From f441b49a4eadb475396217901bbbc49973ca8107 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 22 Feb 2016 11:35:18 +0100 Subject: add first parts of new federated authentication modul --- .../federatedauth/FederatedAuthConstants.java | 47 ++++ .../FederatedAuthenticationModuleImpl.java | 60 +++++ ...eratedAuthenticationSpringResourceProvider.java | 63 +++++ .../builder/FederatedAuthMetadataBuilder.java | 273 +++++++++++++++++++++ .../FederatedAuthMetadataController.java | 89 +++++++ .../controller/FederatedAuthSignalController.java | 67 +++++ .../utils/FederatedAuthCredentialProvider.java | 123 ++++++++++ ...iz.components.spring.api.SpringResourceProvider | 1 + .../federated.Authentication.process.xml | 18 ++ .../main/resources/moaid_federated_auth.beans.xml | 31 +++ 10 files changed, 772 insertions(+) create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationSpringResourceProvider.java create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/builder/FederatedAuthMetadataBuilder.java create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthSignalController.java create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main') diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java new file mode 100644 index 000000000..97e4c0a20 --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java @@ -0,0 +1,47 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.federatedauth; + +/** + * @author tlenz + * + */ +public class FederatedAuthConstants { + + public static final int METADATA_VALIDUNTIL_IN_HOURS = 24; + + public static final String ENDPOINT_POST = "/sp/federated/post"; + public static final String ENDPOINT_REDIRECT = "/sp/federated/redirect"; + public static final String ENDPOINT_METADATA = "/sp/federated/metadata"; + + public static final String CONFIG_PROPS_PREFIX = "modules.federatedAuth."; + public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path"; + public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password"; + public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password"; + public static final String CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.alias"; + public static final String CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.password"; + public static final String CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "request.sign.alias"; + public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password"; + public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias"; + +} diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java new file mode 100644 index 000000000..4a610549d --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java @@ -0,0 +1,60 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.federatedauth; + +import at.gv.egovernment.moa.id.auth.modules.AuthModule; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; + +/** + * @author tlenz + * + */ +public class FederatedAuthenticationModuleImpl implements AuthModule { + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getPriority() + */ + @Override + public int getPriority() { + // TODO Auto-generated method stub + return 0; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#selectProcess(at.gv.egovernment.moa.id.process.api.ExecutionContext) + */ + @Override + public String selectProcess(ExecutionContext context) { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AuthModule#getProcessDefinitions() + */ + @Override + public String[] getProcessDefinitions() { + return new String[] { "classpath:at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml" }; + } + +} diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationSpringResourceProvider.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationSpringResourceProvider.java new file mode 100644 index 000000000..91d56ebed --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationSpringResourceProvider.java @@ -0,0 +1,63 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.federatedauth; + +import org.springframework.core.io.ClassPathResource; +import org.springframework.core.io.Resource; + +import at.gv.egiz.components.spring.api.SpringResourceProvider; + +/** + * @author tlenz + * + */ +public class FederatedAuthenticationSpringResourceProvider implements SpringResourceProvider { + + /* (non-Javadoc) + * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getResourcesToLoad() + */ + @Override + public Resource[] getResourcesToLoad() { + ClassPathResource federationAuthConfig = new ClassPathResource("/moaid_federated_auth.beans.xml", FederatedAuthenticationSpringResourceProvider.class); + + return new Resource[] {federationAuthConfig}; + } + + /* (non-Javadoc) + * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getPackagesToScan() + */ + @Override + public String[] getPackagesToScan() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egiz.components.spring.api.SpringResourceProvider#getName() + */ + @Override + public String getName() { + return "MOA-ID Auth-module 'SSO Interfederation'"; + } + +} diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/builder/FederatedAuthMetadataBuilder.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/builder/FederatedAuthMetadataBuilder.java new file mode 100644 index 000000000..45d76d4fe --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/builder/FederatedAuthMetadataBuilder.java @@ -0,0 +1,273 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.federatedauth.builder; + +import java.util.Arrays; +import java.util.List; + +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.NameIDType; +import org.opensaml.saml2.metadata.ContactPerson; +import org.opensaml.saml2.metadata.Organization; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.xml.security.credential.Credential; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +@Service("FederatedAuthMetadataBuilder") +public class FederatedAuthMetadataBuilder extends AbstractPVPMetadataBuilder { + + @Autowired FederatedAuthCredentialProvider credentialProvider; + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil() + */ + @Override + public int getMetadataValidUntil() { + return FederatedAuthConstants.METADATA_VALIDUNTIL_IN_HOURS; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement() + */ + @Override + public boolean buildEntitiesDescriptorAsRootElement() { + return false; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor() + */ + @Override + public boolean buildIDPSSODescriptor() { + return false; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor() + */ + @Override + public boolean buildSPSSODescriptor() { + return true; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityIDPostfix() + */ + @Override + public String getEntityIDPostfix() { + return FederatedAuthConstants.ENDPOINT_METADATA; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName() + */ + @Override + public String getEntityFriendlyName() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation() + */ + @Override + public List getContactPersonInformation() { + try { + return PVPConfiguration.getInstance().getIDPContacts(); + + } catch (ConfigurationException e) { + Logger.warn("Can not load Metadata entry: Contect Person", e); + return null; + + } + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation() + */ + @Override + public Organization getOrgansiationInformation() { + try { + return PVPConfiguration.getInstance().getIDPOrganisation(); + + } catch (ConfigurationException e) { + Logger.warn("Can not load Metadata entry: Organisation", e); + return null; + + } + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials() + */ + @Override + public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPMetaDataSigningCredential(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials() + */ + @Override + public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPAssertionSigningCredential(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials() + */ + @Override + public Credential getEncryptionCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPAssertionEncryptionCredential(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL() + */ + @Override + public String getIDPWebSSOPostBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL() + */ + @Override + public String getIDPWebSSORedirectBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL() + */ + @Override + public String getIDPSLOPostBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL() + */ + @Override + public String getIDPSLORedirectBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL() + */ + @Override + public String getSPAssertionConsumerServicePostBindingURL() { + return FederatedAuthConstants.ENDPOINT_POST; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL() + */ + @Override + public String getSPAssertionConsumerServiceRedirectBindingURL() { + return FederatedAuthConstants.ENDPOINT_REDIRECT; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL() + */ + @Override + public String getSPSLOPostBindingURL() { + return FederatedAuthConstants.ENDPOINT_POST; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL() + */ + @Override + public String getSPSLORedirectBindingURL() { + return FederatedAuthConstants.ENDPOINT_REDIRECT; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL() + */ + @Override + public String getSPSLOSOAPBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes() + */ + @Override + public List getIDPPossibleAttributes() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes() + */ + @Override + public List getIDPPossibleNameITTypes() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes() + */ + @Override + public List getSPRequiredAttributes() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes() + */ + @Override + public List getSPAllowedNameITTypes() { + return Arrays.asList(NameIDType.PERSISTENT, + NameIDType.TRANSIENT, + NameIDType.UNSPECIFIED); + + } + +} diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java new file mode 100644 index 000000000..d41a25a10 --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java @@ -0,0 +1,89 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.federatedauth.controller; + +import java.io.IOException; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.builder.FederatedAuthMetadataBuilder; +import at.gv.egovernment.moa.id.auth.servlet.AbstractController; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.util.HTTPUtils; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +@Controller +public class FederatedAuthMetadataController extends AbstractController { + + @Autowired FederatedAuthMetadataBuilder metadatabuilder; + @Autowired AuthConfiguration authConfig; + + public FederatedAuthMetadataController() { + super(); + Logger.debug("Registering servlet " + getClass().getName() + + " with mappings '" + FederatedAuthConstants.ENDPOINT_METADATA + + "'."); + + } + + @RequestMapping(value = "/sp/federated/metadata", + method = {RequestMethod.GET}) + public void getSPMetadata(HttpServletRequest req, HttpServletResponse resp) throws IOException { + //check PublicURL prefix + try { + String authURL = HTTPUtils.extractAuthURLFromRequest(req); + if (!authConfig.getPublicURLPrefix().contains(authURL)) { + resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid request URL"); + return; + + } else { + //build metadata + String xmlMetadata = metadatabuilder.buildPVPMetadata(authURL); + + //write response + resp.setContentType("text/xml"); + resp.getOutputStream().write(xmlMetadata.getBytes("UTF-8")); + resp.getOutputStream().close(); + + } + + } catch (Exception e) { + Logger.warn("Build federated-authentication PVP metadata FAILED.", e); + handleErrorNoRedirect(e, req, resp, false); + + } + + } + +} diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthSignalController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthSignalController.java new file mode 100644 index 000000000..431ed5ef1 --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthSignalController.java @@ -0,0 +1,67 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.federatedauth.controller; + +import java.io.IOException; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.apache.commons.lang3.StringEscapeUtils; +import org.springframework.stereotype.Controller; +import org.springframework.web.bind.annotation.RequestMapping; +import org.springframework.web.bind.annotation.RequestMethod; + +import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; +import at.gv.egovernment.moa.id.auth.servlet.AbstractProcessEngineSignalController; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +@Controller +public class FederatedAuthSignalController extends AbstractProcessEngineSignalController { + + public FederatedAuthSignalController() { + super(); + Logger.debug("Registering servlet " + getClass().getName() + + " with mappings '" + FederatedAuthConstants.ENDPOINT_POST + + "' and '" + FederatedAuthConstants.ENDPOINT_REDIRECT + "'."); + + } + + @RequestMapping(value = { "/sp/federated/post", + "/sp/federated/redirect" + }, + method = {RequestMethod.POST, RequestMethod.GET}) + public void performCitizenCardAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { + signalProcessManagement(req, resp); + + } + + public String getPendingRequestId(HttpServletRequest request) { + return StringEscapeUtils.escapeHtml4(request.getParameter("RelayState")); + + } +} diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java new file mode 100644 index 000000000..1168250ad --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java @@ -0,0 +1,123 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.federatedauth.utils; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider; +import at.gv.egovernment.moa.util.FileUtils; + +/** + * @author tlenz + * + */ +@Service("FederatedAuthCredentialProvider") +public class FederatedAuthCredentialProvider extends AbstractCredentialProvider { + + @Autowired AuthConfiguration authConfig; + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStoreFilePath() + */ + @Override + public String getKeyStoreFilePath() { + return FileUtils.makeAbsoluteURL( + authConfig.getBasicMOAIDConfiguration(FederatedAuthConstants.CONFIG_PROPS_KEYSTORE), + authConfig.getRootConfigFileDir()); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getKeyStorePassword() + */ + @Override + public String getKeyStorePassword() { + return authConfig.getBasicMOAIDConfiguration(FederatedAuthConstants.CONFIG_PROPS_KEYSTOREPASSWORD).trim(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyAlias() + */ + @Override + public String getMetadataKeyAlias() { + return authConfig.getBasicMOAIDConfiguration( + FederatedAuthConstants.CONFIG_PROPS_SIGN_METADATA_ALIAS_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getMetadataKeyPassword() + */ + @Override + public String getMetadataKeyPassword() { + return authConfig.getBasicMOAIDConfiguration( + FederatedAuthConstants.CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyAlias() + */ + @Override + public String getSignatureKeyAlias() { + return authConfig.getBasicMOAIDConfiguration( + FederatedAuthConstants.CONFIG_PROPS_SIGN_SIGNING_ALIAS_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getSignatureKeyPassword() + */ + @Override + public String getSignatureKeyPassword() { + return authConfig.getBasicMOAIDConfiguration( + FederatedAuthConstants.CONFIG_PROPS_SIGN_SIGNING_KEY_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyAlias() + */ + @Override + public String getEncryptionKeyAlias() { + return authConfig.getBasicMOAIDConfiguration( + FederatedAuthConstants.CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getEncryptionKeyPassword() + */ + @Override + public String getEncryptionKeyPassword() { + return authConfig.getBasicMOAIDConfiguration( + FederatedAuthConstants.CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD).trim(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider#getCredentialName() + */ + @Override + public String getFriendlyName() { + return "FederatedAuth-SP"; + } + +} diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider new file mode 100644 index 000000000..28e4ae944 --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/META-INF/services/at.gv.egiz.components.spring.api.SpringResourceProvider @@ -0,0 +1 @@ +at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthenticationSpringResourceProvider \ No newline at end of file diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml new file mode 100644 index 000000000..4ff64e76d --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml @@ -0,0 +1,18 @@ + + + + + + + + + + + + + + + + + + diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml new file mode 100644 index 000000000..3c3dd5b23 --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + \ No newline at end of file -- cgit v1.2.3 From cbdb6946d5af7de63afebf5ad256743303f00935 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 24 Feb 2016 06:21:22 +0100 Subject: refactor PVP protocol implementation to resuse code in other modules --- .../moa/id/auth/MOAIDAuthConstants.java | 4 +- .../id/auth/builder/AuthenticationDataBuilder.java | 50 +- .../id/auth/modules/BKUSelectionModuleImpl.java | 3 +- .../internal/tasks/EvaluateBKUSelectionTask.java | 3 + .../tasks/RestartAuthProzessManagement.java | 10 +- .../moa/id/moduls/AuthenticationManager.java | 12 +- .../id/protocols/pvp2x/AttributQueryAction.java | 5 +- .../id/protocols/pvp2x/AuthenticationAction.java | 12 +- .../moa/id/protocols/pvp2x/MetadataAction.java | 257 +------- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 112 +--- .../moa/id/protocols/pvp2x/binding/IEncoder.java | 24 +- .../id/protocols/pvp2x/binding/PostBinding.java | 35 +- .../protocols/pvp2x/binding/RedirectBinding.java | 43 +- .../id/protocols/pvp2x/binding/SoapBinding.java | 21 +- .../pvp2x/builder/AbstractPVPMetadataBuilder.java | 649 --------------------- .../pvp2x/builder/PVPMetadataBuilder.java | 460 +++++++++++++++ .../pvp2x/builder/SingleLogOutBuilder.java | 3 +- .../pvp2x/config/IDPPVPMetadataConfiguration.java | 288 +++++++++ .../config/IPVPMetadataBuilderConfiguration.java | 217 +++++++ .../pvp2x/verification/SAMLVerificationEngine.java | 236 ++++---- .../tasks/InitializeBKUAuthenticationTask.java | 1 + .../builder/FederatedAuthMetadataBuilder.java | 273 --------- .../config/FederatedAuthMetadataConfiguration.java | 281 +++++++++ 23 files changed, 1513 insertions(+), 1486 deletions(-) delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AbstractPVPMetadataBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java delete mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/builder/FederatedAuthMetadataBuilder.java create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index d76021bbd..1a9018563 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -174,8 +174,10 @@ public class MOAIDAuthConstants extends MOAIDConstants{ //AuthnRequest IssueInstant validation public static final int TIME_JITTER = 5; //all 5 minutes time jitter - public static final String PROCESSCONTEXT_INTERFEDERATION_ENTITYID = "interfederationIDPEntityID"; + public static final String PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH = "interfederationAuthentication"; public static final String PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION = "requireLocalAuthentication"; + public static final String PROCESSCONTEXT_PERFORM_BKUSELECTION = "performBKUSelection"; + public static final String PROCESSCONTEXT_ISLEGACYREQUEST = "isLegacyRequest"; //General protocol-request data-store keys public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index dbf95f604..8a9999d85 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -104,7 +104,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; -import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.Constants; @@ -127,24 +126,13 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { @Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage; @Autowired protected AuthConfiguration authConfig; @Autowired private AttributQueryBuilder attributQueryBuilder; + @Autowired private SAMLVerificationEngine samlVerificationEngine; public IAuthData buildAuthenticationData(IRequest protocolRequest, - AuthenticationSession session, List reqAttributes) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { - - - String oaID = protocolRequest.getOAURL(); - if (oaID == null) { - throw new WrongParametersException("StartAuthentication", - PARAM_OA, "auth.12"); - } - - // check parameter - if (!ParamValidatorUtils.isValidOA(oaID)) - throw new WrongParametersException("StartAuthentication", - PARAM_OA, "auth.12"); - + AuthenticationSession session, List reqAttributes) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { AuthenticationData authdata = null; + //only needed for SAML1 legacy support try { //check if SAML1 authentication module is in Classpath Class saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); @@ -165,15 +153,14 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { authdata = new AuthenticationData(); } - - + } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) { authdata = new AuthenticationData(); } - //reuse some parameters if it is a reauthentication - OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, oaID, protocolRequest.requestedModule()); + //reuse some parameters if it is a Service-Provider reauthentication + OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, protocolRequest.getOAURL(), protocolRequest.requestedModule()); if (activeOA != null) { authdata.setSessionIndex(activeOA.getAssertionSessionID()); authdata.setNameID(activeOA.getUserNameID()); @@ -193,7 +180,8 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } } } - + + //search federated IDP information in MOASession InterfederationSessionStore interfIDP = authenticatedSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); IOAAuthParameters oaParam = null; @@ -201,20 +189,22 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { //get OnlineApplication from MOA-ID-Auth configuration oaParam = protocolRequest.getOnlineApplicationConfiguration(); - //build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway + //build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway if (oaParam.isSTORKPVPGateway()) oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, protocolRequest); } else { - //build OnlineApplication dynamic from requested attributes + //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) oaParam = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes, interfIDP); } - if (interfIDP != null ) { - //IDP is a chained interfederated IDP and Authentication is requested + if (interfIDP != null ) { + //authentication by using a federated IDP if (oaParam.isInderfederationIDP() && protocolRequest instanceof PVPTargetConfiguration && !(((PVPTargetConfiguration)protocolRequest).getRequest() instanceof AttributeQuery)) { + //IDP is a chained interfederated IDP and Authentication is requested + //only set minimal response attributes authdata.setQAALevel(interfIDP.getQAALevel()); authdata.setBPK(interfIDP.getUserNameID()); @@ -290,12 +280,15 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } + //get SAML2 Response from federated IDP Response intfResp = (Response) req.getGenericData( RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, MOAResponse.class).getResponse(); - AssertionAttributeExtractor extractor = - new AssertionAttributeExtractor(intfResp); - + + //initialize Attribute extractor + AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(intfResp); + + //check if SAML2 Assertion contains already all required attributes if (!extractor.containsAllRequiredAttributes()) { Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ..."); //collect attributes by using BackChannel communication @@ -323,8 +316,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { //validate PVP 2.1 response try { - SAMLVerificationEngine engine = new SAMLVerificationEngine(); - engine.verifyIDPResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + samlVerificationEngine.verifyIDPResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); //TODO: find better solution //SAMLVerificationEngine.validateAssertion(intfResp, false); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/BKUSelectionModuleImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/BKUSelectionModuleImpl.java index 8b02a5bf6..c96167e71 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/BKUSelectionModuleImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/BKUSelectionModuleImpl.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.auth.modules; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.process.api.ExecutionContext; /** @@ -44,7 +45,7 @@ public class BKUSelectionModuleImpl implements AuthModule { @Override public String selectProcess(ExecutionContext context) { boolean performBKUSelection = false; - Object performBKUSelectionObj = context.get("performBKUSelection"); + Object performBKUSelectionObj = context.get(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION); if (performBKUSelectionObj != null && performBKUSelectionObj instanceof Boolean) performBKUSelection = (boolean) performBKUSelectionObj; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/EvaluateBKUSelectionTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/EvaluateBKUSelectionTask.java index ed88c2aff..bd8dd709f 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/EvaluateBKUSelectionTask.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/EvaluateBKUSelectionTask.java @@ -62,6 +62,9 @@ public class EvaluateBKUSelectionTask extends AbstractAuthServletTask { } + //remove BKU-selection flag from context + executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION); + Logger.info("BKU is selected finished -> Start BKU selection evaluation ..."); } catch (Exception e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/RestartAuthProzessManagement.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/RestartAuthProzessManagement.java index e0403f242..ddda86ecc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/RestartAuthProzessManagement.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/RestartAuthProzessManagement.java @@ -64,11 +64,7 @@ public class RestartAuthProzessManagement extends AbstractAuthServletTask { } - //remove BKU selection flag - newec.remove("performBKUSelection"); - - - Logger.debug("Swicht to specific authentication process after BKU is selected"); + Logger.debug("Select new auth.-process and restart restart process-engine ... "); // select and create new process instance String processDefinitionId = ModuleRegistration.getInstance().selectProcess(newec); @@ -91,8 +87,8 @@ public class RestartAuthProzessManagement extends AbstractAuthServletTask { throw new MOAIDException("init.04", new Object[] { pendingReq.getRequestID() }); } - - Logger.info("BKU is selected -> Start BKU communication ..."); + + Logger.info("Restart process-engine with auth.process:" + processDefinitionId); // start process processEngine.start(pendingReq); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 39106dc3b..22561e435 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -99,6 +99,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { @Autowired private MOAReversionLogger revisionsLogger; @Autowired protected AuthConfiguration authConfig; @Autowired private SingleLogOutBuilder sloBuilder; + @Autowired private SAMLVerificationEngine samlVerificationEngine; public void performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException { @@ -346,13 +347,15 @@ public class AuthenticationManager extends MOAIDAuthConstants { //create authentication process execution context ExecutionContext executionContext = new ExecutionContextImpl(); - executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_INTERFEDERATION_ENTITYID, + //set interfederation authentication flag + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH, MiscUtil.isNotEmpty( pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class))); + //set legacy mode or BKU-selection flags boolean leagacyMode = (legacyallowed && legacyparamavail); - executionContext.put("isLegacyRequest", leagacyMode); - executionContext.put("performBKUSelection", !leagacyMode + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_ISLEGACYREQUEST, leagacyMode); + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, !leagacyMode && MiscUtil.isEmpty(pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class))); //add leagcy parameters to context @@ -485,8 +488,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { sloContainer.putFailedOA(sloReq.getIssuer().getValue()); } else { - SAMLVerificationEngine engine = new SAMLVerificationEngine(); - engine.verifySLOResponse(sloResp, + samlVerificationEngine.verifySLOResponse(sloResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index 36145375b..bd6399377 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -52,6 +52,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.logging.Logger; @@ -64,6 +65,7 @@ public class AttributQueryAction implements IAction { @Autowired IAuthenticationSessionStoreage authenticationSessionStorage; @Autowired private AuthenticationDataBuilder authDataBuilder; + @Autowired private IDPCredentialProvider pvpCredentials; private final static List DEFAULTSTORKATTRIBUTES = Arrays.asList( new String[]{PVPConstants.EID_STORK_TOKEN_NAME}); @@ -114,7 +116,8 @@ public class AttributQueryAction implements IAction { try { SoapBinding decoder = new SoapBinding(); - decoder.encodeRespone(httpReq, httpResp, authResponse, null, null); + decoder.encodeRespone(httpReq, httpResp, authResponse, null, null, + pvpCredentials.getIDPAssertionSigningCredential()); return null; } catch (MessageEncodingException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java index f64aacc6d..21f505bf1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java @@ -35,7 +35,6 @@ import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.context.ApplicationContext; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; @@ -51,13 +50,13 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; @Service("PVPAuthenticationRequestAction") public class AuthenticationAction implements IAction { - - @Autowired ApplicationContext context; + @Autowired IDPCredentialProvider pvpCredentials; public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { @@ -88,11 +87,11 @@ public class AuthenticationAction implements IAction { if (consumerService.getBinding().equals( SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - binding = context.getBean(RedirectBinding.class); + binding = new RedirectBinding(); } else if (consumerService.getBinding().equals( SAMLConstants.SAML2_POST_BINDING_URI)) { - binding = context.getBean(PostBinding.class); + binding = new PostBinding(); } @@ -102,7 +101,8 @@ public class AuthenticationAction implements IAction { try { binding.encodeRespone(httpReq, httpResp, authResponse, - consumerService.getLocation(), moaRequest.getRelayState()); + consumerService.getLocation(), moaRequest.getRelayState(), + pvpCredentials.getIDPAssertionSigningCredential()); //set protocol type sloInformation.setProtocolType(req.requestedModule()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java index d48603a7c..15fe1e9d7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/MetadataAction.java @@ -22,43 +22,33 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x; -import java.util.Arrays; -import java.util.List; - import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.NameIDType; -import org.opensaml.saml2.metadata.ContactPerson; -import org.opensaml.saml2.metadata.Organization; -import org.opensaml.saml2.metadata.RequestedAttribute; -import org.opensaml.xml.security.credential.Credential; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPMetadataBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.IDPPVPMetadataConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.logging.Logger; @Service("pvpMetadataService") -public class MetadataAction extends AbstractPVPMetadataBuilder implements IAction { +public class MetadataAction implements IAction { - private static final int VALIDUNTIL_IN_HOURS = 24; + @Autowired private MOAReversionLogger revisionsLogger; @Autowired private IDPCredentialProvider credentialProvider; + @Autowired private PVPMetadataBuilder metadatabuilder; public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { @@ -66,7 +56,10 @@ public class MetadataAction extends AbstractPVPMetadataBuilder implements IActio revisionsLogger.logEvent(req, MOAIDEventConstants.AUTHPROTOCOL_PVP_METADATA); //build metadata - String metadataXML = buildPVPMetadata(req.getAuthURLWithOutSlash()); + IPVPMetadataBuilderConfiguration metadataConfig = + new IDPPVPMetadataConfiguration(req.getAuthURLWithOutSlash(), credentialProvider); + + String metadataXML = metadatabuilder.buildPVPMetadata(metadataConfig); Logger.debug("METADATA: " + metadataXML); httpResp.setContentType("text/xml"); @@ -87,236 +80,12 @@ public class MetadataAction extends AbstractPVPMetadataBuilder implements IActio return false; } - public String getDefaultActionName() { - return (PVP2XProtocol.METADATA); - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil() - */ - @Override - public int getMetadataValidUntil() { - return VALIDUNTIL_IN_HOURS; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement() - */ - @Override - public boolean buildEntitiesDescriptorAsRootElement() { - return true; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor() - */ - @Override - public boolean buildIDPSSODescriptor() { - return true; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor() - */ - @Override - public boolean buildSPSSODescriptor() { - return false; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityID() - */ - @Override - public String getEntityIDPostfix() { - //TODO: maybe change EntityID to Metadata URL - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName() - */ - @Override - public String getEntityFriendlyName() { - try { - return PVPConfiguration.getInstance().getIDPIssuerName(); - - } catch (ConfigurationException e) { - Logger.error("Can not load Metadata entry: EntityID friendlyName.", e); - return null; - - } - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation() - */ - @Override - public List getContactPersonInformation() { - try { - return PVPConfiguration.getInstance().getIDPContacts(); - - } catch (ConfigurationException e) { - Logger.warn("Can not load Metadata entry: Contect Person", e); - return null; - - } - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation() - */ - @Override - public Organization getOrgansiationInformation() { - try { - return PVPConfiguration.getInstance().getIDPOrganisation(); - - } catch (ConfigurationException e) { - Logger.warn("Can not load Metadata entry: Organisation", e); - return null; - - } - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials() - */ - @Override - public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException { - return credentialProvider.getIDPMetaDataSigningCredential(); - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials() - */ - @Override - public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException { - return credentialProvider.getIDPAssertionSigningCredential(); - - } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials() + * @see at.gv.egovernment.moa.id.moduls.IAction#getDefaultActionName() */ @Override - public Credential getEncryptionCredentials() throws CredentialsNotAvailableException { - return credentialProvider.getIDPAssertionEncryptionCredential(); - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL() - */ - @Override - public String getIDPWebSSOPostBindingURL() { - return PVPConfiguration.PVP2_IDP_POST; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL() - */ - @Override - public String getIDPWebSSORedirectBindingURL() { - return PVPConfiguration.PVP2_IDP_REDIRECT; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL() - */ - @Override - public String getIDPSLOPostBindingURL() { - return PVPConfiguration.PVP2_IDP_POST; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL() - */ - @Override - public String getIDPSLORedirectBindingURL() { - return PVPConfiguration.PVP2_IDP_REDIRECT; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL() - */ - @Override - public String getSPAssertionConsumerServicePostBindingURL() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL() - */ - @Override - public String getSPAssertionConsumerServiceRedirectBindingURL() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL() - */ - @Override - public String getSPSLOPostBindingURL() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL() - */ - @Override - public String getSPSLORedirectBindingURL() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL() - */ - @Override - public String getSPSLOSOAPBindingURL() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes() - */ - @Override - public List getIDPPossibleAttributes() { - return PVPAttributeBuilder.buildSupportedEmptyAttributes(); - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes() - */ - @Override - public List getIDPPossibleNameITTypes() { - return Arrays.asList(NameIDType.PERSISTENT, - NameIDType.TRANSIENT, - NameIDType.UNSPECIFIED); - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes() - */ - @Override - public List getSPRequiredAttributes() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes() - */ - @Override - public List getSPAllowedNameITTypes() { - return null; + public String getDefaultActionName() { + return "IDP - PVP Metadata action"; } - - } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 88f0e3b74..08d9f67b6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -48,7 +48,9 @@ import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.ws.security.SecurityPolicyException; import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.x509.X509Credential; import org.opensaml.xml.signature.SignableXMLObject; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; @@ -81,6 +83,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator; @@ -96,6 +99,9 @@ import at.gv.egovernment.moa.util.MiscUtil; @Controller public class PVP2XProtocol extends AbstractAuthProtocolModulController { + @Autowired IDPCredentialProvider pvpCredentials; + @Autowired SAMLVerificationEngine samlVerificationEngine; + public static final String NAME = PVP2XProtocol.class.getName(); public static final String PATH = "id_pvp2x"; @@ -182,8 +188,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { req.getRemoteAddr()); //get POST-Binding decoder implementation - PostBinding coder = applicationContext.getBean(PostBinding.class); - InboundMessage msg = (InboundMessage) coder.decode(req, resp, false); + InboundMessage msg = (InboundMessage) new PostBinding().decode(req, resp, false); pendingReq.setRequest(msg); //preProcess Message @@ -231,8 +236,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { req.getRemoteAddr()); //get POST-Binding decoder implementation - RedirectBinding coder = applicationContext.getBean(RedirectBinding.class); - InboundMessage msg = (InboundMessage) coder.decode(req, resp, false); + InboundMessage msg = (InboundMessage) new RedirectBinding().decode(req, resp, false); pendingReq.setRequest(msg); //preProcess Message @@ -270,8 +274,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { } if(!msg.isVerified()) { - SAMLVerificationEngine engine = new SAMLVerificationEngine(); - engine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); msg.setVerified(true); } @@ -301,53 +304,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { pendingReq, MOAIDEventConstants.AUTHPROTOCOL_TYPE, PATH); //switch to session authentication - performAuthentication(request, response, pendingReq); - -// else if (msg instanceof MOAResponse && -// ((MOAResponse)msg).getResponse() instanceof Response) { -// //load service provider AuthRequest from session -// -// IRequest obj = RequestStorage.getPendingRequest(msg.getRelayState()); -// if (obj instanceof RequestImpl) { -// RequestImpl iReqSP = (RequestImpl) obj; -// -// MOAReversionLogger.getInstance().logEvent(iReqSP, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE); -// -// MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); -// -// if ( processedMsg != null ) { -// iReqSP.setInterfederationResponse(processedMsg); -// -// MOAReversionLogger.getInstance().logEvent(iReqSP, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED); -// -// Logger.info("Receive a valid assertion from IDP " + msg.getEntityID() -// + ". Switch to original transaction with ID " + iReqSP.getRequestID()); -// TransactionIDUtils.setTransactionId(iReqSP.getRequestID()); -// TransactionIDUtils.setSessionId(iReqSP.getSessionIdentifier()); -// -// } else { -// Logger.info("Interfederated IDP " + msg.getEntityID() + " has NO valid SSO session." -// +". Switch back local authentication process ..."); -// -// SSOManager ssomanager = SSOManager.getInstance(); -// ssomanager.removeInterfederatedSSOIDP(msg.getEntityID(), request); -// -// iReqSP.setRequestedIDP(null); -// -// } -// -// return iReqSP; -// -// } -// -// Logger.error("Stored PVP21 authrequest from service provider has an unsuppored type."); -// return null; - -// } - - - - + performAuthentication(request, response, pendingReq); } public boolean generateErrorMessage(Throwable e, @@ -424,11 +381,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { encoder = new RedirectBinding(); - - } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_ARTIFACT_BINDING_URI)) { - // TODO: not supported YET!! - //binding = new ArtifactBinding(); - + } else if(pvpRequest.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { encoder = new PostBinding(); @@ -445,8 +398,10 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { if (pvpRequest.getRequest() != null) relayState = pvpRequest.getRequest().getRelayState(); + X509Credential signCred = pvpCredentials.getIDPAssertionSigningCredential(); + encoder.encodeRespone(request, response, samlResponse, pvpRequest.getConsumerURL(), - relayState); + relayState, signCred); return true; } @@ -731,43 +686,4 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHREQUEST); } - -// /** -// * PreProcess AuthResponse and Assertion -// * @param msg -// */ -// private MOAResponse preProcessAuthResponse(MOAResponse msg) { -// Logger.debug("Start PVP21 assertion processing... "); -// Response samlResp = (Response) msg.getResponse(); -// -// try { -// if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { -// -// //validate PVP 2.1 assertion -// SAMLVerificationEngine.validateAssertion(samlResp, true); -// -// msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); -// return msg; -// -// } else { -// Logger.debug("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() -// + " from interfederated IDP."); -// -// } -// -// } catch (IOException e) { -// Logger.warn("Interfederation response marshaling FAILED.", e); -// -// } catch (MarshallingException e) { -// Logger.warn("Interfederation response marshaling FAILED.", e); -// -// } catch (TransformerException e) { -// Logger.warn("Interfederation response marshaling FAILED.", e); -// -// } catch (AssertionValidationExeption e) { -// //error is already logged, to nothing -// } -// -// return null; -// } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java index de5548a44..3b2fb3687 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IEncoder.java @@ -29,24 +29,40 @@ import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.credential.Credential; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; public interface IEncoder { + + /** + * + * @param req The http request + * @param resp The http response + * @param request The SAML2 request object + * @param targetLocation URL, where the request should be transmit + * @param relayState token for session handling + * @param credentials Credential to sign the request object + * @throws MessageEncodingException + * @throws SecurityException + * @throws PVP2Exception + */ public void encodeRequest(HttpServletRequest req, - HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState) + HttpServletResponse resp, RequestAbstractType request, String targetLocation, String relayState, Credential credentials) throws MessageEncodingException, SecurityException, PVP2Exception; /** * Encoder SAML Response * @param req The http request * @param resp The http response - * @param response The repsonse object - * @param targetLocation + * @param response The SAML2 repsonse object + * @param targetLocation URL, where the request should be transmit + * @param relayState token for session handling + * @param credentials Credential to sign the response object * @throws MessageEncodingException * @throws SecurityException */ public void encodeRespone(HttpServletRequest req, - HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState) + HttpServletResponse resp, StatusResponseType response, String targetLocation, String relayState, Credential credentials) throws MessageEncodingException, SecurityException, PVP2Exception; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 24bdf4c3c..ebb4b2991 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -46,9 +46,7 @@ import org.opensaml.ws.transport.http.HttpServletRequestAdapter; import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.x509.X509Credential; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; +import org.opensaml.xml.security.credential.Credential; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; @@ -59,8 +57,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOAPVPSignedRequestPolicyRule; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.util.HTTPUtils; @@ -68,18 +64,15 @@ import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; -@Service("PVPPostBindingCoder") public class PostBinding implements IDecoder, IEncoder { - - @Autowired private IDPCredentialProvider credentialProvider; - + public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState) + RequestAbstractType request, String targetLocation, String relayState, Credential credentials) throws MessageEncodingException, SecurityException { try { - X509Credential credentials = credentialProvider - .getIDPAssertionSigningCredential(); +// X509Credential credentials = credentialProvider +// .getIDPAssertionSigningCredential(); //load default PVP security configurations MOADefaultBootstrap.initializeDefaultPVPConfiguration(); @@ -102,9 +95,9 @@ public class PostBinding implements IDecoder, IEncoder { encoder.encode(context); - } catch (CredentialsNotAvailableException e) { - e.printStackTrace(); - throw new SecurityException(e); +// } catch (CredentialsNotAvailableException e) { +// e.printStackTrace(); +// throw new SecurityException(e); } catch (Exception e) { e.printStackTrace(); throw new SecurityException(e); @@ -112,12 +105,12 @@ public class PostBinding implements IDecoder, IEncoder { } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - StatusResponseType response, String targetLocation, String relayState) + StatusResponseType response, String targetLocation, String relayState, Credential credentials) throws MessageEncodingException, SecurityException { try { - X509Credential credentials = credentialProvider - .getIDPAssertionSigningCredential(); +// X509Credential credentials = credentialProvider +// .getIDPAssertionSigningCredential(); //load default PVP security configurations MOADefaultBootstrap.initializeDefaultPVPConfiguration(); @@ -143,9 +136,9 @@ public class PostBinding implements IDecoder, IEncoder { context.setRelayState(relayState); encoder.encode(context); - } catch (CredentialsNotAvailableException e) { - e.printStackTrace(); - throw new SecurityException(e); +// } catch (CredentialsNotAvailableException e) { +// e.printStackTrace(); +// throw new SecurityException(e); } catch (Exception e) { e.printStackTrace(); throw new SecurityException(e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 7167d8b7d..0ff18d903 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -47,9 +47,7 @@ import org.opensaml.ws.transport.http.HttpServletRequestAdapter; import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.x509.X509Credential; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; +import org.opensaml.xml.security.credential.Credential; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; @@ -60,25 +58,20 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; -@Service("PVPRedirectBindingCoder") public class RedirectBinding implements IDecoder, IEncoder { - - @Autowired private IDPCredentialProvider credentialProvider; public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState) + RequestAbstractType request, String targetLocation, String relayState, Credential credentials) throws MessageEncodingException, SecurityException { - try { - X509Credential credentials = credentialProvider - .getIDPAssertionSigningCredential(); +// try { +// X509Credential credentials = credentialProvider +// .getIDPAssertionSigningCredential(); //load default PVP security configurations MOADefaultBootstrap.initializeDefaultPVPConfiguration(); @@ -100,18 +93,18 @@ public class RedirectBinding implements IDecoder, IEncoder { context.setRelayState(relayState); encoder.encode(context); - } catch (CredentialsNotAvailableException e) { - e.printStackTrace(); - throw new SecurityException(e); - } +// } catch (CredentialsNotAvailableException e) { +// e.printStackTrace(); +// throw new SecurityException(e); +// } } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - StatusResponseType response, String targetLocation, String relayState) - throws MessageEncodingException, SecurityException { - try { - X509Credential credentials = credentialProvider - .getIDPAssertionSigningCredential(); + StatusResponseType response, String targetLocation, String relayState, + Credential credentials) throws MessageEncodingException, SecurityException { +// try { +// X509Credential credentials = credentialProvider +// .getIDPAssertionSigningCredential(); //load default PVP security configurations MOADefaultBootstrap.initializeDefaultPVPConfiguration(); @@ -133,10 +126,10 @@ public class RedirectBinding implements IDecoder, IEncoder { context.setRelayState(relayState); encoder.encode(context); - } catch (CredentialsNotAvailableException e) { - e.printStackTrace(); - throw new SecurityException(e); - } +// } catch (CredentialsNotAvailableException e) { +// e.printStackTrace(); +// throw new SecurityException(e); +// } } public InboundMessageInterface decode(HttpServletRequest req, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index bd60b7a13..cc3553551 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -46,7 +46,6 @@ import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.signature.SignableXMLObject; import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; @@ -55,12 +54,10 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; -@Service("PVPSOAPBindingCoder") public class SoapBinding implements IDecoder, IEncoder { @Autowired private IDPCredentialProvider credentialProvider; @@ -136,17 +133,17 @@ public class SoapBinding implements IDecoder, IEncoder { } public void encodeRequest(HttpServletRequest req, HttpServletResponse resp, - RequestAbstractType request, String targetLocation, String relayState) + RequestAbstractType request, String targetLocation, String relayState, Credential credentials) throws MessageEncodingException, SecurityException, PVP2Exception { } public void encodeRespone(HttpServletRequest req, HttpServletResponse resp, - StatusResponseType response, String targetLocation, String relayState) + StatusResponseType response, String targetLocation, String relayState, Credential credentials) throws MessageEncodingException, SecurityException, PVP2Exception { - try { - Credential credentials = credentialProvider - .getIDPAssertionSigningCredential(); +// try { +// Credential credentials = credentialProvider +// .getIDPAssertionSigningCredential(); //load default PVP security configurations MOADefaultBootstrap.initializeDefaultPVPConfiguration(); @@ -160,10 +157,10 @@ public class SoapBinding implements IDecoder, IEncoder { context.setOutboundMessageTransport(responseAdapter); encoder.encode(context); - } catch (CredentialsNotAvailableException e) { - e.printStackTrace(); - throw new SecurityException(e); - } +// } catch (CredentialsNotAvailableException e) { +// e.printStackTrace(); +// throw new SecurityException(e); +// } } public String getSAML2BindingName() { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AbstractPVPMetadataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AbstractPVPMetadataBuilder.java deleted file mode 100644 index 0212f8f1c..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AbstractPVPMetadataBuilder.java +++ /dev/null @@ -1,649 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.builder; - -import java.io.IOException; -import java.io.StringWriter; -import java.security.PrivateKey; -import java.security.interfaces.RSAPrivateKey; -import java.util.List; - -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.parsers.ParserConfigurationException; -import javax.xml.transform.Transformer; -import javax.xml.transform.TransformerException; -import javax.xml.transform.TransformerFactory; -import javax.xml.transform.TransformerFactoryConfigurationError; -import javax.xml.transform.dom.DOMSource; -import javax.xml.transform.stream.StreamResult; - -import org.joda.time.DateTime; -import org.opensaml.Configuration; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.metadata.AssertionConsumerService; -import org.opensaml.saml2.metadata.AttributeConsumingService; -import org.opensaml.saml2.metadata.ContactPerson; -import org.opensaml.saml2.metadata.EntitiesDescriptor; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.IDPSSODescriptor; -import org.opensaml.saml2.metadata.KeyDescriptor; -import org.opensaml.saml2.metadata.LocalizedString; -import org.opensaml.saml2.metadata.NameIDFormat; -import org.opensaml.saml2.metadata.Organization; -import org.opensaml.saml2.metadata.RequestedAttribute; -import org.opensaml.saml2.metadata.RoleDescriptor; -import org.opensaml.saml2.metadata.SPSSODescriptor; -import org.opensaml.saml2.metadata.ServiceName; -import org.opensaml.saml2.metadata.SingleLogoutService; -import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.xml.io.Marshaller; -import org.opensaml.xml.io.MarshallingException; -import org.opensaml.xml.security.SecurityException; -import org.opensaml.xml.security.SecurityHelper; -import org.opensaml.xml.security.credential.Credential; -import org.opensaml.xml.security.credential.UsageType; -import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; -import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; -import org.opensaml.xml.signature.Signature; -import org.opensaml.xml.signature.SignatureConstants; -import org.opensaml.xml.signature.SignatureException; -import org.opensaml.xml.signature.Signer; -import org.w3c.dom.Document; - -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -/** - * @author tlenz - * - */ - -public abstract class AbstractPVPMetadataBuilder { - - X509KeyInfoGeneratorFactory keyInfoFactory = null; - - /** - * - */ - public AbstractPVPMetadataBuilder() { - keyInfoFactory = new X509KeyInfoGeneratorFactory(); - keyInfoFactory.setEmitEntityIDAsKeyName(true); - keyInfoFactory.setEmitEntityCertificate(true); - - } - - - /** - * Set metadata valid area - * - * @return valid until in hours [h] - */ - public abstract int getMetadataValidUntil(); - - /** - * Build a SAML2 Entities element as metadata root element - * - * @return true, if the metadata should start with entities element - */ - public abstract boolean buildEntitiesDescriptorAsRootElement(); - - /** - * - * - * @return true, if an IDP SSO-descriptor element should be generated - */ - public abstract boolean buildIDPSSODescriptor(); - - /** - * - * - * @return true, if an SP SSO-descriptor element should be generated - */ - public abstract boolean buildSPSSODescriptor(); - - /** - * Set the PVP entityID for this SAML2 metadata. - * The entityID must be a URL and is public-URL prefix of the server, as minimum. - * If this is null or a empty String, the EntityID is the public-url prefix - * - * @return PVP entityID postfix as String - */ - public abstract String getEntityIDPostfix(); - - /** - * Set a friendlyName for this PVP entity - * - * @return - */ - public abstract String getEntityFriendlyName(); - - /** - * Set the contact information for this metadata entity - * - * @return - */ - public abstract List getContactPersonInformation(); - - /** - * Set organisation information for this metadata entity - * - * @return - */ - public abstract Organization getOrgansiationInformation(); - - - /** - * Set the credential for metadata signing - * - * @return - * @throws CredentialsNotAvailableException - */ - public abstract Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException; - - /** - * Set the credential for request/response signing - * IDP metadata: this credential is used for SAML2 response signing - * SP metadata: this credential is used for SAML2 response signing - * - * @return - * @throws CredentialsNotAvailableException - */ - public abstract Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException; - - /** - * Set the credential for response encryption - * - * @return - * @throws CredentialsNotAvailableException - */ - public abstract Credential getEncryptionCredentials() throws CredentialsNotAvailableException; - - /** - * Set the IDP Post-Binding URL-postfix for WebSSO - * - * @return - */ - public abstract String getIDPWebSSOPostBindingURL(); - - /** - * Set the IDP Redirect-Binding URL-postfix for WebSSO - * - * @return - */ - public abstract String getIDPWebSSORedirectBindingURL(); - - /** - * Set the IDP Post-Binding URL-postfix for Single LogOut - * - * @return - */ - public abstract String getIDPSLOPostBindingURL(); - - /** - * Set the IDP Redirect-Binding URL-postfix for Single LogOut - * - * @return - */ - public abstract String getIDPSLORedirectBindingURL(); - - /** - * Set the SP Post-Binding URL-postfix for for the Assertion-Consumer Service - * - * @return - */ - public abstract String getSPAssertionConsumerServicePostBindingURL(); - - /** - * Set the SP Redirect-Binding URL-postfix for the Assertion-Consumer Service - * - * @return - */ - public abstract String getSPAssertionConsumerServiceRedirectBindingURL(); - - /** - * Set the SP Post-Binding URL-postfix for Single LogOut - * - * @return - */ - public abstract String getSPSLOPostBindingURL(); - - /** - * Set the SP Redirect-Binding URL-postfix for Single LogOut - * - * @return - */ - public abstract String getSPSLORedirectBindingURL(); - - /** - * Set the SP SOAP-Binding URL-postfix for Single LogOut - * - * @return - */ - public abstract String getSPSLOSOAPBindingURL(); - - - /** - * Set all SAML2 attributes which could be provided by this IDP - * - * @return - */ - public abstract List getIDPPossibleAttributes(); - - /** - * Set all nameID types which could be provided by this IDP - * - * @return a List of SAML2 nameID types - */ - public abstract List getIDPPossibleNameITTypes(); - - /** - * Set all SAML2 attributes which are required by the SP - * - * @return - */ - public abstract List getSPRequiredAttributes(); - - /** - * Set all nameID types which allowed from the SP - * - * @return a List of SAML2 nameID types - */ - public abstract List getSPAllowedNameITTypes(); - - /** - * - * Build PVP 2.1 conform SAML2 metadata - * - * @param instancePublicURLPrefix - * Public-URL prefix which should be used to generate URLs. - * The URL String must by without trailing / - * - * @return PVP metadata as XML String - * @throws SecurityException - * @throws ConfigurationException - * @throws CredentialsNotAvailableException - * @throws TransformerFactoryConfigurationError - * @throws MarshallingException - * @throws TransformerException - * @throws ParserConfigurationException - * @throws IOException - * @throws SignatureException - */ - public String buildPVPMetadata(String instancePublicURLPrefix) throws CredentialsNotAvailableException, ConfigurationException, SecurityException, TransformerFactoryConfigurationError, MarshallingException, TransformerException, ParserConfigurationException, IOException, SignatureException { - if (MiscUtil.isEmpty(instancePublicURLPrefix)) { - Logger.error("Metadata generation FAILED! --> PublicURL Prefix is null or empty"); - throw new NullPointerException("PublicURL Prefix is null or empty"); - - } - - //remove trailing slash - if (instancePublicURLPrefix.endsWith("/")) - instancePublicURLPrefix.substring(0, instancePublicURLPrefix.length()-1); - - DateTime date = new DateTime(); - EntityDescriptor entityDescriptor = SAML2Utils - .createSAMLObject(EntityDescriptor.class); - - //set entityID - if (MiscUtil.isNotEmpty(getEntityIDPostfix())) - entityDescriptor.setEntityID(instancePublicURLPrefix + getEntityIDPostfix()); - else - entityDescriptor.setEntityID(instancePublicURLPrefix); - - //set contact and organisation information - List contactPersons = getContactPersonInformation(); - if (contactPersons != null) - entityDescriptor.getContactPersons().addAll(contactPersons); - - Organization organisation = getOrgansiationInformation(); - if (organisation != null) - entityDescriptor.setOrganization(organisation); - - //set IDP metadata - if (buildIDPSSODescriptor()) { - RoleDescriptor idpSSODesc = generateIDPMetadata(instancePublicURLPrefix); - if (idpSSODesc != null) - entityDescriptor.getRoleDescriptors().add(idpSSODesc); - - } - - //set SP metadata for interfederation - if (buildSPSSODescriptor()) { - RoleDescriptor spSSODesc = generateSPMetadata(instancePublicURLPrefix); - if (spSSODesc != null) - entityDescriptor.getRoleDescriptors().add(spSSODesc); - - } - - //set metadata signature parameters - Credential metadataSignCred = getMetadataSigningCredentials(); - Signature signature = getIDPSignature(metadataSignCred); - SecurityHelper.prepareSignatureParams(signature, metadataSignCred, null, null); - - - //initialize XML document builder - DocumentBuilder builder; - DocumentBuilderFactory factory = DocumentBuilderFactory - .newInstance(); - - builder = factory.newDocumentBuilder(); - Document document = builder.newDocument(); - - - //build entities descriptor - if (buildEntitiesDescriptorAsRootElement()) { - EntitiesDescriptor entitiesDescriptor = - SAML2Utils.createSAMLObject(EntitiesDescriptor.class); - entitiesDescriptor.setName(getEntityFriendlyName()); - entitiesDescriptor.setID(SAML2Utils.getSecureIdentifier()); - entitiesDescriptor.setValidUntil(date.plusHours(getMetadataValidUntil())); - entitiesDescriptor.getEntityDescriptors().add(entityDescriptor); - - entitiesDescriptor.setSignature(signature); - - //marshall document - Marshaller out = Configuration.getMarshallerFactory() - .getMarshaller(entitiesDescriptor); - out.marshall(entitiesDescriptor, document); - - } else { - entityDescriptor.setValidUntil(date.plusHours(getMetadataValidUntil())); - - entityDescriptor.setSignature(signature); - - //marshall document - Marshaller out = Configuration.getMarshallerFactory() - .getMarshaller(entityDescriptor); - out.marshall(entityDescriptor, document); - - } - - //sign metadata - Signer.signObject(signature); - - //transform metadata object to XML string - Transformer transformer = TransformerFactory.newInstance() - .newTransformer(); - - StringWriter sw = new StringWriter(); - StreamResult sr = new StreamResult(sw); - DOMSource source = new DOMSource(document); - transformer.transform(source, sr); - sw.close(); - - return sw.toString(); - } - - - private RoleDescriptor generateSPMetadata(String instancePublicURLPrefix) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { - SPSSODescriptor spSSODescriptor = SAML2Utils.createSAMLObject(SPSSODescriptor.class); - spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); - spSSODescriptor.setAuthnRequestsSigned(true); - spSSODescriptor.setWantAssertionsSigned(false); - - KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); - - //Set AuthRequest Signing certificate - Credential authcredential = getRequestorResponseSigningCredentials(); - if (authcredential == null) { - Logger.warn("SP Metadata generation FAILED! --> Builder has NO request signing-credential. "); - return null; - - } else { - KeyDescriptor signKeyDescriptor = SAML2Utils - .createSAMLObject(KeyDescriptor.class); - signKeyDescriptor.setUse(UsageType.SIGNING); - signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential)); - spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); - - } - - //Set assertion encryption credentials - Credential authEncCredential = getEncryptionCredentials(); - - if (authEncCredential != null) { - KeyDescriptor encryKeyDescriptor = SAML2Utils - .createSAMLObject(KeyDescriptor.class); - encryKeyDescriptor.setUse(UsageType.ENCRYPTION); - encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential)); - spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor); - - } else { - Logger.warn("No Assertion Encryption-Key defined. This setting is not recommended!"); - - } - - //check nameID formates - if (getSPAllowedNameITTypes() == null || getSPAllowedNameITTypes().size() == 0) { - Logger.warn("SP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. "); - return null; - - } else { - for (String format : getSPAllowedNameITTypes()) { - NameIDFormat nameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - nameIDFormat.setFormat(format); - spSSODescriptor.getNameIDFormats().add(nameIDFormat); - - } - } - - - //add POST-Binding assertion consumer services - if (MiscUtil.isNotEmpty(getSPAssertionConsumerServicePostBindingURL())) { - AssertionConsumerService postassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); - postassertionConsumerService.setIndex(0); - postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - postassertionConsumerService.setLocation(instancePublicURLPrefix + getSPAssertionConsumerServicePostBindingURL()); - postassertionConsumerService.setIsDefault(true); - spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); - - } - - //add POST-Binding assertion consumer services - if (MiscUtil.isNotEmpty(getSPAssertionConsumerServiceRedirectBindingURL())) { - AssertionConsumerService redirectassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); - redirectassertionConsumerService.setIndex(1); - redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - redirectassertionConsumerService.setLocation(instancePublicURLPrefix + getSPAssertionConsumerServiceRedirectBindingURL()); - spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); - - } - - //validate WebSSO endpoints - if (spSSODescriptor.getAssertionConsumerServices().size() == 0) { - Logger.warn("SP Metadata generation FAILED! --> NO SAML2 AssertionConsumerService endpoint found. "); - return null; - - } - - //add POST-Binding SLO descriptor - if (MiscUtil.isNotEmpty(getSPSLOPostBindingURL())) { - SingleLogoutService postSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); - postSLOService.setLocation(instancePublicURLPrefix + getSPSLOPostBindingURL()); - postSLOService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - spSSODescriptor.getSingleLogoutServices().add(postSLOService); - - } - - //add POST-Binding SLO descriptor - if (MiscUtil.isNotEmpty(getSPSLORedirectBindingURL())) { - SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); - redirectSLOService.setLocation(instancePublicURLPrefix + getSPSLORedirectBindingURL()); - redirectSLOService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - spSSODescriptor.getSingleLogoutServices().add(redirectSLOService); - - } - - //add POST-Binding SLO descriptor - if (MiscUtil.isNotEmpty(getSPSLOSOAPBindingURL())) { - SingleLogoutService soapSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); - soapSLOService.setLocation(instancePublicURLPrefix + getSPSLOSOAPBindingURL()); - soapSLOService.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); - spSSODescriptor.getSingleLogoutServices().add(soapSLOService); - - } - - - //add required attributes - List reqSPAttr = getSPRequiredAttributes(); - AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class); - - attributeService.setIndex(0); - attributeService.setIsDefault(true); - ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); - serviceName.setName(new LocalizedString("Default Service", "en")); - attributeService.getNames().add(serviceName); - - if (reqSPAttr != null && reqSPAttr.size() > 0) { - Logger.debug("Add " + reqSPAttr.size() + " attributes to SP metadata"); - attributeService.getRequestAttributes().addAll(reqSPAttr); - - } else { - Logger.debug("SP metadata contains NO requested attributes."); - - } - - spSSODescriptor.getAttributeConsumingServices().add(attributeService); - - return spSSODescriptor; - } - - private IDPSSODescriptor generateIDPMetadata(String instancePublicURLPrefix) throws ConfigurationException, CredentialsNotAvailableException, SecurityException { - //check response signing credential - Credential responseSignCred = getRequestorResponseSigningCredentials(); - if (responseSignCred == null) { - Logger.warn("IDP Metadata generation FAILED! --> Builder has NO Response signing credential. "); - return null; - - } - - //check nameID formates - if (getIDPPossibleNameITTypes() == null || getIDPPossibleNameITTypes().size() == 0) { - Logger.warn("IDP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. "); - return null; - - } - - // build SAML2 IDP-SSO descriptor element - IDPSSODescriptor idpSSODescriptor = SAML2Utils - .createSAMLObject(IDPSSODescriptor.class); - - idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); - - //set ass default value, because PVP 2.x specification defines this feature as MUST - idpSSODescriptor.setWantAuthnRequestsSigned(true); - - // add WebSSO descriptor for POST-Binding - if (MiscUtil.isNotEmpty(getIDPWebSSOPostBindingURL())) { - SingleSignOnService postSingleSignOnService = SAML2Utils.createSAMLObject(SingleSignOnService.class); - postSingleSignOnService.setLocation(instancePublicURLPrefix + getIDPWebSSOPostBindingURL()); - postSingleSignOnService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - idpSSODescriptor.getSingleSignOnServices().add(postSingleSignOnService); - - } - - // add WebSSO descriptor for Redirect-Binding - if (MiscUtil.isNotEmpty(getIDPWebSSORedirectBindingURL())) { - SingleSignOnService postSingleSignOnService = SAML2Utils.createSAMLObject(SingleSignOnService.class); - postSingleSignOnService.setLocation(instancePublicURLPrefix + getIDPWebSSORedirectBindingURL()); - postSingleSignOnService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - idpSSODescriptor.getSingleSignOnServices().add(postSingleSignOnService); - - } - - //add Single LogOut POST-Binding endpoing - if (MiscUtil.isNotEmpty(getIDPSLOPostBindingURL())) { - SingleLogoutService postSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); - postSLOService.setLocation(instancePublicURLPrefix + getIDPSLOPostBindingURL()); - postSLOService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); - idpSSODescriptor.getSingleLogoutServices().add(postSLOService); - - } - - //add Single LogOut Redirect-Binding endpoing - if (MiscUtil.isNotEmpty(getIDPSLORedirectBindingURL())) { - SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); - redirectSLOService.setLocation(instancePublicURLPrefix + getIDPSLORedirectBindingURL()); - redirectSLOService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); - idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService); - - } - - //validate WebSSO endpoints - if (idpSSODescriptor.getSingleSignOnServices().size() == 0) { - Logger.warn("IDP Metadata generation FAILED! --> NO SAML2 SingleSignOnService endpoint found. "); - return null; - - } - - //set assertion signing key - KeyDescriptor signKeyDescriptor = SAML2Utils - .createSAMLObject(KeyDescriptor.class); - signKeyDescriptor.setUse(UsageType.SIGNING); - KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); - signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(getRequestorResponseSigningCredentials())); - idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); - - //set IDP attribute set - idpSSODescriptor.getAttributes().addAll(getIDPPossibleAttributes()); - - //set providable nameID formats - for (String format : getIDPPossibleNameITTypes()) { - NameIDFormat nameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); - nameIDFormat.setFormat(format); - idpSSODescriptor.getNameIDFormats().add(nameIDFormat); - - } - - return idpSSODescriptor; - - } - - private Signature getIDPSignature(Credential credentials) { - PrivateKey privatekey = credentials.getPrivateKey(); - Signature signer = SAML2Utils.createSAMLObject(Signature.class); - - if (privatekey instanceof RSAPrivateKey) { - signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); - - } else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) { - signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1); - - } else { - Logger.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId() + " credential."); - - - } - - signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); - signer.setSigningCredential(credentials); - return signer; - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java new file mode 100644 index 000000000..3418ffb69 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java @@ -0,0 +1,460 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder; + +import java.io.IOException; +import java.io.StringWriter; +import java.security.PrivateKey; +import java.security.interfaces.RSAPrivateKey; +import java.util.List; + +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.dom.DOMSource; +import javax.xml.transform.stream.StreamResult; + +import org.joda.time.DateTime; +import org.opensaml.Configuration; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.metadata.AssertionConsumerService; +import org.opensaml.saml2.metadata.AttributeConsumingService; +import org.opensaml.saml2.metadata.ContactPerson; +import org.opensaml.saml2.metadata.EntitiesDescriptor; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.IDPSSODescriptor; +import org.opensaml.saml2.metadata.KeyDescriptor; +import org.opensaml.saml2.metadata.LocalizedString; +import org.opensaml.saml2.metadata.NameIDFormat; +import org.opensaml.saml2.metadata.Organization; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.saml2.metadata.RoleDescriptor; +import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.ServiceName; +import org.opensaml.saml2.metadata.SingleLogoutService; +import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.SecurityException; +import org.opensaml.xml.security.SecurityHelper; +import org.opensaml.xml.security.credential.Credential; +import org.opensaml.xml.security.credential.UsageType; +import org.opensaml.xml.security.keyinfo.KeyInfoGenerator; +import org.opensaml.xml.security.x509.X509KeyInfoGeneratorFactory; +import org.opensaml.xml.signature.Signature; +import org.opensaml.xml.signature.SignatureConstants; +import org.opensaml.xml.signature.SignatureException; +import org.opensaml.xml.signature.Signer; +import org.springframework.stereotype.Service; +import org.w3c.dom.Document; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ + +@Service("PVPMetadataBuilder") +public class PVPMetadataBuilder { + + X509KeyInfoGeneratorFactory keyInfoFactory = null; + + /** + * + */ + public PVPMetadataBuilder() { + keyInfoFactory = new X509KeyInfoGeneratorFactory(); + keyInfoFactory.setEmitEntityIDAsKeyName(true); + keyInfoFactory.setEmitEntityCertificate(true); + + } + + + /** + * + * Build PVP 2.1 conform SAML2 metadata + * + * @param config + * PVPMetadataBuilder configuration + * + * @return PVP metadata as XML String + * @throws SecurityException + * @throws ConfigurationException + * @throws CredentialsNotAvailableException + * @throws TransformerFactoryConfigurationError + * @throws MarshallingException + * @throws TransformerException + * @throws ParserConfigurationException + * @throws IOException + * @throws SignatureException + */ + public String buildPVPMetadata(IPVPMetadataBuilderConfiguration config) throws CredentialsNotAvailableException, ConfigurationException, SecurityException, TransformerFactoryConfigurationError, MarshallingException, TransformerException, ParserConfigurationException, IOException, SignatureException { + DateTime date = new DateTime(); + EntityDescriptor entityDescriptor = SAML2Utils + .createSAMLObject(EntityDescriptor.class); + + //set entityID + entityDescriptor.setEntityID(config.getEntityID()); + + //set contact and organisation information + List contactPersons = config.getContactPersonInformation(); + if (contactPersons != null) + entityDescriptor.getContactPersons().addAll(contactPersons); + + Organization organisation = config.getOrgansiationInformation(); + if (organisation != null) + entityDescriptor.setOrganization(organisation); + + //set IDP metadata + if (config.buildIDPSSODescriptor()) { + RoleDescriptor idpSSODesc = generateIDPMetadata(config); + if (idpSSODesc != null) + entityDescriptor.getRoleDescriptors().add(idpSSODesc); + + } + + //set SP metadata for interfederation + if (config.buildSPSSODescriptor()) { + RoleDescriptor spSSODesc = generateSPMetadata(config); + if (spSSODesc != null) + entityDescriptor.getRoleDescriptors().add(spSSODesc); + + } + + //set metadata signature parameters + Credential metadataSignCred = config.getMetadataSigningCredentials(); + Signature signature = getIDPSignature(metadataSignCred); + SecurityHelper.prepareSignatureParams(signature, metadataSignCred, null, null); + + + //initialize XML document builder + DocumentBuilder builder; + DocumentBuilderFactory factory = DocumentBuilderFactory + .newInstance(); + + builder = factory.newDocumentBuilder(); + Document document = builder.newDocument(); + + + //build entities descriptor + if (config.buildEntitiesDescriptorAsRootElement()) { + EntitiesDescriptor entitiesDescriptor = + SAML2Utils.createSAMLObject(EntitiesDescriptor.class); + entitiesDescriptor.setName(config.getEntityFriendlyName()); + entitiesDescriptor.setID(SAML2Utils.getSecureIdentifier()); + entitiesDescriptor.setValidUntil(date.plusHours(config.getMetadataValidUntil())); + entitiesDescriptor.getEntityDescriptors().add(entityDescriptor); + + entitiesDescriptor.setSignature(signature); + + //marshall document + Marshaller out = Configuration.getMarshallerFactory() + .getMarshaller(entitiesDescriptor); + out.marshall(entitiesDescriptor, document); + + } else { + entityDescriptor.setValidUntil(date.plusHours(config.getMetadataValidUntil())); + + entityDescriptor.setSignature(signature); + + //marshall document + Marshaller out = Configuration.getMarshallerFactory() + .getMarshaller(entityDescriptor); + out.marshall(entityDescriptor, document); + + } + + //sign metadata + Signer.signObject(signature); + + //transform metadata object to XML string + Transformer transformer = TransformerFactory.newInstance() + .newTransformer(); + + StringWriter sw = new StringWriter(); + StreamResult sr = new StreamResult(sw); + DOMSource source = new DOMSource(document); + transformer.transform(source, sr); + sw.close(); + + return sw.toString(); + } + + + private RoleDescriptor generateSPMetadata(IPVPMetadataBuilderConfiguration config) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { + SPSSODescriptor spSSODescriptor = SAML2Utils.createSAMLObject(SPSSODescriptor.class); + spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); + spSSODescriptor.setAuthnRequestsSigned(true); + spSSODescriptor.setWantAssertionsSigned(false); + + KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); + + //Set AuthRequest Signing certificate + Credential authcredential = config.getRequestorResponseSigningCredentials(); + if (authcredential == null) { + Logger.warn("SP Metadata generation FAILED! --> Builder has NO request signing-credential. "); + return null; + + } else { + KeyDescriptor signKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + signKeyDescriptor.setUse(UsageType.SIGNING); + signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authcredential)); + spSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); + + } + + //Set assertion encryption credentials + Credential authEncCredential = config.getEncryptionCredentials(); + + if (authEncCredential != null) { + KeyDescriptor encryKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + encryKeyDescriptor.setUse(UsageType.ENCRYPTION); + encryKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(authEncCredential)); + spSSODescriptor.getKeyDescriptors().add(encryKeyDescriptor); + + } else { + Logger.warn("No Assertion Encryption-Key defined. This setting is not recommended!"); + + } + + //check nameID formates + if (config.getSPAllowedNameITTypes() == null || config.getSPAllowedNameITTypes().size() == 0) { + Logger.warn("SP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. "); + return null; + + } else { + for (String format : config.getSPAllowedNameITTypes()) { + NameIDFormat nameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + nameIDFormat.setFormat(format); + spSSODescriptor.getNameIDFormats().add(nameIDFormat); + + } + } + + + //add POST-Binding assertion consumer services + if (MiscUtil.isNotEmpty(config.getSPAssertionConsumerServicePostBindingURL())) { + AssertionConsumerService postassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); + postassertionConsumerService.setIndex(0); + postassertionConsumerService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + postassertionConsumerService.setLocation(config.getSPAssertionConsumerServicePostBindingURL()); + postassertionConsumerService.setIsDefault(true); + spSSODescriptor.getAssertionConsumerServices().add(postassertionConsumerService); + + } + + //add POST-Binding assertion consumer services + if (MiscUtil.isNotEmpty(config.getSPAssertionConsumerServiceRedirectBindingURL())) { + AssertionConsumerService redirectassertionConsumerService = SAML2Utils.createSAMLObject(AssertionConsumerService.class); + redirectassertionConsumerService.setIndex(1); + redirectassertionConsumerService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + redirectassertionConsumerService.setLocation(config.getSPAssertionConsumerServiceRedirectBindingURL()); + spSSODescriptor.getAssertionConsumerServices().add(redirectassertionConsumerService); + + } + + //validate WebSSO endpoints + if (spSSODescriptor.getAssertionConsumerServices().size() == 0) { + Logger.warn("SP Metadata generation FAILED! --> NO SAML2 AssertionConsumerService endpoint found. "); + return null; + + } + + //add POST-Binding SLO descriptor + if (MiscUtil.isNotEmpty(config.getSPSLOPostBindingURL())) { + SingleLogoutService postSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); + postSLOService.setLocation(config.getSPSLOPostBindingURL()); + postSLOService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + spSSODescriptor.getSingleLogoutServices().add(postSLOService); + + } + + //add POST-Binding SLO descriptor + if (MiscUtil.isNotEmpty(config.getSPSLORedirectBindingURL())) { + SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); + redirectSLOService.setLocation(config.getSPSLORedirectBindingURL()); + redirectSLOService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + spSSODescriptor.getSingleLogoutServices().add(redirectSLOService); + + } + + //add POST-Binding SLO descriptor + if (MiscUtil.isNotEmpty(config.getSPSLOSOAPBindingURL())) { + SingleLogoutService soapSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); + soapSLOService.setLocation(config.getSPSLOSOAPBindingURL()); + soapSLOService.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); + spSSODescriptor.getSingleLogoutServices().add(soapSLOService); + + } + + + //add required attributes + List reqSPAttr = config.getSPRequiredAttributes(); + AttributeConsumingService attributeService = SAML2Utils.createSAMLObject(AttributeConsumingService.class); + + attributeService.setIndex(0); + attributeService.setIsDefault(true); + ServiceName serviceName = SAML2Utils.createSAMLObject(ServiceName.class); + serviceName.setName(new LocalizedString("Default Service", "en")); + attributeService.getNames().add(serviceName); + + if (reqSPAttr != null && reqSPAttr.size() > 0) { + Logger.debug("Add " + reqSPAttr.size() + " attributes to SP metadata"); + attributeService.getRequestAttributes().addAll(reqSPAttr); + + } else { + Logger.debug("SP metadata contains NO requested attributes."); + + } + + spSSODescriptor.getAttributeConsumingServices().add(attributeService); + + return spSSODescriptor; + } + + private IDPSSODescriptor generateIDPMetadata(IPVPMetadataBuilderConfiguration config) throws ConfigurationException, CredentialsNotAvailableException, SecurityException { + //check response signing credential + Credential responseSignCred = config.getRequestorResponseSigningCredentials(); + if (responseSignCred == null) { + Logger.warn("IDP Metadata generation FAILED! --> Builder has NO Response signing credential. "); + return null; + + } + + //check nameID formates + if (config.getIDPPossibleNameITTypes() == null || config.getIDPPossibleNameITTypes().size() == 0) { + Logger.warn("IDP Metadata generation FAILED! --> Builder has NO provideable SAML2 nameIDFormats. "); + return null; + + } + + // build SAML2 IDP-SSO descriptor element + IDPSSODescriptor idpSSODescriptor = SAML2Utils + .createSAMLObject(IDPSSODescriptor.class); + + idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); + + //set ass default value, because PVP 2.x specification defines this feature as MUST + idpSSODescriptor.setWantAuthnRequestsSigned(true); + + // add WebSSO descriptor for POST-Binding + if (MiscUtil.isNotEmpty(config.getIDPWebSSOPostBindingURL())) { + SingleSignOnService postSingleSignOnService = SAML2Utils.createSAMLObject(SingleSignOnService.class); + postSingleSignOnService.setLocation(config.getIDPWebSSOPostBindingURL()); + postSingleSignOnService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + idpSSODescriptor.getSingleSignOnServices().add(postSingleSignOnService); + + } + + // add WebSSO descriptor for Redirect-Binding + if (MiscUtil.isNotEmpty(config.getIDPWebSSORedirectBindingURL())) { + SingleSignOnService postSingleSignOnService = SAML2Utils.createSAMLObject(SingleSignOnService.class); + postSingleSignOnService.setLocation(config.getIDPWebSSORedirectBindingURL()); + postSingleSignOnService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + idpSSODescriptor.getSingleSignOnServices().add(postSingleSignOnService); + + } + + //add Single LogOut POST-Binding endpoing + if (MiscUtil.isNotEmpty(config.getIDPSLOPostBindingURL())) { + SingleLogoutService postSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); + postSLOService.setLocation(config.getIDPSLOPostBindingURL()); + postSLOService.setBinding(SAMLConstants.SAML2_POST_BINDING_URI); + idpSSODescriptor.getSingleLogoutServices().add(postSLOService); + + } + + //add Single LogOut Redirect-Binding endpoing + if (MiscUtil.isNotEmpty(config.getIDPSLORedirectBindingURL())) { + SingleLogoutService redirectSLOService = SAML2Utils.createSAMLObject(SingleLogoutService.class); + redirectSLOService.setLocation(config.getIDPSLORedirectBindingURL()); + redirectSLOService.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI); + idpSSODescriptor.getSingleLogoutServices().add(redirectSLOService); + + } + + //validate WebSSO endpoints + if (idpSSODescriptor.getSingleSignOnServices().size() == 0) { + Logger.warn("IDP Metadata generation FAILED! --> NO SAML2 SingleSignOnService endpoint found. "); + return null; + + } + + //set assertion signing key + KeyDescriptor signKeyDescriptor = SAML2Utils + .createSAMLObject(KeyDescriptor.class); + signKeyDescriptor.setUse(UsageType.SIGNING); + KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); + signKeyDescriptor.setKeyInfo(keyInfoGenerator.generate(config.getRequestorResponseSigningCredentials())); + idpSSODescriptor.getKeyDescriptors().add(signKeyDescriptor); + + //set IDP attribute set + idpSSODescriptor.getAttributes().addAll(config.getIDPPossibleAttributes()); + + //set providable nameID formats + for (String format : config.getIDPPossibleNameITTypes()) { + NameIDFormat nameIDFormat = SAML2Utils.createSAMLObject(NameIDFormat.class); + nameIDFormat.setFormat(format); + idpSSODescriptor.getNameIDFormats().add(nameIDFormat); + + } + + return idpSSODescriptor; + + } + + private Signature getIDPSignature(Credential credentials) { + PrivateKey privatekey = credentials.getPrivateKey(); + Signature signer = SAML2Utils.createSAMLObject(Signature.class); + + if (privatekey instanceof RSAPrivateKey) { + signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA256); + + } else if (privatekey instanceof iaik.security.ecc.ecdsa.ECPrivateKey) { + signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_ECDSA_SHA1); + + } else { + Logger.warn("Could NOT evaluate the Private-Key type from " + credentials.getEntityId() + " credential."); + + + } + + signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS); + signer.setSigningCredential(credentials); + return signer; + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java index 959fc7d2d..a7fc8295a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/SingleLogOutBuilder.java @@ -201,7 +201,8 @@ public class SingleLogOutBuilder { try { binding.encodeRespone(req, resp, sloResp, - consumerService.getLocation(), relayState); + consumerService.getLocation(), relayState, + credentialProvider.getIDPAssertionSigningCredential()); } catch (MessageEncodingException e) { Logger.error("Message Encoding exception", e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java new file mode 100644 index 000000000..e0994ff19 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java @@ -0,0 +1,288 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import java.util.Arrays; +import java.util.List; + +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.NameIDType; +import org.opensaml.saml2.metadata.ContactPerson; +import org.opensaml.saml2.metadata.Organization; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.xml.security.credential.Credential; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class IDPPVPMetadataConfiguration implements IPVPMetadataBuilderConfiguration { + + private static final int VALIDUNTIL_IN_HOURS = 24; + + private String authURL; + private IDPCredentialProvider credentialProvider; + + public IDPPVPMetadataConfiguration(String authURL, IDPCredentialProvider credentialProvider) { + this.authURL = authURL; + this.credentialProvider = credentialProvider; + + } + + public String getDefaultActionName() { + return (PVP2XProtocol.METADATA); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil() + */ + @Override + public int getMetadataValidUntil() { + return VALIDUNTIL_IN_HOURS; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement() + */ + @Override + public boolean buildEntitiesDescriptorAsRootElement() { + return true; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor() + */ + @Override + public boolean buildIDPSSODescriptor() { + return true; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor() + */ + @Override + public boolean buildSPSSODescriptor() { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityID() + */ + @Override + public String getEntityID() { + return authURL; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName() + */ + @Override + public String getEntityFriendlyName() { + try { + return PVPConfiguration.getInstance().getIDPIssuerName(); + + } catch (ConfigurationException e) { + Logger.error("Can not load Metadata entry: EntityID friendlyName.", e); + return null; + + } + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation() + */ + @Override + public List getContactPersonInformation() { + try { + return PVPConfiguration.getInstance().getIDPContacts(); + + } catch (ConfigurationException e) { + Logger.warn("Can not load Metadata entry: Contect Person", e); + return null; + + } + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation() + */ + @Override + public Organization getOrgansiationInformation() { + try { + return PVPConfiguration.getInstance().getIDPOrganisation(); + + } catch (ConfigurationException e) { + Logger.warn("Can not load Metadata entry: Organisation", e); + return null; + + } + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials() + */ + @Override + public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPMetaDataSigningCredential(); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials() + */ + @Override + public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPAssertionSigningCredential(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials() + */ + @Override + public Credential getEncryptionCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPAssertionEncryptionCredential(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL() + */ + @Override + public String getIDPWebSSOPostBindingURL() { + return authURL + PVPConfiguration.PVP2_IDP_POST; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL() + */ + @Override + public String getIDPWebSSORedirectBindingURL() { + return authURL + PVPConfiguration.PVP2_IDP_REDIRECT; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL() + */ + @Override + public String getIDPSLOPostBindingURL() { + return authURL + PVPConfiguration.PVP2_IDP_POST; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL() + */ + @Override + public String getIDPSLORedirectBindingURL() { + return authURL + PVPConfiguration.PVP2_IDP_REDIRECT; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL() + */ + @Override + public String getSPAssertionConsumerServicePostBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL() + */ + @Override + public String getSPAssertionConsumerServiceRedirectBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL() + */ + @Override + public String getSPSLOPostBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL() + */ + @Override + public String getSPSLORedirectBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL() + */ + @Override + public String getSPSLOSOAPBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes() + */ + @Override + public List getIDPPossibleAttributes() { + return PVPAttributeBuilder.buildSupportedEmptyAttributes(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes() + */ + @Override + public List getIDPPossibleNameITTypes() { + return Arrays.asList(NameIDType.PERSISTENT, + NameIDType.TRANSIENT, + NameIDType.UNSPECIFIED); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes() + */ + @Override + public List getSPRequiredAttributes() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes() + */ + @Override + public List getSPAllowedNameITTypes() { + return null; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java new file mode 100644 index 000000000..52096fd19 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java @@ -0,0 +1,217 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import java.util.List; + +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.metadata.ContactPerson; +import org.opensaml.saml2.metadata.Organization; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.xml.security.credential.Credential; + +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; + +/** + * @author tlenz + * + */ +public interface IPVPMetadataBuilderConfiguration { + + + /** + * Set metadata valid area + * + * @return valid until in hours [h] + */ + public int getMetadataValidUntil(); + + /** + * Build a SAML2 Entities element as metadata root element + * + * @return true, if the metadata should start with entities element + */ + public boolean buildEntitiesDescriptorAsRootElement(); + + /** + * + * + * @return true, if an IDP SSO-descriptor element should be generated + */ + public boolean buildIDPSSODescriptor(); + + /** + * + * + * @return true, if an SP SSO-descriptor element should be generated + */ + public boolean buildSPSSODescriptor(); + + /** + * Set the PVP entityID for this SAML2 metadata. + * The entityID must be an URL and must be start with the public-URL prefix of the server + * + * @return PVP entityID postfix as String + */ + public String getEntityID(); + + /** + * Set a friendlyName for this PVP entity + * + * @return + */ + public String getEntityFriendlyName(); + + /** + * Set the contact information for this metadata entity + * + * @return + */ + public List getContactPersonInformation(); + + /** + * Set organisation information for this metadata entity + * + * @return + */ + public Organization getOrgansiationInformation(); + + + /** + * Set the credential for metadata signing + * + * @return + * @throws CredentialsNotAvailableException + */ + public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException; + + /** + * Set the credential for request/response signing + * IDP metadata: this credential is used for SAML2 response signing + * SP metadata: this credential is used for SAML2 response signing + * + * @return + * @throws CredentialsNotAvailableException + */ + public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException; + + /** + * Set the credential for response encryption + * + * @return + * @throws CredentialsNotAvailableException + */ + public Credential getEncryptionCredentials() throws CredentialsNotAvailableException; + + /** + * Set the IDP Post-Binding URL for WebSSO + * + * @return + */ + public String getIDPWebSSOPostBindingURL(); + + /** + * Set the IDP Redirect-Binding URL for WebSSO + * + * @return + */ + public String getIDPWebSSORedirectBindingURL(); + + /** + * Set the IDP Post-Binding URL for Single LogOut + * + * @return + */ + public String getIDPSLOPostBindingURL(); + + /** + * Set the IDP Redirect-Binding URL for Single LogOut + * + * @return + */ + public String getIDPSLORedirectBindingURL(); + + /** + * Set the SP Post-Binding URL for for the Assertion-Consumer Service + * + * @return + */ + public String getSPAssertionConsumerServicePostBindingURL(); + + /** + * Set the SP Redirect-Binding URL for the Assertion-Consumer Service + * + * @return + */ + public String getSPAssertionConsumerServiceRedirectBindingURL(); + + /** + * Set the SP Post-Binding URL for Single LogOut + * + * @return + */ + public String getSPSLOPostBindingURL(); + + /** + * Set the SP Redirect-Binding URL for Single LogOut + * + * @return + */ + public String getSPSLORedirectBindingURL(); + + /** + * Set the SP SOAP-Binding URL for Single LogOut + * + * @return + */ + public String getSPSLOSOAPBindingURL(); + + + /** + * Set all SAML2 attributes which could be provided by this IDP + * + * @return + */ + public List getIDPPossibleAttributes(); + + /** + * Set all nameID types which could be provided by this IDP + * + * @return a List of SAML2 nameID types + */ + public List getIDPPossibleNameITTypes(); + + /** + * Set all SAML2 attributes which are required by the SP + * + * @return + */ + public List getSPRequiredAttributes(); + + /** + * Set all nameID types which allowed from the SP + * + * @return a List of SAML2 nameID types + */ + public List getSPAllowedNameITTypes(); +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index f7e753273..5e44c9057 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -22,29 +22,50 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; +import java.util.ArrayList; +import java.util.List; + import javax.xml.namespace.QName; import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; +import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.common.xml.SAMLSchemaBuilder; +import org.opensaml.saml2.core.Conditions; +import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.RequestAbstractType; +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusResponseType; +import org.opensaml.saml2.encryption.Decrypter; +import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCriteria; import org.opensaml.security.SAMLSignatureProfileValidator; +import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; +import org.opensaml.xml.encryption.DecryptionException; +import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; +import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xml.security.CriteriaSet; +import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.criteria.EntityIDCriteria; import org.opensaml.xml.security.criteria.UsageCriteria; +import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.validation.ValidationException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; import org.w3c.dom.Element; import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; @@ -53,8 +74,11 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; +@Service("SAMLVerificationEngine") public class SAMLVerificationEngine { + @Autowired AuthConfiguration authConfig; + public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { try { if (msg instanceof MOARequest && @@ -158,116 +182,110 @@ public class SAMLVerificationEngine { } } -// public static void validateAssertion(Response samlResp, boolean validateDestination) throws AssertionValidationExeption { -// try { -// if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { -// List saml2assertions = new ArrayList(); -// -// List allowedPublicURLPrefix = -// AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(); -// boolean isValidDestination = false; -// for (String allowedPreFix : allowedPublicURLPrefix) { -// if (validateDestination && samlResp.getDestination().startsWith( -// allowedPreFix)) { -// isValidDestination = true; -// break; -// -// } -// } -// if (!isValidDestination && validateDestination) { -// Logger.warn("PVP 2.1 assertion destination does not match to IDP URL"); -// throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); -// -// } -// -// //check encrypted Assertion -// List encryAssertionList = samlResp.getEncryptedAssertions(); -// if (encryAssertionList != null && encryAssertionList.size() > 0) { -// //decrypt assertions -// -// Logger.debug("Found encryped assertion. Start decryption ..."); -// -// X509Credential authDecCredential = CredentialProvider.getIDPAssertionEncryptionCredential(); -// -// StaticKeyInfoCredentialResolver skicr = -// new StaticKeyInfoCredentialResolver(authDecCredential); -// -// ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); -// encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); -// encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); -// encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); -// -// Decrypter samlDecrypter = -// new Decrypter(null, skicr, encryptedKeyResolver); -// -// for (EncryptedAssertion encAssertion : encryAssertionList) { -// saml2assertions.add(samlDecrypter.decrypt(encAssertion)); -// -// } -// -// Logger.debug("Assertion decryption finished. "); -// -// } else { -// saml2assertions.addAll(samlResp.getAssertions()); -// -// } -// -// List validatedassertions = new ArrayList(); -// for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { -// -// try { -// performSchemaValidation(saml2assertion.getDOM()); -// -// Conditions conditions = saml2assertion.getConditions(); -// DateTime notbefore = conditions.getNotBefore().minusMinutes(5); -// DateTime notafter = conditions.getNotOnOrAfter(); -// if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { -// Logger.warn("PVP2 Assertion is out of Date. " -// + "{ Current : " + new DateTime() -// + " NotBefore: " + notbefore -// + " NotAfter : " + notafter -// + " }");; -// -// } else { -// validatedassertions.add(saml2assertion); -// -// } -// -// } catch (SchemaValidationException e) { -// -// } -// } -// -// if (validatedassertions.isEmpty()) { -// Logger.info("No valid PVP 2.1 assertion received."); -// throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null); -// } -// -// samlResp.getAssertions().clear(); -// samlResp.getEncryptedAssertions().clear(); -// samlResp.getAssertions().addAll(validatedassertions); -// -// } else { -// Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " -// + samlResp.getStatus().getStatusCode().getValue()); -// throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " -// + samlResp.getStatus().getStatusCode().getValue(), null); -// } -// -// } catch (CredentialsNotAvailableException e) { -// Logger.warn("Assertion decrypt FAILED - No Credentials", e); -// throw new AssertionValidationExeption("Assertion decrypt FAILED - No Credentials", null, e); -// -// } catch (DecryptionException e) { -// Logger.warn("Assertion decrypt FAILED.", e); -// throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e); -// -// } catch (ConfigurationException e) { -// throw new AssertionValidationExeption("pvp.12", null, e); -// } -// } + public void validateAssertion(Response samlResp, boolean validateDestination, Credential assertionDecryption) throws AssertionValidationExeption { + try { + if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + List saml2assertions = new ArrayList(); + + //validate destination URL + List allowedPublicURLPrefix = authConfig.getPublicURLPrefix(); + boolean isValidDestination = false; + for (String allowedPreFix : allowedPublicURLPrefix) { + if (validateDestination && samlResp.getDestination().startsWith( + allowedPreFix)) { + isValidDestination = true; + break; + + } + } + if (!isValidDestination && validateDestination) { + Logger.warn("PVP 2.1 assertion destination does not match to IDP URL"); + throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); + + } + + //check encrypted Assertion + List encryAssertionList = samlResp.getEncryptedAssertions(); + if (encryAssertionList != null && encryAssertionList.size() > 0) { + //decrypt assertions + + Logger.debug("Found encryped assertion. Start decryption ..."); + + StaticKeyInfoCredentialResolver skicr = + new StaticKeyInfoCredentialResolver(assertionDecryption); + + ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); + encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); + + Decrypter samlDecrypter = + new Decrypter(null, skicr, encryptedKeyResolver); + + for (EncryptedAssertion encAssertion : encryAssertionList) { + saml2assertions.add(samlDecrypter.decrypt(encAssertion)); + + } + + Logger.debug("Assertion decryption finished. "); + + } else { + saml2assertions.addAll(samlResp.getAssertions()); + + } + + List validatedassertions = new ArrayList(); + for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { + + try { + performSchemaValidation(saml2assertion.getDOM()); + + Conditions conditions = saml2assertion.getConditions(); + DateTime notbefore = conditions.getNotBefore().minusMinutes(5); + DateTime notafter = conditions.getNotOnOrAfter(); + if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { + Logger.warn("PVP2 Assertion is out of Date. " + + "{ Current : " + new DateTime() + + " NotBefore: " + notbefore + + " NotAfter : " + notafter + + " }");; + + } else { + validatedassertions.add(saml2assertion); + + } + + } catch (SchemaValidationException e) { + + } + } + + if (validatedassertions.isEmpty()) { + Logger.info("No valid PVP 2.1 assertion received."); + throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null); + } + + samlResp.getAssertions().clear(); + samlResp.getEncryptedAssertions().clear(); + samlResp.getAssertions().addAll(validatedassertions); + + } else { + Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " + + samlResp.getStatus().getStatusCode().getValue()); + throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " + + samlResp.getStatus().getStatusCode().getValue(), null); + } + + } catch (DecryptionException e) { + Logger.warn("Assertion decrypt FAILED.", e); + throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e); + + } catch (ConfigurationException e) { + throw new AssertionValidationExeption("pvp.12", null, e); + } + } - private static void performSchemaValidation(Element source) throws SchemaValidationException { + private void performSchemaValidation(Element source) throws SchemaValidationException { String err = null; try { diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java index 44b1fe2da..54db1d8ff 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java @@ -62,6 +62,7 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask { throws TaskExecutionException { try { + Logger.info("BKU is selected -> Start BKU communication ..."); defaultTaskInitialization(request, executionContext); boolean isLegacyRequest = false; diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/builder/FederatedAuthMetadataBuilder.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/builder/FederatedAuthMetadataBuilder.java deleted file mode 100644 index 45d76d4fe..000000000 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/builder/FederatedAuthMetadataBuilder.java +++ /dev/null @@ -1,273 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.auth.modules.federatedauth.builder; - -import java.util.Arrays; -import java.util.List; - -import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.NameIDType; -import org.opensaml.saml2.metadata.ContactPerson; -import org.opensaml.saml2.metadata.Organization; -import org.opensaml.saml2.metadata.RequestedAttribute; -import org.opensaml.xml.security.credential.Credential; -import org.springframework.beans.factory.annotation.Autowired; -import org.springframework.stereotype.Service; - -import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; -import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -@Service("FederatedAuthMetadataBuilder") -public class FederatedAuthMetadataBuilder extends AbstractPVPMetadataBuilder { - - @Autowired FederatedAuthCredentialProvider credentialProvider; - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil() - */ - @Override - public int getMetadataValidUntil() { - return FederatedAuthConstants.METADATA_VALIDUNTIL_IN_HOURS; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement() - */ - @Override - public boolean buildEntitiesDescriptorAsRootElement() { - return false; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor() - */ - @Override - public boolean buildIDPSSODescriptor() { - return false; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor() - */ - @Override - public boolean buildSPSSODescriptor() { - return true; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityIDPostfix() - */ - @Override - public String getEntityIDPostfix() { - return FederatedAuthConstants.ENDPOINT_METADATA; - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName() - */ - @Override - public String getEntityFriendlyName() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation() - */ - @Override - public List getContactPersonInformation() { - try { - return PVPConfiguration.getInstance().getIDPContacts(); - - } catch (ConfigurationException e) { - Logger.warn("Can not load Metadata entry: Contect Person", e); - return null; - - } - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation() - */ - @Override - public Organization getOrgansiationInformation() { - try { - return PVPConfiguration.getInstance().getIDPOrganisation(); - - } catch (ConfigurationException e) { - Logger.warn("Can not load Metadata entry: Organisation", e); - return null; - - } - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials() - */ - @Override - public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException { - return credentialProvider.getIDPMetaDataSigningCredential(); - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials() - */ - @Override - public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException { - return credentialProvider.getIDPAssertionSigningCredential(); - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials() - */ - @Override - public Credential getEncryptionCredentials() throws CredentialsNotAvailableException { - return credentialProvider.getIDPAssertionEncryptionCredential(); - - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL() - */ - @Override - public String getIDPWebSSOPostBindingURL() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL() - */ - @Override - public String getIDPWebSSORedirectBindingURL() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL() - */ - @Override - public String getIDPSLOPostBindingURL() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL() - */ - @Override - public String getIDPSLORedirectBindingURL() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL() - */ - @Override - public String getSPAssertionConsumerServicePostBindingURL() { - return FederatedAuthConstants.ENDPOINT_POST; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL() - */ - @Override - public String getSPAssertionConsumerServiceRedirectBindingURL() { - return FederatedAuthConstants.ENDPOINT_REDIRECT; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL() - */ - @Override - public String getSPSLOPostBindingURL() { - return FederatedAuthConstants.ENDPOINT_POST; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL() - */ - @Override - public String getSPSLORedirectBindingURL() { - return FederatedAuthConstants.ENDPOINT_REDIRECT; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL() - */ - @Override - public String getSPSLOSOAPBindingURL() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes() - */ - @Override - public List getIDPPossibleAttributes() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes() - */ - @Override - public List getIDPPossibleNameITTypes() { - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes() - */ - @Override - public List getSPRequiredAttributes() { - // TODO Auto-generated method stub - return null; - } - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes() - */ - @Override - public List getSPAllowedNameITTypes() { - return Arrays.asList(NameIDType.PERSISTENT, - NameIDType.TRANSIENT, - NameIDType.UNSPECIFIED); - - } - -} diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java new file mode 100644 index 000000000..29b6ea18b --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java @@ -0,0 +1,281 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.federatedauth.config; + +import java.util.Arrays; +import java.util.List; + +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.NameIDType; +import org.opensaml.saml2.metadata.ContactPerson; +import org.opensaml.saml2.metadata.Organization; +import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.xml.security.credential.Credential; + +import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class FederatedAuthMetadataConfiguration implements IPVPMetadataBuilderConfiguration { + + + private static final int VALIDUNTIL_IN_HOURS = 24; + + private String authURL; + private FederatedAuthCredentialProvider credentialProvider; + + public FederatedAuthMetadataConfiguration(String authURL, FederatedAuthCredentialProvider credentialProvider) { + this.authURL = authURL; + this.credentialProvider = credentialProvider; + + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataValidUntil() + */ + @Override + public int getMetadataValidUntil() { + return FederatedAuthConstants.METADATA_VALIDUNTIL_IN_HOURS; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildEntitiesDescriptorAsRootElement() + */ + @Override + public boolean buildEntitiesDescriptorAsRootElement() { + return false; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildIDPSSODescriptor() + */ + @Override + public boolean buildIDPSSODescriptor() { + return false; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#buildSPSSODescriptor() + */ + @Override + public boolean buildSPSSODescriptor() { + return true; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityIDPostfix() + */ + @Override + public String getEntityID() { + return authURL + FederatedAuthConstants.ENDPOINT_METADATA; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEntityFriendlyName() + */ + @Override + public String getEntityFriendlyName() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getContactPersonInformation() + */ + @Override + public List getContactPersonInformation() { + try { + return PVPConfiguration.getInstance().getIDPContacts(); + + } catch (ConfigurationException e) { + Logger.warn("Can not load Metadata entry: Contect Person", e); + return null; + + } + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getOrgansiationInformation() + */ + @Override + public Organization getOrgansiationInformation() { + try { + return PVPConfiguration.getInstance().getIDPOrganisation(); + + } catch (ConfigurationException e) { + Logger.warn("Can not load Metadata entry: Organisation", e); + return null; + + } + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getMetadataSigningCredentials() + */ + @Override + public Credential getMetadataSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPMetaDataSigningCredential(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getRequestorResponseSigningCredentials() + */ + @Override + public Credential getRequestorResponseSigningCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPAssertionSigningCredential(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getEncryptionCredentials() + */ + @Override + public Credential getEncryptionCredentials() throws CredentialsNotAvailableException { + return credentialProvider.getIDPAssertionEncryptionCredential(); + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSOPostBindingURL() + */ + @Override + public String getIDPWebSSOPostBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPWebSSORedirectBindingURL() + */ + @Override + public String getIDPWebSSORedirectBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLOPostBindingURL() + */ + @Override + public String getIDPSLOPostBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPSLORedirectBindingURL() + */ + @Override + public String getIDPSLORedirectBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServicePostBindingURL() + */ + @Override + public String getSPAssertionConsumerServicePostBindingURL() { + return authURL + FederatedAuthConstants.ENDPOINT_POST; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAssertionConsumerServiceRedirectBindingURL() + */ + @Override + public String getSPAssertionConsumerServiceRedirectBindingURL() { + return authURL + FederatedAuthConstants.ENDPOINT_REDIRECT; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOPostBindingURL() + */ + @Override + public String getSPSLOPostBindingURL() { + return authURL + FederatedAuthConstants.ENDPOINT_POST; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLORedirectBindingURL() + */ + @Override + public String getSPSLORedirectBindingURL() { + return authURL + FederatedAuthConstants.ENDPOINT_REDIRECT; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPSLOSOAPBindingURL() + */ + @Override + public String getSPSLOSOAPBindingURL() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleAttributes() + */ + @Override + public List getIDPPossibleAttributes() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getIDPPossibleNameITTypes() + */ + @Override + public List getIDPPossibleNameITTypes() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPRequiredAttributes() + */ + @Override + public List getSPRequiredAttributes() { + // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.builder.AbstractPVPMetadataBuilder#getSPAllowedNameITTypes() + */ + @Override + public List getSPAllowedNameITTypes() { + return Arrays.asList(NameIDType.PERSISTENT, + NameIDType.TRANSIENT, + NameIDType.UNSPECIFIED); + + } + +} -- cgit v1.2.3 From 101f582d457f3e0bbd42083521360d18168fbd84 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 24 Feb 2016 06:22:18 +0100 Subject: add federated IDP authentication modul --- .../pvp2x/SP/tasks/AbstractAuthnRequestTask.java | 293 --------------------- .../pvp2x/SP/tasks/AbstractAuthnResponseTask.java | 53 ---- .../pvp2x/builder/PVPAuthnRequestBuilder.java | 172 ++++++++++++ .../IPVPAuthnRequestBuilderConfiguruation.java | 114 ++++++++ .../exceptions/AuthnRequestBuildException.java | 47 ++++ .../AuthnResponseValidationException.java | 48 ++++ .../storage/DBAuthenticationSessionStoreage.java | 68 ++--- .../id/storage/IAuthenticationSessionStoreage.java | 4 +- .../resources/properties/id_messages_de.properties | 9 + .../federatedauth/FederatedAuthConstants.java | 3 + .../FederatedAuthenticationModuleImpl.java | 12 +- .../FederatedAuthnRequestBuilderConfiguration.java | 161 +++++++++++ .../FederatedAuthMetadataController.java | 14 +- .../tasks/CreateAuthnRequestTask.java | 220 ++++++++++++++++ .../tasks/ReceiveAuthnResponseTask.java | 225 ++++++++++++++++ .../federated.Authentication.process.xml | 30 ++- .../main/resources/moaid_federated_auth.beans.xml | 15 +- 17 files changed, 1073 insertions(+), 415 deletions(-) delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnResponseTask.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java create mode 100644 id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java deleted file mode 100644 index c8c115f82..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnRequestTask.java +++ /dev/null @@ -1,293 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.SP.tasks; -import java.lang.reflect.InvocationTargetException; -import java.security.NoSuchAlgorithmException; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import org.joda.time.DateTime; -import org.opensaml.common.impl.SecureRandomIdentifierGenerator; -import org.opensaml.common.xml.SAMLConstants; -import org.opensaml.saml2.core.AuthnContextClassRef; -import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; -import org.opensaml.saml2.core.AuthnRequest; -import org.opensaml.saml2.core.Issuer; -import org.opensaml.saml2.core.NameID; -import org.opensaml.saml2.core.NameIDPolicy; -import org.opensaml.saml2.core.NameIDType; -import org.opensaml.saml2.core.RequestedAuthnContext; -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.SingleSignOnService; -import org.opensaml.saml2.metadata.provider.MetadataProviderException; -import org.opensaml.ws.message.encoder.MessageEncodingException; -import org.opensaml.xml.security.SecurityException; - -import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; -import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.moduls.RequestImpl; -import at.gv.egovernment.moa.id.process.api.ExecutionContext; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; - -/** - * @author tlenz - * - */ -public abstract class AbstractAuthnRequestTask extends AbstractAuthServletTask { - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) - */ - @Override - public void execute(ExecutionContext executionContext, - HttpServletRequest request, HttpServletResponse response) - throws TaskExecutionException { - boolean requiredLocalAuthentication = true; - - String idpEntityID = - (String) executionContext.get(MOAIDAuthConstants.PROCESSCONTEXT_INTERFEDERATION_ENTITYID); - - if (MiscUtil.isEmpty(idpEntityID)) { - Logger.info("Interfederation not possible -> not inderfederation IDP EntityID found!"); - throw new TaskExecutionException(pendingReq, "Interfederation not possible", new MOAIDException("No inderfederation-IDP EntityID found.", null)); - - } - - //TODO: create MOASession - //TODO: set relayState to MOASession - //TODO: add support for requested attributes (from context and from metadata) - - - try { - OAAuthParameter idp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(idpEntityID); - IOAAuthParameters sp = pendingReq.getOnlineApplicationConfiguration(); - - String requestedIDP = pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class); - - if (!idp.isInderfederationIDP() || !idp.isInboundSSOInterfederationAllowed()) { - Logger.info("Requested interfederation IDP " + requestedIDP + " is not valid for interfederation."); - Logger.debug("isInderfederationIDP:" + String.valueOf(idp.isInderfederationIDP()) - + " isInboundSSOAllowed:" + String.valueOf(idp.isInboundSSOInterfederationAllowed())); - Logger.info("Switch to local authentication on this IDP ... "); - - executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true); - return; - - } - - - - - EntityDescriptor idpEntity = MOAMetadataProvider.getInstance(). - getEntityDescriptor(idpEntityID); - - if (idpEntity != null ) { - - //fetch endpoint from IDP metadata - SingleSignOnService redirectEndpoint = null; - for (SingleSignOnService sss : - idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) { - - // use POST binding as default if it exists - //TODO: maybe use RedirectBinding as default - if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { - redirectEndpoint = sss; - - } else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) && - redirectEndpoint == null ) - redirectEndpoint = sss; - } - - if (redirectEndpoint != null) { - - AuthnRequest authReq = SAML2Utils - .createSAMLObject(AuthnRequest.class); - SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); - authReq.setID(gen.generateIdentifier()); - - //send passive AuthnRequest - authReq.setIsPassive(idp.isPassivRequestUsedForInterfederation()); - - authReq.setAssertionConsumerServiceIndex(0); - authReq.setIssueInstant(new DateTime()); - Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); - issuer.setValue(pendingReq.getAuthURLWithOutSlash()); - - issuer.setFormat(NameIDType.ENTITY); - authReq.setIssuer(issuer); - NameIDPolicy policy = SAML2Utils - .createSAMLObject(NameIDPolicy.class); - policy.setAllowCreate(true); - policy.setFormat(NameID.TRANSIENT); - authReq.setNameIDPolicy(policy); - - authReq.setDestination(redirectEndpoint.getLocation()); - - RequestedAuthnContext reqAuthContext = - SAML2Utils.createSAMLObject(RequestedAuthnContext.class); - - AuthnContextClassRef authnClassRef = - SAML2Utils.createSAMLObject(AuthnContextClassRef.class); - - //check if STORK protocol module is in ClassPath - Object storkRequst = null; - Integer storkSecClass = null; - try { - storkRequst = Class.forName("at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest").newInstance(); - if (storkRequst != null && - pendingReq.getClass().isInstance(storkRequst)) { - Object storkAuthnRequest = pendingReq.getClass().getMethod("getStorkAuthnRequest", null).invoke(pendingReq, null); - storkSecClass = (Integer) storkAuthnRequest.getClass().getMethod("getQaa", null).invoke(storkAuthnRequest, null); - - } - - } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) { - - - } - - - if (sp != null && sp.isSTORKPVPGateway()){ - //use PVP SecClass instead of STORK QAA level - String secClass = null; - if (storkRequst != null && - pendingReq.getClass().isInstance(storkRequst)) { - - try { - secClass = PVPtoSTORKMapper.getInstance().mapToSecClass( - PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass)); - - } catch (Exception e) { - Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e); - - } - } - - if (MiscUtil.isNotEmpty(secClass)) - authnClassRef.setAuthnContextClassRef(secClass); - else - authnClassRef.setAuthnContextClassRef("http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3"); - - } else { - if (storkRequst != null && - pendingReq.getClass().isInstance(storkRequst)) { - //use requested QAA level from STORK request - try { - authnClassRef.setAuthnContextClassRef( - PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass)); - Logger.debug("Use STORK-QAA level " + authnClassRef.getAuthnContextClassRef() - + " from STORK request"); - - } catch (Exception e) { - Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e); - - } - - } - - if (MiscUtil.isEmpty(authnClassRef.getAuthnContextClassRef())) - authnClassRef.setAuthnContextClassRef("http://www.stork.gov.eu/1.0/citizenQAALevel/4"); - - } - - reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM); - reqAuthContext.getAuthnContextClassRefs().add(authnClassRef); - authReq.setRequestedAuthnContext(reqAuthContext); - - IEncoder binding = null; - if (redirectEndpoint.getBinding().equals( - SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { - binding = new RedirectBinding(); - - } else if (redirectEndpoint.getBinding().equals( - SAMLConstants.SAML2_POST_BINDING_URI)) { - binding = new PostBinding(); - - } - - binding.encodeRequest(request, response, authReq, - redirectEndpoint.getLocation(), pendingReq.getRequestID()); - - //build and send request without an error - requiredLocalAuthentication = false; - - revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), - pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_IDP, idpEntity.getEntityID()); - - - } else { - Logger.warn("Requested IDP " + requestedIDP - + " does not support POST or Redirect Binding."); - - } - - } else { - Logger.warn("Requested IDP " + requestedIDP - + " is not found in InterFederation configuration"); - - } - - } catch (MetadataProviderException e) { - Logger.error("IDP metadata error." , e); - - } catch (NoSuchAlgorithmException e) { - Logger.error("Build IDP authentication request FAILED.", e); - - } catch (MessageEncodingException e) { - Logger.error("Build IDP authentication request FAILED.", e); - - } catch (SecurityException e) { - Logger.error("Build IDP authentication request FAILED.", e); - - } catch (PVP2Exception e) { - Logger.error("Build IDP authentication request FAILED.", e); - - } catch (ConfigurationException e1) { - Logger.error("Build IDP authentication request FAILED.", e1); - - } - - //set flag for next step - executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, - requiredLocalAuthentication); - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnResponseTask.