneratorFactory kigf = Configuration.getGlobalSecurityConfiguration() + .getKeyInfoGeneratorManager().getDefaultManager() + .getFactory(encryptionCredentials); + keyEncParam.setKeyInfoGenerator(kigf.newInstance()); + keyEncParamList.add(keyEncParam); + + Encrypter samlEncrypter = new Encrypter(dataEncParams, keyEncParamList); + //samlEncrypter.setKeyPlacement(KeyPlacement.INLINE); + samlEncrypter.setKeyPlacement(KeyPlacement.PEER); + + EncryptedAssertion encryptAssertion = null; + + encryptAssertion = samlEncrypter.encrypt(assertion); + authResponse.getEncryptedAssertions().add(encryptAssertion); + + + //sign container + Credential signingCredential = CredentialProvider.getIDPAssertionSigningCredential(); + Signature signature = CredentialProvider + .getIDPSignature(signingCredential); + SecurityHelper.prepareSignatureParams(signature, signingCredential, null, null); + authResponse.setSignature(signature); + + DocumentBuilder builder; + DocumentBuilderFactory factory = DocumentBuilderFactory + .newInstance(); + + builder = factory.newDocumentBuilder(); + Document document = builder.newDocument(); + Marshaller out = Configuration.getMarshallerFactory() + .getMarshaller(authResponse); + out.marshall(authResponse, document); + + Signer.signObject(signature); + + Transformer transformer = TransformerFactory.newInstance() + .newTransformer(); + + StringWriter sw = new StringWriter(); + StreamResult sr = new StreamResult(sw); + DOMSource source = new DOMSource(document); + transformer.transform(source, sr); + sw.close(); + + return Base64Utils.encode(sw.toString().getBytes()); + + } + + private static List buildSSOAttributeForTransfer(AuthenticationSession authSession, IAuthData authData) { + List attrList = new ArrayList(); + + IOAAuthParameters oaParam = new SSOTransferOnlineApplication(); + + for (String el : REQUIRED_ATTRIBUTES) { + try { + Attribute attr = PVPAttributeBuilder.buildAttribute( + el, oaParam, authData); + if (attr != null) + attrList.add(attr); + else + Logger.info("SSO-Transfer attribute " + el + " is empty!"); + + } catch (Exception e) { + Logger.warn("Build SSO-Transfer attribute " + el + " FAILED.", e); + + } + } + + return attrList; + } + +} -- cgit v1.2.3 From ef59662475c60c027c698caacd2423b34b3524d3 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 22 Feb 2016 12:57:46 +0100 Subject: update SSO session-transfer to MOA-ID 3.1.x architecture --- .../ssotransfer/servlet/SSOTransferGUIServlet.java | 20 ++++++++++++-------- .../ssotransfer/task/RestoreSSOSessionTask.java | 6 +----- .../ssotransfer/utils/SSOContainerUtils.java | 21 ++++++++++----------- 3 files changed, 23 insertions(+), 24 deletions(-) (limited to 'id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java index fa7d59beb..fae1b6f4d 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java @@ -31,10 +31,6 @@ import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import net.glxn.qrgen.QRCode; -import net.glxn.qrgen.image.ImageType; - -import org.apache.commons.codec.binary.Base64OutputStream; import org.apache.velocity.VelocityContext; import com.google.gson.JsonObject; @@ -46,17 +42,17 @@ import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; import at.gv.egovernment.moa.id.auth.servlet.AuthServlet; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.moduls.AuthenticationManager; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.storage.AssertionStorage; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; +import net.glxn.qrgen.QRCode; +import net.glxn.qrgen.image.ImageType; @@ -93,13 +89,21 @@ public class SSOTransferGUIServlet extends AuthServlet { } else { //create first step of SSO Transfer GUI + String authURL = HTTPUtils.extractAuthURLFromRequest(req); + if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(). + contains(authURL)) { + Logger.warn("Requested URL is not allowed.");; + resp.sendError(500, "Requested URL is not allowed."); + + } + String moaSessionID = AuthenticationSessionStoreage.getMOASessionSSOID(ssoid); if (MiscUtil.isNotEmpty(moaSessionID)) { AuthenticationSession authSession = AuthenticationSessionStoreage .getSession(moaSessionID); if(authSession != null) { Date now = new Date(); - String encodedSSOContainer = SSOContainerUtils.generateSignedAndEncryptedSSOContainer(authSession, now); + String encodedSSOContainer = SSOContainerUtils.generateSignedAndEncryptedSSOContainer(authURL, authSession, now); String token = Random.nextRandom(); AssertionStorage.getInstance().put(token, encodedSSOContainer); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java index 884633a1e..270264099 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java @@ -26,8 +26,6 @@ import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID; import java.io.BufferedReader; import java.io.IOException; -import java.util.Enumeration; -import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -35,7 +33,6 @@ import javax.servlet.http.HttpServletResponse; import org.apache.commons.lang3.BooleanUtils; import org.apache.velocity.VelocityContext; import org.joda.time.DateTime; -import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Response; import com.google.gson.JsonObject; @@ -52,7 +49,6 @@ import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.process.api.ExecutionContext; @@ -127,7 +123,7 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { if (PVPConfiguration.getInstance().getIDPPublicPath().equals(entityID)) { // stored SSO session data is from this IDP - start local session reconstruction Response ssoInformation = SSOContainerUtils.validateReceivedSSOContainer(sessionBlob); - SSOContainerUtils.parseSSOContainerToMOASessionDataObject(moasession, ssoInformation); + SSOContainerUtils.parseSSOContainerToMOASessionDataObject(pendingReq, moasession, ssoInformation); // store MOASession into database try { diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java index 8980d3ea7..861dcbf58 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java @@ -22,8 +22,6 @@ */ package at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils; -import iaik.x509.X509Certificate; - import java.io.ByteArrayInputStream; import java.io.IOException; import java.io.StringWriter; @@ -87,7 +85,6 @@ import org.w3c.dom.NodeList; import com.google.gson.JsonObject; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; @@ -100,10 +97,10 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.MISMandate; +import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoCredentialsException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SAMLRequestNotSignedException; @@ -116,6 +113,7 @@ import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; +import iaik.x509.X509Certificate; /** * @author tlenz @@ -142,10 +140,10 @@ public class SSOContainerUtils { REQUIRED_ATTRIBUTES = Collections.unmodifiableList(tmp); } - public static void parseSSOContainerToMOASessionDataObject(AuthenticationSession moasession, Response ssoInformation) throws AssertionAttributeExtractorExeption, ConfigurationException { + public static void parseSSOContainerToMOASessionDataObject(IRequest pendingReq, AuthenticationSession moasession, Response ssoInformation) throws AssertionAttributeExtractorExeption, ConfigurationException { AssertionAttributeExtractor attributeExtractor = new AssertionAttributeExtractor(ssoInformation); - String authServiceURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); + String authServiceURL = pendingReq.getAuthURL(); if (authServiceURL.endsWith("/")) moasession.setAuthURL(authServiceURL); else @@ -313,10 +311,10 @@ public class SSOContainerUtils { } - public static String generateSignedAndEncryptedSSOContainer( + public static String generateSignedAndEncryptedSSOContainer(String authURL, AuthenticationSession authSession, Date date) { try { - String entityID = PVPConfiguration.getInstance().getIDPPublicPath(); + String entityID = authURL; AuthnContextClassRef authnContextClassRef = SAML2Utils .createSAMLObject(AuthnContextClassRef.class); authnContextClassRef.setAuthnContextClassRef(authSession.getQAALevel()); @@ -347,6 +345,7 @@ public class SSOContainerUtils { IAuthData authData = new SSOTransferAuthenticationData(authSession); Assertion assertion = PVP2AssertionBuilder.buildGenericAssertion( + authURL, entityID, new DateTime(date.getTime()), authnContextClassRef, @@ -356,7 +355,7 @@ public class SSOContainerUtils { sessionIndex, subjectConfirmationData.getNotOnOrAfter()); - String ssoDataBlob = buildSSOContainerObject(assertion, new DateTime(date.getTime())); + String ssoDataBlob = buildSSOContainerObject(authURL, assertion, new DateTime(date.getTime())); JsonObject container = new JsonObject(); container.