From 6b38531ef2a829e3dab513ae8c679511a848421d Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 14 Jun 2018 16:30:49 +0200 Subject: untested, but without dependency problems --- .../FederatedAuthenticationModuleImpl.java | 6 +- .../tasks/CreateAuthnRequestTask.java | 14 ++-- .../tasks/ReceiveAuthnResponseTask.java | 79 +++++++++++----------- .../utils/FederatedAuthCredentialProvider.java | 19 +++--- 4 files changed, 61 insertions(+), 57 deletions(-) (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main/java/at') diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java index 6bf6652c8..4068d2d99 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java @@ -22,9 +22,9 @@ */ package at.gv.egovernment.moa.id.auth.modules.federatedauth; -import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AuthModule; +import at.gv.egiz.eaaf.core.api.idp.auth.modules.AuthModule; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.process.api.ExecutionContext; /** * @author tlenz @@ -39,7 +39,7 @@ public class FederatedAuthenticationModuleImpl implements AuthModule { public int getPriority() { // TODO Auto-generated method stub return 0; - } + } /* (non-Javadoc) * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java index 4ae255d1d..717099a8d 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java @@ -35,16 +35,16 @@ import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; -import at.gv.egiz.eaaf.core.api.IOAAuthParameters; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; -import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.id.auth.modules.federatedauth.config.FederatedAuthnRequestBuilderConfiguration; import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestBuildException; @@ -59,7 +59,7 @@ import at.gv.egovernment.moa.util.MiscUtil; */ @Component("CreateFederatedAuthnRequestTask") public class CreateAuthnRequestTask extends AbstractAuthServletTask { - + @Autowired PVPAuthnRequestBuilder authnReqBuilder; @Autowired FederatedAuthCredentialProvider credential; @Autowired(required=true) MOAMetadataProvider metadataProvider; @@ -72,7 +72,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { throws TaskExecutionException { try{ // get IDP entityID - String idpEntityID = pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class); + String idpEntityID = pendingReq.getGenericData(SSOManager.DATAID_INTERFEDERATIOIDP_URL, String.class); if (MiscUtil.isEmpty(idpEntityID)) { Logger.info("Interfederation not possible -> not inderfederation IDP EntityID found!"); @@ -81,7 +81,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { } //load IDP configuration from MOA-ID Configuration - IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(idpEntityID); + IOAAuthParameters idpConfig = authConfig.getServiceProviderConfiguration(idpEntityID, IOAAuthParameters.class); //validate IDP if (!idpConfig.isInderfederationIDP() || !idpConfig.isInboundSSOInterfederationAllowed()) { Logger.info("Requested interfederation IDP " + idpEntityID + " is not valid for interfederation."); @@ -156,7 +156,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { } private String evaluateRequiredQAALevel() { - IOAAuthParameters sp = pendingReq.getOnlineApplicationConfiguration(); + IOAAuthParameters sp = pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class); //check if STORK protocol module is in ClassPath Object storkRequst = null; diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java index 2fc1ec053..c20342a11 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks; import java.io.IOException; import java.util.Arrays; import java.util.Collection; +import java.util.Collections; import java.util.List; import java.util.Set; @@ -41,11 +42,12 @@ import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; -import at.gv.egiz.eaaf.core.api.IOAAuthParameters; +import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; +import at.gv.egiz.eaaf.core.exceptions.EAAFConfigurationException; +import at.gv.egiz.eaaf.core.exceptions.EAAFStorageException; import at.gv.egiz.eaaf.core.exceptions.InvalidProtocolRequestException; import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException; import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask; -import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; @@ -53,11 +55,10 @@ import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; -import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException; import at.gv.egovernment.moa.id.moduls.SSOManager; -import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; @@ -65,9 +66,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnResponseValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; @@ -89,7 +88,7 @@ import at.gv.egovernment.moa.util.MiscUtil; public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { @Autowired private SAMLVerificationEngineSP samlVerificationEngine; - @Autowired private FederatedAuthCredentialProvider credentialProvider; + @Autowired private FederatedAuthCredentialProvider credentialProvider; @Autowired private SSOManager ssoManager; @Autowired private AttributQueryBuilder attributQueryBuilder; @Autowired private AuthenticationDataBuilder authDataBuilder; @@ -133,7 +132,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { comperator); if (MiscUtil.isEmpty(msg.getEntityID())) { - throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}); + throw new InvalidProtocolRequestException("sp.pvp2.04", + new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}, + "NO configuration for SP entityID: " + msg.getEntityID()); } @@ -150,8 +151,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); //load IDP and SP configuration - IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID()); - IOAAuthParameters spConfig = pendingReq.getOnlineApplicationConfiguration(); + IOAAuthParameters idpConfig = authConfig.getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class); + IOAAuthParameters spConfig = pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class); //check if response Entity is valid if (!idpConfig.isInderfederationIDP()) { @@ -161,10 +162,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { msg.getEntityID()}); } - - //load MOASession from database - defaultTaskInitialization(request, executionContext); - + //initialize Attribute extractor AssertionAttributeExtractor extractor = new AssertionAttributeExtractor((Response) processedMsg.getResponse()); @@ -187,7 +185,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //SP is real Service-Provider --> check attributes in response // and start Attribute-Query if required - getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(), + getAuthDataFromInterfederation(extractor, pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class), idpConfig); //store federatedIDP to MOASession @@ -199,8 +197,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } //store valid assertion into pending-request - pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); - pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID()); + pendingReq.setGenericDataToSession(SSOManager.