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnResponseTask.java deleted file mode 100644 index 6ce8fab59..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/SP/tasks/AbstractAuthnResponseTask.java +++ /dev/null @@ -1,53 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.protocols.pvp2x.SP.tasks; - -import javax.servlet.http.HttpServletRequest; -import javax.servlet.http.HttpServletResponse; - -import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; -import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.process.api.ExecutionContext; - -/** - * @author tlenz - * - */ -public abstract class AbstractAuthnResponseTask extends AbstractAuthServletTask { - - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) - */ - @Override - public void execute(ExecutionContext executionContext, - HttpServletRequest request, HttpServletResponse response) - throws TaskExecutionException { - - //TODO: validate SAML2 assertion - //TODO: move attributeQuery from AuthenticationDataBuilder to her - //TODO: add SAML2 interfederation Response to MOASession - //TODO: update AuthenticationDataBuilder to use Response from MOASession if exists - - } - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java new file mode 100644 index 000000000..312bb823d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java @@ -0,0 +1,172 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.builder; + +import java.security.NoSuchAlgorithmException; + +import javax.servlet.http.HttpServletResponse; + +import org.joda.time.DateTime; +import org.opensaml.common.impl.SecureRandomIdentifierGenerator; +import org.opensaml.common.xml.SAMLConstants; +import org.opensaml.saml2.core.AuthnContextClassRef; +import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml2.core.AuthnRequest; +import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.NameIDPolicy; +import org.opensaml.saml2.core.NameIDType; +import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.SingleSignOnService; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.xml.security.SecurityException; +import org.springframework.stereotype.Service; + +import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestBuildException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +@Service("PVPAuthnRequestBuilder") +public class PVPAuthnRequestBuilder { + + + /** + * Build a PVP2.x specific authentication request + * + * @param pendingReq Currently processed pendingRequest + * @param config AuthnRequest builder configuration, never null + * @param idpEntity SAML2 EntityDescriptor of the IDP, which receive this AuthnRequest, never null + * @param httpResp + * @throws NoSuchAlgorithmException + * @throws SecurityException + * @throws PVP2Exception + * @throws MessageEncodingException + */ + public void buildAuthnRequest(IRequest pendingReq, IPVPAuthnRequestBuilderConfiguruation config, + HttpServletResponse httpResp) throws NoSuchAlgorithmException, MessageEncodingException, PVP2Exception, SecurityException { + //get IDP Entity element from config + EntityDescriptor idpEntity = config.getIDPEntityDescriptor(); + + AuthnRequest authReq = SAML2Utils + .createSAMLObject(AuthnRequest.class); + + //select SingleSignOn Service endpoint from IDP metadata + SingleSignOnService endpoint = null; + for (SingleSignOnService sss : + idpEntity.getIDPSSODescriptor(SAMLConstants.SAML20P_NS).getSingleSignOnServices()) { + + // use POST binding as default if it exists + if (sss.getBinding().equals(SAMLConstants.SAML2_POST_BINDING_URI)) { + endpoint = sss; + + } else if ( sss.getBinding().equals(SAMLConstants.SAML2_REDIRECT_BINDING_URI) + && endpoint == null ) + endpoint = sss; + + } + + if (endpoint == null) { + Logger.warn("Building AuthnRequest FAILED: > Requested IDP " + idpEntity.getEntityID() + + " does not support POST or Redirect Binding."); + throw new AuthnRequestBuildException("sp.pvp2.00", new Object[]{idpEntity.getEntityID()}); + + } else + authReq.setDestination(endpoint.getLocation()); + + + //set basic AuthnRequest information + SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); + authReq.setID(gen.generateIdentifier()); + authReq.setIssueInstant(new DateTime()); + + //set isPassive flag + if (config.isPassivRequest() == null) + authReq.setIsPassive(false); + else + authReq.setIsPassive(config.isPassivRequest()); + + //set EntityID of the service provider + Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class); + issuer.setFormat(NameIDType.ENTITY); + issuer.setValue(config.getSPEntityID()); + authReq.setIssuer(issuer); + + //set AssertionConsumerService ID + if (config.getAssertionConsumerServiceId() != null) + authReq.setAssertionConsumerServiceIndex(config.getAssertionConsumerServiceId()); + + //set NameIDPolicy + if (config.getNameIDPolicyFormat() != null) { + NameIDPolicy policy = SAML2Utils.createSAMLObject(NameIDPolicy.class); + policy.setAllowCreate(config.getNameIDPolicyAllowCreation()); + policy.setFormat(config.getNameIDPolicyFormat()); + authReq.setNameIDPolicy(policy); + } + + //set requested QAA level + if (config.getAuthnContextClassRef() != null) { + RequestedAuthnContext reqAuthContext = SAML2Utils.createSAMLObject(RequestedAuthnContext.class); + AuthnContextClassRef authnClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class); + + authnClassRef.setAuthnContextClassRef(config.getAuthnContextClassRef()); + + if (config.getAuthnContextComparison() == null) + reqAuthContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM); + else + reqAuthContext.setComparison(config.getAuthnContextComparison()); + + reqAuthContext.getAuthnContextClassRefs().add(authnClassRef); + authReq.setRequestedAuthnContext(reqAuthContext); + } + + //TODO: implement requested attributes + //maybe: config.getRequestedAttributes(); + + //select message encoder + IEncoder binding = null; + if (endpoint.getBinding().equals( + SAMLConstants.SAML2_REDIRECT_BINDING_URI)) { + binding = new RedirectBinding(); + + } else if (endpoint.getBinding().equals( + SAMLConstants.SAML2_POST_BINDING_URI)) { + binding = new PostBinding(); + + } + + //encode message + binding.encodeRequest(null, httpResp, authReq, + endpoint.getLocation(), pendingReq.getRequestID(), config.getAuthnRequestSigningCredential()); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java new file mode 100644 index 000000000..d51231044 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java @@ -0,0 +1,114 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.config; + +import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.xml.security.credential.Credential; + +/** + * @author tlenz + * + */ +public interface IPVPAuthnRequestBuilderConfiguruation { + + /** + * If true, the SAML2 isPassive flag is set in the AuthnRequest + * + * @return + */ + public Boolean isPassivRequest(); + + /** + * Define the ID of the AssertionConsumerService, + * which defines the required attributes in service-provider metadata. + * + * @return + */ + public Integer getAssertionConsumerServiceId(); + + /** + * Define the SAML2 EntityID of the service provider. + * + * @return + */ + public String getSPEntityID(); + + /** + * Define the SAML2 NameIDPolicy + * + * @return Service-Provider EntityID, but never null + */ + public String getNameIDPolicyFormat(); + + /** + * Define the AuthnContextClassRefernece of this request + * + * Example: + * http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3 + * http://www.stork.gov.eu/1.0/citizenQAALevel/4 + * + * + * @return + */ + public String getAuthnContextClassRef(); + + /** + * Define the AuthnContextComparison model, which should be used + * + * @return + */ + public AuthnContextComparisonTypeEnumeration getAuthnContextComparison(); + + + /** + * Define the credential, which should be used to sign the AuthnRequest + * + * @return + */ + public Credential getAuthnRequestSigningCredential(); + + + /** + * Define the SAML2 EntityDescriptor of the IDP, which should receive the AuthnRequest + * + * @return Credential, but never null. + */ + public EntityDescriptor getIDPEntityDescriptor(); + + /** + * Set the SAML2 NameIDPolicy allow-creation flag + * + * @return EntityDescriptor, but never null. + */ + public boolean getNameIDPolicyAllowCreation(); + + + /** + * Set the requested SubjectNameID + * + * @return SubjectNameID, or null if no SubjectNameID should be used + */ + public String getSubjectNameID(); + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java new file mode 100644 index 000000000..eebaf6c9e --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnRequestBuildException.java @@ -0,0 +1,47 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +/** + * @author tlenz + * + */ +public class AuthnRequestBuildException extends PVP2Exception { + + /** + * + */ + private static final long serialVersionUID = -1375451065455859354L; + + /** + * @param messageId + * @param parameters + */ + public AuthnRequestBuildException(String messageId, Object[] parameters) { + super(messageId, parameters); + } + + public AuthnRequestBuildException(String messageId, Object[] parameters, Throwable e) { + super(messageId, parameters, e); + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java new file mode 100644 index 000000000..957f9af1d --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/exceptions/AuthnResponseValidationException.java @@ -0,0 +1,48 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.exceptions; + +/** + * @author tlenz + * + */ +public class AuthnResponseValidationException extends PVP2Exception { + + /** + * + */ + private static final long serialVersionUID = 8023812861029406575L; + + /** + * @param messageId + * @param parameters + */ + public AuthnResponseValidationException(String messageId, Object[] parameters) { + super(messageId, parameters); + } + + public AuthnResponseValidationException(String messageId, Object[] parameters, Throwable e) { + super(messageId, parameters, e); + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java index 743caec55..cfdb4426b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java @@ -32,6 +32,7 @@ import org.hibernate.HibernateException; import org.hibernate.Query; import org.hibernate.Session; import org.hibernate.Transaction; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import com.fasterxml.jackson.core.JsonProcessingException; @@ -47,8 +48,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OldSSOSessionIDStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.commons.utils.JsonMapper; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; @@ -65,6 +65,8 @@ import at.gv.egovernment.moa.util.MiscUtil; @Service("AuthenticationSessionStoreage") public class DBAuthenticationSessionStoreage implements IAuthenticationSessionStoreage{ + @Autowired AuthConfiguration authConfig; + private static JsonMapper mapper = new JsonMapper(); @Override @@ -749,44 +751,30 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } } - public String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException { + public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException { AuthenticatedSessionStore dbsession = null; + Date now = new Date(); - //search for active SSO session - if (MiscUtil.isNotEmpty(ssoID)) { - String moaSession = getMOASessionSSOID(ssoID); - if (MiscUtil.isNotEmpty(moaSession)) { - try { - dbsession = searchInDatabase(moaSession, true); - - }catch (MOADatabaseException e) { + //search for active session + String moaSession = getMOASessionSSOID(req.getMOASessionIdentifier()); + if (MiscUtil.isNotEmpty(moaSession)) { + try { + dbsession = searchInDatabase(moaSession, true); - } - } - } - - String id = null; - Date now = new Date(); - //create new MOASession if any exists - AuthenticationSession session = null; - if (dbsession == null) { - id = Random.nextRandom(); - dbsession = new AuthenticatedSessionStore(); - dbsession.setSessionid(id); - dbsession.setCreated(now); - dbsession.setPendingRequestID(req.getRequestID()); - session = new AuthenticationSession(id, now); + }catch (MOADatabaseException e) { + Logger.error("NO MOASession found but MOASession MUST already exist!"); + throw e; + } + } - } else { - id = dbsession.getSessionid(); - session = decryptSession(dbsession); + AuthenticationSession session = decryptSession(dbsession); - } - - dbsession.setInterfederatedSSOSession(true); + //set Session parameters + session.setAuthenticated(isAuthenticated); dbsession.setAuthenticated(isAuthenticated); + dbsession.setInterfederatedSSOSession(true); dbsession.setUpdated(now); - session.setAuthenticated(true); + encryptSession(session, dbsession); //add interfederation information @@ -816,16 +804,8 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt idp.setIdpurlprefix(interFedEntityID); idp.setAuthURL(req.getAuthURL()); - try { - OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance(). - getOnlineApplicationParameter(idp.getIdpurlprefix()); - idp.setStoreSSOInformation(oa.isInterfederationSSOStorageAllowed()); - - } catch (ConfigurationException e) { - Logger.warn("MOASession could not be created."); - throw new MOADatabaseException(e); - - } + OAAuthParameter oa = authConfig.getOnlineApplicationParameter(idp.getIdpurlprefix()); + idp.setStoreSSOInformation(oa.isInterfederationSSOStorageAllowed()); idp.setMoasession(dbsession); idpList.add(idp); @@ -839,14 +819,12 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt //store AssertionStore element to Database try { MOASessionDBUtils.saveOrUpdate(dbsession); - Logger.debug("MOASession with sessionID=" + id + " is stored in Database"); } catch (MOADatabaseException e) { Logger.warn("MOASession could not be created."); throw new MOADatabaseException(e); } - return id; } @Override diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java index e89713b2e..2fd540a67 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java @@ -242,14 +242,12 @@ public interface IAuthenticationSessionStoreage { * * @param req Pending request * @param isAuthenticated true if the session should be marked as authenticated, otherwise false - * @param ssoID Single Sign-On session identifer - * @return MOASessionID of new created MOASession * @throws MOADatabaseException * @throws AssertionAttributeExtractorExeption * @throws BuildException */ @Deprecated - public String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException; + public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException; /** * Search an active federation IDP which could be used for federated Single Sign-On by using an AttributeQuery diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 92f4c1fa2..50d01ce2f 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -270,6 +270,15 @@ pvp2.21=Die Signature des Requests konnte nicht g\u00FCltig validiert werden. pvp2.22=Der Request konnte nicht g\u00FCltig validiert werden (Fehler\={0}). pvp2.23={0} ist keine gueltige AssertionConsumerServiceURL oder entspricht nicht den Metadaten. + +##add status codes!!!! +sp.pvp2.00=Can not build PVP AuthnRequest for IDP {0}. No valid SingleSignOnService endpoint found. +sp.pvp2.01=Can not build PVP AuthnRequest for IDP {0}. IDP is not allowed for federated authentication. +sp.pvp2.02=Can not build PVP AuthnRequest for IDP {0}. IDP has no (valid) metadata. +sp.pvp2.03=Receive PVP Response from IDP with unsupported Binding. +sp.pvp2.04=Receive invalid PVP Response from IDP. No PVP metadata found. +sp.pvp2.04=Receive invalid PVP Response from IDP {0}. StatusCode {1}. + oauth20.01=Fehlerhafte redirect url oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}" oauth20.03=Angeforderter response_type ist nicht erlaubt diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java index 97e4c0a20..e2f851132 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java @@ -44,4 +44,7 @@ public class FederatedAuthConstants { public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password"; public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias"; + public static final String CONFIG_DEFAULT_QAA_STORK_LEVEL = "http://www.stork.gov.eu/1.0/citizenQAALevel/4"; + public static final String CONFIG_DEFAULT_QAA_SECCLASS_LEVEL = "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3"; + } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java index 4a610549d..6abc60c46 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java @@ -22,6 +22,7 @@ */ package at.gv.egovernment.moa.id.auth.modules.federatedauth; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.modules.AuthModule; import at.gv.egovernment.moa.id.process.api.ExecutionContext; @@ -45,8 +46,15 @@ public class FederatedAuthenticationModuleImpl implements AuthModule { */ @Override public String selectProcess(ExecutionContext context) { - // TODO Auto-generated method stub - return null; + //select interfederation authentication if PERFORM_INTERFEDERATION_AUTH flag is set + Object performfedAuthObj = context.get(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH); + if (performfedAuthObj != null && performfedAuthObj instanceof Boolean) { + if ((boolean) performfedAuthObj) + return "SSOfederationAuthentication"; + + } + + return null; } /* (non-Javadoc) diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java new file mode 100644 index 000000000..eca5c7649 --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java @@ -0,0 +1,161 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.federatedauth.config; + +import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; +import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.xml.security.credential.Credential; + +import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation; + +/** + * @author tlenz + * + */ +public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnRequestBuilderConfiguruation { + + private boolean isPassive; + private String SPEntityID; + private String QAA_Level; + private EntityDescriptor idpEntity; + private Credential signCred; + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#isPassivRequest() + */ + @Override + public Boolean isPassivRequest() { + return this.isPassive; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAssertionConsumerServiceId() + */ + @Override + public Integer getAssertionConsumerServiceId() { + return 0; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getEntityID() + */ + @Override + public String getSPEntityID() { + return this.SPEntityID; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() + */ + @Override + public String getNameIDPolicyFormat() { + return NameID.TRANSIENT; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getNameIDPolicy() + */ + @Override + public boolean getNameIDPolicyAllowCreation() { + return true; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextClassRef() + */ + @Override + public String getAuthnContextClassRef() { + return this.QAA_Level; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnContextComparison() + */ + @Override + public AuthnContextComparisonTypeEnumeration getAuthnContextComparison() { + return AuthnContextComparisonTypeEnumeration.MINIMUM; + } + + /** + * @param isPassive the isPassive to set + */ + public void setPassive(boolean isPassive) { + this.isPassive = isPassive; + } + + /** + * @param sPEntityID the sPEntityID to set + */ + public void setSPEntityID(String sPEntityID) { + SPEntityID = sPEntityID; + } + + /** + * @param qAA_Level the qAA_Level to set + */ + public void setQAA_Level(String qAA_Level) { + QAA_Level = qAA_Level; + } + + /** + * @param idpEntity the idpEntity to set + */ + public void setIdpEntity(EntityDescriptor idpEntity) { + this.idpEntity = idpEntity; + } + + /** + * @param signCred the signCred to set + */ + public void setSignCred(Credential signCred) { + this.signCred = signCred; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential() + */ + @Override + public Credential getAuthnRequestSigningCredential() { + return this.signCred; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getIDPEntityDescriptor() + */ + @Override + public EntityDescriptor getIDPEntityDescriptor() { + return this.idpEntity; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameID() + */ + @Override + public String getSubjectNameID() { + return null; + } + + +} diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java index d41a25a10..c06800079 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java @@ -33,9 +33,12 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; -import at.gv.egovernment.moa.id.auth.modules.federatedauth.builder.FederatedAuthMetadataBuilder; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.config.FederatedAuthMetadataConfiguration; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; import at.gv.egovernment.moa.id.auth.servlet.AbstractController; import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPMetadataBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration; import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.logging.Logger; @@ -46,8 +49,9 @@ import at.gv.egovernment.moa.logging.Logger; @Controller public class FederatedAuthMetadataController extends AbstractController { - @Autowired FederatedAuthMetadataBuilder metadatabuilder; + @Autowired PVPMetadataBuilder metadatabuilder; @Autowired AuthConfiguration authConfig; + @Autowired FederatedAuthCredentialProvider credentialProvider; public FederatedAuthMetadataController() { super(); @@ -68,8 +72,12 @@ public class FederatedAuthMetadataController extends AbstractController { return; } else { + //initialize metadata builder configuration + IPVPMetadataBuilderConfiguration metadataConfig = + new FederatedAuthMetadataConfiguration(authURL, credentialProvider); + //build metadata - String xmlMetadata = metadatabuilder.buildPVPMetadata(authURL); + String xmlMetadata = metadatabuilder.buildPVPMetadata(metadataConfig); //write response resp.setContentType("text/xml"); diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java new file mode 100644 index 000000000..2e134713b --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java @@ -0,0 +1,220 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks; + +import java.lang.reflect.InvocationTargetException; +import java.security.NoSuchAlgorithmException; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.provider.MetadataProviderException; +import org.opensaml.ws.message.encoder.MessageEncodingException; +import org.opensaml.xml.security.SecurityException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; +import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.config.FederatedAuthnRequestBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestBuildException; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.id.util.PVPtoSTORKMapper; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +@Component("CreateFederatedAuthnRequestTask") +public class CreateAuthnRequestTask extends AbstractAuthServletTask { + + @Autowired PVPAuthnRequestBuilder authnReqBuilder; + @Autowired FederatedAuthCredentialProvider credential; + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + try{ + // get IDP entityID + String idpEntityID = pendingReq.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class); + + if (MiscUtil.isEmpty(idpEntityID)) { + Logger.info("Interfederation not possible -> not inderfederation IDP EntityID found!"); + throw new TaskExecutionException(pendingReq, "Interfederation not possible", new MOAIDException("No inderfederation-IDP EntityID found.", null)); + + } + + //load IDP configuration from MOA-ID Configuration + OAAuthParameter idpConfig = authConfig.getOnlineApplicationParameter(idpEntityID); + //validate IDP + if (!idpConfig.isInderfederationIDP() || !idpConfig.isInboundSSOInterfederationAllowed()) { + Logger.info("Requested interfederation IDP " + idpEntityID + " is not valid for interfederation."); + Logger.debug("isInderfederationIDP:" + String.valueOf(idpConfig.isInderfederationIDP()) + + " isInboundSSOAllowed:" + String.valueOf(idpConfig.isInboundSSOInterfederationAllowed())); + + handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.01", new Object[]{idpEntityID}); + + return; + + } + + //load IDP SAML2 entitydescriptor + EntityDescriptor idpEntity = MOAMetadataProvider.getInstance(). + getEntityDescriptor(idpEntityID); + if (idpEntity == null) { + Logger.warn("Requested IDP " + idpEntityID + + " has no valid metadata or metadata is not found"); + + handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.02", new Object[]{idpEntityID}); + return; + + } + + //setup AuthnRequestBuilder configuration + FederatedAuthnRequestBuilderConfiguration authnReqConfig = new FederatedAuthnRequestBuilderConfiguration(); + authnReqConfig.setIdpEntity(idpEntity); + authnReqConfig.setPassive(idpConfig.isPassivRequestUsedForInterfederation()); + authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential()); + authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA); + authnReqConfig.setQAA_Level(evaluateRequiredQAALevel()); + + //build and transmit AuthnRequest + authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response); + + } catch (MOAIDException | MetadataProviderException e) { + throw new TaskExecutionException(pendingReq, "Build PVP2.1 AuthnRequest for SSO inderfederation FAILED.", e); + + } catch (MessageEncodingException | NoSuchAlgorithmException | SecurityException e) { + Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e); + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } catch (Exception e) { + Logger.error("Build PVP2.1 AuthnRequest for SSO inderfederation FAILED", e); + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } + } + + /** + * @param executionContext + * @param idpConfig + * @param message + * @param objects + * @throws AuthnRequestBuildException + */ + private void handleAuthnRequestBuildProblem(ExecutionContext executionContext, OAAuthParameter idpConfig, String msgCode, Object[] objects) throws AuthnRequestBuildException { + + if (idpConfig.isPerformLocalAuthenticationOnInterfederationError()) { + Logger.info("Switch to local authentication on this IDP ... "); + + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true); + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, true); + + executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH); + + } else { + throw new AuthnRequestBuildException(msgCode, objects); + + } + + } + + private String evaluateRequiredQAALevel() { + IOAAuthParameters sp = pendingReq.getOnlineApplicationConfiguration(); + + //check if STORK protocol module is in ClassPath + Object storkRequst = null; + Integer storkSecClass = null; + try { + storkRequst = Class.forName("at.gv.egovernment.moa.id.protocols.stork2.MOASTORKRequest").newInstance(); + if (storkRequst != null && + pendingReq.getClass().isInstance(storkRequst)) { + Object storkAuthnRequest = pendingReq.getClass().getMethod("getStorkAuthnRequest", null).invoke(pendingReq, null); + storkSecClass = (Integer) storkAuthnRequest.getClass().getMethod("getQaa", null).invoke(storkAuthnRequest, null); + + } + + } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) { + + + } + + if (sp != null && sp.isSTORKPVPGateway()){ + //use PVP SecClass instead of STORK QAA level + String secClass = null; + if (storkRequst != null && + pendingReq.getClass().isInstance(storkRequst)) { + + try { + secClass = PVPtoSTORKMapper.getInstance().mapToSecClass( + PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass)); + + } catch (Exception e) { + Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4", e); + + } + } + + if (MiscUtil.isNotEmpty(secClass)) + return secClass; + else + return FederatedAuthConstants.CONFIG_DEFAULT_QAA_SECCLASS_LEVEL; + + } else { + if (storkRequst != null && pendingReq.getClass().isInstance(storkRequst)) { + //use requested QAA level from STORK request + try { + String qaaLevel = PVPConstants.STORK_QAA_PREFIX + String.valueOf(storkSecClass); + Logger.debug("Use STORK-QAA level " + qaaLevel + " from STORK request"); + return qaaLevel; + + + } catch (Exception e) { + Logger.warn("Read STORK-QAA level FAILED with an exception.", e); + + } + } + Logger.warn("STORK-QAA level can not read from STORK request. Use default QAA 4"); + return FederatedAuthConstants.CONFIG_DEFAULT_QAA_STORK_LEVEL; + + } + } + +} diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java new file mode 100644 index 000000000..49f9782ae --- /dev/null +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -0,0 +1,225 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks; + +import java.io.IOException; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.transform.TransformerException; + +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.ws.message.decoder.MessageDecodingException; +import org.opensaml.xml.io.MarshallingException; +import org.opensaml.xml.security.SecurityException; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Component; + +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; +import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; +import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.moduls.SSOManager; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnResponseValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; +import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +@Component("ReceiveFederatedAuthnResponseTask") +public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { + + @Autowired SAMLVerificationEngine samlVerificationEngine; + @Autowired FederatedAuthCredentialProvider credentialProvider; + @Autowired SSOManager ssoManager; + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) + */ + @Override + public void execute(ExecutionContext executionContext, HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + InboundMessage msg = null; + + try { + + IDecoder decoder = null; + //select Response Binding + if (request.getMethod().equalsIgnoreCase("POST")) { + decoder = new PostBinding(); + Logger.trace("Receive PVP Response from federated IDP, by using POST-Binding."); + + } else if (request.getMethod().equalsIgnoreCase("GET")) { + decoder = new RedirectBinding(); + Logger.trace("Receive PVP Response from federated IDP, by using Redirect-Binding."); + + } else { + Logger.warn("Receive PVP Response, but Binding (" + + request.getMethod() + ") is not supported."); + throw new AuthnResponseValidationException("sp.pvp2.03", null); + + } + + //decode PVP response object + msg = (InboundMessage) decoder.decode(request, response, true); + + if (MiscUtil.isEmpty(msg.getEntityID())) { + throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {}); + + } + + //validate response signature + if(!msg.isVerified()) { + samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + msg.setVerified(true); + + } + + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_AUTHRESPONSE); + + //validate assertion + MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); + + //store valid assertion into pending-request + pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); + + //update MOASession with federation information + authenticatedSessionStorage.createInterfederatedSession(pendingReq, true); + + //store pending-request + requestStoreage.storePendingRequest(pendingReq); + + //write log entries + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED); + Logger.info("Receive a valid assertion from IDP " + msg.getEntityID()); + + } catch (MessageDecodingException | SecurityException e) { + String samlRequest = request.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID PVP Response from federated IDP: " + samlRequest, e); + throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from federated IDP", e); + + } catch (IOException | MarshallingException | TransformerException e) { + Logger.warn("Processing PVP response from federated IDP FAILED.", e); + throw new TaskExecutionException(pendingReq, "Processing PVP response from federated IDP FAILED.", e); + + } catch (CredentialsNotAvailableException e) { + Logger.error("PVP response decrytion FAILED. No credential found.", e); + throw new TaskExecutionException(pendingReq, "PVP response decrytion FAILED. No credential found.", e); + + } catch (AssertionValidationExeption | AuthnResponseValidationException e) { + Logger.info("PVP response validation FAILED. Msg:" + e.getMessage()); + if (msg != null) { + OAAuthParameter idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID()); + + //remove federated IDP from SSO session if exists + ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), request); + + //select next step + handleAuthnResponseValidationProblem(executionContext, idpConfig, e); + + } else + throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e); + + } catch (Exception e) { + + + } + + } + + /** + * @param executionContext + * @param idpConfig + * @param message + * @param objects + * @throws TaskExecutionException + * @throws Throwable + */ + private void handleAuthnResponseValidationProblem(ExecutionContext executionContext, OAAuthParameter idpConfig, Throwable e) throws TaskExecutionException { + + if (idpConfig != null && idpConfig.isPerformLocalAuthenticationOnInterfederationError()) { + Logger.info("Switch to local authentication on this IDP ... "); + + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION, true); + executionContext.put(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_BKUSELECTION, true); + + executionContext.remove(MOAIDAuthConstants.PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH); + + } else { + throw new TaskExecutionException(pendingReq, "PVP response validation FAILED.", e); + + } + + } + + /** + * PreProcess AuthResponse and Assertion + * @param msg + * @throws TransformerException + * @throws MarshallingException + * @throws IOException + * @throws CredentialsNotAvailableException + * @throws AssertionValidationExeption + * @throws AuthnResponseValidationException + */ + private MOAResponse preProcessAuthResponse(MOAResponse msg) throws IOException, MarshallingException, TransformerException, AssertionValidationExeption, CredentialsNotAvailableException, AuthnResponseValidationException { + Logger.debug("Start PVP21 assertion processing... "); + Response samlResp = (Response) msg.getResponse(); + + // check SAML2 response status-code + if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + //validate PVP 2.1 assertion + samlVerificationEngine.validateAssertion(samlResp, true, credentialProvider.getIDPAssertionEncryptionCredential()); + + msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); + return msg; + + } else { + Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() + + " from federated IDP."); + throw new AuthnResponseValidationException("sp.pvp2.04", + new Object[]{samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()}); + + } + + } + +} diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml index 4ff64e76d..c5c491ff8 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/federatedauth/federated.Authentication.process.xml @@ -1,18 +1,26 @@ - + - - - - + + + + - - - - - + + + + + + + + + + + + + - + \ No newline at end of file diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml index 3c3dd5b23..4933504f0 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/resources/moaid_federated_auth.beans.xml @@ -10,9 +10,7 @@ http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-3.0.xsd"> - - - + @@ -24,8 +22,15 @@ + + + + - + \ No newline at end of file -- cgit v1.2.3 From 48fd33725c53136fe505067b93390b39e19c41b7 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 2 Mar 2016 11:20:36 +0100 Subject: temporarily commit to save state --- .../moa/id/auth/MOAIDAuthConstants.java | 2 + .../id/auth/builder/AuthenticationDataBuilder.java | 274 +++++++++++---------- .../builder/DynamicOAAuthParameterBuilder.java | 2 +- .../id/data/FederatedAuthenticatenContainer.java | 125 ++++++++++ .../moa/id/moduls/AuthenticationManager.java | 3 +- .../at/gv/egovernment/moa/id/moduls/IRequest.java | 10 + .../gv/egovernment/moa/id/moduls/RequestImpl.java | 2 +- .../gv/egovernment/moa/id/moduls/SSOManager.java | 10 +- ...MandateLegalPersonFullNameAttributeBuilder.java | 40 +-- ...andateLegalPersonSourcePinAttributeBuilder.java | 62 ++--- ...teLegalPersonSourcePinTypeAttributeBuilder.java | 56 +++-- .../MandateNaturalPersonBPKAttributeBuilder.java | 82 +++--- ...dateNaturalPersonBirthDateAttributeBuilder.java | 73 ++++-- ...ateNaturalPersonFamilyNameAttributeBuilder.java | 47 ++-- ...dateNaturalPersonGivenNameAttributeBuilder.java | 49 ++-- .../MandateProfRepDescAttributeBuilder.java | 45 ++-- .../MandateProfRepOIDAttributeBuilder.java | 21 +- .../attributes/MandateTypeAttributeBuilder.java | 31 ++- .../id/protocols/pvp2x/AttributQueryAction.java | 33 ++- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 94 ++++++- .../moa/id/protocols/pvp2x/PVPConstants.java | 2 +- .../id/protocols/pvp2x/PVPTargetConfiguration.java | 6 + .../moa/id/protocols/pvp2x/binding/IDecoder.java | 3 +- .../id/protocols/pvp2x/binding/PostBinding.java | 8 +- .../protocols/pvp2x/binding/RedirectBinding.java | 7 +- .../id/protocols/pvp2x/binding/SoapBinding.java | 5 +- .../pvp2x/builder/PVPAttributeBuilder.java | 19 +- .../pvp2x/builder/PVPAuthnRequestBuilder.java | 23 +- .../builder/assertion/PVP2AssertionBuilder.java | 6 +- .../pvp2x/config/IDPPVPMetadataConfiguration.java | 8 + .../IPVPAuthnRequestBuilderConfiguruation.java | 15 ++ .../config/IPVPMetadataBuilderConfiguration.java | 7 + .../pvp2x/metadata/MOAMetadataProvider.java | 113 +-------- .../pvp2x/metadata/SimpleMOAMetadataProvider.java | 135 ++++++++++ .../pvp2x/utils/AssertionAttributeExtractor.java | 14 +- .../pvp2x/verification/TrustEngineFactory.java | 8 +- .../metadata/MOASPMetadataSignatureFilter.java | 130 ++++++++++ .../metadata/SchemaValidationFilter.java | 7 +- .../storage/DBAuthenticationSessionStoreage.java | 53 ++-- .../id/storage/IAuthenticationSessionStoreage.java | 11 +- .../resources/properties/id_messages_de.properties | 17 +- .../protocol_response_statuscodes_de.properties | 15 ++ .../moa/id/module/test/TestRequestImpl.java | 11 + .../db/dao/session/AuthenticatedSessionStore.java | 115 +++++++-- .../id/commons/db/dao/session/OASessionStore.java | 18 ++ .../engine/MOAeIDASChainingMetadataProvider.java | 3 +- .../engine/MOAeIDASMetadataSignatureFilter.java | 132 ---------- .../elgamandates/ELGAMandatesAuthConstants.java | 54 +++- .../DefaultAuth_with_ELGA_mandates.process.xml | 13 +- .../moaid_elga_mandate_client_auth.beans.xml | 24 +- .../attributes/OAuth20AttributeBuilder.java | 2 +- .../oauth20/protocol/OAuth20AuthAction.java | 2 +- .../federatedauth/FederatedAuthConstants.java | 2 + .../config/FederatedAuthMetadataConfiguration.java | 9 + .../FederatedAuthnRequestBuilderConfiguration.java | 18 ++ .../tasks/CreateAuthnRequestTask.java | 4 +- .../tasks/ReceiveAuthnResponseTask.java | 213 +++++++++++++++- .../moa/id/protocols/saml1/SAML1RequestImpl.java | 2 - 58 files changed, 1561 insertions(+), 734 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java delete mode 100644 id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index 1a9018563..c7ef73b47 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -184,5 +184,7 @@ public class MOAIDAuthConstants extends MOAIDConstants{ public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName"; public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate"; + //General MOASession data-store keys + public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert"; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 8a9999d85..999f289e0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -45,10 +45,6 @@ import javax.xml.bind.Marshaller; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.AuthnStatement; -import org.opensaml.saml2.core.Response; -import org.opensaml.ws.soap.common.SOAPException; -import org.opensaml.xml.XMLObject; -import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.w3c.dom.Element; @@ -82,7 +78,6 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory; import at.gv.egovernment.moa.id.data.IAuthData; @@ -91,7 +86,6 @@ import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; @@ -99,7 +93,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; @@ -125,140 +118,62 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { @Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage; @Autowired protected AuthConfiguration authConfig; - @Autowired private AttributQueryBuilder attributQueryBuilder; - @Autowired private SAMLVerificationEngine samlVerificationEngine; - public IAuthData buildAuthenticationData(IRequest protocolRequest, - AuthenticationSession session, List reqAttributes) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { - AuthenticationData authdata = null; + public IAuthData buildAuthenticationDataForAttributQuery(IRequest pendingReq, + AuthenticationSession session, List reqAttributes) { + AuthenticationData authdata = new AuthenticationData(); - //only needed for SAML1 legacy support try { - //check if SAML1 authentication module is in Classpath - Class saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); - IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance(); - if (saml1RequstTemplate != null && - saml1RequstTemplate.isInstance(protocolRequest)) { - //request is SAML1 --> invoke SAML1 protocol specific methods - if (session.getExtendedSAMLAttributesOA() == null) { - saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, new ArrayList()); - - } else { - saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, session.getExtendedSAMLAttributesOA()); - } + //mark AttributeQuery as used if it exists + OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, pendingReq.getOAURL(), pendingReq.requestedModule()); + if (activeOA != null) { + //reuse some parameters if it is a Service-Provider reauthentication + authdata.setSessionIndex(activeOA.getAssertionSessionID()); + authdata.setNameID(activeOA.getUserNameID()); + authdata.setNameIDFormat(activeOA.getUserNameIDFormat()); - authdata = (AuthenticationData) saml1authdata; - - } else { - authdata = new AuthenticationData(); - - } - - } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) { - authdata = new AuthenticationData(); - - } - - //reuse some parameters if it is a Service-Provider reauthentication - OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, protocolRequest.getOAURL(), protocolRequest.requestedModule()); - if (activeOA != null) { - authdata.setSessionIndex(activeOA.getAssertionSessionID()); - authdata.setNameID(activeOA.getUserNameID()); - authdata.setNameIDFormat(activeOA.getUserNameIDFormat()); - - //mark AttributeQuery as used - if ( protocolRequest instanceof PVPTargetConfiguration && - ((PVPTargetConfiguration) protocolRequest).getRequest() instanceof MOARequest && - ((PVPTargetConfiguration) protocolRequest).getRequest().getInboundMessage() instanceof AttributeQuery) { - try { - activeOA.setAttributeQueryUsed(true); - MOASessionDBUtils.saveOrUpdate(activeOA); + //mark + if ( pendingReq instanceof PVPTargetConfiguration && + ((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest && + ((PVPTargetConfiguration) pendingReq).getRequest().getInboundMessage() instanceof AttributeQuery) { + try { + activeOA.setAttributeQueryUsed(true); + MOASessionDBUtils.saveOrUpdate(activeOA); - } catch (MOADatabaseException e) { - Logger.error("MOASession interfederation information can not stored to database.", e); + } catch (MOADatabaseException e) { + Logger.error("MOASession interfederation information can not stored to database.", e); - } + } + } } - } - - //search federated IDP information in MOASession - InterfederationSessionStore interfIDP = authenticatedSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); - IOAAuthParameters oaParam = null; - if (reqAttributes == null) { - //get OnlineApplication from MOA-ID-Auth configuration - oaParam = protocolRequest.getOnlineApplicationConfiguration(); - - //build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway - if (oaParam.isSTORKPVPGateway()) - oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, protocolRequest); - - } else { - //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) - oaParam = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes, interfIDP); + getAuthDataFromInterfederation(authdata, session, spConfig, pendingReq, interfIDP, idp, reqAttributes); - } - - if (interfIDP != null ) { - //authentication by using a federated IDP - if (oaParam.isInderfederationIDP() && protocolRequest instanceof PVPTargetConfiguration && - !(((PVPTargetConfiguration)protocolRequest).getRequest() instanceof AttributeQuery)) { - //IDP is a chained interfederated IDP and Authentication is requested - - //only set minimal response attributes - authdata.setQAALevel(interfIDP.getQAALevel()); - authdata.setBPK(interfIDP.getUserNameID()); - - } else { - //get attributes from interfederated IDP - OAAuthParameter idp = authConfig.getOnlineApplicationParameter(interfIDP.getIdpurlprefix()); - getAuthDataFromInterfederation(authdata, session, oaParam, protocolRequest, interfIDP, idp, reqAttributes); + + + + + + //mark attribute request as used + try { + interfIDP.setAttributesRequested(true); + MOASessionDBUtils.saveOrUpdate(interfIDP); + + } catch (MOADatabaseException e) { + Logger.error("MOASession interfederation information can not stored to database.", e); - //mark attribute request as used - try { - interfIDP.setAttributesRequested(true); - MOASessionDBUtils.saveOrUpdate(interfIDP); - - } catch (MOADatabaseException e) { - Logger.error("MOASession interfederation information can not stored to database.", e); - - } } - } else { - //build AuthenticationData from MOASession - buildAuthDataFormMOASession(authdata, session, oaParam, protocolRequest); - - } - return authdata; + return authdata; + + } catch (DynamicOABuildException e) { + //TODO: + + } } - /** - * @param req - * @param session - * @param reqAttributes - * @return - * @throws WrongParametersException - * @throws ConfigurationException - * @throws BuildException - * @throws DynamicOABuildException - */ - public IAuthData buildAuthenticationData(IRequest req, - AuthenticationSession session) throws WrongParametersException, ConfigurationException, BuildException, DynamicOABuildException { - return buildAuthenticationData(req, session, null); - } - /** - * @param authdata - * @param session - * @param oaParam - * @param protocolRequest - * @param interfIDP - * @param idp - * @param reqQueryAttr - * @throws ConfigurationException - */ private void getAuthDataFromInterfederation( AuthenticationData authdata, AuthenticationSession session, IOAAuthParameters oaParam, IRequest req, @@ -363,6 +278,76 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } } + + public IAuthData buildAuthenticationData(IRequest pendingReq, + AuthenticationSession session) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { + AuthenticationData authdata = null; + + //only needed for SAML1 legacy support + try { + //check if SAML1 authentication module is in Classpath + Class saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); + IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance(); + if (saml1RequstTemplate != null && + saml1RequstTemplate.isInstance(pendingReq)) { + //request is SAML1 --> invoke SAML1 protocol specific methods + if (session.getExtendedSAMLAttributesOA() == null) { + saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, new ArrayList()); + + } else { + saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, session.getExtendedSAMLAttributesOA()); + } + + authdata = (AuthenticationData) saml1authdata; + + } else { + authdata = new AuthenticationData(); + + } + + } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) { + authdata = new AuthenticationData(); + + } + + OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, pendingReq.getOAURL(), pendingReq.requestedModule()); + //reuse authentication information in case of service-provider reauthentication + if (activeOA != null) { + authdata.setSessionIndex(activeOA.getAssertionSessionID()); + authdata.setNameID(activeOA.getUserNameID()); + authdata.setNameIDFormat(activeOA.getUserNameIDFormat()); + + } + + //get OnlineApplication from MOA-ID-Auth configuration + IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); + + //TODO: move to eIDAS-Code in case of ISA1.18 action is enabled for eIDAS + //build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway + if (oaParam.isSTORKPVPGateway()) + oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, pendingReq); + + //check if minimal response is required + + //TODO check if really required + Boolean isMinimalFrontChannelResp = pendingReq.getGenericData( + PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, Boolean.class); + if (isMinimalFrontChannelResp != null && isMinimalFrontChannelResp) { + //only set minimal response attributes + authdata.setQAALevel( + pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, String.class)); + authdata.setBPK( + pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, String.class)); + + } else { + //build AuthenticationData from MOASession + buildAuthDataFormMOASession(authdata, session, oaParam, pendingReq); + + } + + return authdata; + } + private void buildAuthDataFormInterfederationResponse( AuthenticationData authData, AuthenticationSession session, @@ -982,19 +967,45 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { MISMandate mandate = session.getMISMandate(); - authData.setMISMandate(mandate); - authData.setUseMandate(session.getUseMandate()); + if (session.getUseMandate() && mandate == null) { + Logger.error("Mandate is requested but NO mandate-data is found!."); + throw new BuildException("builder.00", new Object[]{ + "Mandate", "Mandate is requested but NO mandate-data is found!"}); + + } + authData.setMandateReferenceValue(session.getMandateReferenceValue()); + if (mandate != null) { + //set MIS mandate to authdata + authData.setMISMandate(mandate); + authData.setUseMandate(session.getUseMandate()); + + } else { + //check if ELGA mandates exists + String mandateType = session.getGenericDataFromSession( + PVPConstants.MANDATE_TYPE_NAME, String.class); + if (MiscUtil.isNotEmpty(mandateType)) { + //switch to mandate-mode for authdata generation, because mandate-information + // is directly included in MOA-Session as PVP attributes + Logger.debug("AuthDataBuilder find directly included 'MandateType' attribute." + + " --> Switch to mandate-mode for authdata generation."); + authData.setUseMandate(true); + + } + + + } + if (session.getUseMandate() && session.isOW() && mandate != null && MiscUtil.isNotEmpty(mandate.getOWbPK())) { authData.setBPK(mandate.getOWbPK()); authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); - + //TODO: check in case of mandates for business services authData.setIdentityLink(identityLink); Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); - + } else { buildOAspecificbPK(protocolRequest, oaParam, authData, identityLink.getIdentificationValue(), @@ -1004,7 +1015,10 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } - + //TODO + } catch (BuildException e) { + throw e; + } catch (Throwable ex) { throw new BuildException("builder.00", new Object[]{ "AuthenticationData", ex.toString()}, ex); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java index 79b09503f..ab43f2f79 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -45,7 +45,7 @@ import at.gv.egovernment.moa.util.Constants; */ public class DynamicOAAuthParameterBuilder { - public static IOAAuthParameters buildFromAttributeQuery(List reqAttributes, InterfederationSessionStore interfIDP) throws DynamicOABuildException { + public static IOAAuthParameters buildFromAttributeQuery(OAAuthParameter oa, List reqAttributes, InterfederationSessionStore interfIDP) throws DynamicOABuildException { Logger.debug("Build dynamic OAConfiguration from AttributeQuery and interfederation information"); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java new file mode 100644 index 000000000..9af247714 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java @@ -0,0 +1,125 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.data; + +import java.io.Serializable; + +import at.gv.egovernment.moa.id.util.Random; + +/** + * @author tlenz + * + */ +public class FederatedAuthenticatenContainer implements Serializable { + + /** + * + */ + private static final long serialVersionUID = 6075571915585105988L; + + private String id; + private String moaSessionID; + + private String idpEntityID; + private String userNameID; + private String userQAALevel; + + /** + * Build a new data-container for federated authentication with Attribute-Query + * + */ + public FederatedAuthenticatenContainer() { + this.id = Random.nextRandom(); + + } + + /** + * Get the identifier of this container + * + * @return the identifier of this container, but never null + */ + public String getId() { + return id; + } + + /** + * Get the MOASessionID, of the corresponding MOASession + * + * @return the moaSessionID, or null if no MOASession exists + */ + public String getMoaSessionID() { + return moaSessionID; + } + /** + * @param moaSessionID the moaSessionID to set + */ + public void setMoaSessionID(String moaSessionID) { + this.moaSessionID = moaSessionID; + } + /** + * Get the Entity of the federated IDP, which has the authentication data + * + * @return the idpEntityID, but never null + */ + public String getIdpEntityID() { + return idpEntityID; + } + /** + * @param idpEntityID the idpEntityID to set + */ + public void setIdpEntityID(String idpEntityID) { + this.idpEntityID = idpEntityID; + } + /** + * Get the SAML2 NameID of the user, which is used to identify the user on the federated IDP + * + * @return the SAML2 NameID, but never null + */ + public String getUserNameID() { + return userNameID; + } + /** + * @param userNameID the userNameID to set + */ + public void setUserNameID(String userNameID) { + this.userNameID = userNameID; + } + /** + * Get the SAML2 QAA-level, which should be send to the federated IDP + * + * @return the userQAALevel, but never null + */ + public String getUserQAALevel() { + return userQAALevel; + } + /** + * @param userQAALevel the userQAALevel to set + */ + public void setUserQAALevel(String userQAALevel) { + this.userQAALevel = userQAALevel; + } + + + + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index a97486097..21ef38732 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -70,6 +70,7 @@ import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; @@ -499,7 +500,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { } else { samlVerificationEngine.verifySLOResponse(sloResp, - TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance())); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java index e1edb6b77..d5d0e6c48 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java @@ -22,6 +22,8 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.moduls; +import java.util.Collection; + import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; @@ -189,4 +191,12 @@ public interface IRequest { * @param b true, if the user has abort the authentication process, otherwise false */ public void setAbortedByUser(boolean isAborted); + + /** + * This method get a Set of PVP 2.1 attribute, which are request by this pending-request. + * + * @return A set of PVP attribute names or null if no attributes are requested + * or the Service Provider, which sends this request needs no attributes + */ + public Collection getRequestedAttributes(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index 4dade61fa..e05bedac8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -48,7 +48,7 @@ public abstract class RequestImpl implements IRequest, Serializable{ public static final String DATAID_INTERFEDERATIOIDP_URL = "interIDPURL"; public static final String DATAID_INTERFEDERATIOIDP_RESPONSE = "interIDPResponse"; - public static final String DATAID_REQUESTED_ATTRIBUTES = "requestedAttributes"; + public static final String DATAID_REQUESTED_ATTRIBUTES = "requestedAttributes"; private static final long serialVersionUID = 1L; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java index 3b7c99d5a..db4022cdc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/SSOManager.java @@ -150,12 +150,11 @@ public class SSOManager { return false; } - //check if request starts an interfederated SSO session + //check if stored SSO session is a federated SSO session if (protocolRequest != null && - protocolRequest instanceof RequestImpl && - storedSession.isInterfederatedSSOSession() && - !storedSession.isAuthenticated()) { - + storedSession.isInterfederatedSSOSession()) { + //in case of federated SSO session, jump to federated IDP for authentication + String interfederationIDP = protocolRequest.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_URL, String.class); @@ -164,6 +163,7 @@ public class SSOManager { if (selectedIDP != null) { //no local SSO session exist -> request interfederated IDP + Logger.info("SSO Session refer to federated IDP: " + selectedIDP.getIdpurlprefix()); protocolRequest.setGenericDataToSession( RequestImpl.DATAID_INTERFEDERATIOIDP_URL, selectedIDP.getIdpurlprefix()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java index 7144ebe6d..67eb92d9b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonFullNameAttributeBuilder.java @@ -27,12 +27,12 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttributeBuilder { @@ -43,22 +43,32 @@ public class MandateLegalPersonFullNameAttributeBuilder implements IPVPAttribute public ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { if (authData.isUseMandate()) { - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); - if (corporation == null) { - Logger.error("No corporation mandate"); - throw new NoMandateDataAttributeException(); - } + //get PVP attribute directly, if exists + String fullName = authData.getGenericData(MANDATE_LEG_PER_FULL_NAME_NAME, String.class); + + if (MiscUtil.isEmpty(fullName)) { + Element mandate = authData.getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + + } + CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); + if (corporation == null) { + Logger.error("No corporation mandate"); + throw new NoMandateDataAttributeException(); + + } + fullName = corporation.getFullName(); + } return g.buildStringAttribute(MANDATE_LEG_PER_FULL_NAME_FRIENDLY_NAME, MANDATE_LEG_PER_FULL_NAME_NAME, - corporation.getFullName()); + fullName); + } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java index 12dc8877b..9474cd832 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinAttributeBuilder.java @@ -26,14 +26,13 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; -import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttributeBuilder { @@ -44,36 +43,39 @@ public class MandateLegalPersonSourcePinAttributeBuilder implements IPVPAttribu public ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { if(authData.isUseMandate()) { - Element mandate = authData.getMandate(); - if(mandate == null) { - throw new NoMandateDataAttributeException(); + + //get PVP attribute directly, if exists + String sourcePin = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class); + + if (MiscUtil.isEmpty(sourcePin)) { + Element mandate = authData.getMandate(); + if(mandate == null) { + throw new NoMandateDataAttributeException(); + + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if(mandateObject == null) { + throw new NoMandateDataAttributeException(); + + } + CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); + if(corporation == null) { + Logger.error("No corporation mandate"); + throw new NoMandateDataAttributeException(); + + } + if(corporation.getIdentification().size() == 0) { + Logger.error("Failed to generate IdentificationType"); + throw new NoMandateDataAttributeException(); + + } + + sourcePin = corporation.getIdentification().get(0).getValue().getValue(); + } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if(mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); - if(corporation == null) { - Logger.error("No corporation mandate"); - throw new NoMandateDataAttributeException(); - } - IdentificationType id = null; - if(corporation.getIdentification().size() == 0) { - Logger.error("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); - } - id = corporation.getIdentification().get(0); - /*if(authSession.getBusinessService()) { - id = MandateBuilder.getWBPKIdentification(corporation); - } else { - id = MandateBuilder.getBPKIdentification(corporation); - }*/ - /*if(id == null) { - Logger.error("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); - }*/ + return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_FRIENDLY_NAME, - MANDATE_LEG_PER_SOURCE_PIN_NAME, id.getValue().getValue()); + MANDATE_LEG_PER_SOURCE_PIN_NAME, sourcePin); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java index a7a9a757b..8391c8230 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateLegalPersonSourcePinTypeAttributeBuilder.java @@ -26,14 +26,13 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; -import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttributeBuilder { @@ -44,32 +43,37 @@ public class MandateLegalPersonSourcePinTypeAttributeBuilder implements IPVPAttr public ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { if (authData.isUseMandate()) { - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); + //get PVP attribute directly, if exists + String sourcePinType = authData.getGenericData(MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class); + + if (MiscUtil.isEmpty(sourcePinType)) { + Element mandate = authData.getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + + } + CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); + if (corporation == null) { + Logger.error("No corporate mandate"); + throw new NoMandateDataAttributeException(); + + } + if (corporation.getIdentification().size() == 0) { + Logger.error("Failed to generate IdentificationType"); + throw new NoMandateDataAttributeException(); + + } + sourcePinType = corporation.getIdentification().get(0).getType(); + } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); - if (corporation == null) { - Logger.error("No corporate mandate"); - throw new NoMandateDataAttributeException(); - } - IdentificationType id = null; - if (corporation.getIdentification().size() == 0) { - Logger.error("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); - } - id = corporation.getIdentification().get(0); - /* - * id = MandateBuilder.getBPKIdentification(corporate); if (id == null) { - * Logger.error("Failed to generate IdentificationType"); throw new - * NoMandateDataAttributeException(); } - */ + return g.buildStringAttribute(MANDATE_LEG_PER_SOURCE_PIN_TYPE_FRIENDLY_NAME, MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, - id.getType()); + sourcePinType); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java index be6372913..df077a631 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBPKAttributeBuilder.java @@ -30,13 +30,13 @@ import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPers import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBuilder { @@ -45,49 +45,53 @@ public class MandateNaturalPersonBPKAttributeBuilder implements IPVPAttributeBui } public ATT build(IOAAuthParameters oaParam, IAuthData authData, - IAttributeGenerator g) throws AttributeException { - if (authData.isUseMandate()) { - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); - if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); - throw new NoMandateDataAttributeException(); - } - IdentificationType id = null; - id = physicalPerson.getIdentification().get(0); - if (id == null) { - Logger.error("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); - } + IAttributeGenerator g) throws AttributeException { + if (authData.isUseMandate()) { - String bpk; - try { + //get PVP attribute directly, if exists + String bpk = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class); + + if (MiscUtil.isEmpty(bpk)) { + //read bPK from mandate if it is not directly included + Element mandate = authData.getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); + if (physicalPerson == null) { + Logger.error("No physicalPerson mandate"); + throw new NoMandateDataAttributeException(); + } + IdentificationType id = null; + id = physicalPerson.getIdentification().get(0); + if (id == null) { + Logger.error("Failed to generate IdentificationType"); + throw new NoMandateDataAttributeException(); + } - if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { - if (oaParam.getBusinessService()) { - bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier()); + try { + if (id.getType().equals(Constants.URN_PREFIX_BASEID)) { + if (oaParam.getBusinessService()) { + bpk = new BPKBuilder().buildWBPK(id.getValue().getValue(), oaParam.getIdentityLinkDomainIdentifier()); + + } else { + bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget()); + + } - } + } else + bpk = id.getValue().getValue(); - else { - bpk = new BPKBuilder().buildBPK(id.getValue().getValue(), oaParam.getTarget()); - - } + } + catch (BuildException e) { + Logger.error("Failed to generate IdentificationType"); + throw new NoMandateDataAttributeException(); - } else - bpk = id.getValue().getValue(); - - } - catch (BuildException e) { - Logger.error("Failed to generate IdentificationType"); - throw new NoMandateDataAttributeException(); + } } return g.buildStringAttribute(MANDATE_NAT_PER_BPK_FRIENDLY_NAME, MANDATE_NAT_PER_BPK_NAME, bpk); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java index e644f49e4..663e927fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonBirthDateAttributeBuilder.java @@ -32,13 +32,13 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.InvalidDateFormatAttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttributeBuilder { @@ -49,33 +49,56 @@ public class MandateNaturalPersonBirthDateAttributeBuilder implements IPVPAttrib public ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { if (authData.isUseMandate()) { - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); - if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); - throw new NoMandateDataAttributeException(); - } - String dateOfBirth = physicalPerson.getDateOfBirth(); - try { - DateFormat mandateFormat = new SimpleDateFormat(MandateBuilder.MANDATE_DATE_OF_BIRTH_FORMAT); - Date date = mandateFormat.parse(dateOfBirth); - DateFormat pvpDateFormat = new SimpleDateFormat(MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN); - String dateString = pvpDateFormat.format(date); + //get PVP attribute directly, if exists + String birthDayString = authData.getGenericData(MANDATE_NAT_PER_BIRTHDATE_NAME, String.class); + + if (MiscUtil.isEmpty(birthDayString)) { + //read bPK from mandate if it is not directly included + Element mandate = authData.getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); + if (physicalPerson == null) { + Logger.error("No physicalPerson mandate"); + throw new NoMandateDataAttributeException(); + } + + String dateOfBirth = physicalPerson.getDateOfBirth(); + try { + DateFormat mandateFormat = new SimpleDateFormat(MandateBuilder.MANDATE_DATE_OF_BIRTH_FORMAT); + mandateFormat.setLenient(false); + Date date = mandateFormat.parse(dateOfBirth); + DateFormat pvpDateFormat = new SimpleDateFormat(MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN); + birthDayString = pvpDateFormat.format(date); + + } + catch (ParseException e) { + Logger.warn("MIS mandate birthday has an incorrect formt. (Value:" + dateOfBirth, e); + throw new InvalidDateFormatAttributeException(); + + } + + } else { + try { + DateFormat pvpDateFormat = new SimpleDateFormat(MANDATE_NAT_PER_BIRTHDATE_FORMAT_PATTERN); + pvpDateFormat.setLenient(false); + pvpDateFormat.parse(birthDayString); + + } catch (ParseException e) { + Logger.warn("Format of direct included PVP Attribute " + MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME + + " has an incorrect formt. (Value:" + birthDayString, e); + throw new InvalidDateFormatAttributeException(); + } - return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, dateString); - } - catch (ParseException e) { - e.printStackTrace(); - throw new InvalidDateFormatAttributeException(); } + + return g.buildStringAttribute(MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME, MANDATE_NAT_PER_BIRTHDATE_NAME, birthDayString); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java index fa3ad691d..dd49b2a1e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonFamilyNameAttributeBuilder.java @@ -30,12 +30,12 @@ import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateNaturalPersonFamilyNameAttributeBuilder implements IPVPAttributeBuilder { @@ -46,29 +46,38 @@ public class MandateNaturalPersonFamilyNameAttributeBuilder implements IPVPAttr public ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { if(authData.isUseMandate()) { - Element mandate = authData.getMandate(); - if(mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if(mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); - if(physicalPerson == null) { - Logger.error("No physicalPerson mandate"); - throw new NoMandateDataAttributeException(); - } - StringBuilder sb = new StringBuilder(); - Iterator fNamesit = physicalPerson.getName().getFamilyName().iterator(); + //get PVP attribute directly, if exists + String familyName = authData.getGenericData(MANDATE_NAT_PER_FAMILY_NAME_NAME, String.class); - while(fNamesit.hasNext()) { - sb.append(" " + fNamesit.next().getValue()); + if (MiscUtil.isEmpty(familyName)) { + //read mandator familyName from mandate if it is not directly included + Element mandate = authData.getMandate(); + if(mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if(mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); + if(physicalPerson == null) { + Logger.error("No physicalPerson mandate"); + throw new NoMandateDataAttributeException(); + } + + StringBuilder sb = new StringBuilder(); + Iterator fNamesit = physicalPerson.getName().getFamilyName().iterator(); + + while(fNamesit.hasNext()) + sb.append(" " + fNamesit.next().getValue()); + + familyName = sb.toString(); + } return g.buildStringAttribute(MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME, - MANDATE_NAT_PER_FAMILY_NAME_NAME, sb.toString()); + MANDATE_NAT_PER_FAMILY_NAME_NAME, familyName); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java index 4c725c1c5..8948f1227 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java @@ -29,12 +29,12 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttributeBuilder { @@ -44,29 +44,36 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib public ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authData.isUseMandate()) { - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); - if (physicalPerson == null) { - Logger.error("No physicalPerson mandate"); - throw new NoMandateDataAttributeException(); - } - - StringBuilder sb = new StringBuilder(); - Iterator gNamesit = physicalPerson.getName().getGivenName().iterator(); + if (authData.isUseMandate()) { + //get PVP attribute directly, if exists + String givenName = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class); - while (gNamesit.hasNext()) { - sb.append(" " + gNamesit.next()); + if (MiscUtil.isEmpty(givenName)) { + Element mandate = authData.getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson(); + if (physicalPerson == null) { + Logger.error("No physicalPerson mandate"); + throw new NoMandateDataAttributeException(); + } + + StringBuilder sb = new StringBuilder(); + Iterator gNamesit = physicalPerson.getName().getGivenName().iterator(); + + while (gNamesit.hasNext()) + sb.append(" " + gNamesit.next()); + + givenName = sb.toString(); + } - return g.buildStringAttribute(MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, MANDATE_NAT_PER_GIVEN_NAME_NAME, sb.toString()); + return g.buildStringAttribute(MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME, MANDATE_NAT_PER_GIVEN_NAME_NAME, givenName); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java index e70326114..d1da36aa3 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepDescAttributeBuilder.java @@ -26,7 +26,6 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.MISMandate; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -42,35 +41,37 @@ public class MandateProfRepDescAttributeBuilder implements IPVPAttributeBuilder public ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if(authData.isUseMandate()) { - String text = null; + if(authData.isUseMandate()) { + String profRepName = authData.getGenericData(MANDATE_PROF_REP_DESC_NAME, String.class); - MISMandate misMandate = authData.getMISMandate(); - - if(misMandate == null) { - throw new NoMandateDataAttributeException(); - } - - text = misMandate.getTextualDescriptionOfOID(); - - if (MiscUtil.isEmpty(text)) { - Element mandate = authData.getMandate(); - if (mandate == null) { + if (MiscUtil.isEmpty(profRepName)) { + MISMandate misMandate = authData.getMISMandate(); + + if(misMandate == null) { throw new NoMandateDataAttributeException(); } - Mandate mandateObject = MandateBuilder.buildMandate(authData.getMandate()); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } - - text = mandateObject.getAnnotation(); + profRepName = misMandate.getTextualDescriptionOfOID(); + + if (MiscUtil.isEmpty(profRepName)) { + Element mandate = authData.getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + } + Mandate mandateObject = MandateBuilder.buildMandate(authData.getMandate()); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + } + + profRepName = mandateObject.getAnnotation(); + + } } - if(MiscUtil.isNotEmpty(text)) + if(MiscUtil.isNotEmpty(profRepName)) return g.buildStringAttribute(MANDATE_PROF_REP_DESC_FRIENDLY_NAME, - MANDATE_PROF_REP_DESC_NAME, text); + MANDATE_PROF_REP_DESC_NAME, profRepName); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java index 89e9198b6..3cfc40d22 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateProfRepOIDAttributeBuilder.java @@ -23,7 +23,6 @@ package at.gv.egovernment.moa.id.protocols.builder.attributes; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.MISMandate; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; @@ -38,19 +37,23 @@ public class MandateProfRepOIDAttributeBuilder implements IPVPAttributeBuilder { public ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authData.isUseMandate()) { + if (authData.isUseMandate()) { + String profRepOID = authData.getGenericData(MANDATE_PROF_REP_OID_NAME, String.class); - MISMandate mandate = authData.getMISMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); + if (MiscUtil.isEmpty(profRepOID)) { + MISMandate mandate = authData.getMISMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + } + + profRepOID = mandate.getProfRep(); + } - - String oid = mandate.getProfRep(); - if(MiscUtil.isEmpty(oid)) + if(MiscUtil.isEmpty(profRepOID)) return null; else - return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, oid); + return g.buildStringAttribute(MANDATE_PROF_REP_OID_FRIENDLY_NAME, MANDATE_PROF_REP_OID_NAME, profRepOID); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java index 040174e26..573f0584a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateTypeAttributeBuilder.java @@ -26,11 +26,11 @@ import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.util.MandateBuilder; +import at.gv.egovernment.moa.util.MiscUtil; public class MandateTypeAttributeBuilder implements IPVPAttributeBuilder { @@ -40,17 +40,26 @@ public class MandateTypeAttributeBuilder implements IPVPAttributeBuilder { public ATT build(IOAAuthParameters oaParam, IAuthData authData, IAttributeGenerator g) throws AttributeException { - if (authData.isUseMandate()) { - Element mandate = authData.getMandate(); - if (mandate == null) { - throw new NoMandateDataAttributeException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if (mandateObject == null) { - throw new NoMandateDataAttributeException(); - } + if (authData.isUseMandate()) { + //get PVP attribute directly, if exists + String mandateType = authData.getGenericData(MANDATE_TYPE_NAME, String.class); - return g.buildStringAttribute(MANDATE_TYPE_FRIENDLY_NAME, MANDATE_TYPE_NAME, mandateObject.getAnnotation()); + if (MiscUtil.isEmpty(mandateType)) { + Element mandate = authData.getMandate(); + if (mandate == null) { + throw new NoMandateDataAttributeException(); + + } + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if (mandateObject == null) { + throw new NoMandateDataAttributeException(); + + } + mandateType = mandateObject.getAnnotation(); + + } + + return g.buildStringAttribute(MANDATE_TYPE_FRIENDLY_NAME, MANDATE_TYPE_NAME, mandateType); } return null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index bd6399377..c733e662a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -50,7 +50,6 @@ import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; @@ -80,31 +79,29 @@ public class AttributQueryAction implements IAction { * @see at.gv.egovernment.moa.id.moduls.IAction#processRequest(at.gv.egovernment.moa.id.moduls.IRequest, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse, at.gv.egovernment.moa.id.data.IAuthData) */ @Override - public SLOInformationInterface processRequest(IRequest req, + public SLOInformationInterface processRequest(IRequest pendingReq, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { - if (req instanceof PVPTargetConfiguration && - ((PVPTargetConfiguration) req).getRequest() instanceof MOARequest && - ((MOARequest)((PVPTargetConfiguration) req).getRequest()).getSamlRequest() instanceof AttributeQuery) { + if (pendingReq instanceof PVPTargetConfiguration && + ((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest && + ((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest() instanceof AttributeQuery) { - AttributeQuery attrQuery = (AttributeQuery)((MOARequest)((PVPTargetConfiguration) req).getRequest()).getSamlRequest(); + //set time reference + DateTime date = new DateTime(); - //load moaSession - String nameID = attrQuery.getSubject().getNameID().getValue(); + //load session and request information + AuthenticationSession moaSession = + pendingReq.getGenericData(PVPTargetConfiguration.DATAID_MOASESSION, AuthenticationSession.class); + + AttributeQuery attrQuery = + (AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest(); - AuthenticationSession session = authenticationSessionStorage.getSessionWithUserNameID(nameID); - if (session == null) { - Logger.warn("AttributeQuery nameID does not match to an active single sign-on session."); - throw new AttributQueryException("AttributeQuery nameID does not match to an active single sign-on session.", null); - - } - - DateTime date = new DateTime(); - //generate authData - authData = authDataBuilder.buildAuthenticationData(req, session, attrQuery.getAttributes()); + //generate authData for AttributQueryRequest + authData = authDataBuilder.buildAuthenticationDataForAttributQuery(pendingReq, moaSession, attrQuery.getAttributes()); + //add default attributes in case of mandates or STORK is in use List attrList = addDefaultAttributes(attrQuery, authData); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 08d9f67b6..57c1aa8af 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -57,11 +57,15 @@ import org.springframework.web.bind.annotation.RequestMethod; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; @@ -83,6 +87,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SLOException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; @@ -188,7 +193,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { req.getRemoteAddr()); //get POST-Binding decoder implementation - InboundMessage msg = (InboundMessage) new PostBinding().decode(req, resp, false); + InboundMessage msg = (InboundMessage) new PostBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false); pendingReq.setRequest(msg); //preProcess Message @@ -236,7 +241,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { req.getRemoteAddr()); //get POST-Binding decoder implementation - InboundMessage msg = (InboundMessage) new RedirectBinding().decode(req, resp, false); + InboundMessage msg = (InboundMessage) new RedirectBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false); pendingReq.setRequest(msg); //preProcess Message @@ -261,9 +266,57 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { } + //PVP2.x IDP SOAP-Binding end-point + @RequestMapping(value = "/pvp2/soap", method = {RequestMethod.POST}) + public void PVPIDPSOAPRequest(HttpServletRequest req, HttpServletResponse resp) throws MOAIDException { + if (!authConfig.getAllowedProtocols().isPVP21Active()) { + Logger.info("PVP2.1 is deaktivated!"); + throw new ProtocolNotActiveException("auth.22", new java.lang.Object[] { NAME }); + + } + + try { + //create pendingRequest object + PVPTargetConfiguration pendingReq = applicationContext.getBean(PVPTargetConfiguration.class); + pendingReq.initialize(req); + pendingReq.setModule(NAME); + + revisionsLogger.logEvent(MOAIDEventConstants.SESSION_CREATED, pendingReq.getUniqueSessionIdentifier()); + revisionsLogger.logEvent(MOAIDEventConstants.TRANSACTION_CREATED, pendingReq.getUniqueTransactionIdentifier()); + revisionsLogger.logEvent( + pendingReq.getUniqueSessionIdentifier(), + pendingReq.getUniqueTransactionIdentifier(), + MOAIDEventConstants.TRANSACTION_IP, + req.getRemoteAddr()); + + //get POST-Binding decoder implementation + InboundMessage msg = (InboundMessage) new SoapBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false); + pendingReq.setRequest(msg); + + //preProcess Message + preProcess(req, resp, pendingReq); + + } catch (SecurityPolicyException e) { + String samlRequest = req.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); + + } catch (SecurityException e) { + String samlRequest = req.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + throw new InvalidProtocolRequestException("pvp2.22", new Object[] {e.getMessage()}); + + } catch (Throwable e) { + String samlRequest = req.getParameter("SAMLRequest"); + Logger.warn("Receive INVALID protocol request: " + samlRequest, e); + + throw new MOAIDException(e.getMessage(), new Object[] {}); + } + } + - public void preProcess(HttpServletRequest request, + private void preProcess(HttpServletRequest request, HttpServletResponse response, PVPTargetConfiguration pendingReq) throws Throwable { InboundMessage msg = pendingReq.getRequest(); @@ -274,7 +327,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { } if(!msg.isVerified()) { - samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + samlVerificationEngine.verify(msg, + TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance())); msg.setVerified(true); } @@ -521,7 +575,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { throw new WrongParametersException("StartAuthentication", PARAM_OA, "auth.12"); - OAAuthParameter oa = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(moaRequest.getEntityID()); + OAAuthParameter oa = authConfig.getOnlineApplicationParameter(moaRequest.getEntityID()); if (!oa.isInderfederationIDP()) { Logger.warn("AttributeQuery requests are only allowed for interfederation IDPs."); throw new AttributQueryException("AttributeQuery requests are only allowed for interfederation IDPs.", null); @@ -533,17 +587,39 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { throw new AttributQueryException("Interfederation IDP does not allow outgoing SSO interfederation.", null); } + + //check active MOASession + String nameID = attrQuery.getSubject().getNameID().getValue(); + AuthenticationSession session = authenticatedSessionStorage.getSessionWithUserNameID(nameID); + if (session == null) { + Logger.warn("AttributeQuery nameID does not match to an active single sign-on session."); + throw new AttributQueryException("AttributeQuery nameID does not match to an active single sign-on session.", null); + } + + //search federated IDP information for this MOASession + + + InterfederationSessionStore interfIDP = + authenticatedSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); + + //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration + IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(oa, attrQuery.getAttributes(), interfIDP); + + //set preProcessed information into pending-request pendingReq.setRequest(moaRequest); pendingReq.setOAURL(moaRequest.getEntityID()); - pendingReq.setOnlineApplicationConfiguration(oa); + pendingReq.setOnlineApplicationConfiguration(spConfig); pendingReq.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); - //Attribute-Query Request needs authentication - pendingReq.setNeedAuthentication(true); - + //Attribute-Query Request needs authentication, because session MUST be already authenticated + pendingReq.setNeedAuthentication(false); + //set protocol action, which should be executed after authentication pendingReq.setAction(AttributQueryAction.class.getName()); + + //add moasession + pendingReq.setGenericDataToSession(PVPTargetConfiguration.DATAID_MOASESSION, session); //write revisionslog entry revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_ATTRIBUTQUERY); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java index 1d2754e3f..c2b61aaa7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPConstants.java @@ -276,6 +276,6 @@ public interface PVPConstants { public static final int CHARGE_CODE_MAX_LENGTH = 32767; public static final String PVP_HOLDEROFKEY_OID = "1.2.40.0.10.2.1.1.261.xx.xx"; - public static final String PVP_HOLDEROFKEY_NAME = URN_OID_PREFIX + PVP_VERSION_OID; + public static final String PVP_HOLDEROFKEY_NAME = URN_OID_PREFIX + PVP_HOLDEROFKEY_OID; public static final String PVP_HOLDEROFKEY_FRIENDLY_NAME = "HOLDER-OF-KEY-CERTIFICATE"; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index 27773a248..a8e02c317 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -46,6 +46,12 @@ import at.gv.egovernment.moa.logging.Logger; @Scope(value = BeanDefinition.SCOPE_PROTOTYPE) public class PVPTargetConfiguration extends RequestImpl { + public static final String DATAID_MOASESSION = "moasession"; + public static final String DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP = "useMinimalFrontChannelResponse"; + public static final String DATAID_INTERFEDERATION_NAMEID = "federatedNameID"; + public static final String DATAID_INTERFEDERATION_QAALEVEL = "federatedQAALevel"; + public static final String DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID = "attrQueryContainerID"; + private static final long serialVersionUID = 4889919265919638188L; InboundMessage request; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java index 6619876dc..86b31f1eb 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.xml.security.SecurityException; @@ -33,7 +34,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface public interface IDecoder { public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, boolean isSPEndPoint) + HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException, SecurityException, PVP2Exception; public boolean handleDecode(String action, HttpServletRequest req); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index ebb4b2991..6d376faa0 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -37,6 +37,7 @@ import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.ws.security.SecurityPolicyResolver; @@ -56,7 +57,6 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOAPVPSignedRequestPolicyRule; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.util.HTTPUtils; @@ -146,7 +146,7 @@ public class PostBinding implements IDecoder, IEncoder { } public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException, + HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException, SecurityException { HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); @@ -168,13 +168,13 @@ public class PostBinding implements IDecoder, IEncoder { throw new SecurityException(e); } - messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); + messageContext.setMetadataProvider(metadataProvider); //set security policy context BasicSecurityPolicy policy = new BasicSecurityPolicy(); policy.getPolicyRules().add( new MOAPVPSignedRequestPolicyRule( - TrustEngineFactory.getSignatureKnownKeysTrustEngine(), + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider), messageContext.getPeerEntityRole())); SecurityPolicyResolver secResolver = new StaticSecurityPolicyResolver(policy); messageContext.setSecurityPolicyResolver(secResolver); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 0ff18d903..683a72e67 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -38,6 +38,7 @@ import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.saml2.metadata.impl.SingleSignOnServiceBuilder; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.ws.security.SecurityPolicyResolver; @@ -133,7 +134,7 @@ public class RedirectBinding implements IDecoder, IEncoder { } public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException, + HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException, SecurityException { HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( @@ -159,10 +160,10 @@ public class RedirectBinding implements IDecoder, IEncoder { } - messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); + messageContext.setMetadataProvider(metadataProvider); SAML2HTTPRedirectDeflateSignatureRule signatureRule = new SAML2HTTPRedirectDeflateSignatureRule( - TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider)); SAML2AuthnRequestsSignedRule signedRole = new SAML2AuthnRequestsSignedRule(); BasicSecurityPolicy policy = new BasicSecurityPolicy(); policy.getPolicyRules().add(signatureRule); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index cc3553551..12b571ed1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -34,6 +34,7 @@ import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder; import org.opensaml.saml2.core.RequestAbstractType; import org.opensaml.saml2.core.StatusResponseType; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.ws.message.encoder.MessageEncodingException; import org.opensaml.ws.soap.soap11.Envelope; @@ -63,7 +64,7 @@ public class SoapBinding implements IDecoder, IEncoder { @Autowired private IDPCredentialProvider credentialProvider; public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, boolean isSPEndPoint) throws MessageDecodingException, + HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException, SecurityException, PVP2Exception { HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(new BasicParserPool()); BasicSAMLMessageContext messageContext = @@ -71,7 +72,7 @@ public class SoapBinding implements IDecoder, IEncoder { messageContext .setInboundMessageTransport(new HttpServletRequestAdapter( req)); - messageContext.setMetadataProvider(MOAMetadataProvider.getInstance()); + messageContext.setMetadataProvider(metadataProvider); //TODO: update in a futher version: // requires a special SignedSOAPRequestPolicyRole because diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java index 23ea4d7ee..164583f77 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java @@ -29,24 +29,22 @@ import java.util.List; import java.util.ServiceLoader; import org.opensaml.saml2.core.Attribute; - -import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; +import org.opensaml.saml2.metadata.RequestedAttribute; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; - +import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; +import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.SamlAttributeGenerator; - import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.InvalidDateFormatAttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.UnavailableAttributeException; - import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidDateFormatException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; public class PVPAttributeBuilder { @@ -148,4 +146,13 @@ public class PVPAttributeBuilder { return attributes; } + public static RequestedAttribute buildReqAttribute(String name, String friendlyName, boolean required) { + RequestedAttribute attribute = SAML2Utils.createSAMLObject(RequestedAttribute.class); + attribute.setIsRequired(required); + attribute.setName(name); + attribute.setFriendlyName(friendlyName); + attribute.setNameFormat(Attribute.URI_REFERENCE); + return attribute; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java index 312bb823d..0a0be2a2c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java @@ -33,9 +33,11 @@ import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; import org.opensaml.saml2.core.AuthnRequest; import org.opensaml.saml2.core.Issuer; +import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.NameIDPolicy; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.core.RequestedAuthnContext; +import org.opensaml.saml2.core.Subject; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.ws.message.encoder.MessageEncodingException; @@ -51,6 +53,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnRequestBuildExce import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -98,7 +101,7 @@ public class PVPAuthnRequestBuilder { if (endpoint == null) { Logger.warn("Building AuthnRequest FAILED: > Requested IDP " + idpEntity.getEntityID() + " does not support POST or Redirect Binding."); - throw new AuthnRequestBuildException("sp.pvp2.00", new Object[]{idpEntity.getEntityID()}); + throw new AuthnRequestBuildException("sp.pvp2.00", new Object[]{config.getSPNameForLogging(), idpEntity.getEntityID()}); } else authReq.setDestination(endpoint.getLocation()); @@ -148,7 +151,23 @@ public class PVPAuthnRequestBuilder { reqAuthContext.getAuthnContextClassRefs().add(authnClassRef); authReq.setRequestedAuthnContext(reqAuthContext); } - + + //set request Subject element + if (MiscUtil.isNotEmpty(config.getSubjectNameID())) { + Subject reqSubject = SAML2Utils.createSAMLObject(Subject.class); + NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); + + subjectNameID.setValue(config.getSubjectNameID()); + if (MiscUtil.isNotEmpty(config.getSubjectNameIDFormat())) + subjectNameID.setFormat(config.getSubjectNameIDFormat()); + else + subjectNameID.setFormat(NameID.TRANSIENT); + + reqSubject.setNameID(subjectNameID); + authReq.setSubject(reqSubject ); + + } + //TODO: implement requested attributes //maybe: config.getRequestedAttributes(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index af22a2d7e..03cfe27d7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -284,6 +284,7 @@ public class PVP2AssertionBuilder implements PVPConstants { NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); //build nameID and nameID Format from moasession + //TODO: nameID generation if (authData.isUseMandate()) { Element mandate = authData.getMandate(); if(mandate == null) { @@ -395,7 +396,10 @@ public class PVP2AssertionBuilder implements PVPConstants { subjectNameID.setValue(authData.getNameID()); sessionIndex = authData.getSessionIndex(); - } else + } + + // + if (MiscUtil.isEmpty(sessionIndex)) sessionIndex = SAML2Utils.getSecureIdentifier(); SubjectConfirmationData subjectConfirmationData = SAML2Utils diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java index e0994ff19..9a51e75e4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java @@ -285,4 +285,12 @@ public class IDPPVPMetadataConfiguration implements IPVPMetadataBuilderConfigura return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging() + */ + @Override + public String getSPNameForLogging() { + return "MOA-ID-Auth"; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java index d51231044..e209d0bc5 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java @@ -32,6 +32,13 @@ import org.opensaml.xml.security.credential.Credential; */ public interface IPVPAuthnRequestBuilderConfiguruation { + /** + * Defines a unique name for this PVP Service-provider, which is used for logging + * + * @return + */ + public String getSPNameForLogging(); + /** * If true, the SAML2 isPassive flag is set in the AuthnRequest * @@ -110,5 +117,13 @@ public interface IPVPAuthnRequestBuilderConfiguruation { * @return SubjectNameID, or null if no SubjectNameID should be used */ public String getSubjectNameID(); + + /** + * Define the format of the subjectNameID, which is included in authn-request + * + * + * @return nameIDFormat, of SAML2 'transient' if nothing is defined + */ + public String getSubjectNameIDFormat(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java index 52096fd19..56274535b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java @@ -39,6 +39,13 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx public interface IPVPMetadataBuilderConfiguration { + /** + * Defines a unique name for this PVP Service-provider, which is used for logging + * + * @return + */ + public String getSPNameForLogging(); + /** * Set metadata valid area * diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 03fa686f9..6e87abb06 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -31,12 +31,9 @@ import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Map.Entry; -import java.util.Timer; -import javax.net.ssl.SSLHandshakeException; import javax.xml.namespace.QName; -import org.apache.commons.httpclient.MOAHttpClient; import org.opensaml.saml2.metadata.EntitiesDescriptor; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.RoleDescriptor; @@ -47,20 +44,13 @@ import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.saml2.metadata.provider.MetadataProviderException; import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider; import org.opensaml.xml.XMLObject; -import org.opensaml.xml.parse.BasicParserPool; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; -import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; -import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing; import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.InterfederatedIDPPublicServiceFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.PVPMetadataFilterChain; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; @@ -68,7 +58,8 @@ import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; -public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbageCollectorProcessing { +public class MOAMetadataProvider extends SimpleMOAMetadataProvider + implements ObservableMetadataProvider, IGarbageCollectorProcessing { private static MOAMetadataProvider instance = null; private static Object mutex = new Object(); @@ -151,10 +142,9 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage String oaFriendlyName = oaParam.getFriendlyName(); ChainingMetadataProvider chainProvider = (ChainingMetadataProvider) internalProvider; - HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL, - cert, oaFriendlyName, - buildMetadataFilterChain(oaParam, metadataURL, - cert)); + HTTPMetadataProvider newMetadataProvider = createNewHTTPMetaDataProvider(metadataURL, + buildMetadataFilterChain(oaParam, metadataURL, cert), + oaFriendlyName); chainProvider.addMetadataProvider(newMetadataProvider); @@ -264,11 +254,9 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage Logger.info("Loading metadata for: " + oaFriendlyName); httpProvider = createNewHTTPMetaDataProvider( - metadataurl, - cert, - oaFriendlyName, - buildMetadataFilterChain(oaParam, metadataurl, - cert)); + metadataurl, + buildMetadataFilterChain(oaParam, metadataurl, cert), + oaFriendlyName); if (httpProvider != null) providersinuse.put(metadataurl, httpProvider); @@ -389,10 +377,8 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage if (!providersinuse.containsKey(metadataurl)) { httpProvider = createNewHTTPMetaDataProvider( metadataurl, - cert, - oaFriendlyName, - buildMetadataFilterChain(oaParam, metadataurl, - cert)); + buildMetadataFilterChain(oaParam, metadataurl, cert), + oaFriendlyName); if (httpProvider != null) providersinuse.put(metadataurl, httpProvider); @@ -450,86 +436,7 @@ public class MOAMetadataProvider implements ObservableMetadataProvider, IGarbage return filterChain; } - - private HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, byte[] certificate, String oaName, PVPMetadataFilterChain filter) { - HTTPMetadataProvider httpProvider = null; - Timer timer= null; - MOAHttpClient httpClient = null; - try { - httpClient = new MOAHttpClient(); - - if (metadataURL.startsWith("https:")) { - try { - MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( - PVPConstants.SSLSOCKETFACTORYNAME, - AuthConfigurationProviderFactory.getInstance().getCertstoreDirectory(), - AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(), - null, - AuthConfiguration.DEFAULT_X509_CHAININGMODE, - AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking()); - - httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); - - } catch (MOAHttpProtocolSocketFactoryException e) { - Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); - - } - } - - timer = new Timer(); - httpProvider = new HTTPMetadataProvider(timer, httpClient, - metadataURL); - httpProvider.setParserPool(new BasicParserPool()); - httpProvider.setRequireValidMetadata(true); - httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes - httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours - //httpProvider.setRefreshDelayFactor(0.1F); - - if (filter == null) { - filter = new PVPMetadataFilterChain(metadataURL, certificate); - } - httpProvider.setMetadataFilter(filter); - httpProvider.initialize(); - - httpProvider.setRequireValidMetadata(true); - - return httpProvider; - - } catch (Throwable e) { - if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { - Logger.warn("SSL-Server certificate for metadata " - + metadataURL + " not trusted.", e); - - } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { - Logger.warn("Signature verification for metadata" - + metadataURL + " FAILED.", e); - - } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { - Logger.warn("Schema validation for metadata " - + metadataURL + " FAILED.", e); - } - - Logger.error( - "Failed to add Metadata file for " - + oaName + "[ " - + e.getMessage() + " ]", e); - - if (httpProvider != null) { - Logger.debug("Destroy failed Metadata provider"); - httpProvider.destroy(); - } - - if (timer != null) { - Logger.debug("Destroy Timer."); - timer.cancel(); - } - - - } - return null; - } - public boolean requireValidMetadata() { return internalProvider.requireValidMetadata(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java new file mode 100644 index 000000000..6d646c609 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/SimpleMOAMetadataProvider.java @@ -0,0 +1,135 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.metadata; + +import java.util.Timer; + +import javax.net.ssl.SSLHandshakeException; + +import org.apache.commons.httpclient.MOAHttpClient; +import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.saml2.metadata.provider.MetadataProvider; +import org.opensaml.xml.parse.BasicParserPool; + +import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; +import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public abstract class SimpleMOAMetadataProvider implements MetadataProvider{ + + /** + * Create a single SAML2 HTTP metadata provider + * + * @param metadataURL URL, where the metadata should be loaded + * @param filter Filters, which should be used to validate the metadata + * @param IdForLogging Id, which is used for Logging + * + * @return SAML2 Metadata Provider + */ + protected HTTPMetadataProvider createNewHTTPMetaDataProvider(String metadataURL, MetadataFilter filter, String IdForLogging ) { + HTTPMetadataProvider httpProvider = null; + Timer timer= null; + MOAHttpClient httpClient = null; + try { + httpClient = new MOAHttpClient(); + + if (metadataURL.startsWith("https:")) { + try { + MOAHttpProtocolSocketFactory protoSocketFactory = new MOAHttpProtocolSocketFactory( + PVPConstants.SSLSOCKETFACTORYNAME, + AuthConfigurationProviderFactory.getInstance().getCertstoreDirectory(), + AuthConfigurationProviderFactory.getInstance().getTrustedCACertificates(), + null, + AuthConfiguration.DEFAULT_X509_CHAININGMODE, + AuthConfigurationProviderFactory.getInstance().isTrustmanagerrevoationchecking()); + + httpClient.setCustomSSLTrustStore(metadataURL, protoSocketFactory); + + } catch (MOAHttpProtocolSocketFactoryException e) { + Logger.warn("MOA SSL-TrustStore can not initialized. Use default Java TrustStore."); + + } + } + + timer = new Timer(); + httpProvider = new HTTPMetadataProvider(timer, httpClient, + metadataURL); + httpProvider.setParserPool(new BasicParserPool()); + httpProvider.setRequireValidMetadata(true); + httpProvider.setMinRefreshDelay(1000*60*15); //15 minutes + httpProvider.setMaxRefreshDelay(1000*60*60*24); //24 hours + //httpProvider.setRefreshDelayFactor(0.1F); + + httpProvider.setMetadataFilter(filter); + httpProvider.initialize(); + + httpProvider.setRequireValidMetadata(true); + + return httpProvider; + + } catch (Throwable e) { + if (e.getCause() != null && e.getCause().getCause() instanceof SSLHandshakeException) { + Logger.warn("SSL-Server certificate for metadata " + + metadataURL + " not trusted.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SignatureValidationException) { + Logger.warn("Signature verification for metadata" + + metadataURL + " FAILED.", e); + + } if (e.getCause() != null && e.getCause().getCause() instanceof SchemaValidationException) { + Logger.warn("Schema validation for metadata " + + metadataURL + " FAILED.", e); + } + + Logger.error( + "Failed to load Metadata file for " + + IdForLogging + "[ " + + e.getMessage() + " ]", e); + + if (httpProvider != null) { + Logger.debug("Destroy failed Metadata provider"); + httpProvider.destroy(); + } + + if (timer != null) { + Logger.debug("Destroy Timer."); + timer.cancel(); + } + + + } + + return null; + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 9c294245f..8787df82d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -24,9 +24,11 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; import java.util.ArrayList; import java.util.Arrays; +import java.util.Collection; import java.util.HashMap; import java.util.List; import java.util.Map; +import java.util.Set; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; @@ -111,7 +113,7 @@ public class AssertionAttributeExtractor { * * @return */ - public boolean containsAllRequiredAttributes(List attributeNameList) { + public boolean containsAllRequiredAttributes(Collection attributeNameList) { //first check if a bPK or an encrypted bPK is available if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) || @@ -152,6 +154,16 @@ public class AssertionAttributeExtractor { } + /** + * Return all include PVP attribute names + * + * @return + */ + public Set getAllIncludeAttributeNames() { + return attributs.keySet(); + + } + // public PersonalAttributeList getSTORKAttributes() { // return storkAttributes; // } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java index 67a91f6e1..3ea124db6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/TrustEngineFactory.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; import java.util.ArrayList; import java.util.List; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.security.MetadataCredentialResolver; import org.opensaml.xml.security.keyinfo.BasicProviderKeyInfoCredentialResolver; import org.opensaml.xml.security.keyinfo.KeyInfoCredentialResolver; @@ -35,8 +36,6 @@ import org.opensaml.xml.security.keyinfo.provider.RSAKeyValueProvider; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.signature.impl.ExplicitKeySignatureTrustEngine; //import org.opensaml.xml.signature.impl.PKIXSignatureTrustEngine; - -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; //import edu.internet2.middleware.shibboleth.common.security.MetadataPKIXValidationInformationResolver; public class TrustEngineFactory { @@ -65,11 +64,10 @@ public class TrustEngineFactory { // } // } - public static SignatureTrustEngine getSignatureKnownKeysTrustEngine() { + public static SignatureTrustEngine getSignatureKnownKeysTrustEngine(MetadataProvider provider) { MetadataCredentialResolver resolver; - resolver = new MetadataCredentialResolver( - MOAMetadataProvider.getInstance()); + resolver = new MetadataCredentialResolver(provider); List keyInfoProvider = new ArrayList(); keyInfoProvider.add(new DSAKeyValueProvider()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java new file mode 100644 index 000000000..f67c475bb --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/MOASPMetadataSignatureFilter.java @@ -0,0 +1,130 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; + +import java.io.IOException; +import java.io.StringWriter; + +import javax.xml.transform.Transformer; +import javax.xml.transform.TransformerException; +import javax.xml.transform.TransformerFactory; +import javax.xml.transform.TransformerFactoryConfigurationError; +import javax.xml.transform.dom.DOMSource; +import javax.xml.transform.stream.StreamResult; + +import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.saml2.metadata.provider.FilterException; +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; + +import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils; +import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +public class MOASPMetadataSignatureFilter implements MetadataFilter { + + private String trustProfileID = null; + + /** + * + */ + public MOASPMetadataSignatureFilter(String trustProfileID) { + this.trustProfileID = trustProfileID; + + } + + + /* (non-Javadoc) + * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) + */ + @Override + public void doFilter(XMLObject metadata) throws FilterException { + if (metadata instanceof EntityDescriptor) { + if (((EntityDescriptor) metadata).isSigned()) { + EntityDescriptor entityDes = (EntityDescriptor) metadata; + //check signature; + try { + Transformer transformer = TransformerFactory.newInstance() + .newTransformer(); + StringWriter sw = new StringWriter(); + StreamResult sr = new StreamResult(sw); + DOMSource source = new DOMSource(metadata.getDOM()); + transformer.transform(source, sr); + sw.close(); + String metadataXML = sw.toString(); + + SignatureVerificationUtils sigVerify = + new SignatureVerificationUtils(); + VerifyXMLSignatureResponse result = sigVerify.verify( + metadataXML.getBytes(), trustProfileID); + + //check signature-verification result + if (result.getSignatureCheckCode() != 0) { + Logger.warn("Metadata signature-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getSignatureCheckCode()); + throw new FilterException("Metadata signature-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getSignatureCheckCode()); + + } + + if (result.getCertificateCheckCode() != 0) { + Logger.warn("Metadata certificate-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getCertificateCheckCode()); + throw new FilterException("Metadata certificate-verification FAILED!" + + " Metadata: " + entityDes.getEntityID() + + " StatusCode:" + result.getCertificateCheckCode()); + + } + + + } catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { + Logger.error("Metadata verification has an interal error.", e); + throw new FilterException("Metadata verification has an interal error." + + " Message:" + e.getMessage()); + + } + + + } else { + Logger.warn("Metadata root-element MUST be signed."); + throw new FilterException("Metadata root-element MUST be signed.'"); + + } + + } else { + Logger.warn("Metadata root-element is not of type 'EntityDescriptor'"); + throw new FilterException("Metadata root-element is not of type 'EntityDescriptor'"); + + } + + } + +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java index 1aca587c9..69fe0ee6a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/metadata/SchemaValidationFilter.java @@ -22,16 +22,13 @@ */ package at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata; -import org.opensaml.saml2.metadata.provider.FilterException; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.xml.XMLObject; - import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; import org.opensaml.common.xml.SAMLSchemaBuilder; - +import org.opensaml.saml2.metadata.provider.MetadataFilter; +import org.opensaml.xml.XMLObject; import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.config.ConfigurationException; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java index cfdb4426b..c190ad779 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java @@ -53,9 +53,8 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.moduls.RequestImpl; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; -import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.id.util.SessionEncrytionUtil; @@ -95,9 +94,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt Date now = new Date(); dbsession.setCreated(now); dbsession.setUpdated(now); - - dbsession.setPendingRequestID(target.getRequestID()); - + //set additional session informations AuthenticationSessionExtensions sessionExt = new AuthenticationSessionExtensions(); sessionExt.setUniqueSessionId(target.getUniqueSessionIdentifier()); @@ -443,6 +440,10 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } + //set additional information for AttributeQuery + activeOA.setAttQueryContainerID(protocolRequest.getGenericData( + PVPTargetConfiguration.DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID, String.class)); + List activeOAs = dbsession.getActiveOAsessions(); activeOAs.add(activeOA); dbsession.setActiveOAsessions(activeOAs); @@ -461,7 +462,6 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt dbsession.setSSOSession(true); dbsession.setSSOsessionid(SSOSessionID); dbsession.setAuthenticated(false); - dbsession.setPendingRequestID("empty"); //Store MOASession session.saveOrUpdate(dbsession); @@ -751,7 +751,8 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } } - public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException { + @Override + public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException { AuthenticatedSessionStore dbsession = null; Date now = new Date(); @@ -766,23 +767,27 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt throw e; } } + + dbsession.setUpdated(now); + //decrypt MOASession AuthenticationSession session = decryptSession(dbsession); - //set Session parameters - session.setAuthenticated(isAuthenticated); - dbsession.setAuthenticated(isAuthenticated); - dbsession.setInterfederatedSSOSession(true); - dbsession.setUpdated(now); - + //federated Session are never authenticated locally, + // because they get always authentication information from federated IDP + session.setAuthenticated(false); + dbsession.setAuthenticated(false); + + //encrypt MOASession encryptSession(session, dbsession); + + //mark as federated SSO session + dbsession.setInterfederatedSSOSession(true); //add interfederation information List idpList = dbsession.getInderfederation(); - - MOAResponse interfederationResp = req.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, MOAResponse.class); - String interFedEntityID = interfederationResp.getEntityID(); - + + //check if federated IDP is already stored InterfederationSessionStore idp = null; if (idpList == null) { idpList = new ArrayList(); @@ -791,7 +796,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } else { for (InterfederationSessionStore el : idpList) { //resue old entry if interfederation IDP is reused for authentication - if (el.getIdpurlprefix().equals(interFedEntityID)) + if (el.getIdpurlprefix().equals(idpEntityID)) idp = el; } @@ -801,7 +806,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt if (idp == null) { idp = new InterfederationSessionStore(); idp.setCreated(now); - idp.setIdpurlprefix(interFedEntityID); + idp.setIdpurlprefix(idpEntityID); idp.setAuthURL(req.getAuthURL()); OAAuthParameter oa = authConfig.getOnlineApplicationParameter(idp.getIdpurlprefix()); @@ -809,12 +814,11 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt idp.setMoasession(dbsession); idpList.add(idp); - } - AssertionAttributeExtractor extract = new AssertionAttributeExtractor(interfederationResp.getResponse()); - idp.setSessionIndex(extract.getSessionIndex()); - idp.setUserNameID(extract.getNameID()); + } + idp.setSessionIndex(extractor.getSessionIndex()); + idp.setUserNameID(extractor.getNameID()); idp.setAttributesRequested(false); - idp.setQAALevel(extract.getQAALevel()); + idp.setQAALevel(extractor.getQAALevel()); //store AssertionStore element to Database try { @@ -1024,4 +1028,5 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt throw e; } } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java index 2fd540a67..aaa54fbb9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java @@ -36,6 +36,7 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; /** * @author tlenz @@ -238,16 +239,16 @@ public interface IAuthenticationSessionStoreage { /** - * Create a MOASession from interfederation information + * Add information of the federated IDP to MOASession * - * @param req Pending request - * @param isAuthenticated true if the session should be marked as authenticated, otherwise false + * @param req Pending request of the service-provider request, never null + * @param idpEntityID The SAML2 EntityID of the federated IDP, never null + * @param extractor AssertionAttributeExtractor which holds the SAML2 response of the federated IDP, never null * @throws MOADatabaseException * @throws AssertionAttributeExtractorExeption * @throws BuildException */ - @Deprecated - public void createInterfederatedSession(IRequest req, boolean isAuthenticated) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException; + public void addFederatedSessionInformation(IRequest req, String idpEntityID, AssertionAttributeExtractor extractor) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException; /** * Search an active federation IDP which could be used for federated Single Sign-On by using an AttributeQuery diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index 50d01ce2f..a94b90931 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -112,6 +112,8 @@ service.07=Der SZR-Gateway ist unter {0} nicht erreichbar. service.08=Die Eintragung der ausländischen Person am SZR-Gateway ist fehlgeschlagen. service.09=Der SZR-Gateway Client konnte nicht initialisiert werden. +service.10=Die Verwendung des Service {0} ist nicht m\u00f6glich. Ursache: {1} + cleaner.00=AuthenticationSessionCleaner wurde gestartet cleaner.01=Fehler im AuthenticationSessionCleaner cleaner.02=Abgelaufene MOASession {0} wurde aus dem Speicher entfernt @@ -272,12 +274,15 @@ pvp2.23={0} ist keine gueltige AssertionConsumerServiceURL oder entspricht nicht ##add status codes!!!! -sp.pvp2.00=Can not build PVP AuthnRequest for IDP {0}. No valid SingleSignOnService endpoint found. -sp.pvp2.01=Can not build PVP AuthnRequest for IDP {0}. IDP is not allowed for federated authentication. -sp.pvp2.02=Can not build PVP AuthnRequest for IDP {0}. IDP has no (valid) metadata. -sp.pvp2.03=Receive PVP Response from IDP with unsupported Binding. -sp.pvp2.04=Receive invalid PVP Response from IDP. No PVP metadata found. -sp.pvp2.04=Receive invalid PVP Response from IDP {0}. StatusCode {1}. +sp.pvp2.00=Can not build PVP AuthnRequest for {0} {1}. No valid SingleSignOnService endpoint found. +sp.pvp2.01=Can not build PVP AuthnRequest for {0} {0}. IDP is not allowed for federated authentication. +sp.pvp2.02=Can not build PVP AuthnRequest for {0} {0}. IDP has no (valid) metadata. +sp.pvp2.03=Receive PVP Response from {0} with unsupported Binding. +sp.pvp2.04=Receive invalid PVP Response from {0}. No PVP metadata found. +sp.pvp2.05=Receive invalid PVP Response from {0} {1}. StatusCode {2}. +sp.pvp2.06=Receive invalid PVP Response from {0}. Assertion does not contain all required attributes. +sp.pvp2.07=Receive invalid PVP Response from {0}. Attribute {1} is not valid. +sp.pvp2.08=Receive invalid PVP Response from {0}. Response issuer {1} is not valid or allowed. oauth20.01=Fehlerhafte redirect url oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}" diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index 0b00b2d29..4e36e2cbf 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -90,6 +90,21 @@ service.07=4200 service.08=4201 service.09=9007 +service.10=TODO + +process.01=TODO +process.02=TODO + +sp.pvp2.00=TODO +sp.pvp2.01=TODO +sp.pvp2.02=TODO +sp.pvp2.03=TODO +sp.pvp2.04=TODO +sp.pvp2.05=TODO +sp.pvp2.06=TODO +sp.pvp2.07=TODO +sp.pvp2.08=TODO + validator.00=1102 validator.01=1102 validator.02=1102 diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java index 6d43bcdc6..125d83d6d 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java @@ -22,6 +22,8 @@ */ package at.gv.egovernment.moa.id.module.test; +import java.util.Collection; + import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.moduls.IRequest; @@ -247,6 +249,15 @@ public class TestRequestImpl implements IRequest { // TODO Auto-generated method stub } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.moduls.IRequest#getRequestedAttributes() + */ + @Override + public Collection getRequestedAttributes() { + // TODO Auto-generated method stub + return null; + } diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java index af5950c98..a8cc1928e 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/AuthenticatedSessionStore.java @@ -38,7 +38,6 @@ import javax.persistence.Lob; import javax.persistence.NamedQueries; import javax.persistence.NamedQuery; import javax.persistence.OneToMany; -import javax.persistence.PrePersist; import javax.persistence.PreUpdate; import javax.persistence.Table; import javax.persistence.Temporal; @@ -130,46 +129,115 @@ public class AuthenticatedSessionStore implements Serializable{ this.id = id; } + /** + * Get the internal ID of this MOASession + * + * @return moaSessionID, but never null + */ public String getSessionid() { return sessionid; + } + /** + * Set the internal ID of this MOASession. + * + * @param sessionid The internal ID of this MOASession, but never null + **/ public void setSessionid(String sessionid) { this.sessionid = sessionid; } + /** + * Get the Single Sign-On SessionID of this MOASession + * + * @return SSO SessionID + */ public String getSSOsessionid() { return SSOsessionid; } + /** + * Set the Single Sign-On SessionID for this MOASession + * + * @param sSOsessionid SSO SessionID + */ public void setSSOsessionid(String sSOsessionid) { SSOsessionid = sSOsessionid; } + /** + * Get the serialized (and encrypted) AuthenticatedData DAO, which contains the user + * identification and authentication information. + * + * @return serialized (and encryped) authenticationData, but never null + */ public byte[] getSession() { return authSession; } + /** + * Set the AuthenticationData DAO, as serialized (and encrypted) blob.