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_TYPE, "SSO"); @@ -377,13 +376,13 @@ public class SSOContainerUtils { return null; } - private static String buildSSOContainerObject(Assertion assertion, DateTime date) throws ConfigurationException, EncryptionException, CredentialsNotAvailableException, SecurityException, ParserConfigurationException, MarshallingException, SignatureException, TransformerFactoryConfigurationError, TransformerException, IOException { + private static String buildSSOContainerObject(String authURL, Assertion assertion, DateTime date) throws ConfigurationException, EncryptionException, CredentialsNotAvailableException, SecurityException, ParserConfigurationException, MarshallingException, SignatureException, TransformerFactoryConfigurationError, TransformerException, IOException { Response authResponse = SAML2Utils.createSAMLObject(Response.class); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); //change to entity value from entity name to IDP EntityID (URL) - nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath()); + nissuer.setValue(authURL); nissuer.setFormat(NameID.ENTITY); authResponse.setIssuer(nissuer); -- cgit v1.2.3 From 40fb77ef20069a54bd348149d04adeb246ec2f86 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 22 Feb 2016 14:26:53 +0100 Subject: fix refactoring problems --- .../ssotransfer/servlet/SSOTransferGUIServlet.java | 2 +- .../servlet/SSOTransferSignalServlet.java | 15 ++++++++++++++ .../task/InitializeRestoreSSOSessionTask.java | 23 ++++++++++----------- .../ssotransfer/task/RestoreSSOSessionTask.java | 24 +++++++++++++++++----- .../auth/modules/ssotransfer/utils/GUIUtils.java | 9 ++++---- 5 files changed, 50 insertions(+), 23 deletions(-) (limited to 'id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa') diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java index fae1b6f4d..0bc4a4839 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferGUIServlet.java @@ -108,7 +108,7 @@ public class SSOTransferGUIServlet extends AuthServlet { String token = Random.nextRandom(); AssertionStorage.getInstance().put(token, encodedSSOContainer); - String containerURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + String containerURL = authURL + SSOTransferConstants.SERVLET_SSOTRANSFER_TO_SMARTPHONE + "?"+ SSOTransferConstants.REQ_PARAM_TOKEN + "=" + token; diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java index 2f8b8fe2c..b82417ae6 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java @@ -22,7 +22,12 @@ */ package at.gv.egovernment.moa.id.auth.modules.ssotransfer.servlet; +import java.io.IOException; + +import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; import at.gv.egovernment.moa.id.auth.servlet.ProcessEngineSignalServlet; import at.gv.egovernment.moa.logging.Logger; @@ -42,4 +47,14 @@ public class SSOTransferSignalServlet extends ProcessEngineSignalServlet { } + protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { + Logger.debug("Receive http-POST request."); + super.doPost(req, resp); + + } + + protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { + Logger.debug("Receive http-GET request."); + super.doPost(req, resp); + } } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java index cebf8431b..67566afe5 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java @@ -24,35 +24,25 @@ package at.gv.egovernment.moa.id.auth.modules.ssotransfer.task; import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_SESSIONID; -import java.io.ByteArrayOutputStream; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.velocity.VelocityContext; -import net.glxn.qrgen.QRCode; -import net.glxn.qrgen.image.ImageType; - -import com.google.gson.JsonObject; - import at.gv.egovernment.moa.id.auth.BaseAuthenticationServer; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; -import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Base64Utils; /** * @author tlenz @@ -69,6 +59,15 @@ public class InitializeRestoreSSOSessionTask extends AbstractAuthServletTask { throws TaskExecutionException { try { + //create first step of SSO Transfer GUI + String authURL = HTTPUtils.extractAuthURLFromRequest(request); + if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(). + contains(authURL)) { + Logger.warn("Requested URL is not allowed.");; + response.sendError(500, "Requested URL is not allowed."); + + } + String