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); + pendingReq.setGenericDataToSession(SSOManager.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID()); //store pending-request requestStoreage.storePendingRequest(pendingReq); @@ -225,13 +223,21 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } catch (AssertionValidationExeption | AuthnResponseValidationException e) { Logger.info("PVP response validation FAILED. Msg:" + e.getMessage()); if (msg != null) { - IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID()); - - //remove federated IDP from SSO session if exists - ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), request); + IOAAuthParameters idpConfig = null; + try { + idpConfig = authConfig.getServiceProviderConfiguration(msg.getEntityID(), IOAAuthParameters.class); + //remove federated IDP from SSO session if exists + ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), request); + + //select next step + handleAuthnResponseValidationProblem(executionContext, idpConfig, e); + + } catch (EAAFConfigurationException e1) { + Logger.error("Can not handle error during an internal problem. ", e1); + throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e); + + } - //select next step - handleAuthnResponseValidationProblem(executionContext, idpConfig, e); } else throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e); @@ -256,22 +262,25 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { try { Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... "); - Collection requestedAttr = pendingReq.getRequestedAttributes(metadataProvider); + + //TODO!!!!! + //Collection requestedAttr = pendingReq.getRequestedAttributes(metadataProvider); + Collection requestedAttr = Collections.emptyList(); //check if SAML2 Assertion contains a minimal set of attributes //TODO: switch back to correct attribute query if (!extractor.containsAllRequiredAttributes() - && !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList)) { + && !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList) ) { Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ..."); //build attributQuery request List attributs = attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator()); - //request IDP to get additional attributes - extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), - idpConfig, pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA); +// //request IDP to get additional attributes +// extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), +// idpConfig, pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA); } else { Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. "); @@ -303,29 +312,23 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } } - moasession.setGenericDataToSession(el, value); + pendingReq.setGenericDataToSession(el, value); Logger.debug("Add PVP-attribute " + el + " into MOASession"); } //set validTo from this federated IDP response - moasession.setGenericDataToSession( + pendingReq.setGenericDataToSession( AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO, extractor.getAssertionNotOnOrAfter()); - } catch (AttributQueryException e) { - throw new BuildException("builder.06", null, e); - - } catch (SessionDataStorageException e) { - throw new BuildException("builder.06", null, e); - } catch (AssertionValidationExeption e) { throw new BuildException("builder.06", null, e); - } catch (AssertionAttributeExtractorExeption e) { + } catch (MOAIDException e) { throw new BuildException("builder.06", null, e); - } catch (MOAIDException e) { + } catch (EAAFStorageException e) { throw new BuildException("builder.06", null, e); } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java index aac253083..9ef02935b 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java @@ -27,6 +27,7 @@ import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider; import at.gv.egovernment.moa.util.FileUtils; @@ -43,9 +44,9 @@ public class FederatedAuthCredentialProvider extends AbstractCredentialProvider * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath() */ @Override - public String getKeyStoreFilePath() { + public String getKeyStoreFilePath() throws ConfigurationException { return FileUtils.makeAbsoluteURL( - authConfig.getBasicMOAIDConfiguration(FederatedAuthConstants.CONFIG_PROPS_KEYSTORE), + authConfig.getBasicConfiguration(FederatedAuthConstants.CONFIG_PROPS_KEYSTORE), authConfig.getRootConfigFileDir()); } @@ -54,7 +55,7 @@ public class FederatedAuthCredentialProvider extends AbstractCredentialProvider */ @Override public String getKeyStorePassword() { - return authConfig.getBasicMOAIDConfiguration(FederatedAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD).trim(); + return authConfig.getBasicConfiguration(FederatedAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD).trim(); } @@ -63,7 +64,7 @@ public class FederatedAuthCredentialProvider extends AbstractCredentialProvider */ @Override public String getMetadataKeyAlias() { - return authConfig.getBasicMOAIDConfiguration( + return authConfig.getBasicConfiguration( FederatedAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD).trim(); } @@ -72,7 +73,7 @@ public class FederatedAuthCredentialProvider extends AbstractCredentialProvider */ @Override public String getMetadataKeyPassword() { - return authConfig.getBasicMOAIDConfiguration( + return authConfig.getBasicConfiguration( FederatedAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD).trim(); } @@ -81,7 +82,7 @@ public class FederatedAuthCredentialProvider extends AbstractCredentialProvider */ @Override public String getSignatureKeyAlias() { - return authConfig.getBasicMOAIDConfiguration( + return authConfig.getBasicConfiguration( FederatedAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD).trim(); } @@ -90,7 +91,7 @@ public class FederatedAuthCredentialProvider extends AbstractCredentialProvider */ @Override public String getSignatureKeyPassword() { - return authConfig.getBasicMOAIDConfiguration( + return authConfig.getBasicConfiguration( FederatedAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD).trim(); } @@ -99,7 +100,7 @@ public class FederatedAuthCredentialProvider extends AbstractCredentialProvider */ @Override public String getEncryptionKeyAlias() { - return authConfig.getBasicMOAIDConfiguration( + return authConfig.getBasicConfiguration( FederatedAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD).trim(); } @@ -108,7 +109,7 @@ public class FederatedAuthCredentialProvider extends AbstractCredentialProvider */ @Override public String getEncryptionKeyPassword() { - return authConfig.getBasicMOAIDConfiguration( + return authConfig.getBasicConfiguration( FederatedAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD).trim(); } -- cgit v1.2.3