+ * + * This method should only be used, since MOASesion is not authenticated + * this.isAuthenticated() == false. If the MOASession is already authenticated, + * the corresponding user authentication data should not be changed any more. + * + * @param session the serialized (and encryped) authenticationData + */ public void setSession(byte[] session) { this.authSession = session; } + /** + * Indicates this MOASession is already authenticated.

+ * + * A authenticated MOASession contains all information, which are + * needed build protocol specific authentication information. + * Therefore, a user has already performed a full identification and + * authentication process. + * + * @return true, if this MOASession is authenticated, otherwise false + */ public boolean isAuthenticated() { return isAuthenticated; } + /** + * Mark a MOASession as authenticated.

+ * + * A MOASession had to be marked as authenticated, if the user + * identification and authentication process is completed. + * + * @param isAuthenticated + */ public void setAuthenticated(boolean isAuthenticated) { this.isAuthenticated = isAuthenticated; } + /** + * Indicates this MOASession as a Single Sign-On session + * + * @return true if it is a SSO session, otherwise false + */ public boolean isSSOSession() { return isSSOSession; } + /** + * Mark this MOASession as a Single Sign-On session + * + * @param isSSOSession true, if this MOASession is a SSO session, otherwise false + */ public void setSSOSession(boolean isSSOSession) { this.isSSOSession = isSSOSession; } + /** + * Get a timestamp when this MOASession was created + * + * @return timestamp + */ public Date getCreated() { return created; } @@ -178,6 +246,11 @@ public class AuthenticatedSessionStore implements Serializable{ this.created = created; } + /** + * Get a timestamp, when this MOASession was updated last time + * + * @return timestamp + */ public Date getUpdated() { return updated; } @@ -186,6 +259,12 @@ public class AuthenticatedSessionStore implements Serializable{ this.updated = updated; } + /** + * Get a List of Service Providers, which has received a authentication information by using + * Single Sign-On + * + * @return + */ public List getActiveOAsessions() { return activeOAsessions; } @@ -198,6 +277,12 @@ public class AuthenticatedSessionStore implements Serializable{ this.activeOAsessions = activeOAsessions; } + /** + * Get a List of old Single Sign-On SessionIDs, which are already used for this MOASession. + * Every SSO SessionID can only be used once. + * + * @return + */ public List getOldssosessionids() { return oldssosessionids; } @@ -207,6 +292,8 @@ public class AuthenticatedSessionStore implements Serializable{ } /** + * Get a List of federated IDPs which are already used in this Session + * * @return the inderfederation */ public List getInderfederation() { @@ -221,20 +308,8 @@ public class AuthenticatedSessionStore implements Serializable{ } /** - * @return the pendingRequestID - */ - public String getPendingRequestID() { - return pendingRequestID; - } - - /** - * @param pendingRequestID the pendingRequestID to set - */ - public void setPendingRequestID(String pendingRequestID) { - this.pendingRequestID = pendingRequestID; - } - - /** + * Get the initial vector for AuthenticationData encryption + * * @return the iv */ public byte[] getIv() { @@ -242,6 +317,8 @@ public class AuthenticatedSessionStore implements Serializable{ } /** + * Set the inital vector for AuthenticationData encryption + * * @param iv the iv to set */ public void setIv(byte[] iv) { @@ -249,14 +326,18 @@ public class AuthenticatedSessionStore implements Serializable{ } /** - * @return the isInterfederatedSSOSession + * Indicates this MOASession as an federated session + * + * @return true if it is a federated session, otherwise false */ public boolean isInterfederatedSSOSession() { return isInterfederatedSSOSession; } /** - * @param isInterfederatedSSOSession the isInterfederatedSSOSession to set + * Mark this MOASession as an federated session + * + * @param isInterfederatedSSOSession true, if this MOASession is a federated session */ public void setInterfederatedSSOSession(boolean isInterfederatedSSOSession) { this.isInterfederatedSSOSession = isInterfederatedSSOSession; diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java index 8b720e901..bead2f593 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java @@ -71,6 +71,9 @@ public class OASessionStore implements Serializable{ @Column(name = "attributequeryused", unique=false, nullable=false) private boolean attributeQueryUsed = false; + @Column(name = "attQueryContainerID", unique=false, nullable=true) + private String attQueryContainerID = null; + @Column(name = "created", updatable=false, nullable=false) // @Temporal(TemporalType.TIMESTAMP) private Date created; @@ -200,6 +203,21 @@ public class OASessionStore implements Serializable{ this.authURL = authURL; } + /** + * @return the attQueryContainerID + */ + public String getAttQueryContainerID() { + return attQueryContainerID; + } + + /** + * @param attQueryContainerID the attQueryContainerID to set + */ + public void setAttQueryContainerID(String attQueryContainerID) { + this.attQueryContainerID = attQueryContainerID; + } + + diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java index 965abcde1..55504dcb0 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java @@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing; import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SchemaValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter; import at.gv.egovernment.moa.id.saml2.MetadataFilterChain; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -178,7 +179,7 @@ public class MOAeIDASChainingMetadataProvider implements ObservableMetadataProvi //add Metadata filters MetadataFilterChain filter = new MetadataFilterChain(); - filter.addFilter(new MOAeIDASMetadataSignatureFilter( + filter.addFilter(new MOASPMetadataSignatureFilter( authConfig.getBasicMOAIDConfiguration(Constants.CONIG_PROPS_EIDAS_METADATA_VALIDATION_TRUSTSTORE))); httpProvider.setMetadataFilter(filter); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java deleted file mode 100644 index c9f3e5bcd..000000000 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASMetadataSignatureFilter.java +++ /dev/null @@ -1,132 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.auth.modules.eidas.engine; - -import java.io.IOException; -import java.io.StringWriter; - -import javax.xml.transform.Transformer; -import javax.xml.transform.TransformerConfigurationException; -import javax.xml.transform.TransformerException; -import javax.xml.transform.TransformerFactory; -import javax.xml.transform.TransformerFactoryConfigurationError; -import javax.xml.transform.dom.DOMSource; -import javax.xml.transform.stream.StreamResult; - -import org.opensaml.saml2.metadata.EntityDescriptor; -import org.opensaml.saml2.metadata.provider.FilterException; -import org.opensaml.saml2.metadata.provider.MetadataFilter; -import org.opensaml.xml.XMLObject; - -import at.gv.egovernment.moa.id.auth.builder.SignatureVerificationUtils; -import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; -import at.gv.egovernment.moa.id.auth.exception.BuildException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.logging.Logger; - -/** - * @author tlenz - * - */ -public class MOAeIDASMetadataSignatureFilter implements MetadataFilter { - - private String trustProfileID = null; - - /** - * - */ - public MOAeIDASMetadataSignatureFilter(String trustProfileID) { - this.trustProfileID = trustProfileID; - - } - - - /* (non-Javadoc) - * @see org.opensaml.saml2.metadata.provider.MetadataFilter#doFilter(org.opensaml.xml.XMLObject) - */ - @Override - public void doFilter(XMLObject metadata) throws FilterException { - if (metadata instanceof EntityDescriptor) { - if (((EntityDescriptor) metadata).isSigned()) { - EntityDescriptor entityDes = (EntityDescriptor) metadata; - //check signature; - try { - Transformer transformer = TransformerFactory.newInstance() - .newTransformer(); - StringWriter sw = new StringWriter(); - StreamResult sr = new StreamResult(sw); - DOMSource source = new DOMSource(metadata.getDOM()); - transformer.transform(source, sr); - sw.close(); - String metadataXML = sw.toString(); - - SignatureVerificationUtils sigVerify = - new SignatureVerificationUtils(); - VerifyXMLSignatureResponse result = sigVerify.verify( - metadataXML.getBytes(), trustProfileID); - - //check signature-verification result - if (result.getSignatureCheckCode() != 0) { - Logger.warn("eIDAS Metadata signature-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getSignatureCheckCode()); - throw new FilterException("eIDAS Metadata signature-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getSignatureCheckCode()); - - } - - if (result.getCertificateCheckCode() != 0) { - Logger.warn("eIDAS Metadata certificate-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getCertificateCheckCode()); - throw new FilterException("eIDAS Metadata certificate-verification FAILED!" - + " Metadata: " + entityDes.getEntityID() - + " StatusCode:" + result.getCertificateCheckCode()); - - } - - - } catch (MOAIDException | TransformerFactoryConfigurationError | TransformerException | IOException e) { - Logger.error("eIDAS Metadata verification has an interal error.", e); - throw new FilterException("eIDAS Metadata verification has an interal error." - + " Message:" + e.getMessage()); - - } - - - } else { - Logger.warn("eIDAS Metadata root-element MUST be signed."); - throw new FilterException("eIDAS Metadata root-element MUST be signed.'"); - - } - - } else { - Logger.warn("eIDAS Metadata root-element is not of type 'EntityDescriptor'"); - throw new FilterException("eIDAS Metadata root-element is not of type 'EntityDescriptor'"); - - } - - } - -} diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java index 935cefdf9..f682913e6 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java @@ -22,6 +22,12 @@ package at.gv.egovernment.moa.id.auth.modules.elgamandates; * that you distribute must include a readable copy of the "NOTICE" text file. */ +import java.util.ArrayList; +import java.util.Collections; +import java.util.List; + +import at.gv.egovernment.moa.id.data.Pair; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; /** * @author tlenz @@ -29,13 +35,24 @@ package at.gv.egovernment.moa.id.auth.modules.elgamandates; */ public class ELGAMandatesAuthConstants { + public static final String MODULE_NAME_FOR_LOGGING = "ELGA Mandate-Service"; + public static final int METADATA_VALIDUNTIL_IN_HOURS = 24; + //Service endpoint definitions public static final String ENDPOINT_POST = "/sp/elga_mandate/post"; public static final String ENDPOINT_REDIRECT = "/sp/elga_mandate/redirect"; public static final String ENDPOINT_METADATA = "/sp/elga_mandate/metadata"; - public static final String CONFIG_PROPS_PREFIX = "modules.elga_mandate."; + //configuration properties + public static final String CONFIG_PROPS_PREFIX = "modules.elga_mandate."; + + public static final String CONFIG_PROPS_SUBJECTNAMEID_TARGET = CONFIG_PROPS_PREFIX + "nameID.target"; + + public static final String CONFIG_PROPS_ENTITYID = CONFIG_PROPS_PREFIX + "service.entityID"; + public static final String CONFIG_PROPS_METADATAURL = CONFIG_PROPS_PREFIX + "service.metadataurl"; + public static final String CONFIG_PROPS_METADATA_TRUSTPROFILE = CONFIG_PROPS_PREFIX + "service.metadata.trustprofileID"; + public static final String CONFIG_PROPS_KEYSTORE = CONFIG_PROPS_PREFIX + "keystore.path"; public static final String CONFIG_PROPS_KEYSTOREPASSWORD = CONFIG_PROPS_PREFIX + "keystore.password"; public static final String CONFIG_PROPS_SIGN_METADATA_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "metadata.sign.password"; @@ -45,7 +62,42 @@ public class ELGAMandatesAuthConstants { public static final String CONFIG_PROPS_ENCRYPTION_KEY_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.password"; public static final String CONFIG_PROPS_ENCRYPTION_ALIAS_PASSWORD = CONFIG_PROPS_PREFIX + "response.encryption.alias"; + + /** + * + * Get required PVP attributes + * First : PVP attribute name (OID) + * Second: FriendlyName + * + */ + public static final List> REQUIRED_PVP_ATTRIBUTES = + Collections.unmodifiableList(new ArrayList>() { + private static final long serialVersionUID = 1L; + { + //request mandate type + add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, PVPConstants.MANDATE_TYPE_FRIENDLY_NAME)); + + //request attributes for natural mandators + add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BPK_NAME, PVPConstants.MANDATE_NAT_PER_BPK_FRIENDLY_NAME)); + add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME, PVPConstants.MANDATE_NAT_PER_BIRTHDATE_FRIENDLY_NAME)); + add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME, PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_FRIENDLY_NAME)); + add(Pair.newInstance(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME, PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_FRIENDLY_NAME)); + + //request reference_value + add(Pair.newInstance(PVPConstants.MANDATE_REFERENCE_VALUE_NAME, PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME)); + } + }); + + public static final String CONFIG_DEFAULT_QAA_STORK_LEVEL = "http://www.stork.gov.eu/1.0/citizenQAALevel/4"; public static final String CONFIG_DEFAULT_QAA_SECCLASS_LEVEL = "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3"; + + public static List getRequiredAttributeNames() { + List list = new ArrayList(); + for (Pair el : REQUIRED_PVP_ATTRIBUTES) + list.add(el.getFirst()); + return list; + } + } diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml index 1c0071c4a..b648e4d27 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml @@ -16,6 +16,11 @@ + + + + + @@ -39,11 +44,15 @@ + - - + + + + + diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml index 89f1edd06..6e567a42c 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml @@ -14,23 +14,25 @@ - + - - - + + + + - - \ No newline at end of file diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java index 1f9d9e3a0..21fe4e5fa 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java @@ -33,6 +33,7 @@ import com.google.gson.JsonPrimitive; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.builder.attributes.BPKAttributeBuilder; import at.gv.egovernment.moa.id.protocols.builder.attributes.EIDAuthBlock; import at.gv.egovernment.moa.id.protocols.builder.attributes.EIDCcsURL; @@ -59,7 +60,6 @@ import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateProfRepDescA import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateProfRepOIDAttributeBuilder; import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateReferenceValueAttributeBuilder; import at.gv.egovernment.moa.id.protocols.builder.attributes.MandateTypeAttributeBuilder; -import at.gv.egovernment.moa.id.protocols.oauth20.Pair; import at.gv.egovernment.moa.id.protocols.oauth20.protocol.OAuth20AuthRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java index 33d057fe9..518a694b0 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java @@ -38,13 +38,13 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; +import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; -import at.gv.egovernment.moa.id.protocols.oauth20.Pair; import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder; import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OpenIdExpirationTimeAttribute; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java index e2f851132..1f7f27617 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthConstants.java @@ -28,6 +28,8 @@ package at.gv.egovernment.moa.id.auth.modules.federatedauth; */ public class FederatedAuthConstants { + public static final String MODULE_NAME_FOR_LOGGING = "federated IDP"; + public static final int METADATA_VALIDUNTIL_IN_HOURS = 24; public static final String ENDPOINT_POST = "/sp/federated/post"; diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java index 29b6ea18b..0f2c85350 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java @@ -278,4 +278,13 @@ public class FederatedAuthMetadataConfiguration implements IPVPMetadataBuilderCo } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#getSPNameForLogging() + */ + @Override + public String getSPNameForLogging() { + return FederatedAuthConstants.MODULE_NAME_FOR_LOGGING; + } + } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java index eca5c7649..4ae162f5a 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java @@ -27,6 +27,7 @@ import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.xml.security.credential.Credential; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation; /** @@ -157,5 +158,22 @@ public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnReque return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSPNameForLogging() + */ + @Override + public String getSPNameForLogging() { + return FederatedAuthConstants.MODULE_NAME_FOR_LOGGING; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDFormat() + */ + @Override + public String getSubjectNameIDFormat() { + // TODO Auto-generated method stub + return null; + } + } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java index 2e134713b..06664af45 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java @@ -89,7 +89,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { Logger.debug("isInderfederationIDP:" + String.valueOf(idpConfig.isInderfederationIDP()) + " isInboundSSOAllowed:" + String.valueOf(idpConfig.isInboundSSOInterfederationAllowed())); - handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.01", new Object[]{idpEntityID}); + handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.01", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, idpEntityID}); return; @@ -102,7 +102,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { Logger.warn("Requested IDP " + idpEntityID + " has no valid metadata or metadata is not found"); - handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.02", new Object[]{idpEntityID}); + handleAuthnRequestBuildProblem(executionContext, idpConfig, "sp.pvp2.02", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, idpEntityID}); return; } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java index 49f9782ae..d87109244 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -23,14 +23,21 @@ package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks; import java.io.IOException; +import java.util.Collection; +import java.util.List; +import java.util.Set; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.xml.transform.TransformerException; +import org.opensaml.saml2.core.Attribute; +import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusCode; import org.opensaml.ws.message.decoder.MessageDecodingException; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.xml.XMLObject; import org.opensaml.xml.io.MarshallingException; import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; @@ -38,25 +45,39 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; +import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AuthnResponseValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; +import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -67,9 +88,12 @@ import at.gv.egovernment.moa.util.MiscUtil; @Component("ReceiveFederatedAuthnResponseTask") public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { - @Autowired SAMLVerificationEngine samlVerificationEngine; - @Autowired FederatedAuthCredentialProvider credentialProvider; - @Autowired SSOManager ssoManager; + @Autowired private SAMLVerificationEngine samlVerificationEngine; + @Autowired private FederatedAuthCredentialProvider credentialProvider; + @Autowired private SSOManager ssoManager; + @Autowired private AttributQueryBuilder attributQueryBuilder; + @Autowired private ITransactionStorage transactionStorage; + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) @@ -94,21 +118,21 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } else { Logger.warn("Receive PVP Response, but Binding (" + request.getMethod() + ") is not supported."); - throw new AuthnResponseValidationException("sp.pvp2.03", null); + throw new AuthnResponseValidationException("sp.pvp2.03", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}); } //decode PVP response object - msg = (InboundMessage) decoder.decode(request, response, true); + msg = (InboundMessage) decoder.decode(request, response, MOAMetadataProvider.getInstance(), true); if (MiscUtil.isEmpty(msg.getEntityID())) { - throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {}); + throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}); } //validate response signature if(!msg.isVerified()) { - samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); + samlVerificationEngine.verify(msg, TrustEngineFactory.getSignatureKnownKeysTrustEngine(MOAMetadataProvider.getInstance())); msg.setVerified(true); } @@ -118,12 +142,77 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //validate assertion MOAResponse processedMsg = preProcessAuthResponse((MOAResponse) msg); - //store valid assertion into pending-request - pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); + //load IDP and SP configuration + IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID()); + IOAAuthParameters spConfig = pendingReq.getOnlineApplicationConfiguration(); + + //check if response Entity is valid + if (!idpConfig.isInderfederationIDP()) { + Logger.warn("Response Issuer is not a federated IDP. Stopping federated authentication ..."); + throw new AuthnResponseValidationException("sp.pvp2.08", + new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, + msg.getEntityID()}); + + } - //update MOASession with federation information - authenticatedSessionStorage.createInterfederatedSession(pendingReq, true); + //load MOASession from database + defaultTaskInitialization(request, executionContext); + //initialize Attribute extractor + AssertionAttributeExtractor extractor = + new AssertionAttributeExtractor((Response) processedMsg.getResponse()); + + //check if SP is also a federated IDP + if (spConfig.isInderfederationIDP()) { + //SP is a federated IDP --> answer only with nameID and wait for attribute-Query + pendingReq.setGenericDataToSession( + PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, true); + pendingReq.setGenericDataToSession( + PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, extractor.getNameID()); + pendingReq.setGenericDataToSession( + PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, extractor.getQAALevel()); + + //build data-container for AttributeQuery + FederatedAuthenticatenContainer container = new FederatedAuthenticatenContainer(); + container.setIdpEntityID(idpConfig.getPublicURLPrefix()); + container.setUserNameID(extractor.getNameID()); + container.setUserQAALevel(extractor.getQAALevel()); + + if (idpConfig.isInterfederationSSOStorageAllowed()) { + //open SSO session and store IDP as federated IDP + container.setMoaSessionID(moasession.getSessionID()); + + //store federatedIDP to MOASession + authenticatedSessionStorage. + addFederatedSessionInformation(pendingReq, + idpConfig.getPublicURLPrefix(), extractor); + + } + + //store container into transaction storage + transactionStorage.put(container.getId(), container); + + //store container ID to pending-request + pendingReq.setGenericDataToSession( + PVPTargetConfiguration.DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID, + container.getId()); + + } else { + //SP is real Service-Provider --> check attributes in response + // and start Attribute-Query if required + + //get authenticationData and store it into MOASession + getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(), + idpConfig); + + //update MOASession + authenticatedSessionStorage.storeSession(moasession); + + } + + //store valid assertion into pending-request + pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); + //store pending-request requestStoreage.storePendingRequest(pendingReq); @@ -165,6 +254,104 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } + private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig, + IOAAuthParameters idpConfig) throws BuildException, ConfigurationException{ + + try { + Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... "); + Collection requestedAttr = pendingReq.getRequestedAttributes(); + + //check if SAML2 Assertion contains a minimal set of attributes + if (!extractor.containsAllRequiredAttributes()) { + Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ..."); + //collect attributes by using BackChannel communication + String endpoint = idpConfig.getIDPAttributQueryServiceURL(); + if (MiscUtil.isEmpty(endpoint)) { + Logger.error("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix()); + throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix(), null); + + } + + //build attributQuery request + List attributs = + attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator()); + AttributeQuery query = + attributQueryBuilder.buildAttributQueryRequest(extractor.getNameID(), endpoint, attributs); + + //build SOAP request + List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); + + if (xmlObjects.size() == 0) { + Logger.error("Receive emptry AttributeQuery response-body."); + throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); + + } + + if (xmlObjects.get(0) instanceof Response) { + Response intfResp = (Response) xmlObjects.get(0); + + //validate PVP 2.1 response + try { + samlVerificationEngine.verifyIDPResponse(intfResp, + TrustEngineFactory.getSignatureKnownKeysTrustEngine( + MOAMetadataProvider.getInstance())); + + //create assertion attribute extractor from AttributeQuery response + extractor = new AssertionAttributeExtractor(intfResp); + + } catch (Exception e) { + Logger.warn("PVP 2.1 assertion validation FAILED.", e); + throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); + } + + } else { + Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); + throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); + + } + + } else { + Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. "); + + } + + //check if all attributes are include + if (!extractor.containsAllRequiredAttributes( + pendingReq.getRequestedAttributes())) { + Logger.warn("PVP Response from federated IDP contains not all requested attributes."); + throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}); + + } + + //copy attributes into MOASession + Set includedAttrNames = extractor.getAllIncludeAttributeNames(); + for (String el : includedAttrNames) { + moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el)); + Logger.debug("Add PVP-attribute " + el + " into MOASession"); + + } + + } catch (SOAPException e) { + throw new BuildException("builder.06", null, e); + + } catch (SecurityException e) { + throw new BuildException("builder.06", null, e); + + } catch (AttributQueryException e) { + throw new BuildException("builder.06", null, e); + + } catch (SessionDataStorageException e) { + throw new BuildException("builder.06", null, e); + + } catch (AssertionValidationExeption e) { + throw new BuildException("builder.06", null, e); + + } catch (AssertionAttributeExtractorExeption e) { + throw new BuildException("builder.06", null, e); + + } + } + /** * @param executionContext * @param idpConfig @@ -215,8 +402,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } else { Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() + " from federated IDP."); - throw new AuthnResponseValidationException("sp.pvp2.04", - new Object[]{samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()}); + throw new AuthnResponseValidationException("sp.pvp2.05", + new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING, samlResp.getIssuer().getValue(), samlResp.getStatus().getStatusCode().getValue()}); } diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java index e85f8ce6b..64c0a0c8e 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java @@ -81,8 +81,6 @@ public class SAML1RequestImpl extends RequestImpl { reqAttr.add(PVPConstants.MANDATE_FULL_MANDATE_NAME); } - //return attributQueryBuilder.buildSAML2AttributeList(this.getOnlineApplicationConfiguration(), reqAttr.iterator()); - return reqAttr; } -- cgit v1.2.3 From da937437e46e06365072820aa555d4cb3f9f9110 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 2 Mar 2016 22:10:36 +0100 Subject: next parts of new federated authentication implementation --- .../id/auth/builder/AuthenticationDataBuilder.java | 226 ++++++++++++--------- .../builder/DynamicOAAuthParameterBuilder.java | 71 ++----- .../id/data/FederatedAuthenticatenContainer.java | 125 ------------ .../id/protocols/pvp2x/AttributQueryAction.java | 30 ++- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 17 +- .../id/protocols/pvp2x/PVPTargetConfiguration.java | 2 - .../storage/DBAuthenticationSessionStoreage.java | 8 +- .../id/storage/IAuthenticationSessionStoreage.java | 4 +- .../resources/properties/id_messages_de.properties | 7 +- .../protocol_response_statuscodes_de.properties | 5 + .../tasks/ReceiveAuthnResponseTask.java | 39 ++-- 11 files changed, 201 insertions(+), 333 deletions(-) delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index 999f289e0..8b9918eab 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -32,6 +32,7 @@ import java.util.Arrays; import java.util.Date; import java.util.Iterator; import java.util.List; +import java.util.Set; import java.util.Map.Entry; import java.util.regex.Matcher; import java.util.regex.Pattern; @@ -45,6 +46,9 @@ import javax.xml.bind.Marshaller; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.AuthnStatement; +import org.opensaml.saml2.core.Response; +import org.opensaml.ws.soap.common.SOAPException; +import org.opensaml.xml.XMLObject; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.w3c.dom.Element; @@ -77,7 +81,9 @@ import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.AuthenticationRoleFactory; import at.gv.egovernment.moa.id.data.IAuthData; @@ -86,13 +92,16 @@ import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AttributQueryException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; @@ -118,9 +127,11 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { @Autowired private IAuthenticationSessionStoreage authenticatedSessionStorage; @Autowired protected AuthConfiguration authConfig; + @Autowired private AttributQueryBuilder attributQueryBuilder; + @Autowired private SAMLVerificationEngine samlVerificationEngine; public IAuthData buildAuthenticationDataForAttributQuery(IRequest pendingReq, - AuthenticationSession session, List reqAttributes) { + AuthenticationSession session, List reqAttributes, InterfederationSessionStore nextIDPInformation) throws MOAIDException { AuthenticationData authdata = new AuthenticationData(); try { @@ -146,134 +157,147 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } } } - - getAuthDataFromInterfederation(authdata, session, spConfig, pendingReq, interfIDP, idp, reqAttributes); - - - - + //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration + IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes); - //mark attribute request as used - try { - interfIDP.setAttributesRequested(true); - MOASessionDBUtils.saveOrUpdate(interfIDP); - - } catch (MOADatabaseException e) { - Logger.error("MOASession interfederation information can not stored to database.", e); + //search federated IDP information for this MOASession + if (nextIDPInformation != null) { + Logger.info("Find active federated IDP information." + + ". --> Request next IDP:" + nextIDPInformation.getIdpurlprefix() + + " for authentication information."); + + //load configuration of next IDP + OAAuthParameter idp = authConfig.getOnlineApplicationParameter(nextIDPInformation.getIdpurlprefix()); + if (idp == null) { + Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix() + + "is not loadable."); + throw new MOAIDException("auth.32", new Object[]{nextIDPInformation.getIdpurlprefix()}); + + } + + //check if next IDP config allows inbound messages + if (!idp.isInboundSSOInterfederationAllowed()) { + Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix() + + "disallow inbound authentication messages."); + throw new MOAIDException("auth.33", new Object[]{nextIDPInformation.getIdpurlprefix()}); + + } + + //check next IDP service area policy. BusinessService IDPs can only request wbPKs + if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) { + Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() + + " has a BusinessService-IDP but requests PublicService attributes."); + throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()}); + + } + + //validation complete --> start AttributeQuery Request + getAuthDataFromInterfederation(authdata, reqAttributes, nextIDPInformation, idp); + + } else { + Logger.debug("Build authData for AttributQuery from local MOASession."); + buildAuthDataFormMOASession(authdata, session, spConfig, pendingReq); } - - + return authdata; - - } catch (DynamicOABuildException e) { - //TODO: - + + } catch (MOAIDException e) { + throw e; } } private void getAuthDataFromInterfederation( - AuthenticationData authdata, AuthenticationSession session, - IOAAuthParameters oaParam, IRequest req, - InterfederationSessionStore interfIDP, OAAuthParameter idp, List reqQueryAttr) throws BuildException, ConfigurationException{ + AuthenticationData authdata, List reqQueryAttr, + InterfederationSessionStore nextIDPInfo, OAAuthParameter nextIDPConfig ) throws MOAIDException{ + String idpEnityID = nextIDPConfig.getPublicURLPrefix(); + AssertionAttributeExtractor extractor; try { - List attributs = null; - - //IDP is a chained interfederated IDP and request is of type AttributQuery - if (oaParam.isInderfederationIDP() && req instanceof PVPTargetConfiguration && - (((PVPTargetConfiguration)req).getRequest() instanceof AttributeQuery) && - reqQueryAttr != null) { - attributs = reqQueryAttr; - - //IDP is a service provider IDP and request interfederated IDP to collect attributes - } else { - //get PVP 2.1 attributes from protocol specific requested attributes - attributs = (List) req.getGenericData(RequestImpl.DATAID_REQUESTED_ATTRIBUTES); + Logger.debug("Starting AttributeQuery process ..."); + //collect attributes by using BackChannel communication + String endpoint = nextIDPConfig.getIDPAttributQueryServiceURL(); + if (MiscUtil.isEmpty(endpoint)) { + Logger.error("No AttributeQueryURL for interfederationIDP " + idpEnityID); + throw new ConfigurationException("config.26", new Object[]{idpEnityID}); } - - //get SAML2 Response from federated IDP - Response intfResp = - (Response) req.getGenericData( - RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, MOAResponse.class).getResponse(); - - //initialize Attribute extractor - AssertionAttributeExtractor extractor = new AssertionAttributeExtractor(intfResp); - - //check if SAML2 Assertion contains already all required attributes - if (!extractor.containsAllRequiredAttributes()) { - Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ..."); - //collect attributes by using BackChannel communication - String endpoint = idp.getIDPAttributQueryServiceURL(); - if (MiscUtil.isEmpty(endpoint)) { - Logger.error("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix()); - throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idp.getPublicURLPrefix(), null); - } - //build attributQuery request - AttributeQuery query = - attributQueryBuilder.buildAttributQueryRequest(interfIDP.getUserNameID(), endpoint, attributs); + //build attributQuery request + AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(nextIDPInfo.getUserNameID(), endpoint, reqQueryAttr); - //build SOAP request - List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); + //build SOAP request + List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); + + if (xmlObjects.size() == 0) { + Logger.error("Receive emptry AttributeQuery response-body."); + throw new AttributQueryException("auth.27", + new Object[]{idpEnityID, "Receive emptry AttributeQuery response-body."}); - if (xmlObjects.size() == 0) { - Logger.error("Receive emptry AttributeQuery response-body."); - throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); - - } + } + + Response intfResp; + if (xmlObjects.get(0) instanceof Response) { + intfResp = (Response) xmlObjects.get(0); - if (xmlObjects.get(0) instanceof Response) { - intfResp = (Response) xmlObjects.get(0); - - //validate PVP 2.1 response - try { - samlVerificationEngine.verifyIDPResponse(intfResp, TrustEngineFactory.getSignatureKnownKeysTrustEngine()); - - //TODO: find better solution - //SAMLVerificationEngine.validateAssertion(intfResp, false); - - } catch (Exception e) { - Logger.warn("PVP 2.1 assertion validation FAILED.", e); - throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); + //validate PVP 2.1 response + try { + samlVerificationEngine.verifyIDPResponse(intfResp, + TrustEngineFactory.getSignatureKnownKeysTrustEngine( + MOAMetadataProvider.getInstance())); + + //create assertion attribute extractor from AttributeQuery response + extractor = new AssertionAttributeExtractor(intfResp); + + //copy attributes into authData object + Set includedAttrNames = extractor.getAllIncludeAttributeNames(); + for (String el : includedAttrNames) { + authdata.setGenericData(el, extractor.getSingleAttributeValue(el)); + Logger.debug("Add PVP-attribute " + el + " into authData objext"); + } - - } else { - Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); - throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); - + + + } catch (Exception e) { + Logger.warn("PVP 2.1 assertion validation FAILED.", e); + throw new AssertionValidationExeption("auth.27", + new Object[]{idpEnityID, e.getMessage()}, e); } - - //create assertion attribute extractor from AttributeQuery response - extractor = new AssertionAttributeExtractor(intfResp); - + } else { - Logger.info("Interfedation response include all attributes with are required. Skip AttributQuery request step. "); + Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); + throw new AttributQueryException("auth.27", + new Object[]{idpEnityID, "Receive AttributeQuery response-body include no PVP 2.1 response"}); + + } + + try { + //mark attribute request as used + if (nextIDPInfo.isStoreSSOInformation()) { + nextIDPInfo.setAttributesRequested(true); + MOASessionDBUtils.saveOrUpdate(nextIDPInfo); + + //delete federated IDP from Session + } else { + MOASessionDBUtils.delete(nextIDPInfo); + + } + + } catch (MOADatabaseException e) { + Logger.error("MOASession interfederation information can not stored to database.", e); } - //parse response information to authData - buildAuthDataFormInterfederationResponse(authdata, session, extractor, oaParam, req); - + } catch (SOAPException e) { throw new BuildException("builder.06", null, e); } catch (SecurityException e) { throw new BuildException("builder.06", null, e); - - } catch (AttributQueryException e) { - throw new BuildException("builder.06", null, e); - - } catch (BuildException e) { - throw new BuildException("builder.06", null, e); - - } catch (AssertionValidationExeption e) { - throw new BuildException("builder.06", null, e); - - } catch (AssertionAttributeExtractorExeption e) { - throw new BuildException("builder.06", null, e); + + } catch (org.opensaml.xml.security.SecurityException e1) { + throw new BuildException("builder.06", null, e1); } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java index ab43f2f79..8c0de1121 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/DynamicOAAuthParameterBuilder.java @@ -38,6 +38,7 @@ import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -45,65 +46,35 @@ import at.gv.egovernment.moa.util.Constants; */ public class DynamicOAAuthParameterBuilder { - public static IOAAuthParameters buildFromAttributeQuery(OAAuthParameter oa, List reqAttributes, InterfederationSessionStore interfIDP) throws DynamicOABuildException { + public static IOAAuthParameters buildFromAttributeQuery(List reqAttributes) throws DynamicOABuildException { Logger.debug("Build dynamic OAConfiguration from AttributeQuery and interfederation information"); - try { - DynamicOAAuthParameters dynamicOA = new DynamicOAAuthParameters(); - - for (Attribute attr : reqAttributes) { - //get Target or BusinessService from request - if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { - String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent(); - if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) { - dynamicOA.setBusinessService(false); - dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length())); - - } else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) || - attrValue.startsWith(Constants.URN_PREFIX_STORK) ) { - dynamicOA.setBusinessService(true); - dynamicOA.setTarget(attrValue); - - } else { - Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea"); - throw new DynamicOABuildException("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea", null); - - } - - } + DynamicOAAuthParameters dynamicOA = new DynamicOAAuthParameters(); - } - - if (interfIDP != null) { - //load interfederated IDP informations - OAAuthParameter idp = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(interfIDP.getIdpurlprefix()); - if (idp == null) { - Logger.warn("Interfederated IDP configuration is not loadable."); - throw new DynamicOABuildException("Interfederated IDP configuration is not loadable.", null); + for (Attribute attr : reqAttributes) { + //get Target or BusinessService from request + if (attr.getName().equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { + String attrValue = attr.getAttributeValues().get(0).getDOM().getTextContent(); + if (attrValue.startsWith(Constants.URN_PREFIX_CDID)) { + dynamicOA.setBusinessService(false); + dynamicOA.setTarget(attrValue.substring((Constants.URN_PREFIX_CDID + "+").length())); + + } else if( attrValue.startsWith(Constants.URN_PREFIX_WBPK) || + attrValue.startsWith(Constants.URN_PREFIX_STORK) ) { + dynamicOA.setBusinessService(true); + dynamicOA.setTarget(attrValue); + + } else { + Logger.error("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea"); + throw new DynamicOABuildException("Sector identification " + attrValue + " is not a valid Target or BusinessServiceArea", null); } - - dynamicOA.setApplicationID(idp.getPublicURLPrefix()); - dynamicOA.setInderfederatedIDP(idp.isInderfederationIDP()); - dynamicOA.setIDPQueryURL(idp.getIDPAttributQueryServiceURL()); - //check if IDP service area policy. BusinessService IDPs can only request wbPKs - if (!dynamicOA.getBusinessService() && !idp.isIDPPublicService()) { - Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() - + " has a BusinessService-IDP but requests PublicService attributes."); - throw new DynamicOABuildException("Interfederated IDP " + idp.getPublicURLPrefix() - + " has a BusinessService-IDP but requests PublicService attributes.", null); - - } } - return dynamicOA; - - } catch (ConfigurationException e) { - Logger.warn("Internel server errror. Basic configuration load failed.", e); - throw new DynamicOABuildException("Basic configuration load failed.", null); - } + } + return dynamicOA; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java deleted file mode 100644 index 9af247714..000000000 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/FederatedAuthenticatenContainer.java +++ /dev/null @@ -1,125 +0,0 @@ -/* - * Copyright 2014 Federal Chancellery Austria - * MOA-ID has been developed in a cooperation between BRZ, the Federal - * Chancellery Austria - ICT staff unit, and Graz University of Technology. - * - * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by - * the European Commission - subsequent versions of the EUPL (the "Licence"); - * You may not use this work except in compliance with the Licence. - * You may obtain a copy of the Licence at: - * http://www.osor.eu/eupl/ - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the Licence is distributed on an "AS IS" basis, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the Licence for the specific language governing permissions and - * limitations under the Licence. - * - * This product combines work with different licenses. See the "NOTICE" text - * file for details on the various modules and licenses. - * The "NOTICE" text file is part of the distribution. Any derivative works - * that you distribute must include a readable copy of the "NOTICE" text file. - */ -package at.gv.egovernment.moa.id.data; - -import java.io.Serializable; - -import at.gv.egovernment.moa.id.util.Random; - -/** - * @author tlenz - * - */ -public class FederatedAuthenticatenContainer implements Serializable { - - /** - * - */ - private static final long serialVersionUID = 6075571915585105988L; - - private String id; - private String moaSessionID; - - private String idpEntityID; - private String userNameID; - private String userQAALevel; - - /** - * Build a new data-container for federated authentication with Attribute-Query - * - */ - public FederatedAuthenticatenContainer() { - this.id = Random.nextRandom(); - - } - - /** - * Get the identifier of this container - * - * @return the identifier of this container, but never null - */ - public String getId() { - return id; - } - - /** - * Get the MOASessionID, of the corresponding MOASession - * - * @return the moaSessionID, or null if no MOASession exists - */ - public String getMoaSessionID() { - return moaSessionID; - } - /** - * @param moaSessionID the moaSessionID to set - */ - public void setMoaSessionID(String moaSessionID) { - this.moaSessionID = moaSessionID; - } - /** - * Get the Entity of the federated IDP, which has the authentication data - * - * @return the idpEntityID, but never null - */ - public String getIdpEntityID() { - return idpEntityID; - } - /** - * @param idpEntityID the idpEntityID to set - */ - public void setIdpEntityID(String idpEntityID) { - this.idpEntityID = idpEntityID; - } - /** - * Get the SAML2 NameID of the user, which is used to identify the user on the federated IDP - * - * @return the SAML2 NameID, but never null - */ - public String getUserNameID() { - return userNameID; - } - /** - * @param userNameID the userNameID to set - */ - public void setUserNameID(String userNameID) { - this.userNameID = userNameID; - } - /** - * Get the SAML2 QAA-level, which should be send to the federated IDP - * - * @return the userQAALevel, but never null - */ - public String getUserQAALevel() { - return userQAALevel; - } - /** - * @param userQAALevel the userQAALevel to set - */ - public void setUserQAALevel(String userQAALevel) { - this.userQAALevel = userQAALevel; - } - - - - -} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index c733e662a..042eeeed8 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -41,8 +41,13 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; +import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; +import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; @@ -53,7 +58,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionB import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; +import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -62,9 +69,10 @@ import at.gv.egovernment.moa.logging.Logger; @Service("AttributQueryAction") public class AttributQueryAction implements IAction { - @Autowired IAuthenticationSessionStoreage authenticationSessionStorage; + @Autowired private IAuthenticationSessionStoreage authenticationSessionStorage; @Autowired private AuthenticationDataBuilder authDataBuilder; @Autowired private IDPCredentialProvider pvpCredentials; + @Autowired private ITransactionStorage transactionStorage; private final static List DEFAULTSTORKATTRIBUTES = Arrays.asList( new String[]{PVPConstants.EID_STORK_TOKEN_NAME}); @@ -90,16 +98,22 @@ public class AttributQueryAction implements IAction { //set time reference DateTime date = new DateTime(); - //load session and request information - AuthenticationSession moaSession = - pendingReq.getGenericData(PVPTargetConfiguration.DATAID_MOASESSION, AuthenticationSession.class); - + //get Single Sign-On information for the Service-Provider + // which sends the Attribute-Query request + AuthenticationSession moaSession = authenticationSessionStorage.getSession(pendingReq.getMOASessionIdentifier()); + if (moaSession == null) { + Logger.warn("No MOASession with ID:" + pendingReq.getMOASessionIdentifier() + " FOUND."); + throw new MOAIDException("auth.02", new Object[]{pendingReq.getMOASessionIdentifier()}); + } + + InterfederationSessionStore nextIDPInformation = + authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSessionID()); + AttributeQuery attrQuery = (AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest(); - - + //generate authData for AttributQueryRequest - authData = authDataBuilder.buildAuthenticationDataForAttributQuery(pendingReq, moaSession, attrQuery.getAttributes()); + authData = authDataBuilder.buildAuthenticationDataForAttributQuery(pendingReq, moaSession, attrQuery.getAttributes(), nextIDPInformation); //add default attributes in case of mandates or STORK is in use diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 57c1aa8af..4dbc35041 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -593,23 +593,14 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { AuthenticationSession session = authenticatedSessionStorage.getSessionWithUserNameID(nameID); if (session == null) { Logger.warn("AttributeQuery nameID does not match to an active single sign-on session."); - throw new AttributQueryException("AttributeQuery nameID does not match to an active single sign-on session.", null); + throw new AttributQueryException("auth.31", null); } - //search federated IDP information for this MOASession - - - InterfederationSessionStore interfIDP = - authenticatedSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(session); - - //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration - IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(oa, attrQuery.getAttributes(), interfIDP); - //set preProcessed information into pending-request pendingReq.setRequest(moaRequest); pendingReq.setOAURL(moaRequest.getEntityID()); - pendingReq.setOnlineApplicationConfiguration(spConfig); + pendingReq.setOnlineApplicationConfiguration(oa); pendingReq.setBinding(SAMLConstants.SAML2_SOAP11_BINDING_URI); //Attribute-Query Request needs authentication, because session MUST be already authenticated @@ -619,8 +610,8 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { pendingReq.setAction(AttributQueryAction.class.getName()); //add moasession - pendingReq.setGenericDataToSession(PVPTargetConfiguration.DATAID_MOASESSION, session); - + pendingReq.setMOASessionIdentifier(session.getSessionID()); + //write revisionslog entry revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROTOCOL_PVP_REQUEST_ATTRIBUTQUERY); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index a8e02c317..b8ced1198 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -46,11 +46,9 @@ import at.gv.egovernment.moa.logging.Logger; @Scope(value = BeanDefinition.SCOPE_PROTOTYPE) public class PVPTargetConfiguration extends RequestImpl { - public static final String DATAID_MOASESSION = "moasession"; public static final String DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP = "useMinimalFrontChannelResponse"; public static final String DATAID_INTERFEDERATION_NAMEID = "federatedNameID"; public static final String DATAID_INTERFEDERATION_QAALEVEL = "federatedQAALevel"; - public static final String DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID = "attrQueryContainerID"; private static final long serialVersionUID = 4889919265919638188L; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java index c190ad779..316ca2177 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java @@ -832,9 +832,9 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } @Override - public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(AuthenticationSession moaSession) { - MiscUtil.assertNotNull(moaSession, "MOASession"); - Logger.trace("Get interfederated IDP for AttributeQuery with sessionID " + moaSession.getSessionID() + " from database."); + public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(String moaSessionID) { + MiscUtil.assertNotNull(moaSessionID, "MOASessionID"); + Logger.trace("Get interfederated IDP for AttributeQuery with sessionID " + moaSessionID + " from database."); Session session = MOASessionDBUtils.getCurrentSession(); List result; @@ -843,7 +843,7 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt synchronized (session) { tx = session.beginTransaction(); Query query = session.getNamedQuery("getInterfederatedIDPForAttributeQueryWithSessionID"); - query.setParameter("sessionID", moaSession.getSessionID()); + query.setParameter("sessionID", moaSessionID); result = query.list(); //send transaction diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java index aaa54fbb9..666511425 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/IAuthenticationSessionStoreage.java @@ -253,10 +253,10 @@ public interface IAuthenticationSessionStoreage { /** * Search an active federation IDP which could be used for federated Single Sign-On by using an AttributeQuery * - * @param moaSession MOASession data object + * @param moaSessionID ID of a active MOASession * @return Information of the federated IDP, or null if no active federated IDP is found */ - public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(AuthenticationSession moaSession); + public InterfederationSessionStore searchInterfederatedIDPFORAttributeQueryWithSessionID(String moaSessionID); /** * Remove an active federation IDP from MOASession diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index a94b90931..cf2e9d6d5 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -44,10 +44,14 @@ auth.23=Das BKU-Selektion Template entspricht nicht der Spezifikation von MOA-ID auth.24=Das Send-Assertion Template entspricht nicht der Spezifikation von MOA-ID 2.x. auth.25=Fehler beim validieren der SZR-Gateway Response. auth.26=SessionID unbekannt. -auth.27=Federated authentication FAILED! Assertion from {0} IDP is not valid. +auth.27=Federated authentication FAILED! Assertion from {0} IDP is not valid. (Msg:{1}) auth.28=Transaktion {0} kann nicht weitergef\u00FChrt werden. Wahrscheinlich wurde ein TimeOut erreicht. auth.29=Federated authentication FAILED! Can not build authentication request for IDP {0} auth.30=No valid Single Sign-On session found. Authentication process is aborted. +auth.31=Federated authentication FAILED. No information for AttributeQuery, maybe a timeout occures. +auth.32=Federated authentication FAILED. No configuration for IDP {0} +auth.33=Federated authentication FAILED. Configuration of IDP {0} does not allow inbound messages. +auth.34=Federated authentication FAILED. Configuration of IDP {0} is marked as BusinessService-IDP, but Public-Service attributes are requested. init.00=MOA ID Authentisierung wurde erfolgreich gestartet init.01=Fehler beim Aktivieren des IAIK-JCE/JSSE/JDK1.3 Workaround\: SSL ist m\u00F6glicherweise nicht verf\u00FCgbar @@ -82,6 +86,7 @@ config.22=F\u00FCr den Interfederation-Gateway mit der ID {0} ist kein Endpunkt config.23=Fehler beim initialisieren von OpenSAML config.24=MOA-ID-Auth Configfile {1} does not start with {0} prefix. config.25=Der verwendete IDP PublicURLPrefix {0} ist nicht erlaubt. +config.26=Federated IDP {0} contains no AttributeQuery URL. parser.00=Leichter Fehler beim Parsen: {0} parser.01=Fehler beim Parsen: {0} diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index 4e36e2cbf..2aed7d47d 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -28,6 +28,10 @@ auth.27=4401 auth.28=1100 auth.29=4401 auth.30=1110 +auth.31=TODO +auth.32=TODO +auth.33=TODO +auth.34=TODO init.00=9199 init.01=9199 @@ -62,6 +66,7 @@ config.22=9008 config.23=9199 config.24=9199 config.25=9199 +config.26=TODO parser.00=1101 parser.01=1101 diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java index d87109244..a07a87c2b 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -171,31 +171,10 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, extractor.getNameID()); pendingReq.setGenericDataToSession( PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, extractor.getQAALevel()); - - //build data-container for AttributeQuery - FederatedAuthenticatenContainer container = new FederatedAuthenticatenContainer(); - container.setIdpEntityID(idpConfig.getPublicURLPrefix()); - container.setUserNameID(extractor.getNameID()); - container.setUserQAALevel(extractor.getQAALevel()); - - if (idpConfig.isInterfederationSSOStorageAllowed()) { - //open SSO session and store IDP as federated IDP - container.setMoaSessionID(moasession.getSessionID()); - - //store federatedIDP to MOASession - authenticatedSessionStorage. - addFederatedSessionInformation(pendingReq, - idpConfig.getPublicURLPrefix(), extractor); - - } - - //store container into transaction storage - transactionStorage.put(container.getId(), container); - - //store container ID to pending-request - pendingReq.setGenericDataToSession( - PVPTargetConfiguration.DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID, - container.getId()); + + authenticatedSessionStorage. + addFederatedSessionInformation(pendingReq, + idpConfig.getPublicURLPrefix(), extractor); } else { //SP is real Service-Provider --> check attributes in response @@ -204,12 +183,18 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //get authenticationData and store it into MOASession getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(), idpConfig); + + //store federatedIDP to MOASession + if (idpConfig.isInterfederationSSOStorageAllowed()) + authenticatedSessionStorage. + addFederatedSessionInformation(pendingReq, + idpConfig.getPublicURLPrefix(), extractor); //update MOASession authenticatedSessionStorage.storeSession(moasession); } - + //store valid assertion into pending-request pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); @@ -268,7 +253,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { String endpoint = idpConfig.getIDPAttributQueryServiceURL(); if (MiscUtil.isEmpty(endpoint)) { Logger.error("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix()); - throw new ConfigurationException("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix(), null); + throw new ConfigurationException("config.26", new Object[]{idpConfig.getPublicURLPrefix()}); } -- cgit v1.2.3 From b9937af42fdab6b85aa1121148bda474c70f5e75 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 8 Mar 2016 11:10:19 +0100 Subject: finish first beta-version of ELGA mandate-service client-module --- .../java/at/gv/egovernment/moa/util/Constants.java | 4 + id/server/auth/pom.xml | 11 +- id/server/idserverlib/pom.xml | 17 +- .../id/advancedlogging/MOAIDEventConstants.java | 6 +- .../moa/id/advancedlogging/StatisticLogger.java | 13 +- .../moa/id/auth/MOAIDAuthConstants.java | 4 + .../moa/id/auth/MOAIDAuthInitializer.java | 166 ++ .../id/auth/builder/AuthenticationDataBuilder.java | 1652 ++++++++++---------- .../moa/id/auth/builder/BPKBuilder.java | 97 +- .../AuthenticationSessionStorageConstants.java | 2 + .../StartAuthentificationParameterParser.java | 24 +- .../moa/id/data/AuthenticationData.java | 76 +- .../at/gv/egovernment/moa/id/data/IAuthData.java | 4 +- .../at/gv/egovernment/moa/id/data/MISMandate.java | 26 +- .../java/at/gv/egovernment/moa/id/data/Trible.java | 51 + .../moa/id/moduls/AuthenticationManager.java | 4 +- .../gv/egovernment/moa/id/moduls/RequestImpl.java | 5 +- .../attributes/BirthdateAttributeBuilder.java | 1 - .../protocols/builder/attributes/EIDSourcePIN.java | 1 - .../MandateFullMandateAttributeBuilder.java | 5 +- ...dateNaturalPersonGivenNameAttributeBuilder.java | 2 +- .../id/protocols/pvp2x/AttributQueryAction.java | 212 ++- .../id/protocols/pvp2x/AuthenticationAction.java | 15 +- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 22 +- .../moa/id/protocols/pvp2x/binding/IDecoder.java | 3 +- .../id/protocols/pvp2x/binding/PostBinding.java | 29 +- .../protocols/pvp2x/binding/RedirectBinding.java | 26 +- .../id/protocols/pvp2x/binding/SoapBinding.java | 3 +- .../pvp2x/builder/AuthResponseBuilder.java | 19 +- .../pvp2x/builder/PVPAttributeBuilder.java | 49 + .../pvp2x/builder/PVPAuthnRequestBuilder.java | 15 +- .../builder/assertion/PVP2AssertionBuilder.java | 167 +- .../IPVPAuthnRequestBuilderConfiguruation.java | 17 + .../protocols/pvp2x/config/PVPConfiguration.java | 21 +- .../metadata/IMOARefreshableMetadataProvider.java | 38 + .../pvp2x/metadata/MOAMetadataProvider.java | 3 +- .../pvp2x/utils/AssertionAttributeExtractor.java | 92 +- .../AbstractRequestSignedSecurityPolicyRule.java | 4 +- .../validation/MOAPVPSignedRequestPolicyRule.java | 17 +- .../pvp2x/verification/SAMLVerificationEngine.java | 129 +- .../verification/SAMLVerificationEngineSP.java | 161 ++ .../storage/DBAuthenticationSessionStoreage.java | 5 - .../resources/properties/id_messages_de.properties | 6 +- .../protocol_response_statuscodes_de.properties | 5 + .../id/commons/db/dao/session/OASessionStore.java | 24 +- .../internal/tasks/CertificateReadRequestTask.java | 2 +- .../tasks/InitializeBKUAuthenticationTask.java | 180 ++- .../internal/tasks/VerifyCertificateTask.java | 2 +- .../id/util/client/mis/simple/MISSimpleClient.java | 2 - .../internal/DefaultAuthentication.process.xml | 2 +- .../moa/id/auth/modules/eidas/Constants.java | 2 - .../eidas/tasks/ReceiveAuthnResponseTask.java | 4 + .../moa/id/protocols/eidas/EIDASProtocol.java | 3 +- .../eidas/eIDASAuthenticationRequest.java | 6 +- .../ELGAMandatesRequestBuilderConfiguration.java | 40 +- .../tasks/ELGAInitializeBKUAuthenticationTask.java | 107 ++ .../tasks/ReceiveElgaMandateResponseTask.java | 65 +- .../elgamandates/tasks/RequestELGAMandateTask.java | 15 +- .../utils/ELGAMandateServiceMetadataProvider.java | 5 +- .../DefaultAuth_with_ELGA_mandates.process.xml | 8 +- .../moaid_elga_mandate_client_auth.beans.xml | 4 + id/server/modules/moa-id-module-openID/pom.xml | 6 - .../data/SSOTransferAuthenticationData.java | 20 +- .../ssotransfer/utils/SSOContainerUtils.java | 4 +- .../src/test/java/at/gv/egiz/tests/Tests.java | 19 +- .../FederatedAuthnRequestBuilderConfiguration.java | 17 +- .../tasks/ReceiveAuthnResponseTask.java | 94 +- .../protocols/saml1/SAML1AuthenticationServer.java | 280 ++-- .../moa/id/protocols/saml1/SAML1Protocol.java | 11 +- .../moa/id/protocols/saml1/SAML1RequestImpl.java | 19 +- id/server/pom.xml | 5 +- pom.xml | 8 +- 72 files changed, 2527 insertions(+), 1656 deletions(-) create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/Trible.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/IMOARefreshableMetadataProvider.java create mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java create mode 100644 id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main') diff --git a/common/src/main/java/at/gv/egovernment/moa/util/Constants.java b/common/src/main/java/at/gv/egovernment/moa/util/Constants.java index 5d12691f8..5a5f4edac 100644 --- a/common/src/main/java/at/gv/egovernment/moa/util/Constants.java +++ b/common/src/main/java/at/gv/egovernment/moa/util/Constants.java @@ -443,6 +443,10 @@ public interface Constants { /** URN prefix for context dependent id (stork). */ public static final String URN_PREFIX_STORK = URN_PREFIX + ":storkid"; + + //TODO: update to eIDAS prefix + /** URN prefix for context dependent id (eIDAS). */ + public static final String URN_PREFIX_EIDAS = URN_PREFIX + ":storkid"; /** URN prefix for context dependent id. */ public static final String URN_PREFIX_BASEID = URN_PREFIX + ":baseid"; diff --git a/id/server/auth/pom.xml b/id/server/auth/pom.xml index e3e9ee4f0..e88692a14 100644 --- a/id/server/auth/pom.xml +++ b/id/server/auth/pom.xml @@ -128,6 +128,11 @@ + + MOA.id.server + moa-id-spring-initializer + + MOA.id.server.modules @@ -172,11 +177,13 @@ moa-id-modules-federated_authentication - + + + iaik.prod diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml index 770230bfc..8cf2603e1 100644 --- a/id/server/idserverlib/pom.xml +++ b/id/server/idserverlib/pom.xml @@ -33,17 +33,12 @@ 6.1.1 test - + + + com.google.guava + guava + 19.0 + at.gv.egiz.components diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAIDEventConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAIDEventConstants.java index d5d0a3ab1..eccd63e3d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAIDEventConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/MOAIDEventConstants.java @@ -81,7 +81,7 @@ public interface MOAIDEventConstants extends EventConstants { public static final int AUTHPROCESS_PEPS_REQUESTED = 4400; public static final int AUTHPROCESS_PEPS_RECEIVED = 4401; public static final int AUTHPROCESS_PEPS_IDL_RECEIVED = 4402; - + //person information public static final int PERSONAL_INFORMATION_PROF_REPRESENTATIVE_BPK = 5000; public static final int PERSONAL_INFORMATION_PROF_REPRESENTATIVE = 5001; @@ -92,6 +92,10 @@ public interface MOAIDEventConstants extends EventConstants { public static final int PERSONAL_INFORMATION_MANDATE_MANDATOR_HASH = 5102; public static final int PERSONAL_INFORMATION_MANDATE_MANDATOR_BASEID = 5103; + //Attribute Provider [6000 --> 7900] + public static final int AUTHPROCESS_ELGA_MANDATE_SERVICE_REQUESTED = 6000; + public static final int AUTHPROCESS_ELGA_MANDATE_RECEIVED = 6001; + public static final int AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED = 6002; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java index 87b3bc9ca..8efdf6014 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/advancedlogging/StatisticLogger.java @@ -54,6 +54,7 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.MISMandate; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -106,12 +107,14 @@ public class StatisticLogger { boolean isbusinessservice = isBusinessService(dbOA); dblog.setBusinessservice(isbusinessservice); dblog.setOatarget(authData.getBPKType()); - - dblog.setInterfederatedSSOSession(authData.isInterfederatedSSOSession()); + + + boolean isFederatedAuthentication = protocolRequest.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE) != null; + dblog.setInterfederatedSSOSession(isFederatedAuthentication); - if (authData.isInterfederatedSSOSession()) { + if (isFederatedAuthentication) { dblog.setBkutype(IOAAuthParameters.INDERFEDERATEDIDP); - dblog.setBkuurl(authData.getInterfederatedIDP()); + dblog.setBkuurl(protocolRequest.getGenericData(RequestImpl.DATAID_INTERFEDERATIOIDP_ENTITYID, String.class)); } else { dblog.setBkuurl(authData.getBkuURL()); @@ -252,7 +255,7 @@ public class StatisticLogger { dblog.setBkutype(findBKUType(moasession.getBkuURL(), dbOA)); } - dblog.setMandatelogin(moasession.getUseMandate()); + dblog.setMandatelogin(moasession.isMandateUsed()); } } catch (MOADatabaseException e) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java index c7ef73b47..27c87ccbf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java @@ -25,6 +25,8 @@ public class MOAIDAuthConstants extends MOAIDConstants{ public static final String PARAM_TARGET = "Target"; /** servlet parameter "useMandate" */ public static final String PARAM_USEMANDATE = "useMandate"; + public static final String PARAM_USEMISMANDATE = "useMISMandate"; + public static final String PARAM_USEELGAMANDATE = "useELGAMandate"; /** servlet parameter "OA" */ public static final String PARAM_OA = "OA"; /** servlet parameter "bkuURI" */ @@ -166,6 +168,8 @@ public class MOAIDAuthConstants extends MOAIDConstants{ } }); + public static final String COUNTRYCODE_AUSTRIA = "AT"; + public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$"; public static final String MDC_TRANSACTION_ID = "transactionId"; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java new file mode 100644 index 000000000..458f9afe6 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthInitializer.java @@ -0,0 +1,166 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth; + +import java.io.IOException; +import java.security.GeneralSecurityException; +import java.security.Provider; +import java.security.Security; + +import javax.activation.CommandMap; +import javax.activation.MailcapCommandMap; + +import org.springframework.web.context.support.GenericWebApplicationContext; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; +import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector; +import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.util.Random; +import at.gv.egovernment.moa.id.util.SSLUtils; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.logging.LoggingContext; +import at.gv.egovernment.moa.logging.LoggingContextManager; +import at.gv.egovernment.moa.spss.server.config.ConfigurationProvider; +import at.gv.egovernment.moa.spss.server.iaik.config.IaikConfigurator; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; +import iaik.pki.PKIException; +import iaik.security.ecc.provider.ECCProvider; +import iaik.security.provider.IAIK; + +/** + * @author tlenz + * + */ +public class MOAIDAuthInitializer { + + /** + * Initializes the web application components which need initialization: + * logging, JSSE, MOA-ID Auth configuration, Axis, session cleaner. + * @param rootContext + */ + public static void initialize(GenericWebApplicationContext rootContext) throws ConfigurationException, + PKIException, IOException, GeneralSecurityException { + Logger.setHierarchy("moa.id.auth"); + Logger.info("Default java file.encoding: " + + System.getProperty("file.encoding")); + + + //JDK bug workaround according to: + // http://jce.iaik.tugraz.at/products/03_cms/faq/index.php#JarVerifier + // register content data handlers for S/MIME types + MailcapCommandMap mc = new MailcapCommandMap(); + CommandMap.setDefaultCommandMap(mc); + + if (MiscUtil.isEmpty(System.getProperty("https.cipherSuites"))) + System.setProperty( + "https.cipherSuites", + "TLS_DH_anon_WITH_AES_128_CBC_SHA" + + ",TLS_DHE_RSA_WITH_AES_128_CBC_SHA" + + ",TLS_DHE_DSS_WITH_AES_128_CBC_SHA" + + ",TLS_RSA_WITH_AES_128_CBC_SHA" + + ",TLS_RSA_WITH_AES_256_CBC_SHA" + + ",SSL_DH_anon_WITH_3DES_EDE_CBC_SHA" + + ",SSL_RSA_WITH_3DES_EDE_CBC_SHA" + ); + + + + // load some jsse classes so that the integrity of the jars can be + // verified + // before the iaik jce is installed as the security provider + // this workaround is only needed when sun jsse is used in conjunction + // with + // iaik-jce (on jdk1.3) + ClassLoader cl = MOAIDAuthInitializer.class.getClassLoader(); + try { + cl.loadClass("javax.security.cert.Certificate"); // from jcert.jar + } catch (ClassNotFoundException e) { + Logger.warn(MOAIDMessageProvider.getInstance().getMessage( + "init.01", null), e); + } + + Logger.info("Loading Java security providers."); + IAIK.addAsProvider(); + ECCProvider.addAsProvider(); + + // Initializes SSLSocketFactory store + SSLUtils.initialize(); + + // Initializes Namespace Map + Constants.nSMap.put(Constants.SAML_PREFIX, Constants.SAML_NS_URI); + Constants.nSMap.put(Constants.ECDSA_PREFIX, + "http://www.w3.org/2001/04/xmldsig-more#"); + Constants.nSMap.put(Constants.DSIG_PREFIX, Constants.DSIG_NS_URI); + + //seed the random number generator + Random.seedRandom(); + Logger.debug("Random-number generator is seeded."); + + // Initialize configuration provider + AuthConfiguration authConf = AuthConfigurationProviderFactory.reload(rootContext); + + //test, if MOA-ID is already configured + authConf.getPublicURLPrefix(); + + + // Initialize MOA-SP + //MOA-SP is only use by API calls since MOA-ID 3.0.0 + try { + LoggingContextManager.getInstance().setLoggingContext( + new LoggingContext("startup")); + ConfigurationProvider config = ConfigurationProvider + .getInstance(); + new IaikConfigurator().configure(config); + + } catch (at.gv.egovernment.moa.spss.server.config.ConfigurationException ex) { + throw new ConfigurationException("config.10", new Object[] { ex + .toString() }, ex); + + } + + + //IAIK.addAsProvider(); + //ECCProvider.addAsProvider(); + + Security.insertProviderAt(IAIK.getInstance(), 0); + Security.addProvider(new ECCProvider()); + + if (Logger.isDebugEnabled()) { + Logger.debug("Loaded Security Provider:"); + Provider[] providerList = Security.getProviders(); + for (int i=0; i reqAttributes, InterfederationSessionStore nextIDPInformation) throws MOAIDException { - AuthenticationData authdata = new AuthenticationData(); + + public IAuthData buildAuthenticationData(IRequest pendingReq, + AuthenticationSession session) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { + return buildAuthenticationData(pendingReq, session, pendingReq.getOnlineApplicationConfiguration()); + } + + public IAuthData buildAuthenticationData(IRequest pendingReq, + AuthenticationSession session, IOAAuthParameters oaParam) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { + AuthenticationData authdata = null; + + //only needed for SAML1 legacy support try { - //mark AttributeQuery as used if it exists - OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, pendingReq.getOAURL(), pendingReq.requestedModule()); - if (activeOA != null) { - //reuse some parameters if it is a Service-Provider reauthentication - authdata.setSessionIndex(activeOA.getAssertionSessionID()); - authdata.setNameID(activeOA.getUserNameID()); - authdata.setNameIDFormat(activeOA.getUserNameIDFormat()); - - //mark - if ( pendingReq instanceof PVPTargetConfiguration && - ((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest && - ((PVPTargetConfiguration) pendingReq).getRequest().getInboundMessage() instanceof AttributeQuery) { - try { - activeOA.setAttributeQueryUsed(true); - MOASessionDBUtils.saveOrUpdate(activeOA); - - } catch (MOADatabaseException e) { - Logger.error("MOASession interfederation information can not stored to database.", e); + //check if SAML1 authentication module is in Classpath + Class saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); + IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance(); + if (saml1RequstTemplate != null && + saml1RequstTemplate.isInstance(pendingReq)) { + //request is SAML1 --> invoke SAML1 protocol specific methods + if (session.getExtendedSAMLAttributesOA() == null) { + saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, new ArrayList()); - } + } else { + saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, session.getExtendedSAMLAttributesOA()); } + + authdata = (AuthenticationData) saml1authdata; + + } else { + authdata = new AuthenticationData(); + } + + } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) { + authdata = new AuthenticationData(); - //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration - IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes); - - //search federated IDP information for this MOASession - if (nextIDPInformation != null) { - Logger.info("Find active federated IDP information." - + ". --> Request next IDP:" + nextIDPInformation.getIdpurlprefix() - + " for authentication information."); - - //load configuration of next IDP - OAAuthParameter idp = authConfig.getOnlineApplicationParameter(nextIDPInformation.getIdpurlprefix()); - if (idp == null) { - Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix() - + "is not loadable."); - throw new MOAIDException("auth.32", new Object[]{nextIDPInformation.getIdpurlprefix()}); - - } - - //check if next IDP config allows inbound messages - if (!idp.isInboundSSOInterfederationAllowed()) { - Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix() - + "disallow inbound authentication messages."); - throw new MOAIDException("auth.33", new Object[]{nextIDPInformation.getIdpurlprefix()}); - - } - - //check next IDP service area policy. BusinessService IDPs can only request wbPKs - if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) { - Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() - + " has a BusinessService-IDP but requests PublicService attributes."); - throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()}); - - } + } - //validation complete --> start AttributeQuery Request - getAuthDataFromInterfederation(authdata, reqAttributes, nextIDPInformation, idp); - - } else { - Logger.debug("Build authData for AttributQuery from local MOASession."); - buildAuthDataFormMOASession(authdata, session, spConfig, pendingReq); + OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, pendingReq.getOAURL(), pendingReq.requestedModule()); + //reuse authentication information in case of service-provider reauthentication + if (activeOA != null) { + authdata.setSessionIndex(activeOA.getAssertionSessionID()); + authdata.setNameID(activeOA.getUserNameID()); + authdata.setNameIDFormat(activeOA.getUserNameIDFormat()); + + } + + //TODO: move to eIDAS-Code in case of ISA1.18 action is enabled for eIDAS + //build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway + if (oaParam.isSTORKPVPGateway()) + oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, pendingReq); - } - - return authdata; + Boolean isMinimalFrontChannelResp = pendingReq.getGenericData( + PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, Boolean.class); + if (isMinimalFrontChannelResp != null && isMinimalFrontChannelResp) { + //only set minimal response attributes + authdata.setQAALevel( + pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, String.class)); + authdata.setBPK( + pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, String.class)); - } catch (MOAIDException e) { - throw e; + } else { + //build AuthenticationData from MOASession + buildAuthDataFormMOASession(authdata, session, oaParam, pendingReq); + } + + return authdata; } - - private void getAuthDataFromInterfederation( - AuthenticationData authdata, List reqQueryAttr, - InterfederationSessionStore nextIDPInfo, OAAuthParameter nextIDPConfig ) throws MOAIDException{ - String idpEnityID = nextIDPConfig.getPublicURLPrefix(); + /** + * Get PVP authentication attributes by using a SAML2 AttributeQuery + * + * @param reqQueryAttr List of PVP attributes which are requested + * @param userNameID SAML2 UserNameID of the user for which attributes are requested + * @param idpConfig Configuration of the IDP, which is requested + * @return + * @return PVP attribute DAO, which contains all received information + * @throws MOAIDException + */ + public AssertionAttributeExtractor getAuthDataFromAttributeQuery(List reqQueryAttr, + String userNameID, IOAAuthParameters idpConfig ) throws MOAIDException{ + String idpEnityID = idpConfig.getPublicURLPrefix(); - AssertionAttributeExtractor extractor; try { Logger.debug("Starting AttributeQuery process ..."); //collect attributes by using BackChannel communication - String endpoint = nextIDPConfig.getIDPAttributQueryServiceURL(); + String endpoint = idpConfig.getIDPAttributQueryServiceURL(); if (MiscUtil.isEmpty(endpoint)) { Logger.error("No AttributeQueryURL for interfederationIDP " + idpEnityID); throw new ConfigurationException("config.26", new Object[]{idpEnityID}); @@ -226,7 +202,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } //build attributQuery request - AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(nextIDPInfo.getUserNameID(), endpoint, reqQueryAttr); + AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(userNameID, endpoint, reqQueryAttr); //build SOAP request List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); @@ -249,17 +225,8 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { MOAMetadataProvider.getInstance())); //create assertion attribute extractor from AttributeQuery response - extractor = new AssertionAttributeExtractor(intfResp); - - //copy attributes into authData object - Set includedAttrNames = extractor.getAllIncludeAttributeNames(); - for (String el : includedAttrNames) { - authdata.setGenericData(el, extractor.getSingleAttributeValue(el)); - Logger.debug("Add PVP-attribute " + el + " into authData objext"); - - } - - + return new AssertionAttributeExtractor(intfResp); + } catch (Exception e) { Logger.warn("PVP 2.1 assertion validation FAILED.", e); throw new AssertionValidationExeption("auth.27", @@ -272,24 +239,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { new Object[]{idpEnityID, "Receive AttributeQuery response-body include no PVP 2.1 response"}); } - - try { - //mark attribute request as used - if (nextIDPInfo.isStoreSSOInformation()) { - nextIDPInfo.setAttributesRequested(true); - MOASessionDBUtils.saveOrUpdate(nextIDPInfo); - - //delete federated IDP from Session - } else { - MOASessionDBUtils.delete(nextIDPInfo); - - } - - } catch (MOADatabaseException e) { - Logger.error("MOASession interfederation information can not stored to database.", e); - - } - + } catch (SOAPException e) { throw new BuildException("builder.06", null, e); @@ -301,589 +251,588 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } } - - - public IAuthData buildAuthenticationData(IRequest pendingReq, - AuthenticationSession session) throws ConfigurationException, BuildException, WrongParametersException, DynamicOABuildException { - AuthenticationData authdata = null; - //only needed for SAML1 legacy support - try { - //check if SAML1 authentication module is in Classpath - Class saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); - IAuthData saml1authdata = (IAuthData) Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1AuthenticationData").newInstance(); - if (saml1RequstTemplate != null && - saml1RequstTemplate.isInstance(pendingReq)) { - //request is SAML1 --> invoke SAML1 protocol specific methods - if (session.getExtendedSAMLAttributesOA() == null) { - saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, new ArrayList()); + private void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session, + IOAAuthParameters oaParam, IRequest protocolRequest) throws BuildException, ConfigurationException { + + Collection includedToGenericAuthData = null; + if (session.getGenericSessionDataStorage() != null && + !session.getGenericSessionDataStorage().isEmpty()) + includedToGenericAuthData = session.getGenericSessionDataStorage().keySet(); + else + includedToGenericAuthData = new ArrayList(); + + try { + //#################################################### + //set general authData info's + authData.setIssuer(protocolRequest.getAuthURL()); + authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); + authData.setIsBusinessService(oaParam.getBusinessService()); + + + //#################################################### + //parse user info's from identityLink + IdentityLink idlFromPVPAttr = null; + IdentityLink identityLink = session.getIdentityLink(); + if (identityLink != null) { + parseBasicUserInfosFromIDL(authData, identityLink, includedToGenericAuthData); + + } else { + // identityLink is not direct in MOASession + String pvpAttrIDL = session.getGenericDataFromSession(PVPConstants.EID_IDENTITY_LINK_NAME, String.class); + //find PVP-Attr. which contains the IdentityLink + if (MiscUtil.isNotEmpty(pvpAttrIDL)) { + Logger.debug("Find PVP-Attr: " + PVPConstants.EID_IDENTITY_LINK_FRIENDLY_NAME + + " --> Parse basic user info's from that attribute."); + InputStream idlStream = null; + try { + idlStream = Base64Utils.decodeToStream(pvpAttrIDL, false); + idlFromPVPAttr = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); + parseBasicUserInfosFromIDL(authData, idlFromPVPAttr, includedToGenericAuthData); + + } catch (ParseException e) { + Logger.error("Received IdentityLink is not valid", e); + + } catch (Exception e) { + Logger.error("Received IdentityLink is not valid", e); + + } finally { + try { + includedToGenericAuthData.remove(PVPConstants.EID_IDENTITY_LINK_NAME); + if (idlStream != null) + idlStream.close(); + + } catch (IOException e) { + Logger.fatal("Close InputStream FAILED.", e); + + } + + } - } else { - saml1authdata.getClass().getMethod("setExtendedSAMLAttributesOA", List.class).invoke(saml1authdata, session.getExtendedSAMLAttributesOA()); } - authdata = (AuthenticationData) saml1authdata; - - } else { - authdata = new AuthenticationData(); - + //if no basic user info's are set yet, parse info's single PVP-Attributes + if (MiscUtil.isEmpty(authData.getFamilyName())) { + Logger.debug("No IdentityLink found or not parseable --> Parse basic user info's from single