sessionID = (String) executionContext.get(PARAM_SESSIONID); String pendingRequestID = (String) executionContext.get("pendingRequestID"); @@ -79,7 +78,7 @@ public class InitializeRestoreSSOSessionTask extends AbstractAuthServletTask { AuthenticationSession moasession = BaseAuthenticationServer.getSession(sessionID); IRequest pendingReq = RequestStorage.getPendingRequest(pendingRequestID); - VelocityContext context = GUIUtils.buildSSOTransferGUI(moasession); + VelocityContext context = GUIUtils.buildSSOTransferGUI(authURL, moasession); GUIUtils.printSSOTransferGUI(context, response); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java index 270264099..006b27167 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java @@ -49,11 +49,13 @@ import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestStorage; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.storage.AuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -73,12 +75,13 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { throws TaskExecutionException { Logger.debug("Receive " + this.getClass().getName() + " request"); - + StringBuffer sb = new StringBuffer(); String receivedPostMessage = null; AuthenticationSession moasession = null; IRequest pendingReq = null; - try { + String authURL =null; + try { String sessionID = (String) request.getParameter(PARAM_SESSIONID); String pendingRequestID = (String) executionContext.get("pendingRequestID"); @@ -120,7 +123,7 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { " | validTo:" + validTo + " | entityIS:" + entityID); - if (PVPConfiguration.getInstance().getIDPPublicPath().equals(entityID)) { + if (PVPConfiguration.getInstance().getIDPPublicPath().contains(entityID)) { // stored SSO session data is from this IDP - start local session reconstruction Response ssoInformation = SSOContainerUtils.validateReceivedSSOContainer(sessionBlob); SSOContainerUtils.parseSSOContainerToMOASessionDataObject(pendingReq, moasession, ssoInformation); @@ -138,10 +141,12 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { executionContext.put(SSOTransferConstants.FLAG_SSO_SESSION_RESTORED, true); } else { - Logger.debug("Received SSO session-data is from IDP: " + entityID + Logger.info("Received SSO session-data is from IDP: " + entityID + ". Start inderfederation process to restore SSO session ... "); //change to inderfederated session reconstruction + Logger.warn("Device Session Transfer with interfederation is not implemented, yet!!!!"); + } } catch (Exception e) { @@ -173,7 +178,16 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { VelocityContext context; try { - context = GUIUtils.buildSSOTransferGUI(moasession); + //create first step of SSO Transfer GUI + authURL = HTTPUtils.extractAuthURLFromRequest(request); + if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(). + contains(authURL)) { + Logger.warn("Requested URL is not allowed.");; + response.sendError(500, "Requested URL is not allowed."); + + } + + context = GUIUtils.buildSSOTransferGUI(authURL, moasession); GUIUtils.printSSOTransferGUI(context, response); } catch (IOException | MOAIDException e) { diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java index 1bbaf1dd9..310b8a813 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java @@ -34,9 +34,6 @@ import java.net.URI; import javax.servlet.http.HttpServletResponse; -import net.glxn.qrgen.QRCode; -import net.glxn.qrgen.image.ImageType; - import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; @@ -51,6 +48,8 @@ import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; +import net.glxn.qrgen.QRCode; +import net.glxn.qrgen.image.ImageType; /** * @author tlenz @@ -62,9 +61,9 @@ public class GUIUtils { public static final int REFESH_TIMEOUT = 5 * 1000; //5 sec - public static VelocityContext buildSSOTransferGUI(AuthenticationSession moasession) throws ConfigurationException, IOException { + public static VelocityContext buildSSOTransferGUI(String authURL, AuthenticationSession moasession) throws ConfigurationException, IOException { String token = moasession.getSessionID(); - String containerURL = AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix() + String containerURL = authURL + SSOTransferConstants.SERVLET_SSOTRANSFER_FROM_SMARTPHONE + "?" + MOAIDAuthConstants.PARAM_SESSIONID + "=" + token; -- cgit v1.2.3