PVP-Attributes."); + authData.setFamilyName(session.getGenericDataFromSession(PVPConstants.PRINCIPAL_NAME_NAME, String.class)); + authData.setGivenName(session.getGenericDataFromSession(PVPConstants.GIVEN_NAME_NAME, String.class)); + authData.setDateOfBirth(session.getGenericDataFromSession(PVPConstants.BIRTHDATE_NAME, String.class)); + authData.setIdentificationValue(session.getGenericDataFromSession(PVPConstants.EID_SOURCE_PIN_NAME, String.class)); + authData.setIdentificationType(session.getGenericDataFromSession(PVPConstants.EID_SOURCE_PIN_TYPE_NAME, String.class)); + + //remove corresponding keys from genericSessionData if exists + includedToGenericAuthData.remove(PVPConstants.PRINCIPAL_NAME_NAME); + includedToGenericAuthData.remove(PVPConstants.GIVEN_NAME_NAME); + includedToGenericAuthData.remove(PVPConstants.BIRTHDATE_NAME); + includedToGenericAuthData.remove(PVPConstants.EID_SOURCE_PIN_NAME); + includedToGenericAuthData.remove(PVPConstants.EID_SOURCE_PIN_TYPE_NAME); + } + } - - } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | InvocationTargetException | NoSuchMethodException | java.lang.SecurityException ex) { - authdata = new AuthenticationData(); - } + if (authData.getIdentificationType() != null && + !authData.getIdentificationType().equals(Constants.URN_PREFIX_BASEID)) { + Logger.trace("IdentificationType is not a baseID --> clear it. "); + authData.setBPK(authData.getIdentificationValue()); + authData.setBPKType(authData.getIdentificationType()); - OASessionStore activeOA = authenticatedSessionStorage.searchActiveOASSOSession(session, pendingReq.getOAURL(), pendingReq.requestedModule()); - //reuse authentication information in case of service-provider reauthentication - if (activeOA != null) { - authdata.setSessionIndex(activeOA.getAssertionSessionID()); - authdata.setNameID(activeOA.getUserNameID()); - authdata.setNameIDFormat(activeOA.getUserNameIDFormat()); + authData.setIdentificationValue(null); + authData.setIdentificationType(null); + + } + + + //#################################################### + //set BKU URL + includedToGenericAuthData.remove(PVPConstants.EID_CCS_URL_NAME); + if (MiscUtil.isNotEmpty(session.getBkuURL())) + authData.setBkuURL(session.getBkuURL()); + else + authData.setBkuURL(session.getGenericDataFromSession(PVPConstants.EID_CCS_URL_NAME, String.class)); - } - - //get OnlineApplication from MOA-ID-Auth configuration - IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); - - //TODO: move to eIDAS-Code in case of ISA1.18 action is enabled for eIDAS - //build OA dynamically from STROK request if this OA is used as STORK<->PVP gateway - if (oaParam.isSTORKPVPGateway()) - oaParam = DynamicOAAuthParameterBuilder.buildFromAuthnRequest(oaParam, pendingReq); - - //check if minimal response is required - - //TODO check if really required - Boolean isMinimalFrontChannelResp = pendingReq.getGenericData( - PVPTargetConfiguration.DATAID_INTERFEDERATION_MINIMAL_FRONTCHANNEL_RESP, Boolean.class); - if (isMinimalFrontChannelResp != null && isMinimalFrontChannelResp) { - //only set minimal response attributes - authdata.setQAALevel( - pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_QAALEVEL, String.class)); - authdata.setBPK( - pendingReq.getGenericData(PVPTargetConfiguration.DATAID_INTERFEDERATION_NAMEID, String.class)); + + //#################################################### + //set QAA level + includedToGenericAuthData.remove(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME); + if (MiscUtil.isNotEmpty(session.getQAALevel())) + authData.setQAALevel(session.getQAALevel()); + + else { + String qaaLevel = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class); + if (MiscUtil.isNotEmpty(qaaLevel)) { + Logger.debug("Find PVP-Attr: " + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + + " --> Parse QAA-Level from that attribute."); - } else { - //build AuthenticationData from MOASession - buildAuthDataFormMOASession(authdata, session, oaParam, pendingReq); + if (qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) { + authData.setQAALevel(qaaLevel); + + } else { + Logger.debug("Found PVP QAA level. QAA mapping process starts ... "); + String mappedQAA = PVPtoSTORKMapper.getInstance().mapToQAALevel(qaaLevel); + if (MiscUtil.isNotEmpty(mappedQAA)) + authData.setQAALevel(mappedQAA); + + } + } + } - } - - return authdata; - } + //if no QAA level is set in MOASession then set default QAA level + if (MiscUtil.isEmpty(authData.getQAALevel())) { + Logger.info("No QAA level found. Set to default level " + PVPConstants.STORK_QAA_PREFIX + "1"); + authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + "1"); + + } - private void buildAuthDataFormInterfederationResponse( - AuthenticationData authData, - AuthenticationSession session, - AssertionAttributeExtractor extractor, - IOAAuthParameters oaParam, - IRequest req) - throws BuildException, AssertionAttributeExtractorExeption { - - Logger.debug("Build AuthData from assertion starts ...."); - - authData.setIsBusinessService(oaParam.getBusinessService()); - - authData.setFamilyName(extractor.getSingleAttributeValue(PVPConstants.PRINCIPAL_NAME_NAME)); - authData.setGivenName(extractor.getSingleAttributeValue(PVPConstants.GIVEN_NAME_NAME)); - authData.setDateOfBirth(extractor.getSingleAttributeValue(PVPConstants.BIRTHDATE_NAME)); - authData.setCcc(extractor.getSingleAttributeValue(PVPConstants.EID_ISSUING_NATION_NAME)); - authData.setBkuURL(extractor.getSingleAttributeValue(PVPConstants.EID_CCS_URL_NAME)); - authData.setIdentificationValue(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_NAME)); - authData.setIdentificationType(extractor.getSingleAttributeValue(PVPConstants.EID_SOURCE_PIN_TYPE_NAME)); - - - if (extractor.containsAttribute(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) { - String bpkType = extractor.getSingleAttributeValue(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME); - if (bpkType.startsWith(Constants.URN_PREFIX_CDID) && - !bpkType.substring(Constants.URN_PREFIX_CDID.length(), - Constants.URN_PREFIX_CDID.length() + 1).equals("+")) { - Logger.warn("Receive uncorrect encoded bBKType attribute " + bpkType + " Starting attribute value correction ... "); - bpkType = Constants.URN_PREFIX_CDID + "+" + bpkType.substring(Constants.URN_PREFIX_CDID.length() + 1); + + //#################################################### + //set signer certificate + includedToGenericAuthData.remove(PVPConstants.EID_SIGNER_CERTIFICATE_NAME); + if (session.getEncodedSignerCertificate() != null) + authData.setSignerCertificate(session.getEncodedSignerCertificate()); + + else { + String pvpAttrSignerCert = session.getGenericDataFromSession(PVPConstants.EID_SIGNER_CERTIFICATE_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpAttrSignerCert)) { + Logger.debug("Find PVP-Attr: " + PVPConstants.EID_SIGNER_CERTIFICATE_FRIENDLY_NAME); + try { + authData.setSignerCertificate(Base64Utils.decode(pvpAttrSignerCert, false)); + + } catch (IOException e) { + Logger.error("SignerCertificate received via federated IDP is NOT valid", e); + + } + } else + Logger.info("NO SignerCertificate in MOASession."); } - - authData.setBPKType(bpkType); - } - - if (extractor.containsAttribute(PVPConstants.BPK_NAME)) { - String pvpbPK = extractor.getSingleAttributeValue(PVPConstants.BPK_NAME); - if (pvpbPK.startsWith("bPK:")) { - Logger.warn("Attribute " + PVPConstants.BPK_NAME - + " contains a not standardize prefix! Staring attribute value correction process ..."); - pvpbPK = pvpbPK.substring("bPK:".length()); + + //#################################################### + //set authBlock + includedToGenericAuthData.remove(PVPConstants.EID_AUTH_BLOCK_NAME); + if (MiscUtil.isNotEmpty(session.getAuthBlock())) { + authData.setAuthBlock(session.getAuthBlock()); + + } else { + String pvpAttrAuthBlock = session.getGenericDataFromSession(PVPConstants.EID_AUTH_BLOCK_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpAttrAuthBlock)) { + Logger.debug("Find PVP-Attr: " + PVPConstants.EID_AUTH_BLOCK_FRIENDLY_NAME); + try { + byte[] authBlock = Base64Utils.decode(pvpAttrAuthBlock, false); + authData.setAuthBlock(new String(authBlock, "UTF-8")); + + } catch (IOException e) { + Logger.error("AuthBlock received via federated IDP is NOT valid", e); + + } + + } else + Logger.info("NO AuthBlock in MOASession."); } - String[] spitted = pvpbPK.split(":"); - authData.setBPK(spitted[1]); - if (MiscUtil.isEmpty(authData.getBPKType())) { - Logger.debug("PVP assertion contains NO bPK/wbPK target attribute. " + - "Starting target extraction from bPK/wbPK prefix ..."); - //exract bPK/wbPK type from bpk attribute value prefix if type is - //not transmitted as single attribute - Pattern pattern = Pattern.compile("[a-zA-Z]{2}(-[a-zA-Z]+)?"); - Matcher matcher = pattern.matcher(spitted[0]); - if (matcher.matches()) { - //find public service bPK - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + spitted[0]); - Logger.debug("Found bPK prefix. Set target to " + authData.getBPKType()); - - } else { - //find business service wbPK - authData.setBPKType(Constants.URN_PREFIX_WBPK+ "+" + spitted[0]); - Logger.debug("Found wbPK prefix. Set target to " + authData.getBPKType()); - - } + + //#################################################### + //set isForeigner flag + //TODO: change to new eIDAS-token attribute identifier + if (session.getGenericDataFromSession(PVPConstants.EID_STORK_TOKEN_NAME) != null) { + Logger.debug("Find PVP-Attr: " + PVPConstants.EID_STORK_TOKEN_FRIENDLY_NAME + + " --> Set 'isForeigner' flag to TRUE"); + authData.setForeigner(true); + + } else { + authData.setForeigner(session.isForeigner()); + } - } - - boolean foundEncryptedbPKForOA = false; - if (extractor.containsAttribute(PVPConstants.ENC_BPK_LIST_NAME)) { - List encbPKList = Arrays.asList( - extractor.getSingleAttributeValue(PVPConstants.ENC_BPK_LIST_NAME).split(";")); - authData.setEncbPKList(encbPKList); - for (String fullEncbPK : encbPKList) { - int index = fullEncbPK.indexOf("|"); - if (index >= 0) { - String encbPK = fullEncbPK.substring(index+1); - String second = fullEncbPK.substring(0, index); - int secIndex = second.indexOf("+"); - if (secIndex >= 0) { - if (oaParam.getTarget().equals(second.substring(secIndex+1))) { - Logger.debug("Found encrypted bPK for online-application " - + oaParam.getPublicURLPrefix() - + " Start decryption process ..."); - PrivateKey privKey = oaParam.getBPKDecBpkDecryptionKey(); - foundEncryptedbPKForOA = true; - if (privKey != null) { - try { - String bPK = BPKBuilder.decryptBPK(encbPK, oaParam.getTarget(), privKey); - if (MiscUtil.isNotEmpty(bPK)) { - if (MiscUtil.isEmpty(authData.getBPK())) { - authData.setBPK(bPK); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget()); - Logger.info("bPK decryption process finished successfully."); - } - - } else { - Logger.error("bPK decryption FAILED."); - + + + //#################################################### + //set citizen country-code + includedToGenericAuthData.remove(PVPConstants.EID_ISSUING_NATION_NAME); + String pvpCCCAttr = session.getGenericDataFromSession(PVPConstants.EID_ISSUING_NATION_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpCCCAttr)) { + authData.setCcc(pvpCCCAttr); + Logger.debug("Find PVP-Attr: " + PVPConstants.EID_ISSUING_NATION_FRIENDLY_NAME); + + } else { + if (authData.isForeigner()) { + try { + if (authData.getSignerCertificate() != null) { + //TODO: replace with TSL lookup when TSL is ready! + X509Certificate certificate = new X509Certificate(authData.getSignerCertificate()); + if (certificate != null) { + LdapName ln = new LdapName(certificate.getIssuerDN() + .getName()); + for (Rdn rdn : ln.getRdns()) { + if (rdn.getType().equalsIgnoreCase("C")) { + Logger.info("C is: " + rdn.getValue()); + authData.setCcc(rdn.getValue().toString()); + break; } - } catch (BuildException e) { - Logger.error("bPK decryption FAILED.", e); - } - - } else { - Logger.info("bPK decryption FAILED, because no valid decryption key is found."); - - } - - } else { - Logger.info("Found encrypted bPK but " + - "encrypted bPK target does not match to online-application target"); + } - } - } - } - } - } - - if (MiscUtil.isEmpty(authData.getIdentificationValue()) && - MiscUtil.isEmpty(authData.getBPK()) && - !foundEncryptedbPKForOA) { - Logger.info("Federated assertion include no bPK, encrypted bPK or baseID"); - throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME - + " or " + PVPConstants.EID_SOURCE_PIN_NAME - + " or " + PVPConstants.ENC_BPK_LIST_NAME); - - } - - //check if received bPK matchs to online application configuration - //and no encrypted bPK is found for this oa - if (!matchsReceivedbPKToOnlineApplication(oaParam, authData) - && !foundEncryptedbPKForOA) { - Logger.info("Received bPK/wbPK does not match to online application"); - - if (MiscUtil.isEmpty(authData.getIdentificationValue())) { - Logger.info("No baseID found. Connect SZR to reveive baseID ..."); - try { - EgovUtilPropertiesConfiguration eGovClientsConfig = authConfig.geteGovUtilsConfig(); - if (eGovClientsConfig != null) { - SZRClient szrclient = new SZRClient(eGovClientsConfig); + } else + Logger.warn("NO PVP-Attr: " + PVPConstants.EID_ISSUING_NATION_NAME + + " and NO SignerCertificate in MOASession -->" + + " Can NOT extract citizen-country of foreign person."); - Logger.debug("Create SZR request to get baseID ... "); - PersonInfoType personInfo = new PersonInfoType(); - at.gv.util.xsd.szr.persondata.PhysicalPersonType person = new at.gv.util.xsd.szr.persondata.PhysicalPersonType(); - personInfo.setPerson(person); - at.gv.util.xsd.szr.persondata.PersonNameType name = new at.gv.util.xsd.szr.persondata.PersonNameType(); - person.setName(name); - at.gv.util.xsd.szr.persondata.IdentificationType idValue = new at.gv.util.xsd.szr.persondata.IdentificationType(); - person.setIdentification(idValue); - //set bPK or wbPK - idValue.setValue(authData.getBPK()); - idValue.setType(authData.getBPKType()); - - //set person information - name.setGivenName(authData.getGivenName()); - name.setFamilyName(authData.getFamilyName()); - if (authData.getDateOfBirth() != null) - person.setDateOfBirth(authData.getFormatedDateOfBirth()); - - //request szr and store baseID - authData.setIdentificationValue(szrclient.getStammzahl(personInfo)); - authData.setIdentificationType(Constants.URN_PREFIX_BASEID); - - } else { - Logger.warn("No SZR clieht configuration found. Interfederation SSO login not possible."); - throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME - + " or " + PVPConstants.EID_SOURCE_PIN_NAME); + } catch (Exception e) { + Logger.error("Failed to extract country code from certificate with message: " + e.getMessage()); } - - } catch (EgovUtilException e) { - Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e); - throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME - + " or " + PVPConstants.EID_SOURCE_PIN_NAME); - - } catch (SZRException e) { - Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e); - throw new AssertionAttributeExtractorExeption("No " + PVPConstants.BPK_FRIENDLY_NAME - + " or " + PVPConstants.EID_SOURCE_PIN_NAME); + + } else { + authData.setCcc(COUNTRYCODE_AUSTRIA); - } + } } - //build OA specific bPK/wbPK information - buildOAspecificbPK(req, oaParam, authData, - authData.getIdentificationValue(), - authData.getIdentificationType()); - } - - if (MiscUtil.isEmpty(authData.getBPK())) { - Logger.debug("Calcutlate bPK from baseID"); - buildOAspecificbPK(req, oaParam, authData, - authData.getIdentificationValue(), - authData.getIdentificationType()); - - } - - - try { - String qaaLevel = extractor.getQAALevel(); - if (MiscUtil.isNotEmpty(qaaLevel) && - qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) { - authData.setQAALevel(qaaLevel); - - } else { - Logger.debug("Found PVP QAA level. QAA mapping process starts ... "); - String mappedQAA = PVPtoSTORKMapper.getInstance().mapToQAALevel(qaaLevel); - if (MiscUtil.isNotEmpty(mappedQAA)) - authData.setQAALevel(mappedQAA); + //#################################################### + //set max. SSO session time + includedToGenericAuthData.remove(AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO); + Date validToFromFederatedIDP = session.getGenericDataFromSession( + AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO, Date.class); + if (validToFromFederatedIDP != null) { + authData.setSsoSessionValidTo(validToFromFederatedIDP); + Logger.debug("Use idToken validTo periode from federated IDP response."); - else - throw new AssertionAttributeExtractorExeption("PVP SecClass not mappable"); + } else { + if (authData.isSsoSession()) { + long maxSSOSessionTime = authConfig.getSSOCreatedTimeOut() * 1000; + Date ssoSessionValidTo = new Date(session.getSessionCreated().getTime() + maxSSOSessionTime); + authData.setSsoSessionValidTo(ssoSessionValidTo); - } - - } catch (AssertionAttributeExtractorExeption e) { - Logger.warn("No QAA level found in element of interfederated assertion. " + - "(ErrorHeader=" + e.getMessage() + ")"); - if (extractor.containsAttribute(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) { - authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + - extractor.getSingleAttributeValue(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)); - - } else { - Logger.info("No QAA level found. Set to default level " + - PVPConstants.STORK_QAA_PREFIX + "1"); - authData.setQAALevel(PVPConstants.STORK_QAA_PREFIX + "1"); + } else { + //set valid to 5 min + Date ssoSessionValidTo = new Date(new Date().getTime() + 5 * 60 * 1000); + authData.setSsoSessionValidTo(ssoSessionValidTo); + } } - - } - - if (extractor.containsAttribute(PVPConstants.EID_AUTH_BLOCK_NAME)) { - try { - byte[] authBlock = Base64Utils.decode(extractor.getSingleAttributeValue(PVPConstants.EID_AUTH_BLOCK_NAME), false); - authData.setAuthBlock(new String(authBlock, "UTF-8")); - } catch (IOException e) { - Logger.error("Received AuthBlock is not valid", e); + //mandate functionality + MISMandate misMandate = null; + if (session.isMandateUsed()) { + //#################################################### + //set Mandate reference value + includedToGenericAuthData.remove(PVPConstants.MANDATE_REFERENCE_VALUE_NAME); + if (MiscUtil.isNotEmpty(session.getMandateReferenceValue())) + authData.setMandateReferenceValue(session.getMandateReferenceValue()); - } - } - - if (extractor.containsAttribute(PVPConstants.EID_SIGNER_CERTIFICATE_NAME)) { - try { - authData.setSignerCertificate(Base64Utils.decode( - extractor.getSingleAttributeValue(PVPConstants.EID_SIGNER_CERTIFICATE_NAME), false)); + else { + String pvpMandateRefAttr = session.getGenericDataFromSession(PVPConstants.MANDATE_REFERENCE_VALUE_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpMandateRefAttr)) { + authData.setMandateReferenceValue(pvpMandateRefAttr); + Logger.debug("Find PVP-Attr: " + PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME); + } + } - } catch (IOException e) { - Logger.error("Received SignerCertificate is not valid", e); - } - } + /* TODO: Support SSO Mandate MODE! + * Insert functionality to translate mandates in case of SSO + */ - if (extractor.containsAttribute(PVPConstants.EID_IDENTITY_LINK_NAME)) { - try { - InputStream idlStream = Base64Utils.decodeToStream(extractor.getSingleAttributeValue(PVPConstants.EID_IDENTITY_LINK_NAME), false); - IdentityLink idl = new IdentityLinkAssertionParser(idlStream).parseIdentityLink(); - idlStream.close(); - buildOAspecificIdentityLink(oaParam, authData, idl); + //#################################################### + //set Full-mandate + misMandate = session.getMISMandate(); + if (misMandate != null ) { + //set MIS mandate to authdata + authData.setMISMandate(misMandate); + authData.setUseMandate(session.isMandateUsed()); + + } else { + String pvpFullMandateAttr = session.getGenericDataFromSession( + PVPConstants.MANDATE_FULL_MANDATE_NAME, String.class); + //check if full-mandate is available as PVP attribute + if (MiscUtil.isNotEmpty(pvpFullMandateAttr)) { + Logger.debug("Find PVP-Attr: " + PVPConstants.MANDATE_FULL_MANDATE_FRIENDLY_NAME); + try { + byte[] mandate = Base64Utils.decode(pvpFullMandateAttr, false); + misMandate = new MISMandate(); + misMandate.setMandate(mandate); + + //read Organwalter OID + String pvpRepOIDAttr = session.getGenericDataFromSession(PVPConstants.MANDATE_PROF_REP_OID_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpRepOIDAttr)) { + misMandate.setProfRep(pvpRepOIDAttr); + Logger.debug("Find PVP-Attr: " + PVPConstants.MANDATE_PROF_REP_OID_NAME); - } catch (ParseException e) { - Logger.error("Received IdentityLink is not valid", e); - - } catch (Exception e) { - Logger.error("Received IdentityLink is not valid", e); + } + + //read Organwalter bPK from full-mandate + NodeList mandateElements = misMandate.getMandateDOM().getChildNodes(); + for (int i=0; i Use single PVP attributes for mandate information."); + //check if ELGA mandates exists + String mandateType = session.getGenericDataFromSession(PVPConstants.MANDATE_TYPE_NAME, String.class); + if (MiscUtil.isNotEmpty(mandateType)) { + //switch to mandate-mode for authdata generation, because mandate-information + // is directly included in MOA-Session as PVP attributes + Logger.info("AuthDataBuilder find directly included 'MandateType' PVP-attribute." + + " --> Switch to mandate-mode for authdata generation."); + authData.setUseMandate(true); + + } + } + } + //remove PVP attributes with mandate information, because full-mandate exists + if (authData.getMISMandate() != null) { + includedToGenericAuthData.remove(PVPConstants.MANDATE_FULL_MANDATE_NAME); + + includedToGenericAuthData.remove(PVPConstants.MANDATE_TYPE_NAME); + + includedToGenericAuthData.remove(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME); + includedToGenericAuthData.remove(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME); + includedToGenericAuthData.remove(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME); + + includedToGenericAuthData.remove(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME); + includedToGenericAuthData.remove(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME); + includedToGenericAuthData.remove(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME); + includedToGenericAuthData.remove(PVPConstants.MANDATE_NAT_PER_BPK_NAME); + includedToGenericAuthData.remove(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME); + includedToGenericAuthData.remove(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME); + + includedToGenericAuthData.remove(PVPConstants.MANDATE_PROF_REP_DESC_NAME); + includedToGenericAuthData.remove(PVPConstants.MANDATE_PROF_REP_OID_NAME); + } } - } - // set mandate attributes - authData.setMandateReferenceValue(extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME)); - - if (extractor.containsAttribute(PVPConstants.MANDATE_FULL_MANDATE_NAME)) { - try { - byte[] mandate = Base64Utils.decode( - (extractor.getSingleAttributeValue(PVPConstants.MANDATE_FULL_MANDATE_NAME)), false); + + + + //#################################################### + // set bPK and IdentityLink for Organwalter --> + // Organwalter has a special bPK is received from MIS + if (authData.isUseMandate() && session.isOW() && misMandate != null + && MiscUtil.isNotEmpty(misMandate.getOWbPK())) { + //TODO: if full-mandate is removed in OPB --> OWbPK functionality needs an update!!! + authData.setBPK(misMandate.getOWbPK()); + authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); + Logger.trace("Authenticated User is OW: " + misMandate.getOWbPK()); - if (authData.getMISMandate() == null) - authData.setMISMandate(new MISMandate()); - authData.getMISMandate().setMandate(mandate); - authData.getMISMandate().setFullMandateIncluded(true); - authData.setUseMandate(true); - - } catch (Exception e) { - Logger.error("Received Mandate is not valid", e); - throw new AssertionAttributeExtractorExeption(PVPConstants.MANDATE_FULL_MANDATE_NAME); - } - } - - //TODO: build short mandate if full mandate is no included. - if (authData.getMISMandate() == null && - (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) - || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME) - || extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME)) ) { - Logger.info("Federated assertion contains no full mandate. Start short mandate generation process ... "); - - MISMandate misMandate = new MISMandate(); - misMandate.setFullMandateIncluded(false); - - Mandate mandateObject = new Mandate(); - Mandator mandator = new Mandator(); - mandateObject.setMandator(mandator); + //TODO: check in case of mandates for business services + if (identityLink != null) + authData.setIdentityLink(identityLink); - //build legal person short mandate - if (extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME) && - extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME) && - extractor.containsAttribute(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)) { - Logger.debug("Build short mandate for legal person ..."); - CorporateBodyType legalperson = new CorporateBodyType(); - IdentificationType legalID = new IdentificationType(); - Value idvalue = new Value(); - legalID.setValue(idvalue ); - legalperson.getIdentification().add(legalID ); - mandator.setCorporateBody(legalperson ); - - legalperson.setFullName(extractor.getSingleAttributeValue(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME)); - legalID.setType(extractor.getSingleAttributeValue(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME)); - idvalue.setValue(extractor.getSingleAttributeValue(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME)); - - //build natural person short mandate - } else if ( (extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME) || - extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BPK_NAME)) && - extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME) && - extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME) && - extractor.containsAttribute(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME)) { - Logger.debug("Build short mandate for natural person ..."); - PhysicalPersonType physPerson = new PhysicalPersonType(); - PersonNameType persName = new PersonNameType(); - mandator.setPhysicalPerson(physPerson ); - physPerson.setName(persName ); - FamilyName familyName = new FamilyName(); - persName.getFamilyName().add(familyName ); - IdentificationType persID = new IdentificationType(); - physPerson.getIdentification().add(persID ); - Value idValue = new Value(); - persID.setValue(idValue ); - - String[] pvp2GivenName = extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME).split(" "); - for(int i=0; i pvpEncbPKAttr = getEncryptedbPKFromPVPAttribute(session, authData, oaParam); + + //check if a unique ID for this citizen exists + if (MiscUtil.isEmpty(authData.getIdentificationValue()) && + MiscUtil.isEmpty(pvpbPKValue) && MiscUtil.isEmpty(authData.getBPK()) && + pvpEncbPKAttr == null) { + Logger.info("Can not build authData, because moaSession include no bPK, encrypted bPK or baseID"); + throw new MOAIDException("builder.08", new Object[]{"No " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.EID_SOURCE_PIN_FRIENDLY_NAME + + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME}); + + } + + // baseID is in MOASesson --> calculate bPK directly + if (MiscUtil.isNotEmpty(authData.getIdentificationValue())) { + Logger.debug("Citizen baseID is in MOASession --> calculate bPK from this."); + Pair result = buildOAspecificbPK(protocolRequest, oaParam, authData); + authData.setBPK(result.getFirst()); + authData.setBPKType(result.getSecond()); + + //check if bPK already added to AuthData matches OA + } else if (MiscUtil.isNotEmpty(authData.getBPK()) + && matchsReceivedbPKToOnlineApplication(oaParam, authData.getBPKType()) ) { + Logger.debug("Correct bPK is already included in AuthData."); + + //check if bPK received by PVP-Attribute matches OA + } else if (MiscUtil.isNotEmpty(pvpbPKValue) && + matchsReceivedbPKToOnlineApplication(oaParam, pvpbPKTypeAttr)) { + Logger.debug("Receive correct bPK from PVP-Attribute"); + authData.setBPK(pvpbPKValue); + authData.setBPKType(pvpbPKTypeAttr); + //check if decrypted bPK exists + } else if (pvpEncbPKAttr != null) { + Logger.debug("Receive bPK as encrypted bPK and decryption was possible."); + authData.setBPK(pvpEncbPKAttr.getFirst()); + authData.setBPKType(pvpEncbPKAttr.getSecond()); + + //ask SZR to get bPK } else { - String[] pvp2bPK = extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_BPK_NAME).split(":"); - if (pvp2bPK.length == 2) { - idValue.setValue(pvp2bPK[1]); + String notValidbPK = authData.getBPK(); + String notValidbPKType = authData.getBPKType(); + if (MiscUtil.isEmpty(notValidbPK) && + MiscUtil.isEmpty(notValidbPKType)) { + notValidbPK = pvpbPKValue; + notValidbPKType = pvpbPKTypeAttr; - Pattern pattern = Pattern.compile(MOAIDAuthConstants.REGEX_PATTERN_TARGET); - Matcher matcher = pattern.matcher(pvp2bPK[0]); - if (matcher.matches()) - persID.setType(Constants.URN_PREFIX_CDID + "+" + pvp2bPK[0]); - else - persID.setType(Constants.URN_PREFIX_WBPK + "+" + pvp2bPK[0]); + if (MiscUtil.isEmpty(notValidbPK) && + MiscUtil.isEmpty(notValidbPKType)) { + Logger.fatal("No bPK in MOASession. THIS error should not occur any more."); + throw new NullPointerException("No bPK in MOASession. THIS error should not occur any more."); + } + } + + Pair baseIDFromSZR = getbaseIDFromSZR(authData, notValidbPK, notValidbPKType); + if (baseIDFromSZR != null) { + Logger.info("Receive citizen baseID from SRZ. Authentication can be completed"); + authData.setIdentificationValue(baseIDFromSZR.getFirst()); + authData.setIdentificationType(baseIDFromSZR.getSecond()); + Pair result = buildOAspecificbPK(protocolRequest, oaParam, authData); + authData.setBPK(result.getFirst()); + authData.setBPKType(result.getSecond()); } else { - Logger.warn("Receive mandator bPK from federation with an unsupported format. " + extractor.getSingleAttributeValue(PVPConstants.MANDATE_NAT_PER_BPK_NAME)); - throw new AssertionAttributeExtractorExeption("Receive mandator bPK from federation with an unsupported format."); + Logger.warn("Can not build authData, because moaSession include no valid bPK, encrypted bPK or baseID"); + throw new MOAIDException("builder.08", new Object[]{"No valid " + PVPConstants.BPK_FRIENDLY_NAME + + " or " + PVPConstants.EID_SOURCE_PIN_FRIENDLY_NAME + + " or " + PVPConstants.ENC_BPK_LIST_FRIENDLY_NAME}); } } - - } else { - Logger.error("Short mandate could not generated. Assertion contains not all attributes which are necessary."); - throw new AssertionAttributeExtractorExeption("Assertion contains not all attributes which are necessary for mandate generation", null); - - } - - try { - JAXBContext jc = JAXBContext.newInstance("at.gv.e_government.reference.namespace.mandates._20040701_"); - Marshaller m = jc.createMarshaller(); - ByteArrayOutputStream stream = new ByteArrayOutputStream(); - m.marshal(mandateObject, stream); - misMandate.setMandate(Base64Utils.encode(stream.toByteArray()).getBytes()); - stream.close(); + + //build IdentityLink + if (identityLink != null) + authData.setIdentityLink(buildOAspecificIdentityLink(oaParam, identityLink, authData.getBPK(), authData.getBPKType())); - } catch (JAXBException e) { - Logger.error("Failed to parse short mandate", e); - throw new AssertionAttributeExtractorExeption(); + else if (idlFromPVPAttr != null) { + authData.setIdentityLink(buildOAspecificIdentityLink(oaParam, idlFromPVPAttr, authData.getBPK(), authData.getBPKType())); + Logger.debug("Set IdentityLink received from federated IDP"); - } catch (IOException e) { - Logger.error("Failed to parse short mandate", e); - throw new AssertionAttributeExtractorExeption(); - - } - authData.setUseMandate(true); + } else { + Logger.info("Can NOT set IdentityLink. Msg: No IdentityLink found"); + + } + } - } - - - if (extractor.containsAttribute(PVPConstants.MANDATE_PROF_REP_OID_NAME)) { - if (authData.getMISMandate() == null) - authData.setMISMandate(new MISMandate()); - authData.getMISMandate().setProfRep( - extractor.getSingleAttributeValue(PVPConstants.MANDATE_PROF_REP_OID_NAME)); - } - - //set PVP role attribute - if (extractor.containsAttribute(PVPConstants.ROLES_NAME)) { - String pvpRoles = extractor.getSingleAttributeValue(PVPConstants.ROLES_NAME); - if (MiscUtil.isNotEmpty(pvpRoles)) { - List roles = Arrays.asList(pvpRoles.split(";")); + //################################################################### + //set PVP role attribute (implemented for ISA 1.18 action) + includedToGenericAuthData.remove(PVPConstants.ROLES_NAME); + String pvpAttrRoles = session.getGenericDataFromSession(PVPConstants.ROLES_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpAttrRoles)) { + List roles = Arrays.asList(pvpAttrRoles.split(";")); for (String role : roles) { authData.addAuthenticationRole(AuthenticationRoleFactory.buildFormPVPole(role)); - } - } - } - - //set PVP OU attribute - if (extractor.containsAttribute(PVPConstants.OU_NAME)) { - authData.setPvpAttribute_OU(extractor.getSingleAttributeValue(PVPConstants.OU_NAME)); - Logger.debug("Found PVP 'OU' attribute in response -> " + authData.getPvpAttribute_OU()); - - } - - //set STORK attributes - if (extractor.containsAttribute(PVPConstants.EID_STORK_TOKEN_NAME)) { - try { - authData.setGenericData(AuthenticationSessionStorageConstants.STORK_RESPONSE, - extractor.getSingleAttributeValue(PVPConstants.EID_STORK_TOKEN_NAME)); - authData.setForeigner(true); - } catch (SessionDataStorageException e) { - Logger.warn("STORK Response can not stored into generic authData.", e); + } + } + + + //################################################################### + //set PVP OU attribute (implemented for ISA 1.18 action) + includedToGenericAuthData.remove(PVPConstants.OU_NAME); + String pvpAttrOUName = session.getGenericDataFromSession(PVPConstants.OU_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpAttrOUName)) { + authData.setPvpAttribute_OU(pvpAttrOUName); + Logger.debug("Found PVP 'OU' attribute in response -> " + authData.getPvpAttribute_OU()); - } + } - } - -// if (!extractor.getSTORKAttributes().isEmpty()) { -// authData.setStorkAttributes(extractor.getSTORKAttributes()); -// authData.setForeigner(true); -// -// } + //#################################################################### + //parse AuthBlock signature-verification response + //INFO: this parameters are only required for SAML1 auth. protocol + VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); + if (verifyXMLSigResp != null) { + authData.setQualifiedCertificate(verifyXMLSigResp + .isQualifiedCertificate()); + authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); + authData.setPublicAuthorityCode(verifyXMLSigResp + .getPublicAuthorityCode()); - authData.setSsoSession(true); - authData.setInterfederatedSSOSession(true); - - if (extractor.getFullAssertion().getAuthnStatements() != null - && extractor.getFullAssertion().getAuthnStatements().size() > 0) { - for (AuthnStatement el : extractor.getFullAssertion().getAuthnStatements()) { - if (el.getSessionNotOnOrAfter() != null) { - authData.setSsoSessionValidTo(el.getSessionNotOnOrAfter().toDate()); - break; - } + } else { + //set parameters in respect to QAA level + Logger.info("No authBlock signature-verfication response found. Maybe IDP federation is in use."); + if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel())) + authData.setQualifiedCertificate(true); + else + authData.setQualifiedCertificate(false); + authData.setPublicAuthority(false); + + } + + //#################################################################### + //copy all generic authentication information, which are not processed before to authData + Iterator copyInterator = includedToGenericAuthData.iterator(); + while (copyInterator.hasNext()) { + String elementKey = copyInterator.next(); + try { + authData.setGenericData(elementKey, session.getGenericDataFromSession(elementKey)); + + } catch (SessionDataStorageException e) { + Logger.warn("Can not add generic authData with key:" + elementKey, e); + + } } - } else { - authData.setSsoSessionValidTo(extractor.getFullAssertion().getConditions().getNotOnOrAfter().toDate()); + } catch (BuildException e) { + throw e; - } + } catch (Throwable ex) { + throw new BuildException("builder.00", new Object[]{ + "AuthenticationData", ex.toString()}, ex); + } - //only for SAML1 - if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel())) - authData.setQualifiedCertificate(true); - else - authData.setQualifiedCertificate(false); - authData.setPublicAuthority(false); } - + /** - * @param oaParam - * @param authData - * @return + * Check a bPK-Type against a Service-Provider configuration
+ * If bPK-Type is null the result is false. + * + * @param oaParam Service-Provider configuration, never null + * @param bPKType bPK-Type to check + * @return true, if bPK-Type matchs to Service-Provider configuration, otherwise false */ - private boolean matchsReceivedbPKToOnlineApplication( - IOAAuthParameters oaParam, AuthenticationData authData) { - + private boolean matchsReceivedbPKToOnlineApplication(IOAAuthParameters oaParam, String bPKType) { String oaTarget = null; if (oaParam.getBusinessService()) { - if (oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_WBPK) || - oaParam.getIdentityLinkDomainIdentifier().startsWith(Constants.URN_PREFIX_STORK)) - oaTarget = oaParam.getIdentityLinkDomainIdentifier(); - - else { - Logger.warn("BusinessIdentifier can not be clearly assigned, because it starts without a prefix."); - return false; - - } - + oaTarget = oaParam.getIdentityLinkDomainIdentifier(); + } else { oaTarget = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget(); } - - - if (oaTarget.equals(authData.getBPKType())) + + if (oaTarget.equals(bPKType)) return true; else return false; } - private void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session, - IOAAuthParameters oaParam, IRequest protocolRequest) throws BuildException, ConfigurationException { - - IdentityLink identityLink = session.getIdentityLink(); - - VerifyXMLSignatureResponse verifyXMLSigResp = session.getXMLVerifySignatureResponse(); - - authData.setIssuer(protocolRequest.getAuthURL()); - + private void parseBasicUserInfosFromIDL(AuthenticationData authData, IdentityLink identityLink, Collection includedGenericSessionData) { //baseID or wbpk in case of BusinessService without SSO or BusinessService SSO authData.setIdentificationValue(identityLink.getIdentificationValue()); authData.setIdentificationType(identityLink.getIdentificationType()); @@ -892,173 +841,238 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { authData.setFamilyName(identityLink.getFamilyName()); authData.setDateOfBirth(identityLink.getDateOfBirth()); - if (verifyXMLSigResp != null) { - authData.setQualifiedCertificate(verifyXMLSigResp - .isQualifiedCertificate()); - authData.setPublicAuthority(verifyXMLSigResp.isPublicAuthority()); - authData.setPublicAuthorityCode(verifyXMLSigResp - .getPublicAuthorityCode()); - - } else { - Logger.warn("No signature verfication response found!"); - - } - - authData.setBkuURL(session.getBkuURL()); - - //copy all generic authentication information to authData - if (session.getGenericSessionDataStorage() != null && - !session.getGenericSessionDataStorage().isEmpty()) { - Iterator> copyInterator = session.getGenericSessionDataStorage().entrySet().iterator(); - while (copyInterator.hasNext()) { - Entry element = copyInterator.next(); - try { - authData.setGenericData(element.getKey(), element.getValue()); - - } catch (SessionDataStorageException e) { - Logger.warn("Can not add generic authData with key:" + element.getKey(), e); - - } - } - } - - authData.setSignerCertificate(session.getEncodedSignerCertificate()); - authData.setAuthBlock(session.getAuthBlock()); - - authData.setForeigner(session.isForeigner()); - authData.setQAALevel(session.getQAALevel()); - - authData.setIsBusinessService(oaParam.getBusinessService()); + //remove corresponding keys from genericSessionData if exists + includedGenericSessionData.remove(PVPConstants.PRINCIPAL_NAME_NAME); + includedGenericSessionData.remove(PVPConstants.GIVEN_NAME_NAME); + includedGenericSessionData.remove(PVPConstants.BIRTHDATE_NAME); + includedGenericSessionData.remove(PVPConstants.EID_SOURCE_PIN_NAME); + includedGenericSessionData.remove(PVPConstants.EID_SOURCE_PIN_TYPE_NAME); - if (session.isForeigner()) { - try { - //TODO: replace with TSL lookup when TSL is ready! - X509Certificate certificate = new X509Certificate(authData.getSignerCertificate()); - if (certificate != null) { - LdapName ln = new LdapName(certificate.getIssuerDN() - .getName()); - for (Rdn rdn : ln.getRdns()) { - if (rdn.getType().equalsIgnoreCase("C")) { - Logger.info("C is: " + rdn.getValue()); - authData.setCcc(rdn.getValue().toString()); - break; - } - } - } + } + + /** + * @param authData + * @param notValidbPK + * @param notValidbPKType + * @return + */ + private Pair getbaseIDFromSZR(AuthenticationData authData, String notValidbPK, + String notValidbPKType) { + try { + EgovUtilPropertiesConfiguration eGovClientsConfig = authConfig.geteGovUtilsConfig(); + if (eGovClientsConfig != null) { + Logger.info("bPK in MOASession (bPK-Type:" + notValidbPKType + + " does no match to Service-Provider configuration. --> Request SZR to get correct bPK."); - } catch (Exception e) { - Logger.error("Failed to extract country code from certificate with message: " + e.getMessage()); + SZRClient szrclient = new SZRClient(eGovClientsConfig); - } - - if (MiscUtil.isEmpty(authData.getCcc())) { - String storkCCC = authData.getGenericData( - AuthenticationSessionStorageConstants.STORK_CCC, String.class); + Logger.debug("Create SZR request to get baseID ... "); + PersonInfoType personInfo = new PersonInfoType(); + at.gv.util.xsd.szr.persondata.PhysicalPersonType person = new at.gv.util.xsd.szr.persondata.PhysicalPersonType(); + personInfo.setPerson(person); + at.gv.util.xsd.szr.persondata.PersonNameType name = new at.gv.util.xsd.szr.persondata.PersonNameType(); + person.setName(name); + at.gv.util.xsd.szr.persondata.IdentificationType idValue = new at.gv.util.xsd.szr.persondata.IdentificationType(); + person.setIdentification(idValue); + + //set bPK or wbPK + idValue.setValue(authData.getBPK()); + idValue.setType(authData.getBPKType()); + + //set person information + name.setGivenName(authData.getGivenName()); + name.setFamilyName(authData.getFamilyName()); + if (authData.getDateOfBirth() != null) + person.setDateOfBirth(authData.getFormatedDateOfBirth()); + + //request szr and store baseID + return Pair.newInstance(szrclient.getStammzahl(personInfo), + Constants.URN_PREFIX_BASEID); + + } else { + Logger.debug("No SZR clieht configuration found."); + return null; - if (MiscUtil.isNotEmpty(storkCCC)) { - authData.setCcc(storkCCC); - Logger.info("Can not extract country from certificate -> Use country:" + storkCCC + " from STORK request."); - - } - } + + } catch (SZRException e) { + Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e); - } else { - authData.setCcc("AT"); + } catch (at.gv.util.ex.EgovUtilException e) { + Logger.warn("SZR connection FAILED. Interfederation SSO login not possible.", e); } - try { - authData.setSsoSession(protocolRequest.needSingleSignOnFunctionality()); + return null; + } + + /** + * Add encrypted bPKs from PVP Attribute 'ENC_BPK_LIST_NAME', which could be exist in + * MOASession as 'GenericData' 
session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class)
+ * to authData + * + * @param session MOASession, but never null + * @param authData AuthenticationData DAO + * @param spConfig Service-Provider configuration + * + * @return Pair which was received by PVP-Attribute and could be decrypted for this Service Provider, + * or null if no attribute exists or can not decrypted + */ + private Pair getEncryptedbPKFromPVPAttribute(AuthenticationSession session, + AuthenticationData authData, IOAAuthParameters spConfig) { + //set List of encrypted bPKs to authData DAO + String pvpEncbPKListAttr = session.getGenericDataFromSession(PVPConstants.ENC_BPK_LIST_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpEncbPKListAttr)) { + List encbPKList = Arrays.asList(pvpEncbPKListAttr.split(";")); + authData.setEncbPKList(encbPKList); - //set max. SSO session time - if (authData.isSsoSession()) { - long maxSSOSessionTime = authConfig.getSSOCreatedTimeOut() * 1000; - Date ssoSessionValidTo = new Date(session.getSessionCreated().getTime() + maxSSOSessionTime); - authData.setSsoSessionValidTo(ssoSessionValidTo); - - } else { - //set valid to 5 min - Date ssoSessionValidTo = new Date(new Date().getTime() + 5 * 60 * 1000); - authData.setSsoSessionValidTo(ssoSessionValidTo); - + //check if one of this encrypted bPK could be decrypt for this Service-Provider + for (String fullEncbPK : encbPKList) { + int index = fullEncbPK.indexOf("|"); + if (index >= 0) { + String encbPK = fullEncbPK.substring(index+1); + String second = fullEncbPK.substring(0, index); + int secIndex = second.indexOf("+"); + if (secIndex >= 0) { + if (spConfig.getTarget().equals(second.substring(secIndex+1))) { + Logger.debug("Found encrypted bPK for online-application " + + spConfig.getPublicURLPrefix() + + " Start decryption process ..."); + PrivateKey privKey = spConfig.getBPKDecBpkDecryptionKey(); + if (privKey != null) { + try { + String bPK = BPKBuilder.decryptBPK(encbPK, spConfig.getTarget(), privKey); + if (MiscUtil.isNotEmpty(bPK)) { + Logger.info("bPK decryption process finished successfully."); + return Pair.newInstance(bPK, Constants.URN_PREFIX_CDID + "+" + spConfig.getTarget()); + + } else { + Logger.error("bPK decryption FAILED."); + + } + } catch (BuildException e) { + Logger.error("bPK decryption FAILED.", e); + + } + + } else { + Logger.info("bPK decryption FAILED, because no valid decryption key is found."); + + } + + } else { + Logger.info("Found encrypted bPK but " + + "encrypted bPK target does not match to online-application target"); + + } + } + } } - - - /* TODO: Support SSO Mandate MODE! - * Insert functionality to translate mandates in case of SSO - */ + } + + return null; + } + /** + * Get bPK from PVP Attribute 'BPK_NAME', which could be exist in + * MOASession as 'GenericData' 
session.getGenericDataFromSession(PVPConstants.BPK_NAME, String.class)
+ * + * @param session MOASession, but never null + * @return bPK, which was received by PVP-Attribute, or null if no attribute exists + */ + private String getbPKValueFromPVPAttribute(AuthenticationSession session) { + String pvpbPKValueAttr = session.getGenericDataFromSession(PVPConstants.BPK_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpbPKValueAttr)) { - MISMandate mandate = session.getMISMandate(); - if (session.getUseMandate() && mandate == null) { - Logger.error("Mandate is requested but NO mandate-data is found!."); - throw new BuildException("builder.00", new Object[]{ - "Mandate", "Mandate is requested but NO mandate-data is found!"}); + //fix a wrong bPK-value prefix, which was used in some PVP Standardportal implementations + if (pvpbPKValueAttr.startsWith("bPK:")) { + Logger.warn("Attribute " + PVPConstants.BPK_NAME + + " contains a not standardize prefix! Staring attribute value correction process ..."); + pvpbPKValueAttr = pvpbPKValueAttr.substring("bPK:".length()); } - authData.setMandateReferenceValue(session.getMandateReferenceValue()); - - if (mandate != null) { - //set MIS mandate to authdata - authData.setMISMandate(mandate); - authData.setUseMandate(session.getUseMandate()); - - } else { - //check if ELGA mandates exists - String mandateType = session.getGenericDataFromSession( - PVPConstants.MANDATE_TYPE_NAME, String.class); - if (MiscUtil.isNotEmpty(mandateType)) { - //switch to mandate-mode for authdata generation, because mandate-information - // is directly included in MOA-Session as PVP attributes - Logger.debug("AuthDataBuilder find directly included 'MandateType' attribute." - + " --> Switch to mandate-mode for authdata generation."); - authData.setUseMandate(true); - - } - + String[] spitted = pvpbPKValueAttr.split(":"); + if (spitted.length != 2) { + Logger.warn("Attribute " + PVPConstants.BPK_NAME + " has a wrong encoding and can NOT be USED!" + + " Value:" + pvpbPKValueAttr); + return null; } - - if (session.getUseMandate() && session.isOW() - && mandate != null && MiscUtil.isNotEmpty(mandate.getOWbPK())) { - authData.setBPK(mandate.getOWbPK()); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + "OW"); - - //TODO: check in case of mandates for business services - authData.setIdentityLink(identityLink); - Logger.trace("Authenticated User is OW: " + mandate.getOWbPK()); - - } else { - buildOAspecificbPK(protocolRequest, oaParam, authData, - identityLink.getIdentificationValue(), - identityLink.getIdentificationType()); - - buildOAspecificIdentityLink(oaParam, authData, identityLink); - - } + Logger.debug("Find PVP-Attr: " + PVPConstants.BPK_FRIENDLY_NAME); + return spitted[1]; - //TODO - } catch (BuildException e) { - throw e; + } + + return null; + } + + /** + * Get bPK-Type from PVP Attribute 'EID_SECTOR_FOR_IDENTIFIER_NAME', which could be exist in + * MOASession as 'GenericData' 
session.getGenericDataFromSession(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, String.class)
+ * + * @param session MOASession, but never null + * @return bPKType, which was received by PVP-Attribute, or null if no attribute exists + */ + private String getbPKTypeFromPVPAttribute(AuthenticationSession session) { + String pvpbPKTypeAttr = session.getGenericDataFromSession(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME, String.class); + if (MiscUtil.isNotEmpty(pvpbPKTypeAttr)) { - } catch (Throwable ex) { - throw new BuildException("builder.00", new Object[]{ - "AuthenticationData", ex.toString()}, ex); - } + //fix a wrong bPK-Type encoding, which was used in some PVP Standardportal implementations + if (pvpbPKTypeAttr.startsWith(Constants.URN_PREFIX_CDID) && + !pvpbPKTypeAttr.substring(Constants.URN_PREFIX_CDID.length(), + Constants.URN_PREFIX_CDID.length() + 1).equals("+")) { + Logger.warn("Receive uncorrect encoded bBKType attribute " + pvpbPKTypeAttr + " Starting attribute value correction ... "); + pvpbPKTypeAttr = Constants.URN_PREFIX_CDID + "+" + pvpbPKTypeAttr.substring(Constants.URN_PREFIX_CDID.length() + 1); + + } + Logger.debug("Find PVP-Attr: " + PVPConstants.EID_SECTOR_FOR_IDENTIFIER_FRIENDLY_NAME); + return pvpbPKTypeAttr; + } + + return null; + + + /* + * INFO: This code could be used to extract the bPKType from 'PVPConstants.BPK_NAME', + * because the prefix of BPK_NAME attribute contains the postfix of the bPKType + * + * Now, all PVP Standardportals should be able to send 'EID_SECTOR_FOR_IDENTIFIER' + * PVP attributes + */ +// String pvpbPKValueAttr = session.getGenericDataFromSession(PVPConstants.BPK_NAME, String.class); +// String[] spitted = pvpbPKValueAttr.split(":"); +// if (MiscUtil.isEmpty(authData.getBPKType())) { +// Logger.debug("PVP assertion contains NO bPK/wbPK target attribute. " + +// "Starting target extraction from bPK/wbPK prefix ..."); +// //exract bPK/wbPK type from bpk attribute value prefix if type is +// //not transmitted as single attribute +// Pattern pattern = Pattern.compile("[a-zA-Z]{2}(-[a-zA-Z]+)?"); +// Matcher matcher = pattern.matcher(spitted[0]); +// if (matcher.matches()) { +// //find public service bPK +// authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + spitted[0]); +// Logger.debug("Found bPK prefix. Set target to " + authData.getBPKType()); +// +// } else { +// //find business service wbPK +// authData.setBPKType(Constants.URN_PREFIX_WBPK+ "+" + spitted[0]); +// Logger.debug("Found wbPK prefix. Set target to " + authData.getBPKType()); +// +// } +// } } - - private void buildOAspecificIdentityLink(IOAAuthParameters oaParam, AuthenticationData authData, IdentityLink idl) throws MOAIDException { + + private IdentityLink buildOAspecificIdentityLink(IOAAuthParameters oaParam, IdentityLink idl, String bPK, String bPKType) throws MOAIDException { if (oaParam.getBusinessService()) { Element idlassertion = idl.getSamlAssertion(); //set bpk/wpbk; Node prIdentification = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_VALUE_XPATH); - prIdentification.getFirstChild().setNodeValue(authData.getBPK()); + prIdentification.getFirstChild().setNodeValue(bPK); //set bkp/wpbk type Node prIdentificationType = XPathUtils.selectSingleNode(idlassertion, IdentityLinkAssertionParser.PERSON_IDENT_TYPE_XPATH); - prIdentificationType.getFirstChild().setNodeValue(authData.getBPKType()); + prIdentificationType.getFirstChild().setNodeValue(bPKType); IdentityLinkAssertionParser idlparser = new IdentityLinkAssertionParser(idlassertion); IdentityLink businessServiceIdl = idlparser.parseIdentityLink(); @@ -1073,62 +1087,70 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { resignedilAssertion = businessServiceIdl.getSamlAssertion(); } IdentityLinkAssertionParser resignedIDLParser = new IdentityLinkAssertionParser(resignedilAssertion); - IdentityLink resignedIDL = resignedIDLParser.parseIdentityLink(); + return resignedIDLParser.parseIdentityLink(); - authData.setIdentityLink(resignedIDL); - } else - authData.setIdentityLink(idl); + return idl; } - - private void buildOAspecificbPK(IRequest protocolRequest, IOAAuthParameters oaParam, AuthenticationData authData, String baseID, String baseIDType) throws BuildException { - - if (oaParam.getBusinessService()) { - //since we have foreigner, wbPK is not calculated in BKU - if (baseIDType.equals(Constants.URN_PREFIX_BASEID)) { - String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); - authData.setBPK(new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr)); - authData.setBPKType(registerAndOrdNr); - - } else { - authData.setBPK(baseID); - authData.setBPKType(baseIDType); - - } - Logger.trace("Authenticate user with wbPK " + authData.getBPK()); - - } else { - if (baseIDType.equals(Constants.URN_PREFIX_BASEID)) { - // only compute bPK if online application is a public service and we have the Stammzahl - String target = null; - Object saml1Requst = null; - try { - saml1Requst = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl").newInstance(); - - } catch (ClassNotFoundException | InstantiationException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException ex) { - - - } - - if (saml1Requst != null && protocolRequest.getClass().isInstance(saml1Requst)) - target = protocolRequest.getGenericData( - MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, String.class); - else - target = oaParam.getTarget(); - - String bpkBase64 = new BPKBuilder().buildBPK(baseID, target); - authData.setBPK(bpkBase64); - authData.setBPKType(Constants.URN_PREFIX_CDID + "+" + target); - } + private Pair buildOAspecificbPK(IRequest pendingReq, IOAAuthParameters oaParam, AuthenticationData authData) throws BuildException { + + String bPK; + String bPKType; - Logger.trace("Authenticate user with bPK " + authData.getBPK()); - } + String baseID = authData.getIdentificationValue(); + String baseIDType = authData.getIdentificationType(); + + String eIDASOutboundCountry = pendingReq.getGenericData(RequestImpl.eIDAS_GENERIC_REQ_DATA_COUNTRY, String.class); + if (Constants.URN_PREFIX_BASEID.equals(baseIDType)) { + if (MiscUtil.isNotEmpty(eIDASOutboundCountry) && !COUNTRYCODE_AUSTRIA.equals(eIDASOutboundCountry)) { + Pair eIDASID = new BPKBuilder().buildeIDASIdentifer(baseIDType, baseID, + COUNTRYCODE_AUSTRIA, eIDASOutboundCountry); + Logger.trace("Authenticate user with bPK:" + eIDASID.getFirst() + " Type:" + eIDASID.getSecond()); + return eIDASID; + + } else if (oaParam.getBusinessService()) { + //is Austrian private-service application + String registerAndOrdNr = oaParam.getIdentityLinkDomainIdentifier(); + bPK = new BPKBuilder().buildbPKorwbPK(baseID, registerAndOrdNr); + bPKType = registerAndOrdNr; + + } else { + // only compute bPK if online application is a public service and we have the Stammzahl + String target = null; + Class saml1RequstTemplate = null; + try { + saml1RequstTemplate = Class.forName("at.gv.egovernment.moa.id.protocols.saml1.SAML1RequestImpl"); + if (saml1RequstTemplate != null && + saml1RequstTemplate.isInstance(pendingReq)) { + target = (String) pendingReq.getClass().getMethod("getTarget").invoke(pendingReq); + + } + + } catch (ClassNotFoundException | IllegalAccessException | IllegalArgumentException | java.lang.SecurityException | InvocationTargetException | NoSuchMethodException ex) { } + + if (MiscUtil.isEmpty(target)) + target = oaParam.getTarget(); + + bPK = new BPKBuilder().buildBPK(baseID, target); + bPKType = Constants.URN_PREFIX_CDID + "+" + target; + + } + + } else { + Logger.warn("!!!baseID-element does not include a baseID. This should not be happen any more!!!"); + bPK = baseID; + bPKType = baseIDType; + + } + Logger.trace("Authenticate user with bPK:" + bPK + " Type:" + bPKType); + return Pair.newInstance(bPK, bPKType); + } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java index 1cf6929e6..9e4e36fec 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/BPKBuilder.java @@ -46,13 +46,6 @@ package at.gv.egovernment.moa.id.auth.builder; -import at.gv.egovernment.moa.id.auth.data.IdentityLink; -import at.gv.egovernment.moa.id.auth.exception.BuildException; -import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.Base64Utils; -import at.gv.egovernment.moa.util.Constants; -import at.gv.egovernment.moa.util.MiscUtil; - import java.security.InvalidKeyException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; @@ -66,6 +59,13 @@ import javax.crypto.Cipher; import javax.crypto.IllegalBlockSizeException; import javax.crypto.NoSuchPaddingException; +import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.data.Pair; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.Base64Utils; +import at.gv.egovernment.moa.util.Constants; +import at.gv.egovernment.moa.util.MiscUtil; + /** * Builder for the bPK, as defined in * "Ableitung f¨r die bereichsspezifische Personenkennzeichnung" @@ -203,73 +203,42 @@ public class BPKBuilder { /** * Builds the storkeid from the given parameters. * - * @param identityLink identity link - * @param destinationCountry destination country code (2 chars) - * @return storkid in a BASE64 encoding - * @throws BuildException if an error occurs on building the wbPK - */ - public String buildStorkeIdentifier(IdentityLink identityLink, String destinationCountry) - throws BuildException { - return buildStorkbPK(identityLink.getIdentificationValue(), - identityLink.getIdentificationType(), "AT", destinationCountry); - } - - /** - * Builds the storkeid from the given parameters. - * - * @param identityLink identity link - * @param destinationCountry destination country code (2 chars) - * @return storkid in a BASE64 encoding - * @throws BuildException if an error occurs on building the wbPK - */ - public String buildStorkeIdentifier(String identificationType, String identificationValue, String destinationCountry) - throws BuildException { - return buildStorkbPK(identificationValue, identificationType, "AT", destinationCountry); - } - - /** - * Builds the storkeid from the given parameters. - * - * @param identityLink identity link - * @param sourceCountry source country code (2 chars) - * @param destinationCountry destination country code (2 chars) - * @return storkid in a BASE64 encoding + * @param baseID baseID of the citizen + * @param baseIDType Type of the baseID + * @param sourceCountry CountryCode of that country, which build the eIDAs ID + * @param destinationCountry CountryCode of that country, which receives the eIDAs ID + * + * @return Pair in a BASE64 encoding * @throws BuildException if an error occurs on building the wbPK */ - public String buildStorkbPK(String baseID, String baseIDType, String sourceCountry, String destinationCountry) - throws BuildException { - String identificationValue = null; - + public Pair buildeIDASIdentifer(String baseID, String baseIDType, String sourceCountry, String destinationCountry) + throws BuildException { + String bPK = null; + String bPKType = null; + // check if we have been called by public sector application - if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { - identificationValue = calculateStorkeIdentifierBase(baseID, sourceCountry, destinationCountry); + if (baseIDType.startsWith(Constants.URN_PREFIX_BASEID)) { + bPKType = Constants.URN_PREFIX_EIDAS + "+" + sourceCountry + "+" + destinationCountry; + Logger.debug("Building eIDAS identification from: [identValue]+" + bPKType); + bPK = calculatebPKwbPK(baseID + "+" + bPKType); } else { // if not, sector identification value is already calculated by BKU - Logger.debug("STORK eIdentifier already provided by BKU"); - identificationValue = baseID; + Logger.debug("eIDAS eIdentifier already provided by BKU"); + bPK = baseID; } - if ((identificationValue == null || - identificationValue.length() == 0 || - destinationCountry == null || - destinationCountry.length() == 0 || - sourceCountry == null || - sourceCountry.length() == 0)) { + if ((MiscUtil.isEmpty(bPK) || + MiscUtil.isEmpty(sourceCountry) || + MiscUtil.isEmpty(destinationCountry))) { throw new BuildException("builder.00", - new Object[]{"storkid", "Unvollständige Parameterangaben: identificationValue=" + - identificationValue + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}); + new Object[]{"eIDAS-ID", "Unvollständige Parameterangaben: identificationValue=" + + bPK + ", Zielland=" + destinationCountry + ", Ursprungsland=" + sourceCountry}); } - Logger.info("Building STORK identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]"); - String eIdentifier = sourceCountry+"/"+destinationCountry+"/"+identificationValue; - - return eIdentifier; - } - - private String calculateStorkeIdentifierBase(String baseID, String sourceCountry, String destinationCountry) throws BuildException { - String basisbegriff = baseID + "+" + Constants.URN_PREFIX_STORK + "+" + sourceCountry + "+" + destinationCountry; - Logger.debug("Building STORK identification from: [identValue]+" + Constants.URN_PREFIX_STORK + "+" + sourceCountry + "+" + destinationCountry); - return calculatebPKwbPK(basisbegriff); + Logger.debug("Building eIDAS identification from: " + sourceCountry+"/"+destinationCountry+"/" + "[identValue]"); + String eIdentifier = sourceCountry + "/" + destinationCountry + "/" + bPK; + + return Pair.newInstance(eIdentifier, baseIDType); } private String calculatebPKwbPK(String basisbegriff) throws BuildException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSessionStorageConstants.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSessionStorageConstants.java index 648dcf6f1..4a764e362 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSessionStorageConstants.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSessionStorageConstants.java @@ -38,5 +38,7 @@ public class AuthenticationSessionStorageConstants { public static final String eIDAS_ATTRIBUTELIST = PREFIX_eIDAS + "attributeList"; public static final String eIDAS_RESPONSE = PREFIX_eIDAS + "response"; + + public static final String FEDERATION_RESPONSE_VALIDE_TO = "federationRespValidTo"; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java index b7e95785b..a4abbbcfa 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java @@ -78,20 +78,20 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ //check UseMandate flag - String useMandateString = null; - boolean useMandateBoolean = false; + String useMISMandateString = null; + boolean useMISMandateBoolean = false; if ((useMandate != null) && (useMandate.compareTo("") != 0)) { - useMandateString = useMandate; + useMISMandateString = useMandate; } else { - useMandateString = "false"; + useMISMandateString = "false"; } - if (useMandateString.compareToIgnoreCase("true") == 0) - useMandateBoolean = true; + if (useMISMandateString.compareToIgnoreCase("true") == 0) + useMISMandateBoolean = true; else - useMandateBoolean = false; + useMISMandateBoolean = false; - moasession.setUseMandate(useMandateString); + moasession.setUseMandate(useMISMandateString); //load OnlineApplication configuration @@ -155,7 +155,7 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ } else { Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + oaParam.getIdentityLinkDomainIdentifier()); - if (useMandateBoolean) { + if (useMISMandateBoolean) { Logger.error("Online-Mandate Mode for business application not supported."); throw new AuthenticationException("auth.17", null); } @@ -213,6 +213,12 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ protocolReq.setNeedSingleSignOnFunctionality(false); } + if (protocolReq.needSingleSignOnFunctionality() && useMISMandateBoolean) { + Logger.info("Usage of MIS-MandateService does not allow Single Sign-On. --> SSO is disabled for this request."); + protocolReq.setNeedSingleSignOnFunctionality(false); + + } + } public void parse(ExecutionContext ec, HttpServletRequest req, diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java index 53be0881b..aa9a0824d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java @@ -147,8 +147,8 @@ public class AuthenticationData implements IAuthData, Serializable { private boolean ssoSession = false; private Date ssoSessionValidTo = null; - private boolean interfederatedSSOSession = false; - private String interfederatedIDP = null; +// private boolean interfederatedSSOSession = false; +// private String interfederatedIDP = null; private String sessionIndex = null; private String nameID = null; @@ -255,16 +255,18 @@ public class AuthenticationData implements IAuthData, Serializable { } /** - * Returns the identificationValue. - * @return String + * Holds the baseID of a citizen + * + * @return baseID */ public String getIdentificationValue() { return identificationValue; } /** - * Returns the identificationType - * @return String + * Holds the type of the baseID + * + * @return baseID-Type */ public String getIdentificationType() { return identificationType; @@ -439,6 +441,10 @@ public class AuthenticationData implements IAuthData, Serializable { } public Element getMandate() { + if (mandate == null) + return null; + + //parse Element from mandate XML try { byte[] byteMandate = mandate.getMandate(); String stringMandate = new String(byteMandate); @@ -579,7 +585,9 @@ public class AuthenticationData implements IAuthData, Serializable { } /** - * @return the ccc + * CountryCode of the citizen which is identified and authenticated + * + * @return the CountryCode 
like. AT, SI, ...
*/ public String getCcc() { return ccc; @@ -635,33 +643,33 @@ public class AuthenticationData implements IAuthData, Serializable { this.nameIDFormat = nameIDFormat; } - /** - * @return the interfederatedSSOSession - */ - public boolean isInterfederatedSSOSession() { - return interfederatedSSOSession; - } - - /** - * @param interfederatedSSOSession the interfederatedSSOSession to set - */ - public void setInterfederatedSSOSession(boolean interfederatedSSOSession) { - this.interfederatedSSOSession = interfederatedSSOSession; - } - - /** - * @return the interfederatedIDP - */ - public String getInterfederatedIDP() { - return interfederatedIDP; - } - - /** - * @param interfederatedIDP the interfederatedIDP to set - */ - public void setInterfederatedIDP(String interfederatedIDP) { - this.interfederatedIDP = interfederatedIDP; - } +// /** +// * @return the interfederatedSSOSession +// */ +// public boolean isInterfederatedSSOSession() { +// return interfederatedSSOSession; +// } +// +// /** +// * @param interfederatedSSOSession the interfederatedSSOSession to set +// */ +// public void setInterfederatedSSOSession(boolean interfederatedSSOSession) { +// this.interfederatedSSOSession = interfederatedSSOSession; +// } +// +// /** +// * @return the interfederatedIDP +// */ +// public String getInterfederatedIDP() { +// return interfederatedIDP; +// } +// +// /** +// * @param interfederatedIDP the interfederatedIDP to set +// */ +// public void setInterfederatedIDP(String interfederatedIDP) { +// this.interfederatedIDP = interfederatedIDP; +// } /** * @return the ssoSessionValidTo diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java index 91d40fcc3..c32564679 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java @@ -40,7 +40,7 @@ public interface IAuthData { boolean isBusinessService(); boolean isSsoSession(); - boolean isInterfederatedSSOSession(); + //boolean isInterfederatedSSOSession(); boolean isUseMandate(); String getFamilyName(); @@ -53,7 +53,7 @@ public interface IAuthData { Date getSsoSessionValidTo(); - String getInterfederatedIDP(); + //String getInterfederatedIDP(); String getIdentificationValue(); String getIdentificationType(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MISMandate.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MISMandate.java index 12fe3c948..81157994e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MISMandate.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/MISMandate.java @@ -79,7 +79,7 @@ public class MISMandate implements Serializable{ private String oid = null; private byte[] mandate = null; private String owBPK = null; - private boolean isFullMandateIncluded = false; +// private boolean isFullMandateIncluded = false; public String getProfRep() { return oid; @@ -144,18 +144,18 @@ public class MISMandate implements Serializable{ } } - /** - * @return the isFullMandateIncluded - */ - public boolean isFullMandateIncluded() { - return isFullMandateIncluded; - } - /** - * @param isFullMandateIncluded the isFullMandateIncluded to set - */ - public void setFullMandateIncluded(boolean isFullMandateIncluded) { - this.isFullMandateIncluded = isFullMandateIncluded; - } +// /** +// * @return the isFullMandateIncluded +// */ +// public boolean isFullMandateIncluded() { +// return isFullMandateIncluded; +// } +// /** +// * @param isFullMandateIncluded the isFullMandateIncluded to set +// */ +// public void setFullMandateIncluded(boolean isFullMandateIncluded) { +// this.isFullMandateIncluded = isFullMandateIncluded; +// } } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/Trible.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/Trible.java new file mode 100644 index 000000000..78e8be452 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/Trible.java @@ -0,0 +1,51 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.data; + +public class Trible { + private final P1 first; + private final P2 second; + private final P3 third; + + private Trible(final P1 newFirst, final P2 newSecond, final P3 newThird) { + this.first = newFirst; + this.second = newSecond; + this.third = newThird; + } + + public P1 getFirst() { + return this.first; + } + + public P2 getSecond() { + return this.second; + } + + public P3 getThird() { + return this.third; + } + + public static Trible newInstance(final P1 newFirst, final P2 newSecond, final P3 newThird) { + return new Trible(newFirst, newSecond, newThird); + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java index 21ef38732..f065bbc56 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/AuthenticationManager.java @@ -72,7 +72,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.SingleLogOutBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; import at.gv.egovernment.moa.id.storage.ITransactionStorage; @@ -100,7 +100,7 @@ public class AuthenticationManager extends MOAIDAuthConstants { @Autowired private MOAReversionLogger revisionsLogger; @Autowired protected AuthConfiguration authConfig; @Autowired private SingleLogOutBuilder sloBuilder; - @Autowired private SAMLVerificationEngine samlVerificationEngine; + @Autowired private SAMLVerificationEngineSP samlVerificationEngine; public void performSingleLogOut(HttpServletRequest httpReq, HttpServletResponse httpResp, AuthenticationSession session, PVPTargetConfiguration pvpReq) throws MOAIDException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java index e05bedac8..aec5ad124 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/RequestImpl.java @@ -48,7 +48,10 @@ public abstract class RequestImpl implements IRequest, Serializable{ public static final String DATAID_INTERFEDERATIOIDP_URL = "interIDPURL"; public static final String DATAID_INTERFEDERATIOIDP_RESPONSE = "interIDPResponse"; - public static final String DATAID_REQUESTED_ATTRIBUTES = "requestedAttributes"; + public static final String DATAID_REQUESTED_ATTRIBUTES = "requestedAttributes"; + public static final String DATAID_INTERFEDERATIOIDP_ENTITYID = "interIDPEntityID"; + + public static final String eIDAS_GENERIC_REQ_DATA_COUNTRY = "country"; private static final long serialVersionUID = 1L; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BirthdateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BirthdateAttributeBuilder.java index 7cbdeca66..0e6dc1838 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BirthdateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/BirthdateAttributeBuilder.java @@ -26,7 +26,6 @@ import java.text.DateFormat; import java.text.SimpleDateFormat; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java index 0437cd687..69f0c3088 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/EIDSourcePIN.java @@ -23,7 +23,6 @@ package at.gv.egovernment.moa.id.protocols.builder.attributes; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributePolicyException; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java index 27d3845ff..ca66700a2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateFullMandateAttributeBuilder.java @@ -26,10 +26,7 @@ import java.io.IOException; import javax.xml.transform.TransformerException; -import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.AttributeException; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.attributes.exceptions.NoMandateDataAttributeException; @@ -48,7 +45,7 @@ public class MandateFullMandateAttributeBuilder implements IPVPAttributeBuilder if (authData.isUseMandate()) { //only provide full mandate if it is included. //In case of federation only a short mandate could be include - if (authData.getMandate() != null && authData.getMISMandate().isFullMandateIncluded()) { + if (authData.getMandate() != null) { String fullMandate; try { fullMandate = DOMUtils.serializeNode(authData diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java index 8948f1227..55c864335 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/builder/attributes/MandateNaturalPersonGivenNameAttributeBuilder.java @@ -46,7 +46,7 @@ public class MandateNaturalPersonGivenNameAttributeBuilder implements IPVPAttrib IAttributeGenerator g) throws AttributeException { if (authData.isUseMandate()) { //get PVP attribute directly, if exists - String givenName = authData.getGenericData(MANDATE_NAT_PER_BPK_NAME, String.class); + String givenName = authData.getGenericData(MANDATE_NAT_PER_GIVEN_NAME_NAME, String.class); if (MiscUtil.isEmpty(givenName)) { Element mandate = authData.getMandate(); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index 042eeeed8..142810d45 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x; import java.util.ArrayList; import java.util.Arrays; +import java.util.Date; import java.util.List; import javax.servlet.http.HttpServletRequest; @@ -44,23 +45,28 @@ import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.commons.db.dao.session.OASessionStore; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer; +import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; +import at.gv.egovernment.moa.id.data.Trible; import at.gv.egovernment.moa.id.moduls.IAction; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; +import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.storage.IAuthenticationSessionStoreage; -import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.logging.Logger; -import at.gv.egovernment.moa.util.MiscUtil; /** * @author tlenz @@ -72,7 +78,7 @@ public class AttributQueryAction implements IAction { @Autowired private IAuthenticationSessionStoreage authenticationSessionStorage; @Autowired private AuthenticationDataBuilder authDataBuilder; @Autowired private IDPCredentialProvider pvpCredentials; - @Autowired private ITransactionStorage transactionStorage; + @Autowired private AuthConfiguration authConfig; private final static List DEFAULTSTORKATTRIBUTES = Arrays.asList( new String[]{PVPConstants.EID_STORK_TOKEN_NAME}); @@ -98,34 +104,44 @@ public class AttributQueryAction implements IAction { //set time reference DateTime date = new DateTime(); - //get Single Sign-On information for the Service-Provider - // which sends the Attribute-Query request - AuthenticationSession moaSession = authenticationSessionStorage.getSession(pendingReq.getMOASessionIdentifier()); - if (moaSession == null) { - Logger.warn("No MOASession with ID:" + pendingReq.getMOASessionIdentifier() + " FOUND."); - throw new MOAIDException("auth.02", new Object[]{pendingReq.getMOASessionIdentifier()}); - } - - InterfederationSessionStore nextIDPInformation = - authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSessionID()); - - AttributeQuery attrQuery = - (AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest(); + try { + //get Single Sign-On information for the Service-Provider + // which sends the Attribute-Query request + AuthenticationSession moaSession = authenticationSessionStorage.getSession(pendingReq.getMOASessionIdentifier()); + if (moaSession == null) { + Logger.warn("No MOASession with ID:" + pendingReq.getMOASessionIdentifier() + " FOUND."); + throw new MOAIDException("auth.02", new Object[]{pendingReq.getMOASessionIdentifier()}); + } - //generate authData for AttributQueryRequest - authData = authDataBuilder.buildAuthenticationDataForAttributQuery(pendingReq, moaSession, attrQuery.getAttributes(), nextIDPInformation); - + InterfederationSessionStore nextIDPInformation = + authenticationSessionStorage.searchInterfederatedIDPFORAttributeQueryWithSessionID(moaSession.getSessionID()); - //add default attributes in case of mandates or STORK is in use - List attrList = addDefaultAttributes(attrQuery, authData); + AttributeQuery attrQuery = + (AttributeQuery)((MOARequest)((PVPTargetConfiguration) pendingReq).getRequest()).getSamlRequest(); + + //build PVP 2.1 response-attribute information for this AttributQueryRequest + Trible, Date, String> responseInfo = + buildResponseInformationForAttributQuery(pendingReq, moaSession, attrQuery.getAttributes(), nextIDPInformation); - //build PVP 2.1 assertion - Assertion assertion = PVP2AssertionBuilder.buildAssertion(req, attrQuery, attrList, authData, date, authData.getSessionIndex()); - - //build PVP 2.1 response - Response authResponse = AuthResponseBuilder.buildResponse(req.getAuthURL(), attrQuery, date, assertion); - - try { + Logger.debug("AttributQuery return " + responseInfo.getFirst().size() + + " attributes with QAA-Level:" + responseInfo.getThird() + + " validTo:" + responseInfo.getSecond().toString()); + + //build PVP 2.1 assertion + + String issuerEntityID = pendingReq.getAuthURL(); + if (issuerEntityID.endsWith("/")) + issuerEntityID = issuerEntityID.substring(0, issuerEntityID.length()-1); + + Assertion assertion = PVP2AssertionBuilder.buildAssertion(issuerEntityID, + attrQuery, responseInfo.getFirst(), date, new DateTime(responseInfo.getSecond().getTime()), + responseInfo.getThird(), authData.getSessionIndex()); + + //build PVP 2.1 response + Response authResponse = AuthResponseBuilder.buildResponse( + MOAMetadataProvider.getInstance(), issuerEntityID, attrQuery, date, + assertion, authConfig.isPVP2AssertionEncryptionActive()); + SoapBinding decoder = new SoapBinding(); decoder.encodeRespone(httpReq, httpResp, authResponse, null, null, pvpCredentials.getIDPAssertionSigningCredential()); @@ -139,6 +155,11 @@ public class AttributQueryAction implements IAction { Logger.error("Security exception", e); throw new MOAIDException("pvp2.01", null, e); + } catch (MOADatabaseException e) { + Logger.error("MOASession with SessionID=" + pendingReq.getMOASessionIdentifier() + + " is not found in Database", e); + throw new MOAIDException("init.04", new Object[] { pendingReq.getMOASessionIdentifier() }); + } } else { @@ -164,32 +185,143 @@ public class AttributQueryAction implements IAction { public String getDefaultActionName() { return PVP2XProtocol.ATTRIBUTEQUERY; } + + private Trible, Date, String> buildResponseInformationForAttributQuery(IRequest pendingReq, + AuthenticationSession session, List reqAttributes, InterfederationSessionStore nextIDPInformation) throws MOAIDException { + try { + //mark AttributeQuery as used if it exists + OASessionStore activeOA = authenticationSessionStorage.searchActiveOASSOSession(session, pendingReq.getOAURL(), pendingReq.requestedModule()); + if (activeOA != null) { + //mark + if ( pendingReq instanceof PVPTargetConfiguration && + ((PVPTargetConfiguration) pendingReq).getRequest() instanceof MOARequest && + ((PVPTargetConfiguration) pendingReq).getRequest().getInboundMessage() instanceof AttributeQuery) { + try { + activeOA.setAttributeQueryUsed(true); + MOASessionDBUtils.saveOrUpdate(activeOA); + + } catch (MOADatabaseException e) { + Logger.error("MOASession interfederation information can not stored to database.", e); + + } + } + } + + //build OnlineApplication dynamic from requested attributes (AttributeQuerry Request) and configuration + IOAAuthParameters spConfig = DynamicOAAuthParameterBuilder.buildFromAttributeQuery(reqAttributes); + + //search federated IDP information for this MOASession + if (nextIDPInformation != null) { + Logger.info("Find active federated IDP information." + + ". --> Request next IDP:" + nextIDPInformation.getIdpurlprefix() + + " for authentication information."); + + //load configuration of next IDP + OAAuthParameter idp = authConfig.getOnlineApplicationParameter(nextIDPInformation.getIdpurlprefix()); + if (idp == null) { + Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix() + + "is not loadable."); + throw new MOAIDException("auth.32", new Object[]{nextIDPInformation.getIdpurlprefix()}); + + } + + //check if next IDP config allows inbound messages + if (!idp.isInboundSSOInterfederationAllowed()) { + Logger.warn("Configuration for federated IDP:" + nextIDPInformation.getIdpurlprefix() + + "disallow inbound authentication messages."); + throw new MOAIDException("auth.33", new Object[]{nextIDPInformation.getIdpurlprefix()}); + + } + + //check next IDP service area policy. BusinessService IDPs can only request wbPKs + if (!spConfig.getBusinessService() && !idp.isIDPPublicService()) { + Logger.error("Interfederated IDP " + idp.getPublicURLPrefix() + + " has a BusinessService-IDP but requests PublicService attributes."); + throw new MOAIDException("auth.34", new Object[]{nextIDPInformation.getIdpurlprefix()}); + + } + + //validation complete --> start AttributeQuery Request + AssertionAttributeExtractor extractor = authDataBuilder.getAuthDataFromAttributeQuery(reqAttributes, + nextIDPInformation.getUserNameID(), idp); + + try { + //mark attribute request as used + if (nextIDPInformation.isStoreSSOInformation()) { + nextIDPInformation.setAttributesRequested(true); + MOASessionDBUtils.saveOrUpdate(nextIDPInformation); - private List addDefaultAttributes(AttributeQuery query, IAuthData authData) { + //delete federated IDP from Session + } else { + MOASessionDBUtils.delete(nextIDPInformation); + + } + + } catch (MOADatabaseException e) { + Logger.error("MOASession interfederation information can not stored to database.", e); + + } + + return Trible.newInstance( + extractor.getAllResponseAttributesFromFirstAttributeStatement(), + extractor.getAssertionNotOnOrAfter(), + extractor.getQAALevel()); + + } else { + Logger.debug("Build authData for AttributQuery from local MOASession."); + IAuthData authData = authDataBuilder.buildAuthenticationData(pendingReq, session, spConfig); + + //add default attributes in case of mandates or STORK is in use + List attrList = addDefaultAttributes(reqAttributes, authData); + + //build Set of response attributes + List respAttr = PVPAttributeBuilder.buildSetOfResponseAttributes(authData, attrList); + + return Trible.newInstance(respAttr, authData.getSsoSessionValidTo(), authData.getQAALevel()); + + } + + } catch (MOAIDException e) { + throw e; + } + } + + /** + * Add additional PVP Attribute-Names in respect to current MOASession. + *

+ * 
As example: if current MOASession includes mandates but mandate attributes are not requested, 
+	 * this method a a minimum set of mandate attribute-names
+ * + * @param reqAttr From Service Provider requested attributes + * @param authData AuthenticationData + * @return List of PVP attribute-names + */ + private List addDefaultAttributes(List reqAttr, IAuthData authData) { - List reqAttributs = new ArrayList(); + List reqAttributeNames = new ArrayList(); - for (Attribute attr : query.getAttributes()) { - reqAttributs.add(attr.getName()); + for (Attribute attr : reqAttr) { + reqAttributeNames.add(attr.getName()); } //add default STORK attributes if it is a STORK authentication - if (authData.isForeigner() && !reqAttributs.containsAll(DEFAULTSTORKATTRIBUTES)) { + if (authData.isForeigner() && !reqAttributeNames.containsAll(DEFAULTSTORKATTRIBUTES)) { for (String el : DEFAULTSTORKATTRIBUTES) { - if (!reqAttributs.contains(el)) - reqAttributs.add(el); + if (!reqAttributeNames.contains(el)) + reqAttributeNames.add(el); } } //add default mandate attributes if it is a authentication with mandates - if (authData.isUseMandate() && !reqAttributs.containsAll(DEFAULTMANDATEATTRIBUTES)) { + if (authData.isUseMandate() && !reqAttributeNames.containsAll(DEFAULTMANDATEATTRIBUTES)) { for (String el : DEFAULTMANDATEATTRIBUTES) { - if (!reqAttributs.contains(el)) - reqAttributs.add(el); + if (!reqAttributeNames.contains(el)) + reqAttributeNames.add(el); } } - return reqAttributs; + return reqAttributeNames; } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java index 2882f20e1..a214dad9d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AuthenticationAction.java @@ -38,6 +38,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; @@ -50,6 +51,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AuthResponseBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.BindingNotSupportedException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; @@ -57,6 +59,7 @@ import at.gv.egovernment.moa.logging.Logger; @Service("PVPAuthenticationRequestAction") public class AuthenticationAction implements IAction { @Autowired IDPCredentialProvider pvpCredentials; + @Autowired AuthConfiguration authConfig; public SLOInformationInterface processRequest(IRequest req, HttpServletRequest httpReq, HttpServletResponse httpResp, IAuthData authData) throws MOAIDException { @@ -77,12 +80,18 @@ public class AuthenticationAction implements IAction { SLOInformationImpl sloInformation = new SLOInformationImpl(); - + //change to entity value from entity name to IDP EntityID (URL) + String issuerEntityID = pvpRequest.getAuthURL(); + if (issuerEntityID.endsWith("/")) + issuerEntityID = issuerEntityID.substring(0, issuerEntityID.length()-1); + //build Assertion - Assertion assertion = PVP2AssertionBuilder.buildAssertion(pvpRequest, authnRequest, authData, + Assertion assertion = PVP2AssertionBuilder.buildAssertion(issuerEntityID, pvpRequest, authnRequest, authData, peerEntity, date, consumerService, sloInformation); - Response authResponse = AuthResponseBuilder.buildResponse(pvpRequest.getAuthURL(), authnRequest, date, assertion); + Response authResponse = AuthResponseBuilder.buildResponse( + MOAMetadataProvider.getInstance(), issuerEntityID, authnRequest, + date, assertion, authConfig.isPVP2AssertionEncryptionActive()); IEncoder binding = null; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 4dbc35041..8065af1a6 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -57,20 +57,18 @@ import org.springframework.web.bind.annotation.RequestMethod; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.builder.DynamicOAAuthParameterBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; -import at.gv.egovernment.moa.id.commons.db.dao.session.InterfederationSessionStore; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.moduls.NoPassivAuthenticationException; import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IEncoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.SoapBinding; @@ -92,7 +90,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.CheckMandateAttributes; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.id.protocols.pvp2x.validation.AuthnRequestValidator; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.id.util.ErrorResponseUtils; import at.gv.egovernment.moa.id.util.HTTPUtils; @@ -105,7 +103,7 @@ import at.gv.egovernment.moa.util.MiscUtil; public class PVP2XProtocol extends AbstractAuthProtocolModulController { @Autowired IDPCredentialProvider pvpCredentials; - @Autowired SAMLVerificationEngine samlVerificationEngine; + @Autowired SAMLVerificationEngineSP samlVerificationEngine; public static final String NAME = PVP2XProtocol.class.getName(); public static final String PATH = "id_pvp2x"; @@ -193,9 +191,11 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { req.getRemoteAddr()); //get POST-Binding decoder implementation - InboundMessage msg = (InboundMessage) new PostBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false); + InboundMessage msg = (InboundMessage) new PostBinding().decode( + req, resp, MOAMetadataProvider.getInstance(), false, + new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(pendingReq.getAuthURL()))); pendingReq.setRequest(msg); - + //preProcess Message preProcess(req, resp, pendingReq); @@ -241,7 +241,9 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { req.getRemoteAddr()); //get POST-Binding decoder implementation - InboundMessage msg = (InboundMessage) new RedirectBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false); + InboundMessage msg = (InboundMessage) new RedirectBinding().decode( + req, resp, MOAMetadataProvider.getInstance(), false, + new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(pendingReq.getAuthURL()))); pendingReq.setRequest(msg); //preProcess Message @@ -290,7 +292,9 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { req.getRemoteAddr()); //get POST-Binding decoder implementation - InboundMessage msg = (InboundMessage) new SoapBinding().decode(req, resp, MOAMetadataProvider.getInstance(), false); + InboundMessage msg = (InboundMessage) new SoapBinding().decode( + req, resp, MOAMetadataProvider.getInstance(), false, + new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(pendingReq.getAuthURL()))); pendingReq.setRequest(msg); //preProcess Message diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java index 86b31f1eb..71c5a46a4 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/IDecoder.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.binding; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.opensaml.common.binding.decoding.URIComparator; import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.ws.message.decoder.MessageDecodingException; import org.opensaml.xml.security.SecurityException; @@ -34,7 +35,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface public interface IDecoder { public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) + HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint, URIComparator comparator) throws MessageDecodingException, SecurityException, PVP2Exception; public boolean handleDecode(String action, HttpServletRequest req); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java index 6d376faa0..46381fcc2 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/PostBinding.java @@ -28,6 +28,7 @@ import javax.servlet.http.HttpServletResponse; import org.apache.velocity.app.VelocityEngine; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.common.binding.decoding.URIComparator; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPPostDecoder; import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; @@ -49,17 +50,14 @@ import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; -import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.validation.MOAPVPSignedRequestPolicyRule; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; -import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -146,26 +144,21 @@ public class PostBinding implements IDecoder, IEncoder { } public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException, + HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint, URIComparator comparator) throws MessageDecodingException, SecurityException { HTTPPostDecoder decode = new HTTPPostDecoder(new BasicParserPool()); BasicSAMLMessageContext messageContext = new BasicSAMLMessageContext(); messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - try { - //set metadata descriptor type - if (isSPEndPoint) { - messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req)))); - - } else { - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSOPostService(HTTPUtils.extractAuthURLFromRequest(req)))); - } - - } catch (ConfigurationException e) { - throw new SecurityException(e); + //set metadata descriptor type + if (isSPEndPoint) { + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(comparator); + + } else { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(comparator); } messageContext.setMetadataProvider(metadataProvider); @@ -173,7 +166,7 @@ public class PostBinding implements IDecoder, IEncoder { //set security policy context BasicSecurityPolicy policy = new BasicSecurityPolicy(); policy.getPolicyRules().add( - new MOAPVPSignedRequestPolicyRule( + new MOAPVPSignedRequestPolicyRule(metadataProvider, TrustEngineFactory.getSignatureKnownKeysTrustEngine(metadataProvider), messageContext.getPeerEntityRole())); SecurityPolicyResolver secResolver = new StaticSecurityPolicyResolver(policy); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java index 683a72e67..1d13cbd07 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/RedirectBinding.java @@ -27,6 +27,7 @@ import javax.servlet.http.HttpServletResponse; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.common.binding.decoding.URIComparator; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.decoding.HTTPRedirectDeflateDecoder; import org.opensaml.saml2.binding.encoding.HTTPRedirectDeflateEncoder; @@ -50,17 +51,14 @@ import org.opensaml.xml.parse.BasicParserPool; import org.opensaml.xml.security.SecurityException; import org.opensaml.xml.security.credential.Credential; -import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.PVP2XProtocol; import at.gv.egovernment.moa.id.protocols.pvp2x.config.MOADefaultBootstrap; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessageInterface; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; -import at.gv.egovernment.moa.id.util.HTTPUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -134,7 +132,7 @@ public class RedirectBinding implements IDecoder, IEncoder { } public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException, + HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint, URIComparator comparator) throws MessageDecodingException, SecurityException { HTTPRedirectDeflateDecoder decode = new HTTPRedirectDeflateDecoder( @@ -144,20 +142,14 @@ public class RedirectBinding implements IDecoder, IEncoder { messageContext .setInboundMessageTransport(new HttpServletRequestAdapter(req)); - try { - //set metadata descriptor type - if (isSPEndPoint) { - messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getSPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req)))); - - } else { - messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); - decode.setURIComparator(new MOAURICompare(PVPConfiguration.getInstance().getIDPSSORedirectService(HTTPUtils.extractAuthURLFromRequest(req)))); - } - - } catch (ConfigurationException e) { - throw new SecurityException(e); + //set metadata descriptor type + if (isSPEndPoint) { + messageContext.setPeerEntityRole(IDPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(comparator); + } else { + messageContext.setPeerEntityRole(SPSSODescriptor.DEFAULT_ELEMENT_NAME); + decode.setURIComparator(comparator); } messageContext.setMetadataProvider(metadataProvider); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java index 12b571ed1..25b22f0ad 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/binding/SoapBinding.java @@ -29,6 +29,7 @@ import javax.servlet.http.HttpServletResponse; import org.opensaml.common.SAMLObject; import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.common.binding.decoding.URIComparator; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.binding.encoding.HTTPSOAP11Encoder; import org.opensaml.saml2.core.RequestAbstractType; @@ -64,7 +65,7 @@ public class SoapBinding implements IDecoder, IEncoder { @Autowired private IDPCredentialProvider credentialProvider; public InboundMessageInterface decode(HttpServletRequest req, - HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint) throws MessageDecodingException, + HttpServletResponse resp, MetadataProvider metadataProvider, boolean isSPEndPoint, URIComparator comparator) throws MessageDecodingException, SecurityException, PVP2Exception { HTTPSOAP11Decoder soapDecoder = new HTTPSOAP11Decoder(new BasicParserPool()); BasicSAMLMessageContext messageContext = diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java index 24c2626e3..aea3c2ee7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AuthResponseBuilder.java @@ -23,7 +23,6 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder; import java.util.ArrayList; -import java.util.Date; import java.util.List; import org.joda.time.DateTime; @@ -38,6 +37,7 @@ import org.opensaml.saml2.core.Response; import org.opensaml.saml2.encryption.Encrypter; import org.opensaml.saml2.encryption.Encrypter.KeyPlacement; import org.opensaml.saml2.metadata.SPSSODescriptor; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.security.MetadataCredentialResolver; import org.opensaml.security.MetadataCriteria; import org.opensaml.xml.encryption.EncryptionException; @@ -52,11 +52,8 @@ import org.opensaml.xml.security.keyinfo.KeyInfoGeneratorFactory; import org.opensaml.xml.security.x509.X509Credential; import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; -import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.InvalidAssertionEncryptionException; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; import at.gv.egovernment.moa.logging.Logger; @@ -66,15 +63,12 @@ import at.gv.egovernment.moa.logging.Logger; */ public class AuthResponseBuilder { - public static Response buildResponse(String authURL, RequestAbstractType req, DateTime date, Assertion assertion) throws InvalidAssertionEncryptionException, ConfigurationException { + public static Response buildResponse(MetadataProvider metadataProvider, String issuerEntityID, RequestAbstractType req, DateTime date, Assertion assertion, boolean enableEncryption) throws InvalidAssertionEncryptionException, ConfigurationException { Response authResponse = SAML2Utils.createSAMLObject(Response.class); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); - //change to entity value from entity name to IDP EntityID (URL) - if (authURL.endsWith("/")) - authURL = authURL.substring(0, authURL.length()-1); - nissuer.setValue(authURL); + nissuer.setValue(issuerEntityID); nissuer.setFormat(NameID.ENTITY); authResponse.setIssuer(nissuer); authResponse.setInResponseTo(req.getID()); @@ -91,7 +85,7 @@ public class AuthResponseBuilder { //check, if metadata includes an encryption key MetadataCredentialResolver mdCredResolver = - new MetadataCredentialResolver(MOAMetadataProvider.getInstance()); + new MetadataCredentialResolver(metadataProvider); CriteriaSet criteriaSet = new CriteriaSet(); criteriaSet.add( new EntityIDCriteria(req.getIssuer().getValue()) ); @@ -107,9 +101,8 @@ public class AuthResponseBuilder { throw new InvalidAssertionEncryptionException(); } - - boolean isEncryptionActive = AuthConfigurationProviderFactory.getInstance().isPVP2AssertionEncryptionActive(); - if (encryptionCredentials != null && isEncryptionActive) { + + if (encryptionCredentials != null && enableEncryption) { //encrypt SAML2 assertion try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java index 164583f77..c48caed29 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAttributeBuilder.java @@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.builder; import java.util.ArrayList; +import java.util.Collection; import java.util.HashMap; import java.util.Iterator; import java.util.List; @@ -155,4 +156,52 @@ public class PVPAttributeBuilder { return attribute; } + /** + * Build a set of PVP Response-Attributes + *

+ * INFO: If a specific attribute can not be build, a info is logged, but no execpetion is thrown. + * Therefore, the return List must not include all requested attributes. + * + * @param authData AuthenticationData IAuthData which is used to build the attribute values, but never null + * @param reqAttributenName List of PVP attribute names which are requested, but never null + * @return List of PVP attributes, but never null + */ + public static List buildSetOfResponseAttributes(IAuthData authData, + Collection reqAttributenName) { + List attrList = new ArrayList(); + if (reqAttributenName != null) { + Iterator it = reqAttributenName.iterator(); + while (it.hasNext()) { + String reqAttributName = it.next(); + try { + Attribute attr = PVPAttributeBuilder.buildAttribute( + reqAttributName, null, authData); + if (attr == null) { + Logger.info( + "Attribute generation failed! for " + + reqAttributName); + + } else { + attrList.add(attr); + + } + + } catch (PVP2Exception e) { + Logger.info( + "Attribute generation failed! for " + + reqAttributName); + + } catch (Exception e) { + Logger.warn( + "General Attribute generation failed! for " + + reqAttributName, e); + + } + } + } + + return attrList; + } + + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java index 0a0be2a2c..d5d84dd51 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java @@ -108,8 +108,16 @@ public class PVPAuthnRequestBuilder { //set basic AuthnRequest information - SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); - authReq.setID(gen.generateIdentifier()); + String reqID = config.getRequestID(); + if (MiscUtil.isNotEmpty(reqID)) + authReq.setID(reqID); + + else { + SecureRandomIdentifierGenerator gen = new SecureRandomIdentifierGenerator(); + authReq.setID(gen.generateIdentifier()); + + } + authReq.setIssueInstant(new DateTime()); //set isPassive flag @@ -158,6 +166,9 @@ public class PVPAuthnRequestBuilder { NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); subjectNameID.setValue(config.getSubjectNameID()); + if (MiscUtil.isNotEmpty(config.getSubjectNameIDQualifier())) + subjectNameID.setNameQualifier(config.getSubjectNameIDQualifier()); + if (MiscUtil.isNotEmpty(config.getSubjectNameIDFormat())) subjectNameID.setFormat(config.getSubjectNameIDFormat()); else diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 03cfe27d7..7a7044ebf 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -66,7 +66,6 @@ import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; -import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; @@ -86,45 +85,24 @@ import at.gv.egovernment.moa.util.MiscUtil; public class PVP2AssertionBuilder implements PVPConstants { - public static Assertion buildAssertion(IRequest pendingReq, AttributeQuery attrQuery, - List reqAttributes, IAuthData authData, DateTime date, String sessionIndex) throws ConfigurationException { - - + /** + * Build a PVP assertion as response for a SAML2 AttributeQuery request + * + * @param issuerEntityID EnitiyID, which should be used for this IDP response + * @param attrQuery AttributeQuery request from Service-Provider + * @param attrList List of PVP response attributes + * @param now Current time + * @param validTo ValidTo time of the assertion + * @param qaaLevel QAA level of the authentication + * @param sessionIndex SAML2 SessionIndex, which should be included * + * @return PVP 2.1 Assertion + * @throws ConfigurationException + */ + public static Assertion buildAssertion(String issuerEntityID, AttributeQuery attrQuery, + List attrList, DateTime now, DateTime validTo, String qaaLevel, String sessionIndex) throws ConfigurationException { + AuthnContextClassRef authnContextClassRef = SAML2Utils.createSAMLObject(AuthnContextClassRef.class); - authnContextClassRef.setAuthnContextClassRef(authData.getQAALevel()); - - List attrList = new ArrayList(); - if (reqAttributes != null) { - Iterator it = reqAttributes.iterator(); - while (it.hasNext()) { - String reqAttributName = it.next(); - try { - Attribute attr = PVPAttributeBuilder.buildAttribute( - reqAttributName, null, authData); - if (attr == null) { - Logger.error( - "Attribute generation failed! for " - + reqAttributName); - - } else { - attrList.add(attr); - - } - - } catch (PVP2Exception e) { - Logger.error( - "Attribute generation failed! for " - + reqAttributName); - - } catch (Exception e) { - Logger.error( - "General Attribute generation failed! for " - + reqAttributName, e); - - } - } - } - + authnContextClassRef.setAuthnContextClassRef(qaaLevel); NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); subjectNameID.setFormat(attrQuery.getSubject().getNameID().getFormat()); @@ -132,17 +110,31 @@ public class PVP2AssertionBuilder implements PVPConstants { SubjectConfirmationData subjectConfirmationData = null; - return buildGenericAssertion(pendingReq.getAuthURL(), attrQuery.getIssuer().getValue(), date, + return buildGenericAssertion(issuerEntityID, attrQuery.getIssuer().getValue(), now, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, - new DateTime(authData.getSsoSessionValidTo().getTime())); + validTo); } - - public static Assertion buildAssertion(PVPTargetConfiguration pendingReq, AuthnRequest authnRequest, + + + /** + * Build a PVP 2.1 assertion as response of a SAML2 AuthnRequest + * + * @param issuerEntityID EnitiyID, which should be used for this IDP response + * @param pendingReq Current processed pendingRequest DAO + * @param authnRequest Current processed PVP AuthnRequest + * @param authData AuthenticationData of the user, which is already authenticated + * @param peerEntity SAML2 EntityDescriptor of the service-provider, which receives the response + * @param date TimeStamp + * @param assertionConsumerService SAML2 endpoint of the service-provider, which should be used + * @param sloInformation Single LogOut information DAO + * @return + * @throws MOAIDException + */ + public static Assertion buildAssertion(String issuerEntityID, PVPTargetConfiguration pendingReq, AuthnRequest authnRequest, IAuthData authData, EntityDescriptor peerEntity, DateTime date, AssertionConsumerService assertionConsumerService, SLOInformationImpl sloInformation) throws MOAIDException { - RequestedAuthnContext reqAuthnContext = authnRequest .getRequestedAuthnContext(); @@ -282,37 +274,74 @@ public class PVP2AssertionBuilder implements PVPConstants { } NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class); - + //build nameID and nameID Format from moasession //TODO: nameID generation if (authData.isUseMandate()) { - Element mandate = authData.getMandate(); - if(mandate == null) { - throw new NoMandateDataAvailableException(); - } - Mandate mandateObject = MandateBuilder.buildMandate(mandate); - if(mandateObject == null) { - throw new NoMandateDataAvailableException(); - } - CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); - PhysicalPersonType pysicalperson = mandateObject.getMandator().getPhysicalPerson(); + String bpktype = null; + String bpk = null; - IdentificationType id; - if(corporation != null && corporation.getIdentification().size() > 0) - id = corporation.getIdentification().get(0); - + Element mandate = authData.getMandate(); + if(mandate != null) { + Mandate mandateObject = MandateBuilder.buildMandate(mandate); + if(mandateObject == null) { + throw new NoMandateDataAvailableException(); + } + CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody(); + PhysicalPersonType pysicalperson = mandateObject.getMandator().getPhysicalPerson(); - else if (pysicalperson != null && pysicalperson.getIdentification().size() > 0) - id = pysicalperson.getIdentification().get(0); + IdentificationType id; + if(corporation != null && corporation.getIdentification().size() > 0) + id = corporation.getIdentification().get(0); + + + else if (pysicalperson != null && pysicalperson.getIdentification().size() > 0) + id = pysicalperson.getIdentification().get(0); + + else { + Logger.error("Failed to generate IdentificationType"); + throw new NoMandateDataAvailableException(); + } + + bpktype = id.getType(); + bpk = id.getValue().getValue(); + + } else { + Logger.debug("Read mandatpr bPK|baseID from PVP attributes ... "); + bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class); + bpktype = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class); - else { - Logger.error("Failed to generate IdentificationType"); - throw new NoMandateDataAvailableException(); + if (MiscUtil.isEmpty(bpk)) { + //no sourcePin is included --> search for bPK + bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class); + + //set bPK-Type from configuration, because it MUST be equal to service-provider type + if (oaParam.getBusinessService()) { + if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) + bpktype = oaParam.getIdentityLinkDomainIdentifier(); + else + bpktype = Constants.URN_PREFIX_WBPK + "+" + oaParam.getIdentityLinkDomainIdentifier(); + + } else { + if (oaParam.getTarget().startsWith(Constants.URN_PREFIX_CDID + "+")) + bpktype = oaParam.getTarget(); + else + bpktype = Constants.URN_PREFIX_CDID + "+" + oaParam.getTarget(); + + } + + } else { + //sourcePin is include --> check sourcePinType + if (MiscUtil.isEmpty(bpktype)) + bpktype = Constants.URN_PREFIX_BASEID; + + } } - - String bpktype = id.getType(); - String bpk = id.getValue().getValue(); + if (MiscUtil.isEmpty(bpk) || MiscUtil.isEmpty(bpktype)) { + throw new NoMandateDataAvailableException(); + + } if (bpktype.equals(Constants.URN_PREFIX_BASEID)) { if (oaParam.getBusinessService()) { @@ -335,7 +364,7 @@ public class PVP2AssertionBuilder implements PVPConstants { subjectNameID.setNameQualifier(bpktype); subjectNameID.setValue(bpk); } - + } else { subjectNameID.setNameQualifier(authData.getBPKType()); subjectNameID.setValue(authData.getBPK()); @@ -414,7 +443,7 @@ public class PVP2AssertionBuilder implements PVPConstants { sloInformation.setNameIDFormat(subjectNameID.getFormat()); sloInformation.setSessionIndex(sessionIndex); - return buildGenericAssertion(pendingReq.getAuthURL(), peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter()); + return buildGenericAssertion(issuerEntityID, peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter()); } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java index e209d0bc5..6e1798ed1 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java @@ -118,6 +118,15 @@ public interface IPVPAuthnRequestBuilderConfiguruation { */ public String getSubjectNameID(); + /** + * Define the qualifier of the SubjectNameID + *

+ * Like: 'urn:publicid:gv.at:cdid+BF' + * + * @return qualifier, or null if no qualifier should be set + */ + public String getSubjectNameIDQualifier(); + /** * Define the format of the subjectNameID, which is included in authn-request * @@ -125,5 +134,13 @@ public interface IPVPAuthnRequestBuilderConfiguruation { * @return nameIDFormat, of SAML2 'transient' if nothing is defined */ public String getSubjectNameIDFormat(); + + /** + * Define a SP specific SAMK2 requestID + * + * @return requestID, or null if the requestID should be generated automatically + */ + public String getRequestID(); + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index bbf395a6f..58210a72c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -28,7 +28,6 @@ import java.security.cert.CertificateException; import java.util.ArrayList; import java.util.List; import java.util.Map; -import java.util.Properties; import java.util.jar.Attributes; import java.util.jar.Manifest; @@ -92,18 +91,18 @@ public class PVPConfiguration { private static String moaIDVersion = null; //PVP2 generalpvpconfigdb; - Properties props; - String rootDir = null; + //Properties props; + //String rootDir = null; private PVPConfiguration() { - try { - //generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); - props = AuthConfigurationProviderFactory.getInstance().getGeneralPVP2ProperiesConfig(); - rootDir = AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir(); - - } catch (ConfigurationException e) { - e.printStackTrace(); - } +// try { +// //generalpvpconfigdb = AuthConfigurationProvider.getInstance().getGeneralPVP2DBConfig(); +// //props = AuthConfigurationProviderFactory.getInstance().getGeneralPVP2ProperiesConfig(); +// //rootDir = AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir(); +// +// } catch (ConfigurationException e) { +// e.printStackTrace(); +// } } public List getIDPPublicPath() throws ConfigurationException { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/IMOARefreshableMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/IMOARefreshableMetadataProvider.java new file mode 100644 index 000000000..3da4dc18a --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/IMOARefreshableMetadataProvider.java @@ -0,0 +1,38 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.metadata; + +/** + * @author tlenz + * + */ +public interface IMOARefreshableMetadataProvider { + + /** + * Refresh a entity or load a entity in a metadata provider + * + * @param entityID + * @return true, if refresh is success, otherwise false + */ + public boolean refreshMetadataProvider(String entityID); +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java index 6e87abb06..618346485 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/metadata/MOAMetadataProvider.java @@ -59,7 +59,7 @@ import at.gv.egovernment.moa.util.Base64Utils; import at.gv.egovernment.moa.util.MiscUtil; public class MOAMetadataProvider extends SimpleMOAMetadataProvider - implements ObservableMetadataProvider, IGarbageCollectorProcessing { + implements ObservableMetadataProvider, IGarbageCollectorProcessing, IMOARefreshableMetadataProvider { private static MOAMetadataProvider instance = null; private static Object mutex = new Object(); @@ -118,6 +118,7 @@ public class MOAMetadataProvider extends SimpleMOAMetadataProvider MetadataProvider internalProvider; + @Override public boolean refreshMetadataProvider(String entityID) { try { OAAuthParameter oaParam = diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 8787df82d..106be8a09 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.utils; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; +import java.util.Date; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -53,9 +54,18 @@ public class AssertionAttributeExtractor { private final List minimalAttributeNameList = Arrays.asList( PVPConstants.PRINCIPAL_NAME_NAME, - PVPConstants.GIVEN_NAME_NAME); - - + PVPConstants.GIVEN_NAME_NAME, + PVPConstants.ENC_BPK_LIST_NAME, + PVPConstants.BPK_NAME); + + /** + * Parse the SAML2 Response element and extracts included information + *

+ * INFO: Actually, only the first SAML2 Assertion of the SAML2 Response is used! + * + * @param samlResponse SAML2 Response + * @throws AssertionAttributeExtractorExeption + */ public AssertionAttributeExtractor(StatusResponseType samlResponse) throws AssertionAttributeExtractorExeption { if (samlResponse != null && samlResponse instanceof Response) { List assertions = ((Response) samlResponse).getAssertions(); @@ -96,6 +106,27 @@ public class AssertionAttributeExtractor { throw new AssertionAttributeExtractorExeption(); } + /** + * Get all SAML2 attributes from first SAML2 AttributeStatement element + * + * @return List of SAML2 Attributes + */ + public List getAllResponseAttributesFromFirstAttributeStatement() { + return assertion.getAttributeStatements().get(0).getAttributes(); + + } + + /** + * Get all SAML2 attributes of specific SAML2 AttributeStatement element + * + * @param attrStatementID List ID of the AttributeStatement element + * @return List of SAML2 Attributes + */ + public List getAllResponseAttributes(int attrStatementID) { + return assertion.getAttributeStatements().get(attrStatementID).getAttributes(); + + } + /** * check attributes from assertion with minimal required attribute list * @return @@ -107,7 +138,7 @@ public class AssertionAttributeExtractor { /** * check attributes from assertion with attributeNameList - * bPK or enc_bPK is always needed + * bPK or enc_bPK are always needed * * @param List of attributes which are required * @@ -116,24 +147,24 @@ public class AssertionAttributeExtractor { public boolean containsAllRequiredAttributes(Collection attributeNameList) { //first check if a bPK or an encrypted bPK is available - if (attributs.containsKey(PVPConstants.ENC_BPK_LIST_NAME) || - (attributs.containsKey(PVPConstants.BPK_NAME))) { - boolean flag = true; - for (String attr : attributeNameList) { - if (!attributs.containsKey(attr)) { - flag = false; - Logger.debug("Assertion contains no Attribute " + attr); - - } - + boolean flag = true; + for (String attr : attributeNameList) { + if (!attributs.containsKey(attr)) { + flag = false; + Logger.debug("Assertion contains no Attribute " + attr); + } - - return flag; - + } - Logger.debug("Assertion contains no bPK or encryptedbPK."); - return false; + if (flag) + return flag; + + else { + Logger.debug("Assertion contains no bPK or encryptedbPK."); + return false; + + } } public boolean containsAttribute(String attributeName) { @@ -218,6 +249,29 @@ public class AssertionAttributeExtractor { return assertion; } + + /** + * Get the Assertion validTo period + * + * Primarily, the 'SessionNotOnOrAfter' attribute in the SAML2 'AuthnStatment' element is used. + * If this is empty, this method returns value of SAML 'Conditions' element. + * + * @return Date, until this SAML2 assertion is valid + */ + public Date getAssertionNotOnOrAfter() { + if (getFullAssertion().getAuthnStatements() != null + && getFullAssertion().getAuthnStatements().size() > 0) { + for (AuthnStatement el : getFullAssertion().getAuthnStatements()) { + if (el.getSessionNotOnOrAfter() != null) + return (el.getSessionNotOnOrAfter().toDate()); + } + + } + + return getFullAssertion().getConditions().getNotOnOrAfter().toDate(); + + } + private AuthnStatement getAuthnStatement() throws AssertionAttributeExtractorExeption { List authnList = assertion.getAuthnStatements(); if (authnList.size() == 0) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java index f62410656..86ca591ee 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/AbstractRequestSignedSecurityPolicyRule.java @@ -139,7 +139,7 @@ public abstract class AbstractRequestSignedSecurityPolicyRule implements Securit throw new SecurityPolicyException("Signature validation FAILED."); } - Logger.debug("PVP AuthnRequest signature valid."); + Logger.debug("PVP message signature valid."); } catch (org.opensaml.xml.security.SecurityException e) { Logger.info("PVP2x message signature validation FAILED. Message:" + e.getMessage()); @@ -148,7 +148,7 @@ public abstract class AbstractRequestSignedSecurityPolicyRule implements Securit } } else { - throw new SecurityPolicyException("Request is not signed."); + throw new SecurityPolicyException("PVP Message is not signed."); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOAPVPSignedRequestPolicyRule.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOAPVPSignedRequestPolicyRule.java index 932f3b818..7b3f890e9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOAPVPSignedRequestPolicyRule.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/validation/MOAPVPSignedRequestPolicyRule.java @@ -25,10 +25,12 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.validation; import javax.xml.namespace.QName; import org.opensaml.common.SignableSAMLObject; +import org.opensaml.saml2.metadata.provider.MetadataProvider; import org.opensaml.xml.XMLObject; import org.opensaml.xml.signature.SignatureTrustEngine; -import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; +import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.IMOARefreshableMetadataProvider; +import at.gv.egovernment.moa.logging.Logger; /** * @author tlenz @@ -37,13 +39,19 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; public class MOAPVPSignedRequestPolicyRule extends AbstractRequestSignedSecurityPolicyRule { + private IMOARefreshableMetadataProvider metadataProvider = null; + /** + * @param metadataProvider * @param trustEngine * @param peerEntityRole */ - public MOAPVPSignedRequestPolicyRule(SignatureTrustEngine trustEngine, + public MOAPVPSignedRequestPolicyRule(MetadataProvider metadataProvider, SignatureTrustEngine trustEngine, QName peerEntityRole) { super(trustEngine, peerEntityRole); + if (metadataProvider instanceof IMOARefreshableMetadataProvider) + this.metadataProvider = (IMOARefreshableMetadataProvider) metadataProvider; + } /* (non-Javadoc) @@ -51,7 +59,10 @@ public class MOAPVPSignedRequestPolicyRule extends */ @Override protected boolean refreshMetadataProvider(String entityID) { - return MOAMetadataProvider.getInstance().refreshMetadataProvider(entityID); + if (metadataProvider != null) + return metadataProvider.refreshMetadataProvider(entityID); + + return false; } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java index 5e44c9057..f384dd511 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngine.java @@ -22,50 +22,30 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.pvp2x.verification; -import java.util.ArrayList; -import java.util.List; - import javax.xml.namespace.QName; import javax.xml.transform.dom.DOMSource; import javax.xml.validation.Schema; import javax.xml.validation.Validator; -import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.common.xml.SAMLSchemaBuilder; -import org.opensaml.saml2.core.Conditions; -import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.RequestAbstractType; -import org.opensaml.saml2.core.Response; -import org.opensaml.saml2.core.StatusCode; import org.opensaml.saml2.core.StatusResponseType; -import org.opensaml.saml2.encryption.Decrypter; -import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.saml2.metadata.IDPSSODescriptor; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.opensaml.security.MetadataCriteria; import org.opensaml.security.SAMLSignatureProfileValidator; -import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; -import org.opensaml.xml.encryption.DecryptionException; -import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; -import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xml.security.CriteriaSet; -import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.credential.UsageType; import org.opensaml.xml.security.criteria.EntityIDCriteria; import org.opensaml.xml.security.criteria.UsageCriteria; -import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; import org.opensaml.xml.signature.SignatureTrustEngine; import org.opensaml.xml.validation.ValidationException; -import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.w3c.dom.Element; import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; -import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.InboundMessage; import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOARequest; @@ -77,8 +57,6 @@ import at.gv.egovernment.moa.util.MiscUtil; @Service("SAMLVerificationEngine") public class SAMLVerificationEngine { - @Autowired AuthConfiguration authConfig; - public void verify(InboundMessage msg, SignatureTrustEngine sigTrustEngine ) throws org.opensaml.xml.security.SecurityException, Exception { try { if (msg instanceof MOARequest && @@ -181,111 +159,8 @@ public class SAMLVerificationEngine { throw new InvalidProtocolRequestException("pvp2.21", new Object[] {}); } } - - public void validateAssertion(Response samlResp, boolean validateDestination, Credential assertionDecryption) throws AssertionValidationExeption { - try { - if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { - List saml2assertions = new ArrayList(); - - //validate destination URL - List allowedPublicURLPrefix = authConfig.getPublicURLPrefix(); - boolean isValidDestination = false; - for (String allowedPreFix : allowedPublicURLPrefix) { - if (validateDestination && samlResp.getDestination().startsWith( - allowedPreFix)) { - isValidDestination = true; - break; - - } - } - if (!isValidDestination && validateDestination) { - Logger.warn("PVP 2.1 assertion destination does not match to IDP URL"); - throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); - - } - - //check encrypted Assertion - List encryAssertionList = samlResp.getEncryptedAssertions(); - if (encryAssertionList != null && encryAssertionList.size() > 0) { - //decrypt assertions - - Logger.debug("Found encryped assertion. Start decryption ..."); - - StaticKeyInfoCredentialResolver skicr = - new StaticKeyInfoCredentialResolver(assertionDecryption); - - ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); - encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); - encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); - encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); - - Decrypter samlDecrypter = - new Decrypter(null, skicr, encryptedKeyResolver); - - for (EncryptedAssertion encAssertion : encryAssertionList) { - saml2assertions.add(samlDecrypter.decrypt(encAssertion)); - - } - - Logger.debug("Assertion decryption finished. "); - - } else { - saml2assertions.addAll(samlResp.getAssertions()); - - } - - List validatedassertions = new ArrayList(); - for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { - - try { - performSchemaValidation(saml2assertion.getDOM()); - - Conditions conditions = saml2assertion.getConditions(); - DateTime notbefore = conditions.getNotBefore().minusMinutes(5); - DateTime notafter = conditions.getNotOnOrAfter(); - if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { - Logger.warn("PVP2 Assertion is out of Date. " - + "{ Current : " + new DateTime() - + " NotBefore: " + notbefore - + " NotAfter : " + notafter - + " }");; - - } else { - validatedassertions.add(saml2assertion); - - } - - } catch (SchemaValidationException e) { - - } - } - - if (validatedassertions.isEmpty()) { - Logger.info("No valid PVP 2.1 assertion received."); - throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null); - } - - samlResp.getAssertions().clear(); - samlResp.getEncryptedAssertions().clear(); - samlResp.getAssertions().addAll(validatedassertions); - - } else { - Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " - + samlResp.getStatus().getStatusCode().getValue()); - throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " - + samlResp.getStatus().getStatusCode().getValue(), null); - } - - } catch (DecryptionException e) { - Logger.warn("Assertion decrypt FAILED.", e); - throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e); - - } catch (ConfigurationException e) { - throw new AssertionValidationExeption("pvp.12", null, e); - } - } - - private void performSchemaValidation(Element source) throws SchemaValidationException { + + protected void performSchemaValidation(Element source) throws SchemaValidationException { String err = null; try { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java new file mode 100644 index 000000000..cd80d8c24 --- /dev/null +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java @@ -0,0 +1,161 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.protocols.pvp2x.verification; + +import java.util.ArrayList; +import java.util.List; + +import org.joda.time.DateTime; +import org.opensaml.saml2.core.Conditions; +import org.opensaml.saml2.core.EncryptedAssertion; +import org.opensaml.saml2.core.Response; +import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.encryption.Decrypter; +import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; +import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; +import org.opensaml.xml.encryption.DecryptionException; +import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; +import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; +import org.opensaml.xml.security.credential.Credential; +import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; +import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.SchemaValidationException; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +@Service("SAMLVerificationEngineSP") +public class SAMLVerificationEngineSP extends SAMLVerificationEngine { + + @Autowired AuthConfiguration authConfig; + + public void validateAssertion(Response samlResp, boolean validateDestination, Credential assertionDecryption) throws AssertionValidationExeption { + try { + if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { + List saml2assertions = new ArrayList(); + + //validate destination URL + List allowedPublicURLPrefix = authConfig.getPublicURLPrefix(); + boolean isValidDestination = false; + for (String allowedPreFix : allowedPublicURLPrefix) { + if (validateDestination && samlResp.getDestination().startsWith( + allowedPreFix)) { + isValidDestination = true; + break; + + } + } + if (!isValidDestination && validateDestination) { + Logger.warn("PVP 2.1 assertion destination does not match to IDP URL"); + throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); + + } + + //check encrypted Assertion + List encryAssertionList = samlResp.getEncryptedAssertions(); + if (encryAssertionList != null && encryAssertionList.size() > 0) { + //decrypt assertions + + Logger.debug("Found encryped assertion. Start decryption ..."); + + StaticKeyInfoCredentialResolver skicr = + new StaticKeyInfoCredentialResolver(assertionDecryption); + + ChainingEncryptedKeyResolver encryptedKeyResolver = new ChainingEncryptedKeyResolver(); + encryptedKeyResolver.getResolverChain().add( new InlineEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); + encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); + + Decrypter samlDecrypter = + new Decrypter(null, skicr, encryptedKeyResolver); + + for (EncryptedAssertion encAssertion : encryAssertionList) { + saml2assertions.add(samlDecrypter.decrypt(encAssertion)); + + } + + Logger.debug("Assertion decryption finished. "); + + } else { + saml2assertions.addAll(samlResp.getAssertions()); + + } + + List validatedassertions = new ArrayList(); + for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { + + try { + performSchemaValidation(saml2assertion.getDOM()); + + Conditions conditions = saml2assertion.getConditions(); + DateTime notbefore = conditions.getNotBefore().minusMinutes(5); + DateTime notafter = conditions.getNotOnOrAfter(); + if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { + Logger.warn("PVP2 Assertion is out of Date. " + + "{ Current : " + new DateTime() + + " NotBefore: " + notbefore + + " NotAfter : " + notafter + + " }");; + + } else { + validatedassertions.add(saml2assertion); + + } + + } catch (SchemaValidationException e) { + + } + } + + if (validatedassertions.isEmpty()) { + Logger.info("No valid PVP 2.1 assertion received."); + throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null); + } + + samlResp.getAssertions().clear(); + samlResp.getEncryptedAssertions().clear(); + samlResp.getAssertions().addAll(validatedassertions); + + } else { + Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " + + samlResp.getStatus().getStatusCode().getValue()); + throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " + + samlResp.getStatus().getStatusCode().getValue(), null); + } + + } catch (DecryptionException e) { + Logger.warn("Assertion decrypt FAILED.", e); + throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e); + + } catch (ConfigurationException e) { + throw new AssertionValidationExeption("pvp.12", null, e); + } + } +} diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java index 316ca2177..10594d6fc 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/DBAuthenticationSessionStoreage.java @@ -53,7 +53,6 @@ import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.EncryptedData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionAttributeExtractorExeption; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.util.Random; @@ -440,10 +439,6 @@ public class DBAuthenticationSessionStoreage implements IAuthenticationSessionSt } - //set additional information for AttributeQuery - activeOA.setAttQueryContainerID(protocolRequest.getGenericData( - PVPTargetConfiguration.DATAID_INTERFEDERATION_ATTRQUERYCONTAINERID, String.class)); - List activeOAs = dbsession.getActiveOAsessions(); activeOAs.add(activeOA); dbsession.setActiveOAsessions(activeOAs); diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index cf2e9d6d5..a53d7e920 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -105,6 +105,7 @@ builder.04=Die Personenbindung konnte nicht neu signiert werden und wird aus die builder.05=Beim resignieren der Personenbindung ist ein allgemeiner Fehler aufgetreten und wird aus diesem Grund nicht ausgeliefert. builder.06=Fehler beim generieren der Anmeldedaten aus SSO IDP Interfederation Informationen. builder.07=Fehlerhaftes SecurityLayer Template. +builder.08=Authentication process could NOT completed. Reason: {0} service.00=Fehler beim Aufruf des Web Service: {0} service.01=Fehler beim Aufruf des Web Service: kein Endpoint @@ -220,6 +221,8 @@ validator.70=Das einmale Tokken im signierten AuthBlock ({0}) stimmt nicht mit d validator.71=Das Signaturzertifikat ist nicht qualifiziert. validator.72=Das Signaturzertifikat ist nicht qualifiziert und es wurde keine OID f\u00FCr Test Identit\u00E4ten gefunden. +validator.73=Das MIS-Vollmachtenservice und das ELGA-Vollmachtenservice k\u00f6nnen nicht in einem Anmeldevorgang verwendet werden. + ssl.01=Validierung des SSL-Server-Endzertifikates hat fehlgeschlagen stork.00=STORK SAML AuthnRequest konnte nicht signiert werden @@ -284,10 +287,11 @@ sp.pvp2.01=Can not build PVP AuthnRequest for {0} {0}. IDP is not allowed for fe sp.pvp2.02=Can not build PVP AuthnRequest for {0} {0}. IDP has no (valid) metadata. sp.pvp2.03=Receive PVP Response from {0} with unsupported Binding. sp.pvp2.04=Receive invalid PVP Response from {0}. No PVP metadata found. -sp.pvp2.05=Receive invalid PVP Response from {0} {1}. StatusCode {2}. +sp.pvp2.05=Receive invalid PVP Response from {0} {1}. StatusCode:{2} Msg:{3}. sp.pvp2.06=Receive invalid PVP Response from {0}. Assertion does not contain all required attributes. sp.pvp2.07=Receive invalid PVP Response from {0}. Attribute {1} is not valid. sp.pvp2.08=Receive invalid PVP Response from {0}. Response issuer {1} is not valid or allowed. +sp.pvp2.09=Receive invalid PVP Response from {0} {1}. StatusCodes:{2} {3} Msg:{4} oauth20.01=Fehlerhafte redirect url oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}" diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index 2aed7d47d..a81540e2b 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -85,6 +85,7 @@ builder.04=Die Personenbindung konnte nicht neu signiert werden und wird aus die builder.05=Beim resignieren der Personenbindung ist ein allgemeiner Fehler aufgetreten und wird aus diesem Grund nicht ausgeliefert. builder.06=4400 builder.07=9002 +builder.08=TODO service.00=4300 service.03=4300 @@ -109,6 +110,7 @@ sp.pvp2.05=TODO sp.pvp2.06=TODO sp.pvp2.07=TODO sp.pvp2.08=TODO +sp.pvp2.09=TODO validator.00=1102 validator.01=1102 @@ -178,6 +180,9 @@ validator.69=1106 validator.70=1106 validator.71=1105 +validator.72=TODO +validator.73=TODO + ssl.01=1107 stork.00=1200 diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java index bead2f593..44ae43115 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/db/dao/session/OASessionStore.java @@ -70,10 +70,7 @@ public class OASessionStore implements Serializable{ @Column(name = "attributequeryused", unique=false, nullable=false) private boolean attributeQueryUsed = false; - - @Column(name = "attQueryContainerID", unique=false, nullable=true) - private String attQueryContainerID = null; - + @Column(name = "created", updatable=false, nullable=false) // @Temporal(TemporalType.TIMESTAMP) private Date created; @@ -203,24 +200,5 @@ public class OASessionStore implements Serializable{ this.authURL = authURL; } - /** - * @return the attQueryContainerID - */ - public String getAttQueryContainerID() { - return attQueryContainerID; - } - - /** - * @param attQueryContainerID the attQueryContainerID to set - */ - public void setAttQueryContainerID(String attQueryContainerID) { - this.attQueryContainerID = attQueryContainerID; - } - - - - - - } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java index e3afc713b..aff6b1ca6 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java @@ -54,7 +54,7 @@ public class CertificateReadRequestTask extends AbstractAuthServletTask { //execute default task initialization defaultTaskInitialization(req, executionContext); - boolean useMandate = moasession.getUseMandate(); + boolean useMandate = moasession.isMandateUsed(); boolean identityLinkAvailable = BooleanUtils.isTrue((Boolean) executionContext.get("identityLinkAvailable")); if (!identityLinkAvailable && useMandate) { Logger.error("Online-Mandate Mode for foreign citizencs not supported."); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java index 54db1d8ff..b1b87f68d 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java @@ -34,6 +34,7 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser; @@ -62,91 +63,8 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask { throws TaskExecutionException { try { - Logger.info("BKU is selected -> Start BKU communication ..."); - defaultTaskInitialization(request, executionContext); - - boolean isLegacyRequest = false; - Object isLegacyRequestObj = executionContext.get("isLegacyRequest"); - if (isLegacyRequestObj != null && isLegacyRequestObj instanceof Boolean) - isLegacyRequest = (boolean) isLegacyRequestObj; - - if (isLegacyRequest) { - //parse request parameter into MOASession - Logger.info("Start Authentication Module: " + pendingReq.requestedModule() - + " Action: " + pendingReq.requestedAction()); - - authInitialisationParser.parse(executionContext, request, moasession, pendingReq); - - } else { - String bkuid = (String) executionContext.get(MOAIDAuthConstants.PARAM_BKU); - String useMandate = (String) executionContext.get(MOAIDAuthConstants.PARAM_USEMANDATE); - String ccc = (String) executionContext.get(MOAIDAuthConstants.PARAM_CCC); - - if (MiscUtil.isEmpty(bkuid)) { - Logger.warn("BKU-type is empty. Maybe an old BKU-selection template is in use."); - throw new MOAIDException("auth.23", new Object[] {}); - } - - //load OA Config - IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); - - if (oaParam == null) - throw new AuthenticationException("auth.00", new Object[] { pendingReq.getOAURL() }); - - else { - revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), - pendingReq, MOAIDEventConstants.AUTHPROCESS_BKUTYPE_SELECTED, bkuid); - - //get Target from config or from request in case of SAML 1 - String target = null; - if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) && - pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol")) - target = pendingReq.getGenericData("target", String.class); - else - target = oaParam.getTarget(); - - String bkuURL = oaParam.getBKUURL(bkuid); - if (MiscUtil.isEmpty(bkuURL)) { - Logger.info("No OA specific BKU defined. Use BKU from default configuration"); - bkuURL = authConfig.getDefaultBKUURL(bkuid); - } - - //search for OA specific template - String templateURL = null; - List oaTemplateURLList = oaParam.getTemplateURL(); - if ( oaTemplateURLList != null && oaTemplateURLList.size() > 0 - && MiscUtil.isNotEmpty(oaTemplateURLList.get(0)) ) { - templateURL = oaTemplateURLList.get(0); - - } else { - templateURL = authConfig.getSLRequestTemplates(bkuid); - } - - //make url absolut if it is a local url - if (MiscUtil.isNotEmpty(templateURL)) - templateURL = FileUtils.makeAbsoluteURL(templateURL, - authConfig.getRootConfigFileDir()); - - if (oaParam.isOnlyMandateAllowed()) - useMandate = "true"; - - if (!oaParam.isShowMandateCheckBox()) - useMandate = "false"; - - //parse all OA parameters i - authInitialisationParser.parse( moasession, - target, - pendingReq.getOAURL(), - bkuURL, - templateURL, - useMandate, - ccc, - request, - pendingReq); - } - } - - executionContext.put(MOAIDAuthConstants.PARAM_USEMANDATE, moasession.getUseMandate()); + // + internalInitializeWithoutPersist(executionContext, request, response); // make sure MOASession and Pending-Request has been persisted before running the process try { @@ -171,5 +89,97 @@ public class InitializeBKUAuthenticationTask extends AbstractAuthServletTask { } } + + protected void internalInitializeWithoutPersist(ExecutionContext executionContext, + HttpServletRequest request, HttpServletResponse response) throws WrongParametersException, MOAIDException, MOADatabaseException { + + Logger.info("BKU is selected -> Start BKU communication ..."); + defaultTaskInitialization(request, executionContext); + + boolean isLegacyRequest = false; + Object isLegacyRequestObj = executionContext.get("isLegacyRequest"); + if (isLegacyRequestObj != null && isLegacyRequestObj instanceof Boolean) + isLegacyRequest = (boolean) isLegacyRequestObj; + + if (isLegacyRequest) { + //parse request parameter into MOASession + Logger.info("Start Authentication Module: " + pendingReq.requestedModule() + + " Action: " + pendingReq.requestedAction()); + + authInitialisationParser.parse(executionContext, request, moasession, pendingReq); + + } else { + String bkuid = (String) executionContext.get(MOAIDAuthConstants.PARAM_BKU); + String useMandate = (String) executionContext.get(MOAIDAuthConstants.PARAM_USEMANDATE); + String ccc = (String) executionContext.get(MOAIDAuthConstants.PARAM_CCC); + + if (MiscUtil.isEmpty(bkuid)) { + Logger.warn("BKU-type is empty. Maybe an old BKU-selection template is in use."); + throw new MOAIDException("auth.23", new Object[] {}); + } + + //load OA Config + IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); + + if (oaParam == null) + throw new AuthenticationException("auth.00", new Object[] { pendingReq.getOAURL() }); + + else { + revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), + pendingReq, MOAIDEventConstants.AUTHPROCESS_BKUTYPE_SELECTED, bkuid); + + //get Target from config or from request in case of SAML 1 + String target = null; + if (MiscUtil.isNotEmpty(pendingReq.getGenericData("target", String.class)) && + pendingReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol")) + target = pendingReq.getGenericData("target", String.class); + else + target = oaParam.getTarget(); + + String bkuURL = oaParam.getBKUURL(bkuid); + if (MiscUtil.isEmpty(bkuURL)) { + Logger.info("No OA specific BKU defined. Use BKU from default configuration"); + bkuURL = authConfig.getDefaultBKUURL(bkuid); + } + + //search for OA specific template + String templateURL = null; + List oaTemplateURLList = oaParam.getTemplateURL(); + if ( oaTemplateURLList != null && oaTemplateURLList.size() > 0 + && MiscUtil.isNotEmpty(oaTemplateURLList.get(0)) ) { + templateURL = oaTemplateURLList.get(0); + + } else { + templateURL = authConfig.getSLRequestTemplates(bkuid); + } + + //make url absolut if it is a local url + if (MiscUtil.isNotEmpty(templateURL)) + templateURL = FileUtils.makeAbsoluteURL(templateURL, + authConfig.getRootConfigFileDir()); + + if (oaParam.isOnlyMandateAllowed()) + useMandate = "true"; + + if (!oaParam.isShowMandateCheckBox()) + useMandate = "false"; + + //parse all OA parameters i + authInitialisationParser.parse( moasession, + target, + pendingReq.getOAURL(), + bkuURL, + templateURL, + useMandate, + ccc, + request, + pendingReq); + } + } + + executionContext.put(MOAIDAuthConstants.PARAM_USEMANDATE, moasession.isMandateUsed()); + executionContext.put(MOAIDAuthConstants.PARAM_USEMISMANDATE, moasession.isMandateUsed()); + + } } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java index 464c1f3a1..cd444f7c8 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java @@ -89,7 +89,7 @@ public class VerifyCertificateTask extends AbstractAuthServletTask { throw new AuthenticationException("auth.14", null); } - if (moasession.getUseMandate()) { + if (moasession.isMandateUsed()) { // verify certificate for OrganWalter authServer.verifyCertificate(moasession, cert, pendingReq); diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java index e346c8bee..7b5a7b9c0 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/client/mis/simple/MISSimpleClient.java @@ -56,7 +56,6 @@ import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; import org.apache.commons.codec.binary.Base64; -import org.apache.commons.httpclient.HostConfiguration; import org.apache.commons.httpclient.HttpClient; import org.apache.commons.httpclient.methods.PostMethod; import org.apache.commons.httpclient.methods.StringRequestEntity; @@ -148,7 +147,6 @@ public class MISSimpleClient { //misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate))); misMandate.setMandate(Base64.decodeBase64(DOMUtils.getText(mandate).getBytes())); - misMandate.setFullMandateIncluded(true); foundMandates.add(misMandate); } diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml index 74792ed72..afa3fe2ad 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/resources/at/gv/egovernment/moa/id/auth/modules/internal/DefaultAuthentication.process.xml @@ -38,7 +38,7 @@ - + diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java index 909b29fab..8471439e2 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/Constants.java @@ -79,6 +79,4 @@ public class Constants { public static final int eIDAS_REVERSIONSLOG_SP_AUTHREQUEST= 3403; public static final int eIDAS_REVERSIONSLOG_SP_AUTHRESPONSE= 3404; - public static final String eIDAS_GENERIC_REQ_DATA_COUNTRY = "country"; - } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java index dea9e675e..9858d6004 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java @@ -15,6 +15,7 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAPersonalAttributeLis import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import eu.eidas.auth.commons.EIDASAuthnResponse; @@ -72,6 +73,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { AuthenticationSessionStorageConstants.eIDAS_RESPONSE, decSamlToken); + //set issuer nation as PVP attribute into MOASession + moasession.setGenericDataToSession(PVPConstants.EID_ISSUING_NATION_NAME, samlResp.getCountry()); + //store MOA-session to database authenticatedSessionStorage.storeSession(moasession); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 4caa6700a..1e3b0f507 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -39,6 +39,7 @@ import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -153,7 +154,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { // - memorize country code of target country pendingReq.setGenericDataToSession( - Constants.eIDAS_GENERIC_REQ_DATA_COUNTRY, samlReq.getCountry()); + RequestImpl.eIDAS_GENERIC_REQ_DATA_COUNTRY, samlReq.getCountry()); // - memorize requested attributes pendingReq.setEidasRequestedAttributes(new MOAPersonalAttributeList(samlReq.getPersonalAttributeList())); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java index d75d4b1b9..5f3f89aee 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java @@ -37,7 +37,6 @@ import org.springframework.http.MediaType; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; -import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; @@ -90,8 +89,9 @@ public class eIDASAuthenticationRequest implements IAction { case Constants.eIDAS_ATTR_DATEOFBIRTH: newValue = new SimpleDateFormat("YYYY-MM-dd").format(authData.getDateOfBirth()); break; case Constants.eIDAS_ATTR_CURRENTFAMILYNAME: newValue = authData.getFamilyName();break; case Constants.eIDAS_ATTR_CURRENTGIVENNAME: newValue = authData.getGivenName();break; - case Constants.eIDAS_ATTR_PERSONALIDENTIFIER: newValue = new BPKBuilder().buildStorkeIdentifier(authData.getIdentificationType(), authData.getIdentificationValue(), - eidasRequest.getGenericData(Constants.eIDAS_GENERIC_REQ_DATA_COUNTRY, String.class)); break; + + //TODO: change bPK builder !!!!!! + case Constants.eIDAS_ATTR_PERSONALIDENTIFIER: newValue = authData.getBPK(); break; } if("".equals(newValue)) diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java index b521116d3..320c4fdc6 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java @@ -42,6 +42,8 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest private EntityDescriptor idpEntity; private Credential signCred; private String subjectNameID; + private String subjectNameIDQualifier; + private String requestID; /* (non-Javadoc) @@ -73,7 +75,7 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest */ @Override public String getNameIDPolicyFormat() { - return NameID.TRANSIENT; + return NameID.PERSISTENT; } /* (non-Javadoc) @@ -81,7 +83,7 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest */ @Override public boolean getNameIDPolicyAllowCreation() { - return true; + return false; } /* (non-Javadoc) @@ -143,6 +145,15 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest this.subjectNameID = subjectNameID; } + + + /** + * @param requestID the requestID to set + */ + public void setRequestID(String requestID) { + this.requestID = requestID; + } + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getAuthnRequestSigningCredential() */ @@ -183,5 +194,30 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest return NameID.PERSISTENT; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID() + */ + @Override + public String getRequestID() { + return this.requestID; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier() + */ + @Override + public String getSubjectNameIDQualifier() { + return this.subjectNameIDQualifier; + } + + /** + * @param subjectNameIDQualifier the subjectNameIDQualifier to set + */ + public void setSubjectNameIDQualifier(String subjectNameIDQualifier) { + this.subjectNameIDQualifier = subjectNameIDQualifier; + } + + + } diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java new file mode 100644 index 000000000..50bac3eab --- /dev/null +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java @@ -0,0 +1,107 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.modules.elgamandates.tasks; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.stereotype.Component; + +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.auth.modules.internal.tasks.InitializeBKUAuthenticationTask; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.logging.Logger; + +/** + * @author tlenz + * + */ +@Component("ELGAInitializeBKUAuthenticationTask") +public class ELGAInitializeBKUAuthenticationTask extends InitializeBKUAuthenticationTask { + + @Override + public void execute(ExecutionContext executionContext, + HttpServletRequest request, HttpServletResponse response) + throws TaskExecutionException { + + try { + //perform Default-BKU authentication initialization + internalInitializeWithoutPersist(executionContext, request, response); + + //perform ELGA Mandate-Service specific parts + Logger.debug("Perfom ELGA-Mandate specific parts of initialisation."); + Boolean misMandateUsed = (Boolean) executionContext.get(MOAIDAuthConstants.PARAM_USEMISMANDATE); + + boolean elgaMandateUsed = false; + Object elgaMandateUsedObj = executionContext.get(MOAIDAuthConstants.PARAM_USEELGAMANDATE); + if (elgaMandateUsedObj == null || + !(elgaMandateUsedObj instanceof String || elgaMandateUsedObj instanceof Boolean)) { + Logger.error("Use ELGA-MandateService flag has a wrong type."); + throw new MOAIDException("auth.12", new Object[]{"Start-BKU Authentication","useELGAMandate"}); + + } else { + if (elgaMandateUsedObj instanceof String) + elgaMandateUsed = Boolean.parseBoolean((String) elgaMandateUsedObj); + else + elgaMandateUsed = (boolean) elgaMandateUsedObj; + + } + + + //check if both mandate Services are requested + if ( (misMandateUsed != null && misMandateUsed) && + elgaMandateUsed ) { + Logger.error("Can not use MIS-MandateService and ELGA-MandateService twince"); + throw new MOAIDException("validator.73", null); + + } + + //remove MIS-Mandate flag and set useMandate flag to MOASession + if (elgaMandateUsed) { + Logger.debug("Authentication process select ELGA-MandateService."); + executionContext.remove(MOAIDAuthConstants.PARAM_USEMISMANDATE); + moasession.setUseMandates(elgaMandateUsed); + } + + //disable SSO if it is requested + if (pendingReq.needSingleSignOnFunctionality() && moasession.isMandateUsed()) { + Logger.info("ELGA-MandateService does not allow Single Sign-On. SSO get disabled for this request."); + pendingReq.setNeedSingleSignOnFunctionality(false); + + + } + + //store MOASession and pendingRequest + requestStoreage.storePendingRequest(pendingReq); + authenticatedSessionStorage.storeSession(moasession); + + } catch (MOADatabaseException | MOAIDException e) { + Logger.info("Initialize BKUAuthentication with ELGA Mandates FAILED. Reason:" + e.getMessage()); + throw new TaskExecutionException(pendingReq, e.getMessage(), e); + + } + } +} diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java index 13e17e03e..a5e316f10 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java @@ -37,6 +37,7 @@ import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; @@ -46,6 +47,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCred import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; @@ -55,7 +57,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -67,7 +69,7 @@ import at.gv.egovernment.moa.util.MiscUtil; @Component("ReceiveElgaMandateResponseTask") public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask { - @Autowired SAMLVerificationEngine samlVerificationEngine; + @Autowired SAMLVerificationEngineSP samlVerificationEngine; @Autowired ELGAMandatesCredentialProvider credentialProvider; @Autowired ELGAMandateServiceMetadataProvider metadataProvider; @@ -81,13 +83,18 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask { try { IDecoder decoder = null; + MOAURICompare comperator = null; //select Response Binding if (request.getMethod().equalsIgnoreCase("POST")) { decoder = new PostBinding(); + comperator = new MOAURICompare(pendingReq.getAuthURL() + + ELGAMandatesAuthConstants.ENDPOINT_POST); Logger.debug("Receive PVP Response from ELGA mandate-service, by using POST-Binding."); } else if (request.getMethod().equalsIgnoreCase("GET")) { decoder = new RedirectBinding(); + comperator = new MOAURICompare(pendingReq.getAuthURL() + + ELGAMandatesAuthConstants.ENDPOINT_REDIRECT); Logger.debug("Receive PVP Response from ELGA mandate-service, by using Redirect-Binding."); } else { @@ -99,7 +106,8 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask { } //decode PVP response object - msg = (InboundMessage) decoder.decode(request, response, metadataProvider, true); + msg = (InboundMessage) decoder.decode(request, response, metadataProvider, true, + comperator); if (MiscUtil.isEmpty(msg.getEntityID())) { throw new InvalidProtocolRequestException("sp.pvp2.04", @@ -138,7 +146,7 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask { //validate receive mandate reference-value String responseRefValue = extractor.getSingleAttributeValue(PVPConstants.MANDATE_REFERENCE_VALUE_NAME); if (!moasession.getMandateReferenceValue().equals(responseRefValue)) { - Logger.warn("PVP Response from ELGA mandate-service contains not all requested attributes."); + Logger.warn("PVP Response from ELGA mandate-service contains a not valid MandateReferenceValue."); throw new AssertionValidationExeption("sp.pvp2.07", new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, PVPConstants.MANDATE_REFERENCE_VALUE_FRIENDLY_NAME}); @@ -157,30 +165,35 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask { //store MOASession authenticatedSessionStorage.storeSession(moasession); - //TODO write log entries - //revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_INTERFEDERATION_REVEIVED); + //write revisions log entry + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_RECEIVED); Logger.info("Receive a valid assertion from ELGA mandate-service " + msg.getEntityID()); } catch (MessageDecodingException | SecurityException e) { String samlRequest = request.getParameter("SAMLRequest"); Logger.warn("Receive INVALID PVP Response from ELGA mandate-service: " + samlRequest, e); + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED); throw new TaskExecutionException(pendingReq, "Receive INVALID PVP Response from ELGA mandate-service", e); } catch (IOException | MarshallingException | TransformerException e) { Logger.warn("Processing PVP response from ELGA mandate-service FAILED.", e); + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED); throw new TaskExecutionException(pendingReq, "Processing PVP response from ELGA mandate-service FAILED.", e); } catch (CredentialsNotAvailableException e) { Logger.error("ELGA mandate-service: PVP response decrytion FAILED. No credential found.", e); + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED); throw new TaskExecutionException(pendingReq, "ELGA mandate-service: PVP response decrytion FAILED. No credential found.", e); } catch (AssertionValidationExeption | AuthnResponseValidationException e) { - Logger.info("ELGA mandate-service: PVP response validation FAILED. Msg:" + e.getMessage()); + Logger.info("ELGA mandate-service: PVP response validation FAILED. Msg:" + e.getMessage()); + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED, e.getMessageId()); throw new TaskExecutionException(pendingReq, "ELGA mandate-service: PVP response validation FAILED.", e); } catch (Exception e) { - Logger.info("ELGA mandate-service: General Exception. Msg:" + e.getMessage()); + Logger.info("ELGA mandate-service: General Exception. Msg:" + e.getMessage()); + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_ERROR_RECEIVED); throw new TaskExecutionException(pendingReq, "ELGA mandate-service: General Exception.", e); } @@ -210,12 +223,36 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask { return msg; } else { - Logger.info("Receive StatusCode " + samlResp.getStatus().getStatusCode().getValue() - + " from federated IDP."); - throw new AuthnResponseValidationException("sp.pvp2.04", - new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, - samlResp.getIssuer().getValue(), - samlResp.getStatus().getStatusCode().getValue()}); + String errorMsg = "No error message"; + StatusCode firstCode = samlResp.getStatus().getStatusCode(); + + //get errormessage from response + if (samlResp.getStatus().getStatusMessage() != null && + MiscUtil.isNotEmpty(samlResp.getStatus().getStatusMessage().getMessage())) + errorMsg = samlResp.getStatus().getStatusMessage().getMessage(); + + //extract response status-codes + if (firstCode.getStatusCode() == null) { + Logger.info("Receive StatusCode:" + firstCode.getValue() + " | Msg:" + errorMsg + + " from federated IDP."); + throw new AuthnResponseValidationException("sp.pvp2.05", + new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, + samlResp.getIssuer().getValue(), + firstCode.getValue(), + samlResp.getStatus().getStatusMessage().getMessage()}); + + } else { + StatusCode secondCode = firstCode.getStatusCode(); + Logger.info("Receive StatusCode:" + firstCode.getValue() + " -> StatusCode:" + secondCode.getValue() + + " | Msg:" + errorMsg + " from federated IDP."); + throw new AuthnResponseValidationException("sp.pvp2.09", + new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, + samlResp.getIssuer().getValue(), + firstCode.getValue(), + secondCode.getValue(), + samlResp.getStatus().getStatusMessage().getMessage()}); + + } } diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java index bcd8076bc..2a3e72640 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java @@ -34,6 +34,7 @@ import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; +import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; @@ -92,7 +93,7 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask { authnReqConfig.setPassive(false); authnReqConfig.setSignCred(credential.getIDPAssertionSigningCredential()); authnReqConfig.setSPEntityID(pendingReq.getAuthURL() + ELGAMandatesAuthConstants.ENDPOINT_METADATA); - + //set bPK of representative String representativeBPK = null; @@ -129,15 +130,19 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask { } } - - //TODO: check subjectNameID: as per PVP S-Profile specification, - // subjectNameID starts with target postfix (like. GH:xxxxxxxxxxxxx) + + //set bPK of representative as SAML2 subjectNameID authnReqConfig.setSubjectNameID(representativeBPK ); + authnReqConfig.setSubjectNameIDQualifier(configTarget); + + //set MandateReferenceValue as RequestID + authnReqConfig.setRequestID(moasession.getMandateReferenceValue()); //build and transmit AuthnRequest authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response); - //TODO: TODO: add revisionslog entries + //write revisions log entry + revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_ELGA_MANDATE_SERVICE_REQUESTED, moasession.getMandateReferenceValue()); } catch (MetadataProviderException e) { throw new TaskExecutionException(pendingReq, "ELGA Mandate-Service metadata problem", new ELGAMetadataException("service.10", diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java index 6deb8eb2b..49f131983 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java @@ -197,13 +197,12 @@ public class ELGAMandateServiceMetadataProvider extends SimpleMOAMetadataProvide filter, ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING); - metadataProvider.setRequireValidMetadata(true); - - if (metadataProvider == null) { Logger.error("Create ELGA Mandate-Service Client FAILED."); throw new MetadataProviderException("Can not initialize ELGA Mandate-Service metadaa provider."); } + + metadataProvider.setRequireValidMetadata(true); } } diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml index b648e4d27..8cd08d226 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/at/gv/egovernment/moa/id/auth/modules/elgamandates/DefaultAuth_with_ELGA_mandates.process.xml @@ -5,7 +5,7 @@ - National authentication with Austrian Citizen Card and mobile signature with our without mandate. - Legacy authentication for foreign citizens using MOCCA supported signature cards. --> - + @@ -25,9 +25,9 @@ - + - + @@ -43,7 +43,7 @@ - + diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml index 6e567a42c..c1abe78df 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/resources/moaid_elga_mandate_client_auth.beans.xml @@ -27,6 +27,10 @@ class="at.gv.egovernment.moa.id.auth.modules.elgamandates.controller.ELGAMandateSignalController"/> + + diff --git a/id/server/modules/moa-id-module-openID/pom.xml b/id/server/modules/moa-id-module-openID/pom.xml index 030cd32a0..4684c8032 100644 --- a/id/server/modules/moa-id-module-openID/pom.xml +++ b/id/server/modules/moa-id-module-openID/pom.xml @@ -78,12 +78,6 @@ guava 19.0 - - diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java index 17e88e381..103a03063 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java @@ -89,21 +89,12 @@ public class SSOTransferAuthenticationData implements IAuthData { return true; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.IAuthData#isInterfederatedSSOSession() - */ - @Override - public boolean isInterfederatedSSOSession() { - // TODO Auto-generated method stub - return false; - } - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.data.IAuthData#isUseMandate() */ @Override public boolean isUseMandate() { - return this.authSession.getUseMandate(); + return this.authSession.isMandateUsed(); } /* (non-Javadoc) @@ -167,15 +158,6 @@ public class SSOTransferAuthenticationData implements IAuthData { return null; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.data.IAuthData#getInterfederatedIDP() - */ - @Override - public String getInterfederatedIDP() { - // TODO Auto-generated method stub - return null; - } - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.data.IAuthData#getIdentificationValue() */ diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java index 4d41ff652..dea538f75 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java @@ -105,7 +105,7 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableEx import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; @@ -139,7 +139,7 @@ public class SSOContainerUtils { } @Autowired IDPCredentialProvider credentials; - @Autowired SAMLVerificationEngine samlVerificationEngine; + @Autowired SAMLVerificationEngineSP samlVerificationEngine; @Autowired AuthConfiguration authConfig; public void parseSSOContainerToMOASessionDataObject(IRequest pendingReq, AuthenticationSession moasession, Response ssoInformation) throws AssertionAttributeExtractorExeption, ConfigurationException { diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java index 1beab574a..57f4d11ad 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/test/java/at/gv/egiz/tests/Tests.java @@ -22,17 +22,6 @@ */ package at.gv.egiz.tests; -import java.io.IOException; - -import org.hibernate.mapping.Map; - -import com.fasterxml.jackson.core.JsonParseException; -import com.fasterxml.jackson.databind.JsonMappingException; -import com.fasterxml.jackson.databind.ObjectMapper; -import com.google.gson.JsonElement; -import com.google.gson.JsonObject; -import com.google.gson.JsonParser; - /** * @author tlenz * @@ -65,10 +54,10 @@ public class Tests { - } catch (IOException e) { - // TODO Auto-generated catch block - e.printStackTrace(); - } +// } catch (IOException e) { +// // TODO Auto-generated catch block +// e.printStackTrace(); +// } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java index 4ae162f5a..19eae06d7 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java @@ -171,7 +171,22 @@ public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnReque */ @Override public String getSubjectNameIDFormat() { - // TODO Auto-generated method stub + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID() + */ + @Override + public String getRequestID() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier() + */ + @Override + public String getSubjectNameIDQualifier() { return null; } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java index a07a87c2b..d5c5354c0 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -32,12 +32,9 @@ import javax.servlet.http.HttpServletResponse; import javax.xml.transform.TransformerException; import org.opensaml.saml2.core.Attribute; -import org.opensaml.saml2.core.AttributeQuery; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusCode; import org.opensaml.ws.message.decoder.MessageDecodingException; -import org.opensaml.ws.soap.common.SOAPException; -import org.opensaml.xml.XMLObject; import org.opensaml.xml.io.MarshallingException; import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; @@ -45,8 +42,11 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; +import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; +import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; @@ -55,12 +55,12 @@ import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCr import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; +import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder; @@ -73,11 +73,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor; -import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient; import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; -import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine; +import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory; -import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -88,11 +86,12 @@ import at.gv.egovernment.moa.util.MiscUtil; @Component("ReceiveFederatedAuthnResponseTask") public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { - @Autowired private SAMLVerificationEngine samlVerificationEngine; + @Autowired private SAMLVerificationEngineSP samlVerificationEngine; @Autowired private FederatedAuthCredentialProvider credentialProvider; @Autowired private SSOManager ssoManager; @Autowired private AttributQueryBuilder attributQueryBuilder; - @Autowired private ITransactionStorage transactionStorage; + @Autowired private AuthenticationDataBuilder authDataBuilder; + /* (non-Javadoc) @@ -106,13 +105,16 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { try { IDecoder decoder = null; + MOAURICompare comperator = null; //select Response Binding if (request.getMethod().equalsIgnoreCase("POST")) { decoder = new PostBinding(); + comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_POST); Logger.trace("Receive PVP Response from federated IDP, by using POST-Binding."); } else if (request.getMethod().equalsIgnoreCase("GET")) { decoder = new RedirectBinding(); + comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_REDIRECT); Logger.trace("Receive PVP Response from federated IDP, by using Redirect-Binding."); } else { @@ -123,7 +125,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } //decode PVP response object - msg = (InboundMessage) decoder.decode(request, response, MOAMetadataProvider.getInstance(), true); + msg = (InboundMessage) decoder.decode( + request, response, MOAMetadataProvider.getInstance(), true, + comperator); if (MiscUtil.isEmpty(msg.getEntityID())) { throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING}); @@ -179,8 +183,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } else { //SP is real Service-Provider --> check attributes in response // and start Attribute-Query if required - - //get authenticationData and store it into MOASession + getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(), idpConfig); @@ -197,7 +200,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { //store valid assertion into pending-request pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg); - + pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID()); + //store pending-request requestStoreage.storePendingRequest(pendingReq); @@ -245,55 +249,17 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { try { Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... "); Collection requestedAttr = pendingReq.getRequestedAttributes(); - + //check if SAML2 Assertion contains a minimal set of attributes if (!extractor.containsAllRequiredAttributes()) { - Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ..."); - //collect attributes by using BackChannel communication - String endpoint = idpConfig.getIDPAttributQueryServiceURL(); - if (MiscUtil.isEmpty(endpoint)) { - Logger.error("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix()); - throw new ConfigurationException("config.26", new Object[]{idpConfig.getPublicURLPrefix()}); - - } - + Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ..."); + //build attributQuery request List attributs = attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator()); - AttributeQuery query = - attributQueryBuilder.buildAttributQueryRequest(extractor.getNameID(), endpoint, attributs); - - //build SOAP request - List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); - if (xmlObjects.size() == 0) { - Logger.error("Receive emptry AttributeQuery response-body."); - throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null); - - } - - if (xmlObjects.get(0) instanceof Response) { - Response intfResp = (Response) xmlObjects.get(0); - - //validate PVP 2.1 response - try { - samlVerificationEngine.verifyIDPResponse(intfResp, - TrustEngineFactory.getSignatureKnownKeysTrustEngine( - MOAMetadataProvider.getInstance())); - - //create assertion attribute extractor from AttributeQuery response - extractor = new AssertionAttributeExtractor(intfResp); - - } catch (Exception e) { - Logger.warn("PVP 2.1 assertion validation FAILED.", e); - throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e); - } - - } else { - Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response"); - throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null); - - } + //request IDP to get additional attributes + extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), idpConfig); } else { Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. "); @@ -314,14 +280,13 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el)); Logger.debug("Add PVP-attribute " + el + " into MOASession"); - } - - } catch (SOAPException e) { - throw new BuildException("builder.06", null, e); - - } catch (SecurityException e) { - throw new BuildException("builder.06", null, e); + } + //set validTo from this federated IDP response + moasession.setGenericDataToSession( + AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO, + extractor.getAssertionNotOnOrAfter()); + } catch (AttributQueryException e) { throw new BuildException("builder.06", null, e); @@ -334,6 +299,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } catch (AssertionAttributeExtractorExeption e) { throw new BuildException("builder.06", null, e); + } catch (MOAIDException e) { + throw new BuildException("builder.06", null, e); + } } diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 5eb39880e..9d0dac0f8 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -26,9 +26,12 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.util.List; import java.util.Vector; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import javax.xml.bind.JAXBContext; import javax.xml.bind.JAXBElement; +import javax.xml.bind.JAXBException; import javax.xml.bind.Marshaller; import javax.xml.namespace.QName; import javax.xml.parsers.ParserConfigurationException; @@ -40,7 +43,10 @@ import org.springframework.stereotype.Service; import org.w3c.dom.Element; import org.xml.sax.SAXException; +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; +import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator; import at.gv.egovernment.moa.id.auth.AuthenticationServer; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder; @@ -48,7 +54,6 @@ import at.gv.egovernment.moa.id.auth.builder.SAMLArtifactBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl; -import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; @@ -61,7 +66,9 @@ import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.data.AuthenticationData; +import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; @@ -262,15 +269,20 @@ public class SAML1AuthenticationServer extends AuthenticationServer { person.getIdentification().add(id ); Value value = new Value(); id.setValue(value ); - - id.setType(authData.getIdentificationType()); - //add baseID if it is requested and available - if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) && - saml1parameter.isProvideIdentityLink() ) + + if ( MiscUtil.isNotEmpty(authData.getIdentificationValue()) && + saml1parameter.isProvideIdentityLink() && !authData.isBusinessService()) { + //add baseID if it is requested and available and SP is publicService value.setValue(authData.getIdentificationValue()); - else - value.setValue(""); - + id.setType(authData.getIdentificationType()); + + } else { + //otherwise add bPK + value.setValue(authData.getBPK()); + id.setType(authData.getBPKType()); + + } + familyName.setValue(authData.getFamilyName()); familyName.setPrimary("undefined"); name.getGivenName().add(authData.getGivenName()); @@ -310,14 +322,15 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } - String samlAssertion; + String samlAssertion; + + //add mandate info's if (authData.isUseMandate()) { List oaAttributes = authData.getExtendedSAMLAttributesOA(); - //only provide full mandate if it is included. - //In case of federation only a short mandate could be include + //only provide full mandate if it is included. if (saml1parameter.isProvideFullMandatorData() - && authData.getMISMandate().isFullMandateIncluded()) { + && authData.getMISMandate() != null) { try { @@ -442,33 +455,36 @@ public class SAML1AuthenticationServer extends AuthenticationServer { throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_AUTH_BLOCK, PARAM_SESSIONID }); - IdentityLink tempIdentityLink = null; - + Element prPerson = null; + String identificationType = ""; + String identificationValue = ""; + Element mandate = authData.getMandate(); + if (mandate == null) { + //no full-mandate include + Logger.info("AuthData contains no full-mandate. Starting 'mandateDate' generation from PVP attributes ..."); + mandate = generateMandateDateFromPVPMandateAttributes(authData); + + } - if (authData.isUseMandate()) { - tempIdentityLink = new IdentityLink(); + if (mandate != null) { Element mandator = ParepUtils.extractMandator(mandate); String dateOfBirth = ""; - Element prPerson = null; String familyName = ""; String givenName = ""; - String identificationType = ""; - String identificationValue = ""; if (mandator != null) { boolean physical = ParepUtils.isPhysicalPerson(mandator); if (physical) { - familyName = ParepUtils.extractText(mandator, - "descendant-or-self::pr:Name/pr:FamilyName/text()"); - givenName = ParepUtils.extractText(mandator, - "descendant-or-self::pr:Name/pr:GivenName/text()"); - dateOfBirth = ParepUtils - .extractMandatorDateOfBirth(mandator); + familyName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:FamilyName/text()"); + givenName = ParepUtils.extractText(mandator, "descendant-or-self::pr:Name/pr:GivenName/text()"); + dateOfBirth = ParepUtils.extractMandatorDateOfBirth(mandator); + } else { familyName = ParepUtils.extractMandatorFullName(mandator); + } - identificationType = ParepUtils.getIdentification(mandator, - "Type"); + + identificationType = ParepUtils.getIdentification(mandator, "Type"); identificationValue = ParepUtils.extractMandatorWbpk(mandator); prPerson = ParepUtils.extractPrPersonOfMandate(mandate); @@ -495,33 +511,19 @@ public class SAML1AuthenticationServer extends AuthenticationServer { ParepUtils .HideStammZahlen(prPerson, true, null, null, true); } - - tempIdentityLink.setDateOfBirth(dateOfBirth); - tempIdentityLink.setFamilyName(familyName); - tempIdentityLink.setGivenName(givenName); - tempIdentityLink.setIdentificationType(identificationType); - tempIdentityLink.setIdentificationValue(identificationValue); - tempIdentityLink.setPrPerson(prPerson); - try { - tempIdentityLink.setSamlAssertion(authData.getIdentityLink() - .getSamlAssertion()); - } catch (Exception e) { - throw new ValidateException("validator.64", null); - } - } - + } - - Element mandatePerson = tempIdentityLink.getPrPerson(); - - String mandateData = null; - try { + + if (prPerson == null) { + Logger.warn("Mandates are enabled, but no mandate-information is found in authData."); + throw new AuthenticationException("auth.16", new Object[] { "Mandates are enabled, but no mandate information is included" }); + } + + try { boolean provideStammzahl = oaParam.getSAML1Parameter().isProvideStammzahl(); - - String oatargetType; - + String oatargetType; if(oaParam.getBusinessService()) { if (oaParam.getIdentityLinkDomainIdentifier().startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) oatargetType = oaParam.getIdentityLinkDomainIdentifier(); @@ -530,64 +532,166 @@ public class SAML1AuthenticationServer extends AuthenticationServer { } else { oatargetType = AuthenticationSession.TARGET_PREFIX_ + oaParam.getTarget(); + } - Element prIdentification = (Element) mandatePerson - .getElementsByTagNameNS(Constants.PD_NS_URI, - "Identification").item(0); + Element prIdentification = (Element) prPerson. + getElementsByTagNameNS(Constants.PD_NS_URI,"Identification").item(0); - if (!oatargetType.equals(tempIdentityLink.getIdentificationType())) { - - String isPrPerson = mandatePerson.getAttribute("xsi:type"); + if (!oatargetType.equals(identificationType)) { + String isPrPerson = prPerson.getAttribute("xsi:type"); if (!StringUtils.isEmpty(isPrPerson)) { if (isPrPerson.equalsIgnoreCase("pr:PhysicalPerson")) { - String baseid = getBaseId(mandatePerson); - Element identificationBpK = createIdentificationBPK(mandatePerson, - baseid, oaParam.getTarget()); - - if (!provideStammzahl) { - prIdentification.getFirstChild().setTextContent(""); + + String baseid = getBaseId(prPerson); + Element identificationBpK; + if (MiscUtil.isNotEmpty(baseid)) { + identificationBpK = createIdentificationBPK(prPerson, baseid, oaParam.getTarget()); + + if (!provideStammzahl) { + prIdentification.getFirstChild().setTextContent(""); + } + + prPerson.insertBefore(identificationBpK, + prIdentification); + + } else { + Logger.info("No baseID included. --> Build 'MandateDate' without baseID"); + } + + - mandatePerson.insertBefore(identificationBpK, - prIdentification); + } } } else { - -// Element identificationBpK = mandatePerson.getOwnerDocument() -// .createElementNS(Constants.PD_NS_URI, "Identification"); -// Element valueBpK = mandatePerson.getOwnerDocument().createElementNS( -// Constants.PD_NS_URI, "Value"); -// -// valueBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( -// tempIdentityLink.getIdentificationValue())); -// Element typeBpK = mandatePerson.getOwnerDocument().createElementNS( -// Constants.PD_NS_URI, "Type"); -// typeBpK.appendChild(mandatePerson.getOwnerDocument().createTextNode( -// "urn:publicid:gv.at:cdid+bpk")); -// identificationBpK.appendChild(valueBpK); -// identificationBpK.appendChild(typeBpK); -// -// mandatePerson.insertBefore(identificationBpK, prIdentification); + ; } - - mandateData = DOMUtils.serializeNode(mandatePerson); + return DOMUtils.serializeNode(prPerson); } catch (TransformerException e1) { - throw new AuthenticationException("auth.16", - new Object[] { GET_MIS_SESSIONID }); + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID }); } catch (IOException e1) { - throw new AuthenticationException("auth.16", - new Object[] { GET_MIS_SESSIONID }); + throw new AuthenticationException("auth.16", new Object[] { GET_MIS_SESSIONID }); } - return mandateData; } + private Element generateMandateDateFromPVPMandateAttributes(IAuthData authdata) throws BuildException { + String legalSourcePin = authdata.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class); + String legalSourceType = authdata.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class); + String legalCommonName = authdata.getGenericData(PVPConstants.MANDATE_LEG_PER_FULL_NAME_NAME, String.class); + + String natSourcePin = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class); + String natSourcePinType = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class); + String natbPK = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class); + + String natGivenName = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_GIVEN_NAME_NAME, String.class); + String natFamilyName = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_FAMILY_NAME_NAME, String.class); + String natDateOfBirth = authdata.getGenericData(PVPConstants.MANDATE_NAT_PER_BIRTHDATE_NAME, String.class); + + Mandate mandateObject = new Mandate(); + Mandator mandator = new Mandator(); + mandateObject.setMandator(mandator); + + if (MiscUtil.isNotEmpty(legalCommonName) && MiscUtil.isNotEmpty(legalSourceType) + && MiscUtil.isNotEmpty(legalSourcePin)) { + Logger.debug("Build 'mandateDate' element for legal person ..."); + at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType legalperson = + new at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType(); + at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType legalID = + new at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType(); + at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value idvalue = + new at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value(); + + legalID.setValue(idvalue ); + legalperson.getIdentification().add(legalID ); + mandator.setCorporateBody(legalperson); + legalperson.setFullName(legalCommonName); + legalID.setType(legalSourceType); + idvalue.setValue(legalSourcePin); + + } else if (MiscUtil.isNotEmpty(natFamilyName) && MiscUtil.isNotEmpty(natGivenName) && MiscUtil.isNotEmpty(natDateOfBirth) + && (MiscUtil.isNotEmpty(natSourcePin) || MiscUtil.isNotEmpty(natbPK))){ + Logger.debug("Build 'mandateDate' element for natural person ..."); + at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType physPerson = + new at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType(); + at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType persName = + new at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType(); + at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName familyName = + new at.gv.e_government.reference.namespace.persondata._20020228_.PersonNameType.FamilyName(); + at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType persID = + new at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType(); + at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value idValue = + new at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType.Value(); + + physPerson.setName(persName ); + persName.getFamilyName().add(familyName ); + physPerson.getIdentification().add(persID ); + persID.setValue(idValue ); + mandator.setPhysicalPerson(physPerson); + + String[] pvp2GivenName = natGivenName.split(" "); + for(int i=0; i idserverlib - - auth moa-id-commons modules + moa-id-spring-initializer + + auth diff --git a/pom.xml b/pom.xml index a450357d8..ed1c361f8 100644 --- a/pom.xml +++ b/pom.xml @@ -421,6 +421,12 @@ 1.46 + + MOA.id.server + moa-id-spring-initializer + ${moa-id-version} + + MOA moa-common @@ -446,7 +452,7 @@ test test-jar - + MOA.id.server.modules moa-id-module-stork -- cgit v1.2.3 From a6cadad81df2b44a99ca452ea1737abf1fa7d3e8 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 10 Mar 2016 12:31:38 +0100 Subject: add additional PVP response validation --- .../id/protocols/pvp2x/PVPTargetConfiguration.java | 3 + .../builder/assertion/PVP2AssertionBuilder.java | 1 + .../verification/SAMLVerificationEngineSP.java | 142 +++++++++++++++++---- .../resources/properties/id_messages_de.properties | 2 + .../protocol_response_statuscodes_de.properties | 2 + .../elgamandates/ELGAMandatesAuthConstants.java | 3 + .../tasks/ReceiveElgaMandateResponseTask.java | 23 +++- .../elgamandates/tasks/RequestELGAMandateTask.java | 9 +- .../tasks/ReceiveAuthnResponseTask.java | 5 +- 9 files changed, 162 insertions(+), 28 deletions(-) (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java index b8ced1198..e7f2a7d4b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVPTargetConfiguration.java @@ -50,8 +50,11 @@ public class PVPTargetConfiguration extends RequestImpl { public static final String DATAID_INTERFEDERATION_NAMEID = "federatedNameID"; public static final String DATAID_INTERFEDERATION_QAALEVEL = "federatedQAALevel"; + public static final String DATAID_INTERFEDERATION_REQUESTID = "authnReqID"; + private static final long serialVersionUID = 4889919265919638188L; + InboundMessage request; String binding; String consumerURL; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java index 7a7044ebf..3aa05bb2d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java @@ -435,6 +435,7 @@ public class PVP2AssertionBuilder implements PVPConstants { .createSAMLObject(SubjectConfirmationData.class); subjectConfirmationData.setInResponseTo(authnRequest.getID()); subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime())); + subjectConfirmationData.setNotBefore(date); subjectConfirmationData.setRecipient(assertionConsumerService.getLocation()); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java index cd80d8c24..1e13da179 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/verification/SAMLVerificationEngineSP.java @@ -26,10 +26,15 @@ import java.util.ArrayList; import java.util.List; import org.joda.time.DateTime; +import org.opensaml.common.binding.decoding.BasicURLComparator; +import org.opensaml.saml2.core.Audience; +import org.opensaml.saml2.core.AudienceRestriction; import org.opensaml.saml2.core.Conditions; import org.opensaml.saml2.core.EncryptedAssertion; import org.opensaml.saml2.core.Response; import org.opensaml.saml2.core.StatusCode; +import org.opensaml.saml2.core.validator.AudienceRestrictionSchemaValidator; +import org.opensaml.saml2.core.validator.AudienceSchemaValidator; import org.opensaml.saml2.encryption.Decrypter; import org.opensaml.saml2.encryption.EncryptedElementTypeEncryptedKeyResolver; import org.opensaml.xml.encryption.ChainingEncryptedKeyResolver; @@ -38,9 +43,11 @@ import org.opensaml.xml.encryption.InlineEncryptedKeyResolver; import org.opensaml.xml.encryption.SimpleRetrievalMethodEncryptedKeyResolver; import org.opensaml.xml.security.credential.Credential; import org.opensaml.xml.security.keyinfo.StaticKeyInfoCredentialResolver; +import org.opensaml.xml.validation.ValidationException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; +import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.AssertionValidationExeption; @@ -56,7 +63,17 @@ public class SAMLVerificationEngineSP extends SAMLVerificationEngine { @Autowired AuthConfiguration authConfig; - public void validateAssertion(Response samlResp, boolean validateDestination, Credential assertionDecryption) throws AssertionValidationExeption { + /** + * Validate a PVP response and all included assertions + * + * @param samlResp + * @param validateDestination + * @param assertionDecryption + * @param spEntityID + * @param loggerSPName + * @throws AssertionValidationExeption + */ + public void validateAssertion(Response samlResp, boolean validateDestination, Credential assertionDecryption, String spEntityID, String loggerSPName) throws AssertionValidationExeption { try { if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { List saml2assertions = new ArrayList(); @@ -74,15 +91,28 @@ public class SAMLVerificationEngineSP extends SAMLVerificationEngine { } if (!isValidDestination && validateDestination) { Logger.warn("PVP 2.1 assertion destination does not match to IDP URL"); - throw new AssertionValidationExeption("PVP 2.1 assertion destination does not match to IDP URL", null); + throw new AssertionValidationExeption("sp.pvp2.07", new Object[]{loggerSPName, "'Destination' attribute is not valid"}); } - //check encrypted Assertion + //validate response issueInstant + DateTime issueInstant = samlResp.getIssueInstant(); + if (issueInstant == null) { + Logger.warn("PVP response does not include a 'IssueInstant' attribute"); + throw new AssertionValidationExeption("sp.pvp2.07", new Object[]{loggerSPName, "'IssueInstant' attribute is not included"}); + + } + if (issueInstant.minusMinutes(MOAIDAuthConstants.TIME_JITTER).isAfterNow()) { + Logger.warn("PVP response: IssueInstant DateTime is not valid anymore."); + throw new AssertionValidationExeption("sp.pvp2.07", new Object[]{loggerSPName, "'IssueInstant' Time is not valid any more"}); + + } + + + //check encrypted Assertions List encryAssertionList = samlResp.getEncryptedAssertions(); if (encryAssertionList != null && encryAssertionList.size() > 0) { - //decrypt assertions - + //decrypt assertions Logger.debug("Found encryped assertion. Start decryption ..."); StaticKeyInfoCredentialResolver skicr = @@ -93,13 +123,10 @@ public class SAMLVerificationEngineSP extends SAMLVerificationEngine { encryptedKeyResolver.getResolverChain().add( new EncryptedElementTypeEncryptedKeyResolver() ); encryptedKeyResolver.getResolverChain().add( new SimpleRetrievalMethodEncryptedKeyResolver() ); - Decrypter samlDecrypter = - new Decrypter(null, skicr, encryptedKeyResolver); + Decrypter samlDecrypter = new Decrypter(null, skicr, encryptedKeyResolver); - for (EncryptedAssertion encAssertion : encryAssertionList) { + for (EncryptedAssertion encAssertion : encryAssertionList) saml2assertions.add(samlDecrypter.decrypt(encAssertion)); - - } Logger.debug("Assertion decryption finished. "); @@ -108,35 +135,90 @@ public class SAMLVerificationEngineSP extends SAMLVerificationEngine { } + //validate all assertions List validatedassertions = new ArrayList(); for (org.opensaml.saml2.core.Assertion saml2assertion : saml2assertions) { - + + boolean isAssertionValid = true; try { + //schema validation performSchemaValidation(saml2assertion.getDOM()); - + + + //validate DateTime conditions Conditions conditions = saml2assertion.getConditions(); - DateTime notbefore = conditions.getNotBefore().minusMinutes(5); - DateTime notafter = conditions.getNotOnOrAfter(); - if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { - Logger.warn("PVP2 Assertion is out of Date. " - + "{ Current : " + new DateTime() - + " NotBefore: " + notbefore - + " NotAfter : " + notafter - + " }");; + if (conditions != null) { + DateTime notbefore = conditions.getNotBefore().minusMinutes(5); + DateTime notafter = conditions.getNotOnOrAfter(); + if ( notbefore.isAfterNow() || notafter.isBeforeNow() ) { + isAssertionValid = false; + Logger.info("Assertion:" + saml2assertion.getID() + + " is out of Date. " + + "{ Current : " + new DateTime() + + " NotBefore: " + notbefore + + " NotAfter : " + notafter + + " }");; + + } + + //validate audienceRestrictions are valid for this SP + List audienceRest = conditions.getAudienceRestrictions(); + if (audienceRest == null || audienceRest.size() == 0) { + Logger.info("Assertion:" + saml2assertion.getID() + + " has not 'AudienceRestriction' element"); + isAssertionValid = false; + + } else { + for (AudienceRestriction el : audienceRest) { + el.registerValidator(new AudienceRestrictionSchemaValidator()); + el.validate(false); + + for (Audience audience : el.getAudiences()) { + audience.registerValidator(new AudienceSchemaValidator()); + audience.validate(false); + + if (!urlCompare(spEntityID, audience.getAudienceURI())) { + Logger.info("Assertion:" + saml2assertion.getID() + + " 'AudienceRestriction' is not valid."); + isAssertionValid = false; + } + } + } + } + } else { + Logger.info("Assertion:" + saml2assertion.getID() + + " contains not 'Conditions' element"); + isAssertionValid = false; + + } + + //add assertion if it is valid + if (isAssertionValid) { + Logger.debug("Add valid Assertion:" + saml2assertion.getID()); validatedassertions.add(saml2assertion); - } + } else + Logger.warn("Remove non-valid Assertion:" + saml2assertion.getID()); } catch (SchemaValidationException e) { + isAssertionValid = false; + Logger.info("Assertion:" + saml2assertion.getID() + + " Schema validation FAILED. Msg:" + e.getMessage()); + + } catch (ValidationException e) { + isAssertionValid = false; + Logger.info("Assertion:" + saml2assertion.getID() + + " AudienceRestriction schema-validation FAILED. Msg:" + e.getMessage()); } } if (validatedassertions.isEmpty()) { Logger.info("No valid PVP 2.1 assertion received."); - throw new AssertionValidationExeption("No valid PVP 2.1 assertion received.", null); + throw new AssertionValidationExeption("sp.pvp2.10", new Object[]{loggerSPName}); + } samlResp.getAssertions().clear(); @@ -146,16 +228,26 @@ public class SAMLVerificationEngineSP extends SAMLVerificationEngine { } else { Logger.info("PVP 2.1 assertion includes an error. Receive errorcode " + samlResp.getStatus().getStatusCode().getValue()); - throw new AssertionValidationExeption("PVP 2.1 assertion includes an error. Receive errorcode " - + samlResp.getStatus().getStatusCode().getValue(), null); + throw new AssertionValidationExeption("sp.pvp2.05", + new Object[]{loggerSPName, + samlResp.getIssuer().getValue(), + samlResp.getStatus().getStatusCode().getValue(), + samlResp.getStatus().getStatusMessage().getMessage()}); + } } catch (DecryptionException e) { Logger.warn("Assertion decrypt FAILED.", e); - throw new AssertionValidationExeption("Assertion decrypt FAILED.", null, e); + throw new AssertionValidationExeption("sp.pvp2.11", null, e); } catch (ConfigurationException e) { throw new AssertionValidationExeption("pvp.12", null, e); } } + + protected static boolean urlCompare(String url1, String url2) { + BasicURLComparator comparator = new BasicURLComparator(); + comparator.setCaseInsensitive(false); + return comparator.compare(url1, url2); + } } diff --git a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties index a53d7e920..34ef9c1d0 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/id_messages_de.properties @@ -292,6 +292,8 @@ sp.pvp2.06=Receive invalid PVP Response from {0}. Assertion does not contain all sp.pvp2.07=Receive invalid PVP Response from {0}. Attribute {1} is not valid. sp.pvp2.08=Receive invalid PVP Response from {0}. Response issuer {1} is not valid or allowed. sp.pvp2.09=Receive invalid PVP Response from {0} {1}. StatusCodes:{2} {3} Msg:{4} +sp.pvp2.10=Receive invalid PVP Response from {0}. No valid assertion included. +sp.pvp2.11=Receive invalid PVP Response from {0}. Assertion decryption FAILED. oauth20.01=Fehlerhafte redirect url oauth20.02=Fehlender oder ung\u00FCltiger Parameter "{0}" diff --git a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties index a81540e2b..27070cc84 100644 --- a/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties +++ b/id/server/idserverlib/src/main/resources/resources/properties/protocol_response_statuscodes_de.properties @@ -111,6 +111,8 @@ sp.pvp2.06=TODO sp.pvp2.07=TODO sp.pvp2.08=TODO sp.pvp2.09=TODO +sp.pvp2.10=TODO +sp.pvp2.11=TODO validator.00=1102 validator.01=1102 diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java index e4eaa5ee7..b50d1cf4e 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java @@ -75,6 +75,9 @@ public class ELGAMandatesAuthConstants { Collections.unmodifiableList(new ArrayList>() { private static final long serialVersionUID = 1L; { + //add PVP Version attribute + add(Pair.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME)); + //request mandate type add(Pair.newInstance(PVPConstants.MANDATE_TYPE_NAME, PVPConstants.MANDATE_TYPE_FRIENDLY_NAME)); diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java index 0688e7c64..f976793b8 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ReceiveElgaMandateResponseTask.java @@ -46,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServi import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare; import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding; @@ -142,6 +143,8 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask { } + + //load MOASession object defaultTaskInitialization(request, executionContext); @@ -216,10 +219,28 @@ public class ReceiveElgaMandateResponseTask extends AbstractAuthServletTask { Logger.debug("Start PVP-2.1 assertion processing... "); Response samlResp = (Response) msg.getResponse(); + //validate 'inResponseTo' attribute + String authnReqID = pendingReq.getGenericData( + PVPTargetConfiguration.DATAID_INTERFEDERATION_REQUESTID, String.class); + String inResponseTo = samlResp.getInResponseTo(); + + if (MiscUtil.isEmpty(authnReqID) || MiscUtil.isEmpty(inResponseTo) || + !authnReqID.equals(inResponseTo)) { + Logger.info("Validation of request/response IDs FAILED." + + " ReqID:" + authnReqID + " InRespTo:" + inResponseTo); + throw new AuthnResponseValidationException("sp.pvp2.07", + new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, + "'InResponseTo'"}); + + } + // check SAML2 response status-code if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { //validate PVP 2.1 assertion - samlVerificationEngine.validateAssertion(samlResp, true, credentialProvider.getIDPAssertionEncryptionCredential()); + samlVerificationEngine.validateAssertion(samlResp, true, + credentialProvider.getIDPAssertionEncryptionCredential(), + pendingReq.getAuthURL() + ELGAMandatesAuthConstants.ENDPOINT_METADATA, + ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING); msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); return msg; diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java index 2a3e72640..d25921167 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java @@ -46,6 +46,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServi import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider; import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.process.api.ExecutionContext; +import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; @@ -137,7 +138,13 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask { //set MandateReferenceValue as RequestID authnReqConfig.setRequestID(moasession.getMandateReferenceValue()); - + pendingReq.setGenericDataToSession( + PVPTargetConfiguration.DATAID_INTERFEDERATION_REQUESTID, + authnReqConfig.getRequestID()); + + //store pending-request + requestStoreage.storePendingRequest(pendingReq); + //build and transmit AuthnRequest authnReqBuilder.buildAuthnRequest(pendingReq, authnReqConfig , response); diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java index d5c5354c0..01163efd6 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -347,7 +347,10 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { // check SAML2 response status-code if (samlResp.getStatus().getStatusCode().getValue().equals(StatusCode.SUCCESS_URI)) { //validate PVP 2.1 assertion - samlVerificationEngine.validateAssertion(samlResp, true, credentialProvider.getIDPAssertionEncryptionCredential()); + samlVerificationEngine.validateAssertion(samlResp, true, + credentialProvider.getIDPAssertionEncryptionCredential(), + pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA, + FederatedAuthConstants.MODULE_NAME_FOR_LOGGING); msg.setSAMLMessage(SAML2Utils.asDOMDocument(samlResp).getDocumentElement()); return msg; -- cgit v1.2.3 From f67427831d1f8c49ce6c474691b880d90a42b584 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 14 Mar 2016 09:17:57 +0100 Subject: refactor the GUI generation for user interaction --- id/ConfigWebTool/pom.xml | 5 + .../auth/pvp2/MetaDataVerificationFilter.java | 2 +- .../configuration/data/FormularCustomization.java | 20 +- .../id/configuration/data/oa/OABPKEncryption.java | 2 +- .../configuration/struts/action/BasicOAAction.java | 60 +- .../configuration/struts/action/EditOAAction.java | 27 +- .../id/configuration/struts/action/VIDPAction.java | 2 +- .../oa/OAAuthenticationDataValidation.java | 2 +- .../htmlTemplates/loginFormFull.html | 874 +-------------------- .../htmlTemplates/sendAssertionFormFull.html | 581 +------------- .../conf/moa-id/htmlTemplates/css_template.css | 625 +++++++++++++++ .../conf/moa-id/htmlTemplates/error_message.html | 37 + .../moa-id/htmlTemplates/javascript_tempalte.js | 200 +++++ .../conf/moa-id/htmlTemplates/loginFormFull.html | 874 +-------------------- .../conf/moa-id/htmlTemplates/redirectForm.html | 13 + .../htmlTemplates/sendAssertionFormFull.html | 581 +------------- .../conf/moa-id/htmlTemplates/slo_template.html | 372 +-------- id/server/idserverlib/pom.xml | 4 + .../moa/id/advancedlogging/MOAReversionLogger.java | 6 +- .../moa/id/advancedlogging/StatisticLogger.java | 10 +- .../moa/id/advancedlogging/TransactionIDUtils.java | 2 +- .../moa/id/auth/AuthenticationSessionCleaner.java | 4 +- .../moa/id/auth/BaseAuthenticationServer.java | 3 +- .../moa/id/auth/MOAIDAuthConstants.java | 194 ----- .../moa/id/auth/MOAIDAuthInitializer.java | 6 +- .../id/auth/builder/AuthenticationDataBuilder.java | 14 +- .../builder/CreateXMLSignatureRequestBuilder.java | 6 +- .../moa/id/auth/builder/DataURLBuilder.java | 2 +- .../builder/DynamicOAAuthParameterBuilder.java | 6 +- .../moa/id/auth/builder/GUILayoutBuilder.java | 157 ---- .../moa/id/auth/builder/LoginFormBuilder.java | 171 ---- .../moa/id/auth/builder/RedirectFormBuilder.java | 65 -- .../id/auth/builder/SendAssertionFormBuilder.java | 147 ---- .../auth/builder/SignatureVerificationUtils.java | 2 +- .../moa/id/auth/data/AuthenticationSession.java | 2 +- .../id/auth/exception/AuthenticationException.java | 1 + .../moa/id/auth/exception/BKUException.java | 2 + .../moa/id/auth/exception/BuildException.java | 1 + .../exception/DatabaseEncryptionException.java | 2 + .../id/auth/exception/DynamicOABuildException.java | 2 + .../id/auth/exception/ECDSAConverterException.java | 1 + .../exception/InvalidProtocolRequestException.java | 2 + .../auth/exception/MISSimpleClientException.java | 1 + .../moa/id/auth/exception/MOAIDException.java | 222 ------ .../moa/id/auth/exception/MOASPException.java | 2 + .../moa/id/auth/exception/ParseException.java | 1 + .../auth/exception/ProtocolNotActiveException.java | 2 + .../moa/id/auth/exception/ServiceException.java | 1 + .../exception/SessionDataStorageException.java | 45 -- .../moa/id/auth/exception/ValidateException.java | 1 + .../auth/exception/WrongParametersException.java | 1 + .../auth/invoke/SignatureVerificationInvoker.java | 10 +- .../id/auth/modules/AbstractAuthServletTask.java | 6 +- .../id/auth/modules/BKUSelectionModuleImpl.java | 2 +- .../id/auth/modules/TaskExecutionException.java | 2 +- .../internal/tasks/EvaluateBKUSelectionTask.java | 2 +- .../tasks/EvaluateSSOConsentsTaskImpl.java | 2 +- .../internal/tasks/FinalizeAuthenticationTask.java | 4 +- .../tasks/GenerateBKUSelectionFrameTask.java | 43 +- .../GenerateSSOConsentEvaluatorFrameTask.java | 37 +- .../tasks/RestartAuthProzessManagement.java | 2 +- .../StartAuthentificationParameterParser.java | 10 +- .../moa/id/auth/servlet/AbstractController.java | 128 +-- .../AbstractProcessEngineSignalController.java | 6 +- .../id/auth/servlet/GUILayoutBuilderServlet.java | 128 --- .../GeneralProcessEngineSignalController.java | 6 +- .../id/auth/servlet/IDPSingleLogOutServlet.java | 66 +- .../moa/id/auth/servlet/LogOutServlet.java | 4 +- .../moa/id/auth/servlet/RedirectServlet.java | 48 +- .../WebFrontEndSecurityInterceptor.java | 6 +- .../gv/egovernment/moa/id/client/SZRGWClient.java | 25 +- .../moa/id/client/SZRGWClientException.java | 2 +- .../moa/id/client/utils/SZRGWClientUtils.java | 12 +- .../moa/id/config/ConfigurationException.java | 82 -- .../moa/id/config/ConfigurationProvider.java | 66 -- .../moa/id/config/ConfigurationProviderImpl.java | 2 + .../moa/id/config/ConnectionParameter.java | 1 + .../id/config/ConnectionParameterInterface.java | 35 - .../moa/id/config/auth/AuthConfiguration.java | 165 ---- .../auth/AuthConfigurationProviderFactory.java | 3 +- .../moa/id/config/auth/IOAAuthParameters.java | 224 ------ .../moa/id/config/auth/OAAuthParameter.java | 64 +- .../PropertyBasedAuthConfigurationProvider.java | 15 +- .../config/auth/data/BPKDecryptionParameters.java | 137 ---- .../config/auth/data/DynamicOAAuthParameters.java | 18 +- .../moa/id/config/auth/data/ProtocolAllowed.java | 91 --- .../auth/data/SAML1ConfigurationParameters.java | 276 ------- .../gv/egovernment/moa/id/config/stork/CPEPS.java | 138 ---- .../moa/id/config/stork/STORKConfig.java | 33 +- .../config/stork/SignatureCreationParameter.java | 103 --- .../stork/SignatureVerificationParameter.java | 53 -- .../moa/id/config/stork/StorkAttribute.java | 27 - .../config/stork/StorkAttributeProviderPlugin.java | 81 -- .../moa/id/data/AuthenticationData.java | 2 +- .../moa/id/moduls/AuthenticationManager.java | 67 +- .../at/gv/egovernment/moa/id/moduls/IAction.java | 3 +- .../gv/egovernment/moa/id/moduls/IModulInfo.java | 2 + .../at/gv/egovernment/moa/id/moduls/IRequest.java | 202 ----- .../egovernment/moa/id/moduls/IRequestStorage.java | 3 +- .../id/moduls/NoPassivAuthenticationException.java | 2 +- .../gv/egovernment/moa/id/moduls/RequestImpl.java | 9 +- .../egovernment/moa/id/moduls/RequestStorage.java | 3 +- .../gv/egovernment/moa/id/moduls/SSOManager.java | 82 +- .../egovernment/moa/id/process/ProcessEngine.java | 2 +- .../moa/id/process/ProcessEngineImpl.java | 4 +- .../at/gv/egovernment/moa/id/process/api/Task.java | 2 +- .../moa/id/process/springweb/MoaIdTask.java | 2 +- .../AbstractAuthProtocolModulController.java | 4 +- .../protocols/ProtocolFinalizationController.java | 6 +- .../builder/attributes/BPKAttributeBuilder.java | 2 +- .../attributes/BirthdateAttributeBuilder.java | 2 +- .../protocols/builder/attributes/EIDAuthBlock.java | 2 +- .../id/protocols/builder/attributes/EIDCcsURL.java | 2 +- .../EIDCitizenQAALevelAttributeBuilder.java | 2 +- .../builder/attributes/EIDIdentityLinkBuilder.java | 2 +- .../EIDIssuingNationAttributeBuilder.java | 2 +- .../builder/attributes/EIDSTORKTOKEN.java | 2 +- .../attributes/EIDSectorForIDAttributeBuilder.java | 2 +- .../builder/attributes/EIDSignerCertificate.java | 2 +- .../protocols/builder/attributes/EIDSourcePIN.java | 2 +- .../builder/attributes/EIDSourcePINType.java | 2 +- .../attributes/EncryptedBPKAttributeBuilder.java | 2 +- .../attributes/GivenNameAttributeBuilder.java | 2 +- .../protocols/builder/attributes/HolderOfKey.java | 4 +- .../builder/attributes/IAttributeBuilder.java | 2 +- .../MandateFullMandateAttributeBuilder.java | 2 +- ...MandateLegalPersonFullNameAttributeBuilder.java | 2 +- ...andateLegalPersonSourcePinAttributeBuilder.java | 2 +- ...teLegalPersonSourcePinTypeAttributeBuilder.java | 2 +- .../MandateNaturalPersonBPKAttributeBuilder.java | 2 +- ...dateNaturalPersonBirthDateAttributeBuilder.java | 2 +- ...ateNaturalPersonFamilyNameAttributeBuilder.java | 2 +- ...dateNaturalPersonGivenNameAttributeBuilder.java | 2 +- ...dateNaturalPersonSourcePinAttributeBuilder.java | 2 +- ...NaturalPersonSourcePinTypeAttributeBuilder.java | 2 +- .../MandateProfRepDescAttributeBuilder.java | 2 +- .../MandateProfRepOIDAttributeBuilder.java | 2 +- .../MandateReferenceValueAttributeBuilder.java | 2 +- .../attributes/MandateTypeAttributeBuilder.java | 2 +- .../attributes/PVPVersionAttributeBuilder.java | 2 +- .../attributes/PrincipalNameAttributeBuilder.java | 2 +- .../id/protocols/pvp2x/AttributQueryAction.java | 14 +- .../id/protocols/pvp2x/AuthenticationAction.java | 6 +- .../moa/id/protocols/pvp2x/MetadataAction.java | 4 +- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 16 +- .../moa/id/protocols/pvp2x/SingleLogOutAction.java | 6 +- .../id/protocols/pvp2x/binding/PostBinding.java | 2 +- .../pvp2x/builder/AttributQueryBuilder.java | 4 +- .../pvp2x/builder/AuthResponseBuilder.java | 2 +- .../pvp2x/builder/PVPAttributeBuilder.java | 2 +- .../pvp2x/builder/PVPAuthnRequestBuilder.java | 2 +- .../pvp2x/builder/PVPMetadataBuilder.java | 2 +- .../pvp2x/builder/SingleLogOutBuilder.java | 6 +- .../builder/assertion/PVP2AssertionBuilder.java | 6 +- .../pvp2x/config/IDPPVPMetadataConfiguration.java | 2 +- .../protocols/pvp2x/config/PVPConfiguration.java | 4 +- .../exceptions/AssertionValidationExeption.java | 2 +- .../exceptions/AuthnRequestValidatorException.java | 2 +- .../protocols/pvp2x/exceptions/PVP2Exception.java | 2 +- .../pvp2x/metadata/MOAMetadataProvider.java | 12 +- .../pvp2x/metadata/SimpleMOAMetadataProvider.java | 2 +- .../signer/CredentialsNotAvailableException.java | 2 +- .../pvp2x/signer/IDPCredentialProvider.java | 2 +- .../protocols/pvp2x/utils/MOASAMLSOAPClient.java | 2 +- .../pvp2x/validation/ChainSAMLValidator.java | 2 +- .../protocols/pvp2x/validation/ISAMLValidator.java | 2 +- .../pvp2x/validation/SAMLSignatureValidator.java | 2 +- .../pvp2x/verification/ChainSAMLVerifier.java | 2 +- .../pvp2x/verification/EntityVerifier.java | 8 +- .../pvp2x/verification/ISAMLVerifier.java | 2 +- .../verification/SAMLVerificationEngineSP.java | 6 +- .../metadata/MOASPMetadataSignatureFilter.java | 2 +- .../metadata/MetadataSignatureFilter.java | 3 +- .../metadata/SchemaValidationFilter.java | 2 +- .../storage/DBAuthenticationSessionStoreage.java | 8 +- .../id/storage/IAuthenticationSessionStoreage.java | 2 +- .../moa/id/util/ErrorResponseUtils.java | 2 +- .../gv/egovernment/moa/id/util/FormBuildUtils.java | 136 ---- .../moa/id/util/IdentityLinkReSigner.java | 4 +- .../moa/id/util/MOAIDMessageProvider.java | 104 --- .../moa/id/util/ParamValidatorUtils.java | 6 +- .../at/gv/egovernment/moa/id/util/SSLUtils.java | 6 +- .../moa/id/util/VelocityLogAdapter.java | 99 --- .../egovernment/moa/id/util/VelocityProvider.java | 112 --- .../moa/id/util/legacy/LegacyHelper.java | 2 +- .../resources/properties/id_messages_de.properties | 1 + .../resources/resources/templates/css_template.css | 623 --------------- .../resources/templates/error_message.html | 37 - .../resources/templates/javascript_tempalte.js | 196 ----- .../resources/templates/loginFormFull.html | 92 --- .../resources/templates/redirectForm.html | 13 - .../resources/templates/sendAssertionFormFull.html | 68 -- .../resources/templates/slo_template.html | 94 --- .../resources/templates/sso_transfer_template.html | 59 -- .../moa/id/module/test/TestRequestImpl.java | 6 +- .../spring/test/task/CreateSAML1AssertionTask.java | 2 +- .../spring/test/task/GetIdentityLinkTask.java | 2 +- .../id/process/spring/test/task/SelectBKUTask.java | 2 +- .../spring/test/task/SignAuthBlockTask.java | 2 +- .../spring/test/task/ValidateIdentityLinkTask.java | 2 +- .../test/task/ValidateSignedAuthBlockTask.java | 2 +- .../moa/id/process/test/HalloWeltTask.java | 2 +- .../moa/id/process/test/HelloWorldTask.java | 2 +- .../at/gv/egovernment/moa/id/UnitTestCase.java | 3 +- id/server/moa-id-commons/pom.xml | 27 + .../moa/id/commons/MOAIDAuthConstants.java | 193 +++++ .../moa/id/commons/api/AuthConfiguration.java | 162 ++++ .../moa/id/commons/api/ConfigurationProvider.java | 66 ++ .../commons/api/ConnectionParameterInterface.java | 35 + .../moa/id/commons/api/IOAAuthParameters.java | 222 ++++++ .../egovernment/moa/id/commons/api/IRequest.java | 201 +++++ .../moa/id/commons/api/IStorkConfig.java | 51 ++ .../commons/api/data/BPKDecryptionParameters.java | 135 ++++ .../egovernment/moa/id/commons/api/data/CPEPS.java | 138 ++++ .../moa/id/commons/api/data/ProtocolAllowed.java | 91 +++ .../api/data/SAML1ConfigurationParameters.java | 276 +++++++ .../api/data/SignatureCreationParameter.java | 103 +++ .../api/data/SignatureVerificationParameter.java | 53 ++ .../moa/id/commons/api/data/StorkAttribute.java | 27 + .../api/data/StorkAttributeProviderPlugin.java | 81 ++ .../api/exceptions/ConfigurationException.java | 78 ++ .../id/commons/api/exceptions/MOAIDException.java | 222 ++++++ .../exceptions/SessionDataStorageException.java | 45 ++ .../moa/id/commons/utils/MOAIDMessageProvider.java | 104 +++ id/server/moa-id-frontend-resources/pom.xml | 23 +- .../AbstractGUIFormBuilderConfiguration.java | 106 +++ .../DefaultGUIFormBuilderConfiguration.java | 120 +++ .../auth/frontend/builder/GUIFormBuilderImpl.java | 221 ++++++ .../frontend/builder/IGUIBuilderConfiguration.java | 74 ++ .../id/auth/frontend/builder/IGUIFormBuilder.java | 67 ++ ...roviderSpecificGUIFormBuilderConfiguration.java | 186 +++++ .../auth/frontend/exception/GUIBuildException.java | 46 ++ .../moa/id/auth/frontend/utils/FormBuildUtils.java | 178 +++++ .../auth/frontend/velocity/VelocityLogAdapter.java | 99 +++ .../auth/frontend/velocity/VelocityProvider.java | 113 +++ .../src/main/resources/templates/css_template.css | 625 +++++++++++++++ .../main/resources/templates/error_message.html | 37 + .../resources/templates/javascript_tempalte.js | 200 +++++ .../main/resources/templates/loginFormFull.html | 92 +++ .../src/main/resources/templates/redirectForm.html | 13 + .../resources/templates/sendAssertionFormFull.html | 52 ++ .../src/main/resources/templates/slo_template.html | 94 +++ .../resources/templates/sso_transfer_template.html | 59 ++ .../moa/id/auth/MOAIDAuthSpringInitializer.java | 2 +- .../moa/id/auth/AuthenticationServer.java | 11 +- .../AuthenticationBlockAssertionBuilder.java | 4 +- .../auth/builder/GetIdentityLinkFormBuilder.java | 45 +- .../internal/DefaultCitizenCardAuthModuleImpl.java | 2 +- .../internal/tasks/CertificateReadRequestTask.java | 6 +- .../internal/tasks/CreateIdentityLinkFormTask.java | 8 +- .../modules/internal/tasks/GetForeignIDTask.java | 12 +- .../internal/tasks/GetMISSessionIDTask.java | 10 +- .../tasks/InitializeBKUAuthenticationTask.java | 6 +- .../tasks/PrepareAuthBlockSignatureTask.java | 4 +- .../internal/tasks/PrepareGetMISMandateTask.java | 10 +- .../tasks/VerifyAuthenticationBlockTask.java | 10 +- .../internal/tasks/VerifyCertificateTask.java | 12 +- .../internal/tasks/VerifyIdentityLinkTask.java | 8 +- .../CreateXMLSignatureResponseValidator.java | 8 +- .../VerifyXMLSignatureResponseValidator.java | 8 +- .../moa/id/auth/validator/parep/ParepUtils.java | 2 +- .../moa/id/util/CitizenCardServletUtils.java | 6 +- .../MOAIDCertificateManagerConfigurationImpl.java | 8 +- .../MOAeIDASSAMLEngineConfigurationImpl.java | 2 +- .../modules/eidas/config/ModifiedEncryptionSW.java | 4 +- .../engine/MOAeIDASChainingMetadataProvider.java | 2 +- .../EIDASEngineConfigurationException.java | 2 +- .../eidas/tasks/CreateIdentityLinkTask.java | 2 +- .../eidas/tasks/GenerateAuthnRequestTask.java | 12 +- .../eidas/tasks/ReceiveAuthnResponseTask.java | 2 +- .../moa/id/protocols/eidas/EIDASProtocol.java | 9 +- .../id/protocols/eidas/EidasMetaDataRequest.java | 4 +- .../eidas/eIDASAuthenticationRequest.java | 6 +- .../config/ELGAMandatesMetadataConfiguration.java | 2 +- .../controller/ELGAMandateMetadataController.java | 2 +- .../exceptions/ELGAMetadataException.java | 2 +- .../tasks/ELGAInitializeBKUAuthenticationTask.java | 4 +- .../elgamandates/tasks/RequestELGAMandateTask.java | 4 +- .../utils/ELGAMandateServiceMetadataProvider.java | 2 +- .../utils/ELGAMandatesCredentialProvider.java | 2 +- .../id/protocols/oauth20/OAuth20Configuration.java | 2 +- .../attributes/OAuth20AttributeBuilder.java | 2 +- .../attributes/OpenIdAudiencesAttribute.java | 2 +- .../OpenIdAuthenticationTimeAttribute.java | 2 +- .../attributes/OpenIdExpirationTimeAttribute.java | 2 +- .../attributes/OpenIdIssueInstantAttribute.java | 2 +- .../oauth20/attributes/OpenIdIssuerAttribute.java | 2 +- .../oauth20/attributes/OpenIdNonceAttribute.java | 2 +- .../OpenIdSubjectIdentifierAttribute.java | 2 +- .../attributes/ProfileDateOfBirthAttribute.java | 2 +- .../attributes/ProfileFamilyNameAttribute.java | 2 +- .../attributes/ProfileGivenNameAttribute.java | 2 +- .../oauth20/exceptions/OAuth20Exception.java | 2 +- .../oauth20/protocol/OAuth20AuthAction.java | 6 +- .../oauth20/protocol/OAuth20AuthRequest.java | 6 +- .../oauth20/protocol/OAuth20BaseRequest.java | 6 +- .../oauth20/protocol/OAuth20Protocol.java | 4 +- .../oauth20/protocol/OAuth20TokenAction.java | 4 +- .../oauth20/protocol/OAuth20TokenRequest.java | 6 +- .../modules/moa-id-module-ssoTransfer/pom.xml | 5 + .../data/SSOTransferAuthenticationData.java | 6 +- .../data/SSOTransferOnlineApplication.java | 19 +- .../ssotransfer/servlet/SSOTransferServlet.java | 61 +- .../servlet/SSOTransferSignalServlet.java | 4 +- .../task/InitializeRestoreSSOSessionTask.java | 13 +- .../ssotransfer/task/RestoreSSOSessionTask.java | 8 +- .../auth/modules/ssotransfer/utils/GUIUtils.java | 136 +--- .../ssotransfer/utils/SSOContainerUtils.java | 10 +- .../FederatedAuthenticationModuleImpl.java | 2 +- .../config/FederatedAuthMetadataConfiguration.java | 2 +- .../FederatedAuthMetadataController.java | 2 +- .../tasks/CreateAuthnRequestTask.java | 11 +- .../tasks/ReceiveAuthnResponseTask.java | 15 +- .../utils/FederatedAuthCredentialProvider.java | 2 +- id/server/modules/moa-id-modules-saml1/pom.xml | 7 + .../moa/id/protocols/saml1/GetArtifactAction.java | 6 +- .../saml1/GetAuthenticationDataService.java | 6 +- .../protocols/saml1/SAML1AuthenticationServer.java | 10 +- .../moa/id/protocols/saml1/SAML1Protocol.java | 11 +- .../moa/id/protocols/saml1/SAML1RequestImpl.java | 2 +- .../moa/id/auth/servlet/MonitoringServlet.java | 4 +- .../moa/id/monitoring/DatabaseTestModule.java | 2 +- .../moa/id/monitoring/IdentityLinkTestModule.java | 5 +- .../egovernment/moa/id/monitoring/TestManager.java | 4 +- id/server/pom.xml | 6 +- 325 files changed, 6555 insertions(+), 8637 deletions(-) create mode 100644 id/server/data/deploy/conf/moa-id/htmlTemplates/css_template.css create mode 100644 id/server/data/deploy/conf/moa-id/htmlTemplates/error_message.html create mode 100644 id/server/data/deploy/conf/moa-id/htmlTemplates/javascript_tempalte.js create mode 100644 id/server/data/deploy/conf/moa-id/htmlTemplates/redirectForm.html delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthConstants.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/GUILayoutBuilder.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/LoginFormBuilder.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/RedirectFormBuilder.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/SendAssertionFormBuilder.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/MOAIDException.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/exception/SessionDataStorageException.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/servlet/GUILayoutBuilderServlet.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationException.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConfigurationProvider.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/ConnectionParameterInterface.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfiguration.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/IOAAuthParameters.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/BPKDecryptionParameters.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/ProtocolAllowed.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/data/SAML1ConfigurationParameters.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/CPEPS.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/SignatureCreationParameter.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/SignatureVerificationParameter.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/StorkAttribute.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/StorkAttributeProviderPlugin.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/moduls/IRequest.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/FormBuildUtils.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/MOAIDMessageProvider.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/VelocityLogAdapter.java delete mode 100644 id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/VelocityProvider.java delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/css_template.css delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/error_message.html delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/javascript_tempalte.js delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/loginFormFull.html delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/redirectForm.html delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/slo_template.html delete mode 100644 id/server/idserverlib/src/main/resources/resources/templates/sso_transfer_template.html create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/ConfigurationProvider.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/ConnectionParameterInterface.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IRequest.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/BPKDecryptionParameters.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/CPEPS.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/ProtocolAllowed.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SAML1ConfigurationParameters.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SignatureCreationParameter.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SignatureVerificationParameter.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/StorkAttribute.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/StorkAttributeProviderPlugin.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/ConfigurationException.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/MOAIDException.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/SessionDataStorageException.java create mode 100644 id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAIDMessageProvider.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIBuilderConfiguration.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/exception/GUIBuildException.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/utils/FormBuildUtils.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityLogAdapter.java create mode 100644 id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java create mode 100644 id/server/moa-id-frontend-resources/src/main/resources/templates/css_template.css create mode 100644 id/server/moa-id-frontend-resources/src/main/resources/templates/error_message.html create mode 100644 id/server/moa-id-frontend-resources/src/main/resources/templates/javascript_tempalte.js create mode 100644 id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html create mode 100644 id/server/moa-id-frontend-resources/src/main/resources/templates/redirectForm.html create mode 100644 id/server/moa-id-frontend-resources/src/main/resources/templates/sendAssertionFormFull.html create mode 100644 id/server/moa-id-frontend-resources/src/main/resources/templates/slo_template.html create mode 100644 id/server/moa-id-frontend-resources/src/main/resources/templates/sso_transfer_template.html (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main') diff --git a/id/ConfigWebTool/pom.xml b/id/ConfigWebTool/pom.xml index 71893fca2..aed716139 100644 --- a/id/ConfigWebTool/pom.xml +++ b/id/ConfigWebTool/pom.xml @@ -76,6 +76,11 @@ 1.0 + + MOA.id.server + moa-id-frontend-resources + + MOA.id.server moa-id-lib diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java index 12016a2bf..e3de84b0b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/pvp2/MetaDataVerificationFilter.java @@ -30,7 +30,7 @@ import org.opensaml.saml2.metadata.provider.MetadataFilter; import org.opensaml.xml.XMLObject; import org.opensaml.xml.security.x509.BasicX509Credential; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.filter.SignatureValidationException; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.EntityVerifier; diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java index ecf0d19d7..80800543b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/FormularCustomization.java @@ -36,6 +36,7 @@ import javax.servlet.http.HttpSession; import org.apache.log4j.Logger; +import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.AuthComponentOA; import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.BKUSelectionCustomizationType; @@ -50,7 +51,6 @@ import at.gv.egovernment.moa.id.configuration.data.oa.OAGeneralConfig; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; import at.gv.egovernment.moa.id.configuration.validation.FormularCustomizationValitator; import at.gv.egovernment.moa.id.configuration.validation.oa.OAFileUploadValidation; -import at.gv.egovernment.moa.id.util.FormBuildUtils; import at.gv.egovernment.moa.util.MiscUtil; public class FormularCustomization implements IOnlineApplicationData { @@ -177,47 +177,47 @@ public class FormularCustomization implements IOnlineApplicationData { if (MiscUtil.isNotEmpty(formcustom.getBackGroundColor())) { backGroundColor = formcustom.getBackGroundColor(); - map.put(FormBuildUtils.MAIN_BACKGROUNDCOLOR, formcustom.getBackGroundColor()); + map.put(FormBuildUtils.PARAM_MAIN_BACKGROUNDCOLOR, formcustom.getBackGroundColor()); } if (MiscUtil.isNotEmpty(formcustom.getButtonBackGroundColor())) { button_BackGroundColor = formcustom.getButtonBackGroundColor(); - map.put(FormBuildUtils.BUTTON_BACKGROUNDCOLOR, formcustom.getButtonBackGroundColor()); + map.put(FormBuildUtils.PARAM_BUTTON_BACKGROUNDCOLOR, formcustom.getButtonBackGroundColor()); } if (MiscUtil.isNotEmpty(formcustom.getButtonBackGroundColorFocus())) { button_BackGroundColorFocus = formcustom.getButtonBackGroundColorFocus(); - map.put(FormBuildUtils.BUTTON_BACKGROUNDCOLOR_FOCUS, formcustom.getButtonBackGroundColorFocus()); + map.put(FormBuildUtils.PARAM_BUTTON_BACKGROUNDCOLOR_FOCUS, formcustom.getButtonBackGroundColorFocus()); } if (MiscUtil.isNotEmpty(formcustom.getButtonFontColor())) { button_FrontColor = formcustom.getButtonFontColor(); - map.put(FormBuildUtils.BUTTON_COLOR, formcustom.getButtonFontColor()); + map.put(FormBuildUtils.PARAM_BUTTON_COLOR, formcustom.getButtonFontColor()); } if (MiscUtil.isNotEmpty(formcustom.getFontType())) { fontType = formcustom.getFontType(); - map.put(FormBuildUtils.FONTFAMILY, formcustom.getFontType()); + map.put(FormBuildUtils.PARAM_FONTFAMILY, formcustom.getFontType()); } if (MiscUtil.isNotEmpty(formcustom.getFrontColor())) { frontColor = formcustom.getFrontColor(); - map.put(FormBuildUtils.MAIN_COLOR, formcustom.getFrontColor()); + map.put(FormBuildUtils.PARAM_MAIN_COLOR, formcustom.getFrontColor()); } if (MiscUtil.isNotEmpty(formcustom.getHeaderBackGroundColor())) { header_BackGroundColor = formcustom.getHeaderBackGroundColor(); - map.put(FormBuildUtils.HEADER_BACKGROUNDCOLOR, formcustom.getHeaderBackGroundColor()); + map.put(FormBuildUtils.PARAM_HEADER_BACKGROUNDCOLOR, formcustom.getHeaderBackGroundColor()); } if (MiscUtil.isNotEmpty(formcustom.getHeaderFrontColor())) { header_FrontColor = formcustom.getHeaderFrontColor(); - map.put(FormBuildUtils.HEADER_COLOR, formcustom.getHeaderFrontColor()); + map.put(FormBuildUtils.PARAM_HEADER_COLOR, formcustom.getHeaderFrontColor()); } if (MiscUtil.isNotEmpty(formcustom.getHeaderText())) { header_text = formcustom.getHeaderText(); - map.put(FormBuildUtils.HEADER_TEXT, formcustom.getHeaderText()); + map.put(FormBuildUtils.PARAM_HEADER_TEXT, formcustom.getHeaderText()); } } } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java index 58b0b9d17..b2cd18c26 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OABPKEncryption.java @@ -36,12 +36,12 @@ import org.apache.commons.lang.SerializationUtils; import org.apache.log4j.Logger; import at.gv.egovernment.moa.id.auth.exception.BuildException; +import at.gv.egovernment.moa.id.commons.api.data.BPKDecryptionParameters; import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.AuthComponentOA; import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.BPKDecryption; import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.EncBPKInformation; import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication; import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; -import at.gv.egovernment.moa.id.config.auth.data.BPKDecryptionParameters; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java index 9ddb41d83..71639abef 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/BasicOAAction.java @@ -22,22 +22,29 @@ */ package at.gv.egovernment.moa.id.configuration.struts.action; -import iaik.utils.URLDecoder; - +import java.io.BufferedReader; import java.io.ByteArrayInputStream; import java.io.File; import java.io.FileInputStream; import java.io.InputStream; +import java.io.InputStreamReader; +import java.io.StringWriter; import java.util.ArrayList; import java.util.Arrays; +import java.util.Iterator; import java.util.LinkedHashMap; import java.util.List; import java.util.Map; +import java.util.Map.Entry; import org.apache.log4j.Logger; +import org.apache.velocity.VelocityContext; +import org.apache.velocity.app.VelocityEngine; import at.gv.egiz.components.configuration.meta.api.ConfigurationStorageException; -import at.gv.egovernment.moa.id.auth.builder.LoginFormBuilder; +import at.gv.egovernment.moa.id.auth.frontend.builder.ServiceProviderSpecificGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils; +import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; import at.gv.egovernment.moa.id.commons.config.ConfigurationMigrationUtils; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; @@ -57,9 +64,9 @@ import at.gv.egovernment.moa.id.configuration.exception.BasicActionException; import at.gv.egovernment.moa.id.configuration.exception.BasicOAActionException; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; import at.gv.egovernment.moa.id.configuration.helper.MailHelper; -import at.gv.egovernment.moa.id.util.FormBuildUtils; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.util.MiscUtil; +import iaik.utils.URLDecoder; /** * @author tlenz @@ -582,15 +589,16 @@ public class BasicOAAction extends BasicAction { log.info("NO MOA-ID instance URL configurated."); input.close(); throw new ConfigurationException("No MOA-ID instance configurated"); + } - - preview = LoginFormBuilder.getTemplate(input); - preview = preview.replace(LoginFormBuilder.CONTEXTPATH, contextpath); - - Map map = (Map) mapobj; - + + //set parameters + Map params = (Map) mapobj; + params.put( + ServiceProviderSpecificGUIFormBuilderConfiguration.PARAM_AUTHCONTEXT, + contextpath); + request.setCharacterEncoding("UTF-8"); - String module = request.getParameter(Constants.REQUEST_FORMCUSTOM_MODULE); String value = request.getParameter(Constants.REQUEST_FORMCUSTOM_VALUE); @@ -599,24 +607,36 @@ public class BasicOAAction extends BasicAction { value = query[1].substring("value=".length()); } - synchronized (map) { - + synchronized (params) { if (MiscUtil.isNotEmpty(module)) { - if (map.containsKey("#" + module + "#")) { + if (params.containsKey(module)) { if (MiscUtil.isNotEmpty(value)) { - if (FormBuildUtils.FONTFAMILY.contains(module) || FormBuildUtils.HEADER_TEXT.contains(module) + if (FormBuildUtils.PARAM_FONTFAMILY.contains(module) || FormBuildUtils.PARAM_HEADER_TEXT.contains(module) || value.startsWith("#")) - map.put("#" + module + "#", value); + params.put(module, value); else - map.put("#" + module + "#", "#" + value); + params.put(module, "#" + value); } else { - map.put("#" + module + "#", FormBuildUtils.getDefaultMap().get("#" + module + "#")); + params.put(module, FormBuildUtils.getDefaultMap().get(module)); } } } - preview = FormBuildUtils.customiceLayoutBKUSelection(preview, true, false, map, true); } + + //write preview + VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); + VelocityContext context = new VelocityContext(); + Iterator> interator = params.entrySet().iterator(); + while (interator.hasNext()) { + Entry el = interator.next(); + context.put(el.getKey(), el.getValue()); + + } + StringWriter writer = new StringWriter(); + engine.evaluate(context, writer, "BKUSelection_preview", + new BufferedReader(new InputStreamReader(input))); + stream = new ByteArrayInputStream(writer.toString().getBytes("UTF-8")); } else { preview = LanguageHelper.getErrorString("error.bkuformpreview.notpossible", request); @@ -629,7 +649,7 @@ public class BasicOAAction extends BasicAction { } - stream = new ByteArrayInputStream(preview.getBytes()); + return Constants.STRUTS_SUCCESS; } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java index 1079932b9..a8dd48ca0 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/EditOAAction.java @@ -22,6 +22,14 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.configuration.struts.action; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import org.apache.log4j.Logger; + +import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.deprecated.StorkAttribute; @@ -29,17 +37,22 @@ import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.data.FormularCustomization; -import at.gv.egovernment.moa.id.configuration.data.oa.*; +import at.gv.egovernment.moa.id.configuration.data.oa.AttributeHelper; +import at.gv.egovernment.moa.id.configuration.data.oa.IOnlineApplicationData; +import at.gv.egovernment.moa.id.configuration.data.oa.OAAuthenticationData; +import at.gv.egovernment.moa.id.configuration.data.oa.OABPKEncryption; +import at.gv.egovernment.moa.id.configuration.data.oa.OAOAuth20Config; +import at.gv.egovernment.moa.id.configuration.data.oa.OAPVP2Config; +import at.gv.egovernment.moa.id.configuration.data.oa.OARevisionsLogData; +import at.gv.egovernment.moa.id.configuration.data.oa.OASAML1Config; +import at.gv.egovernment.moa.id.configuration.data.oa.OASSOConfig; +import at.gv.egovernment.moa.id.configuration.data.oa.OASTORKConfig; +import at.gv.egovernment.moa.id.configuration.data.oa.OATargetConfiguration; import at.gv.egovernment.moa.id.configuration.exception.BasicActionException; import at.gv.egovernment.moa.id.configuration.exception.BasicOAActionException; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; import at.gv.egovernment.moa.id.configuration.helper.MailHelper; -import at.gv.egovernment.moa.id.util.FormBuildUtils; import at.gv.egovernment.moa.id.util.Random; -import at.gv.egovernment.moa.util.MiscUtil; -import org.apache.log4j.Logger; - -import java.util.*; public class EditOAAction extends BasicOAAction { @@ -74,7 +87,7 @@ public class EditOAAction extends BasicOAAction { OASTORKConfig storkOA = new OASTORKConfig(); formList.put(storkOA.getName(), storkOA); - + Map map = new HashMap(); map.putAll(FormBuildUtils.getDefaultMap()); FormularCustomization formOA = new FormularCustomization(map); diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/VIDPAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/VIDPAction.java index 8588dd286..c00eb46a5 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/VIDPAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/VIDPAction.java @@ -26,12 +26,12 @@ import java.util.HashMap; import java.util.LinkedHashMap; import java.util.Map; +import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils; import at.gv.egovernment.moa.id.configuration.data.FormularCustomization; import at.gv.egovernment.moa.id.configuration.data.oa.IOnlineApplicationData; import at.gv.egovernment.moa.id.configuration.data.oa.OAAuthenticationData; import at.gv.egovernment.moa.id.configuration.data.oa.OASTORKConfig; import at.gv.egovernment.moa.id.configuration.data.oa.OATargetConfiguration; -import at.gv.egovernment.moa.id.util.FormBuildUtils; /** * @author tlenz diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java index fd4226c5b..47c8f23b4 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/oa/OAAuthenticationDataValidation.java @@ -30,7 +30,7 @@ import javax.servlet.http.HttpServletRequest; import org.apache.log4j.Logger; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.validation.ValidationHelper; import at.gv.egovernment.moa.id.configuration.data.oa.OAAuthenticationData; import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; diff --git a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html index 2b0115d4a..02b86472b 100644 --- a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html +++ b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/loginFormFull.html @@ -4,847 +4,29 @@ - - - + + + + Anmeldung mittels Bürgerkarte oder Handy-Signatur
-

Anmeldung an: #OAName#

+

Anmeldung an: $OAName

-

#HEADER_TEXT#

+

$HEADER_TEXT

-
+
+ onClick='document.getElementById("mandateCheckBox").setAttribute("aria-checked", document.getElementById("mandateCheckBox").checked);'$MANDATECHECKED> -
+

Home Country Selection

i @@ -907,16 +87,6 @@

-
diff --git a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html index 07d018a94..a9f0c4238 100644 --- a/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html +++ b/id/server/data/deploy/conf/moa-id-configuration/htmlTemplates/sendAssertionFormFull.html @@ -3,556 +3,7 @@ - - + Anmeldung an Online-Applikation @@ -574,25 +25,21 @@
-

Anmeldung an: #OAName#

+

Anmeldung an: $OAName

-
+ - - - - + +
-
+ - - - - + +
@@ -600,18 +47,6 @@
-
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/css_template.css b/id/server/data/deploy/conf/moa-id/htmlTemplates/css_template.css new file mode 100644 index 000000000..a8735be60 --- /dev/null +++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/css_template.css @@ -0,0 +1,625 @@ +@charset "utf-8"; + @media screen and (min-width: 650px) { + + body { + margin:0; + padding:0; + color : #000; + background-color : #fff; + text-align: center; + background-color: #6B7B8B; + } + + .browserInfoButton{ + color: rgb(128, 128, 128); + } + + #localBKU p { + font-size: 0.7em; + } + + #localBKU input{ + font-size: 0.85em; + /*border-radius: 5px;*/ + } + + #bkuselectionarea input[type=button] { + font-size: 0.85em; + /*border-radius: 7px;*/ + margin-bottom: 25px; + min-width: 80px; + } + + #mandateLogin { + font-size: 0.85em; + } + + #bku_header h2 { + font-size: 0.8em; + } + + + #page { + display: block; + border: 2px solid rgb(0,0,0); + width: 650px; + height: 460px; + margin: 0 auto; + margin-top: 5%; + position: relative; + border-radius: 25px; + background: rgb(255,255,255); + } + + #page1 { + text-align: center; + } + + #main { + /* clear:both; */ + position:relative; + margin: 0 auto; + width: 250px; + text-align: center; + } + + .OA_header { + /* background-color: white;*/ + font-size: 20pt; + margin-bottom: 25px; + margin-top: 25px; + } + + #leftcontent { + /*float:left; */ + width:250px; + margin-bottom: 25px; + text-align: left; + border: 1px solid rgb(0,0,0); + } + + #selectArea { + font-size: 15px; + padding-bottom: 65px; + } + + #leftcontent { + width: 300px; + margin-top: 30px; + } + + #bku_header { + height: 5%; + padding-bottom: 3px; + padding-top: 3px; + } + + #bkulogin { + overflow:hidden; + min-width: 190px; + min-height: 180px; + /*height: 260px;*/ + } + + h2#tabheader{ + font-size: 1.1em; + padding-left: 2%; + padding-right: 2%; + position: relative; + } + + #stork h2 { + font-size: 1.0em; + margin-bottom: 2%; + } + + .setAssertionButton_full { + background: #efefef; + cursor: pointer; + margin-top: 15px; + width: 100px; + height: 30px + } + + #leftbutton { + width: 30%; + float:left; + margin-left: 40px; + } + + #rightbutton { + width: 30%; + float:right; + margin-right: 45px; + text-align: right; + } + + button { + height: 25px; + width: 75px; + margin-bottom: 10px; + } + + + + #validation { + position: absolute; + bottom: 0px; + margin-left: 270px; + padding-bottom: 10px; + } + + } + + @media screen and (max-width: 205px) { + #localBKU p { + font-size: 0.6em; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + + #localBKU input { + font-size: 0.6em; + min-width: 60px; + /* max-width: 65px; */ + min-height: 1.0em; + /* border-radius: 5px; */ + } + + #bkuselectionarea input[type=button] { + font-size: 0.7em; + min-width: 55px; + /*min-height: 1.1em; + border-radius: 5px;*/ + margin-bottom: 2% + } + + #mandateLogin { + font-size: 0.65em; + } + + #bku_header h2 { + font-size: 0.8em; + margin-top: -0.4em; + padding-top: 0.4em; + } + + #bkulogin { + min-height: 150px; + } + } + + @media screen and (max-width: 249px) and (min-width: 206px) { + #localBKU p { + font-size: 0.7em; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + + #localBKU input { + font-size: 0.7em; + min-width: 70px; + /* max-width: 75px; */ + min-height: 0.95em; + /* border-radius: 6px; */ + } + + #bkuselectionarea input[type=button] { + font-size: 0.75em; + min-width: 60px; + /* min-height: 0.95em; + border-radius: 6px; */ + margin-bottom: 5% + } + + #mandateLogin { + font-size: 0.75em; + } + + #bku_header h2 { + font-size: 0.9em; + margin-top: -0.45em; + padding-top: 0.45em; + } + + #bkulogin { + min-height: 180px; + } + } + + @media screen and (max-width: 299px) and (min-width: 250px) { + #localBKU p { + font-size: 0.9em; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + + #localBKU input { + font-size: 0.8em; + min-width: 70px; + /* max-width: 75px; */ + /* border-radius: 6px; */ + } + + #bkuselectionarea input[type=button] { + font-size: 0.85em; + /* min-height: 1.05em; + border-radius: 7px; */ + margin-bottom: 10%; + } + + #mandateLogin { + font-size: 1em; + } + + #bku_header h2 { + font-size: 1.0em; + margin-top: -0.50em; + padding-top: 0.50em; + } + } + + @media screen and (max-width: 399px) and (min-width: 300px) { + #localBKU p { + font-size: 0.9em; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + #localBKU input { + font-size: 0.8em; + min-width: 70px; + /* max-width: 75px; */ + /* border-radius: 6px; */ + } + + #bkuselectionarea input[type=button] { + font-size: 0.9em; + /* min-height: 1.2em; + border-radius: 8px; */ + margin-bottom: 10%; + max-width: 80px; + } + + #mandateLogin { + font-size: 1em; + } + + #bku_header h2 { + font-size: 1.1em; + margin-top: -0.55em; + padding-top: 0.55em; + } + } + + @media screen and (max-width: 649px) and (min-width: 400px) { + #localBKU p { + font-size: 0.9em; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + #localBKU input { + font-size: 0.8em; + min-width: 70px; + /* max-width: 80px; */ + /* border-radius: 6px; */ + } + + #bkuselectionarea input[type=button] { + font-size: 1.0em; + /* min-height: 1.3em; + border-radius: 10px; */ + margin-bottom: 10%; + max-width: 85px; + } + + #mandateLogin { + font-size: 1.2em; + } + + #bku_header h2 { + font-size: 1.3em; + margin-top: -0.65em; + padding-top: 0.65em; + } + } + + + + @media screen and (max-width: 649px) { + + body { + margin:0; + padding:0; + color : #000; + text-align: center; + font-size: 100%; + background-color: $MAIN_BACKGOUNDCOLOR; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + #page { + visibility: hidden; + margin-top: 0%; + } + + #page1 { + visibility: hidden; + } + + #main { + visibility: hidden; + } + + #validation { + visibility: hidden; + display: none; + } + + .OA_header { + margin-bottom: 0px; + margin-top: 0px; + font-size: 0pt; + visibility: hidden; + } + + #leftcontent { + visibility: visible; + margin-bottom: 0px; + text-align: left; + border:none; + vertical-align: middle; + min-height: 173px; + min-width: 204px; + + } + + #bku_header { + height: 10%; + min-height: 1.2em; + margin-top: 1%; + } + + h2#tabheader{ + padding-left: 2%; + padding-right: 2%; + position: relative; + top: 50%; + } + + #stork h2 { + font-size: 0.9em; + margin-bottom: 2%; + } + + #bkulogin { + min-width: 190px; + min-height: 155px; + } + + .setAssertionButton_full { + background: #efefef; + cursor: pointer; + margin-top: 15px; + width: 70px; + height: 25px; + } + + input[type=button] { +/* height: 11%; */ + width: 70%; + } + } + + * { + margin: 0; + padding: 0; + #if($FONTTYPE) + font-family: $FONTTYPE; + #end + } + + #selectArea { + padding-top: 10px; + padding-bottom: 55px; + padding-left: 10px; + } + + .setAssertionButton { + background: #efefef; + cursor: pointer; + margin-top: 15px; + width: 70px; + height: 25px; + } + + #leftbutton { + width: 35%; + float:left; + margin-left: 15px; + } + + #rightbutton { + width: 35%; + float:right; + margin-right: 25px; + text-align: right; + } + + #stork { + /*margin-bottom: 10px;*/ + /* margin-top: 5px; */ + } + + #mandateLogin { + padding-bottom: 4%; + padding-top: 4%; + height: 10%; + position: relative; + text-align: center; + } + + .verticalcenter { + vertical-align: middle; + } + + #mandateLogin div { + clear: both; + margin-top: -1%; + position: relative; + top: 50%; + } + + #bkuselectionarea { + position: relative; + display: block; + } + + #localBKU { + padding-bottom: 4%; + /*padding-top: 4%;*/ + position: relative; + clear: both; + text-align: center; + } + + #bkukarte { + float:left; + text-align:center; + width:40%; + min-height: 70px; + padding-left: 5%; + padding-top: 2%; + } + + #bkuhandy { + float:right; + text-align:center; + width:40%; + min-height: 90px; + padding-right: 5%; + padding-top: 2%; + } + + .bkuimage { + width: 90%; + height: auto; + } + + #mandate{ + text-align:center; + padding : 5px 5px 5px 5px; + } + +/* input[type=button], .sendButton { + background: $BUTTON_BACKGROUNDCOLOR; + color: $BUTTON_COLOR; +/* border:1px solid #000; */ +/* cursor: pointer; +/* box-shadow: 3px 3px 3px #222222; */ +/* } + +/* button:hover, button:focus, button:active, + .sendButton:hover , .sendButton:focus, .sendButton:active, + #mandateCheckBox:hover, #mandateCheckBox:focus, #mandateCheckBox:active { + background: $BUTTON_BACKGROUNDCOLOR_FOCUS; + color: $BUTTON_COLOR; +/* border:1px solid #000; */ +/* cursor: pointer; +/* box-shadow: -1px -1px 3px #222222; */ +/* } + +*/ + input { + /*border:1px solid #000;*/ + cursor: pointer; + } + + #localBKU input { +/* color: $BUTTON_COLOR; */ + /*border: 0px;*/ + display: inline-block; + + } + + #localBKU input:hover, #localBKU input:focus, #localBKU input:active { + /*text-decoration: underline;*/ + } + + #installJava, #BrowserNOK { + clear:both; + font-size:0.8em; + padding:4px; + } + + .selectText{ + + } + + .selectTextHeader{ + + } + + .sendButton { + width: 30%; + margin-bottom: 1%; + } + + #leftcontent a { + text-decoration:none; + color: #000; + /* display:block;*/ + padding:4px; + } + + #leftcontent a:hover, #leftcontent a:focus, #leftcontent a:active { + text-decoration:underline; + color: #000; + } + + .infobutton { + background-color: #005a00; + color: white; + font-family: serif; + text-decoration: none; + padding-top: 2px; + padding-right: 4px; + padding-bottom: 2px; + padding-left: 4px; + font-weight: bold; + } + + .hell { + background-color : $MAIN_BACKGOUNDCOLOR; + color: $MAIN_COLOR; + } + + .dunkel { + background-color: $HEADER_BACKGROUNDCOLOR; + color: $HEADER_COLOR; + } + + .main_header { + color: black; + font-size: 32pt; + position: absolute; + right: 10%; + top: 40px; + + } + + #ssoSessionTransferBlock { + font-size: 0.8em; + margin-left: 5px; + margin-bottom: 5px; + } + + #alert_area { + width: 500px; + padding-left: 80px; + } \ No newline at end of file diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/error_message.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/error_message.html new file mode 100644 index 000000000..4fd4d63cd --- /dev/null +++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/error_message.html @@ -0,0 +1,37 @@ + + + + + + An error arise ... + + + +
+
+

Authentication error arise

+ + + + + +
+

The authentication stops on account of a process error:

+
+

Error Code: $errorCode

+

Error Message:$errorMsg

+
+ + + #if($stacktrace) +
+

Stacktrace: $stacktrace

+
+ #end + + + +
+
+ + \ No newline at end of file diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/javascript_tempalte.js b/id/server/data/deploy/conf/moa-id/htmlTemplates/javascript_tempalte.js new file mode 100644 index 000000000..e4e05bace --- /dev/null +++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/javascript_tempalte.js @@ -0,0 +1,200 @@ +function isIE() { + return (/MSIE (\d+\.\d+);/.test(navigator.userAgent)); + } + function isFullscreen() { + try { + return ((top.innerWidth == screen.width) && (top.innerHeight == screen.height)); + } catch (e) { + return false; + } + } + function isActivexEnabled() { + var supported = null; + try { + supported = !!new ActiveXObject("htmlfile"); + } catch (e) { + supported = false; + } + return supported; + } + function isMetro() { + if (!isIE()) + return false; + return !isActivexEnabled() && isFullscreen(); + } + window.onload=function() { + document.getElementById("localBKU").style.display="block"; + return; + } + function bkuLocalClicked() { + setMandateSelection(); + } + + function bkuOnlineClicked() { + if (isMetro()) + document.getElementById("metroDetected").style.display="block"; + document.getElementById("localBKU").style.display="block"; +/* if (checkMandateSSO()) + return; */ + + setMandateSelection(); +/* setSSOSelection(); */ + + var iFrameURL = "$contextPath$submitEndpoint" + "?"; + iFrameURL += "&pendingid=" + "$pendingReqID"; + + iFrameURL += "bkuURI=" + "$bkuOnline"; + iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; + + generateIFrame(iFrameURL); + } + function bkuHandyClicked() { + document.getElementById("localBKU").style.display="none"; +/* if (checkMandateSSO()) + return; */ + + setMandateSelection(); +/* setSSOSelection(); */ + + var iFrameURL = "$contextPath$submitEndpoint" + "?"; + iFrameURL += "&pendingid=" + "$pendingReqID"; + + iFrameURL += "bkuURI=" + "$bkuHandy"; + iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; + + generateIFrame(iFrameURL); + } + function storkClicked() { + document.getElementById("localBKU").style.display="none"; +/* if (checkMandateSSO()) + return; */ + + setMandateSelection(); +/* setSSOSelection(); */ + + var ccc = "AT"; + var countrySelection = document.getElementById("cccSelection"); + if (countrySelection != null) { + ccc = document.getElementById("cccSelection").value; + } + var iFrameURL = "$contextPath$submitEndpoint" + "?"; + iFrameURL += "&pendingid=" + "$pendingReqID"; + + #if($bkuOnline) + iFrameURL += "bkuURI=" + "$bkuOnline"; + #end + + iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; + iFrameURL += "&CCC=" + ccc; + + generateIFrame(iFrameURL); + } + function generateIFrame(iFrameURL) { + var el = document.getElementById("bkulogin"); + var width = el.clientWidth; + var heigth = el.clientHeight - 20; + var parent = el.parentNode; + + iFrameURL += "&heigth=" + heigth; + iFrameURL += "&width=" + width; + + var iframe = document.createElement("iframe"); + iframe.setAttribute("src", iFrameURL); + iframe.setAttribute("width", el.clientWidth - 1); + iframe.setAttribute("height", el.clientHeight - 1); + iframe.setAttribute("frameborder", "0"); + iframe.setAttribute("scrolling", "no"); + iframe.setAttribute("title", "Login"); + parent.replaceChild(iframe, el); + } + function setMandateSelection() { + document.getElementById("useMandate").value = "false"; + var checkbox = document.getElementById("mandateCheckBox"); + if (checkbox != null) { + if (document.getElementById("mandateCheckBox").checked) { + document.getElementById("useMandate").value = "true"; + } + } + } + function onChangeChecks() { + if (self.innerWidth < 650) { + document.getElementById("moaidform").setAttribute("target","_parent"); + } else { + document.getElementById("moaidform").removeAttribute("target"); + } + + } + + function checkIfBrowserSupportsJava(){ + console.log("Browser is Chrome: "+checkIfBrowserIsChrome()); + console.log("Browser is Safari: "+checkIfBrowserIsSafari()); + console.log("Browser is Edge: "+checkIfBrowserIsEdge()); + + var cnt = 0; + + if(checkIfBrowserIsChrome())cnt++; + if(checkIfBrowserIsEdge())cnt++; + if(checkIfBrowserIsSafari())cnt++; + + if(cnt==0 || cnt>1)//cnt>1 means perhaps wrong detection + return true; + + var image = document.getElementById("bkuimage"); + var srcatt = image.getAttribute("src"); + var last = srcatt.substring(srcatt.lastIndexOf('/')+1); + srcatt = srcatt.replace(last,'online-bku-deactivated.png'); + image.setAttribute("src",srcatt); + + + var button = document.getElementsByName("bkuButtonOnline")[0]; + button.setAttribute("class","browserInfoButton"); + button.setAttribute("title","Java wird nicht unterstützt, klicken für mehr Informationen."); + button.setAttribute("onClick","alert('Java wird von Ihrem Browser nicht unterstützt, ist jedoch für den Betrieb der Online Bürgerkartenumgebung notwendig.\\nWollen Sie dennoch die Online Bürgerkartenumgebung verwenden, wird zur Zeit Java noch von Firefox und MS Internet Explorer unterstützt. \\nAlternativ koennen Sie auch eine lokale Bürgerkartenumgebung verwenden, verfügbar unter www.buergerkarte.at.');"); + + return false; + + } + function checkIfBrowserIsChrome(){ + var chrome_defined = !!window.chrome;//chrome object defined + var webstore_defined = false; + if(window.chrome){ + webstore_defined = !!window.chrome.webstore; + } + return chrome_defined && webstore_defined; + } + function checkIfBrowserIsEdge(){//edge also defines the chrome object, but not the webapp + var chrome_defined = !!window.chrome;//chrome object defined + var webstore_defined = true; + if(window.chrome){ + webstore_defined = !!window.chrome.webstore; + } + return chrome_defined && !webstore_defined; + } + function checkIfBrowserIsSafari(){ + var cond1 = Object.prototype.toString.call(window.HTMLElement).indexOf('Constructor') > 0; + return cond1; + } +/* function setSSOSelection() { + document.getElementById("useSSO").value = "false"; + var checkbox = document.getElementById("SSOCheckBox"); + if (checkbox != null) { + if (document.getElementById("SSOCheckBox").checked) { + document.getElementById("useSSO").value = "true"; + } + } + } */ + +/* function checkMandateSSO() { + var sso = document.getElementById("SSOCheckBox"); + var mandate = document.getElementById("mandateCheckBox"); + + + if (sso.checked && mandate.checked) { + alert("Anmeldung in Vertretung in kombination mit Single Sign-On wird aktuell noch nicht unterstützt!") + mandate.checked = false; + sso.checked = false; + return true; + } else { + return false; + } + } */ \ No newline at end of file diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html index af133525e..02b86472b 100644 --- a/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html +++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/loginFormFull.html @@ -4,847 +4,29 @@ - - - + + + + Anmeldung mittels Bürgerkarte oder Handy-Signatur
-

Anmeldung an: #OAName#

+

Anmeldung an: $OAName

-

#HEADER_TEXT#

+

$HEADER_TEXT

-
+
+ onClick='document.getElementById("mandateCheckBox").setAttribute("aria-checked", document.getElementById("mandateCheckBox").checked);'$MANDATECHECKED> -
+

Home Country Selection

i @@ -907,16 +87,6 @@

-
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/redirectForm.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/redirectForm.html new file mode 100644 index 000000000..ac3242c89 --- /dev/null +++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/redirectForm.html @@ -0,0 +1,13 @@ + + + + + + + + + CLICK to perform a + redirect back to Online Application + + diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html index 07d018a94..a9f0c4238 100644 --- a/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html +++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/sendAssertionFormFull.html @@ -3,556 +3,7 @@ - - + Anmeldung an Online-Applikation @@ -574,25 +25,21 @@
-

Anmeldung an: #OAName#

+

Anmeldung an: $OAName

-
+ - - - - + +
-
+ - - - - + +
@@ -600,18 +47,6 @@
-
diff --git a/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html b/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html index a9d73e0d3..b3eb18082 100644 --- a/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html +++ b/id/server/data/deploy/conf/moa-id/htmlTemplates/slo_template.html @@ -3,377 +3,7 @@ - + #if($timeoutURL) - - -Anmeldung mittels Bürgerkarte oder Handy-Signatur - - -
-
-

Anmeldung an: #OAName#

-
-
-
-

#HEADER_TEXT#

-
-
-
-
- - - -
-
-
-
- OnlineBKU -
-
- HandyBKU -
-
-
-
- - -
-
- - - - -
-

Home Country Selection

-

- - - i -

-
- - -
-
-
-
-
- - diff --git a/id/server/idserverlib/src/main/resources/resources/templates/redirectForm.html b/id/server/idserverlib/src/main/resources/resources/templates/redirectForm.html deleted file mode 100644 index 9bddee931..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/redirectForm.html +++ /dev/null @@ -1,13 +0,0 @@ - - - - - - - - - CLICK to perform a - redirect back to Online Application - - diff --git a/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html b/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html deleted file mode 100644 index ecda6550b..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/sendAssertionFormFull.html +++ /dev/null @@ -1,68 +0,0 @@ - - - - - - - - Anmeldung an Online-Applikation - - - - -
- -
- - - -
-
-
-

- Anmeldeinformationen: -

-
- -
-

Anmeldung an: #OAName#

- - -
-
- - - - - -
-
-
-
- - - - - -
-
- -
-
-
-
- -
- - diff --git a/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html b/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html deleted file mode 100644 index b3eb18082..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/slo_template.html +++ /dev/null @@ -1,94 +0,0 @@ - - - - - - - - #if($timeoutURL) - - #end - - Single LogOut Vorgang ... - - -#if($timeoutURL) - -#else - -#end - - -
-
-

MOA-ID Single LogOut Information

-
-
- - #if($errorMsg) -
-

$errorMsg

-
- #end - - #if($successMsg) -
-

$successMsg

-
- #end - - #if($redirectURLs) -
-

- Sie werden von allen Online-Applikationen abgemeldet.
- Dieser Vorgang kann einige Zeit in Anspruch nehmen. -

-
- #end - -
-
-
- -
- - - #foreach( $el in $redirectURLs ) - - #end - - \ No newline at end of file diff --git a/id/server/idserverlib/src/main/resources/resources/templates/sso_transfer_template.html b/id/server/idserverlib/src/main/resources/resources/templates/sso_transfer_template.html deleted file mode 100644 index e9c2fae76..000000000 --- a/id/server/idserverlib/src/main/resources/resources/templates/sso_transfer_template.html +++ /dev/null @@ -1,59 +0,0 @@ - - - - - - - - Single Sign-On Session Transfer - - - - - -
-
-

MOA-ID Single Sign-On Session Transfer Service

-
-
- - #if($errorMsg) -
-

$errorMsg

-
- #end - - #if($successMsg) -
-

$successMsg

-
- #end - - #if($QRImage) -
- -
- #end - -
-
-
- -
- - - \ No newline at end of file diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java index 125d83d6d..66dffe311 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/module/test/TestRequestImpl.java @@ -24,9 +24,9 @@ package at.gv.egovernment.moa.id.module.test; import java.util.Collection; -import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException; /** * @author tlenz diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/CreateSAML1AssertionTask.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/CreateSAML1AssertionTask.java index 005ad8bcc..54515ab8e 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/CreateSAML1AssertionTask.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/CreateSAML1AssertionTask.java @@ -11,7 +11,7 @@ import org.slf4j.LoggerFactory; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.process.api.Task; diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/GetIdentityLinkTask.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/GetIdentityLinkTask.java index 6ba2f24e4..266878d7e 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/GetIdentityLinkTask.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/GetIdentityLinkTask.java @@ -11,7 +11,7 @@ import org.slf4j.LoggerFactory; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.process.api.Task; diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/SelectBKUTask.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/SelectBKUTask.java index 89b5a5e2a..915cb3b1e 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/SelectBKUTask.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/SelectBKUTask.java @@ -4,7 +4,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Service; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.process.api.Task; diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/SignAuthBlockTask.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/SignAuthBlockTask.java index 6c91c574c..41ccb4451 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/SignAuthBlockTask.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/SignAuthBlockTask.java @@ -11,7 +11,7 @@ import org.slf4j.LoggerFactory; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.process.api.Task; diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/ValidateIdentityLinkTask.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/ValidateIdentityLinkTask.java index 766f9fadb..818e8b479 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/ValidateIdentityLinkTask.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/ValidateIdentityLinkTask.java @@ -6,7 +6,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.stereotype.Service; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.process.api.Task; diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/ValidateSignedAuthBlockTask.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/ValidateSignedAuthBlockTask.java index 7a4d5f70d..2ee67ec27 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/ValidateSignedAuthBlockTask.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/spring/test/task/ValidateSignedAuthBlockTask.java @@ -7,7 +7,7 @@ import org.slf4j.LoggerFactory; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.process.api.Task; diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/test/HalloWeltTask.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/test/HalloWeltTask.java index 32e7bda2f..1f77eadbc 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/test/HalloWeltTask.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/test/HalloWeltTask.java @@ -2,7 +2,7 @@ package at.gv.egovernment.moa.id.process.test; import org.springframework.stereotype.Service; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.process.api.Task; diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/test/HelloWorldTask.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/test/HelloWorldTask.java index 81fc32d24..bc640e97a 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/test/HelloWorldTask.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/process/test/HelloWorldTask.java @@ -2,7 +2,7 @@ package at.gv.egovernment.moa.id.process.test; import org.springframework.stereotype.Service; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.process.api.Task; diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/UnitTestCase.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/UnitTestCase.java index a645aa5a2..a05159c27 100644 --- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/UnitTestCase.java +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/UnitTestCase.java @@ -46,10 +46,9 @@ package test.at.gv.egovernment.moa.id; +import at.gv.egovernment.moa.id.commons.api.ConfigurationProvider; import test.MOAIDTestCase; -import at.gv.egovernment.moa.id.config.ConfigurationProvider; - /** * Base class for MOA ID test cases. * diff --git a/id/server/moa-id-commons/pom.xml b/id/server/moa-id-commons/pom.xml index bbaba6a50..c722b265e 100644 --- a/id/server/moa-id-commons/pom.xml +++ b/id/server/moa-id-commons/pom.xml @@ -50,6 +50,33 @@ + + at.gv.util + egovutils + + + * + * + + + + + + org.opensaml + opensaml + + + * + * + + + + + + org.apache.commons + commons-lang3 + + at.gv.egiz.components egiz-configuration-api diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java new file mode 100644 index 000000000..8d893be9d --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/MOAIDAuthConstants.java @@ -0,0 +1,193 @@ + + + +package at.gv.egovernment.moa.id.commons; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.List; +import java.util.Map; + +import iaik.asn1.ObjectID; + + +/** + * Constants used throughout moa-id-auth component. + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class MOAIDAuthConstants extends MOAIDConstants{ + + /** servlet parameter "Target" */ + public static final String PARAM_TARGET = "Target"; + /** servlet parameter "useMandate" */ + public static final String PARAM_USEMANDATE = "useMandate"; + public static final String PARAM_USEMISMANDATE = "useMISMandate"; + public static final String PARAM_USEELGAMANDATE = "useELGAMandate"; + /** servlet parameter "OA" */ + public static final String PARAM_OA = "OA"; + /** servlet parameter "bkuURI" */ + public static final String PARAM_BKU = "bkuURI"; + public static final String PARAM_MODUL = "MODUL"; + public static final String PARAM_ACTION = "ACTION"; + public static final String PARAM_SSO = "SSO"; + public static final String INTERFEDERATION_IDP = "interIDP"; + public static final String PARAM_TARGET_PENDINGREQUESTID = "pendingid"; + + public static final String PARAM_SLOSTATUS = "status"; + public static final String PARAM_SLORESTART = "restart"; + public static final String SLOSTATUS_SUCCESS = "success"; + public static final String SLOSTATUS_ERROR = "error"; + + /** servlet parameter "sourceID" */ + public static final String PARAM_SOURCEID = "sourceID"; + /** servlet parameter "BKUSelectionTemplate" */ + public static final String PARAM_BKUTEMPLATE = "BKUSelectionTemplate"; + /** servlet parameter "CCC (Citizen Country Code)" */ + public static final String PARAM_CCC = "CCC"; + /** servlet parameter "BKUSelectionTemplate" */ + public static final String PARAM_INPUT_PROCESSOR_SIGN_TEMPLATE = "InputProcessorSignTemplate"; + /** default BKU URL */ + public static final String DEFAULT_BKU = "http://localhost:3495/http-security-layer-request"; + /** default BKU URL for https connections*/ + public static final String DEFAULT_BKU_HTTPS = "https://127.0.0.1:3496/https-security-layer-request"; + /** servlet parameter "returnURI" */ + public static final String PARAM_RETURN = "returnURI"; + /** servlet parameter "Template" */ + public static final String PARAM_TEMPLATE = "Template"; + /** servlet parameter "MOASessionID" */ + public static final String PARAM_SESSIONID = "MOASessionID"; + /** servlet parameter "XMLResponse" */ + public static final String PARAM_XMLRESPONSE = "XMLResponse"; + /** servlet parameter "SAMLArtifact" */ + public static final String PARAM_SAMLARTIFACT = "SAMLArtifact"; + /** Request name {@link at.gv.egovernment.moa.id.auth.servlet.StartAuthenticationServlet} is mapped to */ + public static final String REQ_START_AUTHENTICATION = "StartAuthentication"; + /** Request name {@link at.gv.egovernment.moa.id.auth.servlet.VerifyIdentityLinkServlet} is mapped to */ + public static final String REQ_VERIFY_IDENTITY_LINK = "VerifyIdentityLink"; + /** Request name {@link at.gv.egovernment.moa.id.auth.servlet.GetForeignIDServlet} is mapped to */ + public static final String REQ_GET_FOREIGN_ID = "GetForeignID"; + /** Request name {@link at.gv.egovernment.moa.id.auth.servlet.VerifyCertificateServlet} is mapped to */ + public static final String REQ_VERIFY_CERTIFICATE = "VerifyCertificate"; + /** Request name {@link at.gv.egovernment.moa.id.auth.servlet.GetMISSessionIDServlet} is mapped to */ + public static final String GET_MIS_SESSIONID = "GetMISSessionID"; + /** Request name {@link at.gv.egovernment.moa.id.auth.servlet.ProcessValidatorInputServlet} is mapped to */ + public static final String REQ_PROCESS_VALIDATOR_INPUT = "ProcessInput"; + /** Request name {@link at.gv.egovernment.moa.id.auth.servlet.VerifyAuthenticationBlockServlet} is mapped to */ + public static final String REQ_VERIFY_AUTH_BLOCK = "VerifyAuthBlock"; + /** Logging hierarchy used for controlling debug output of XML structures to files */ + public static final String DEBUG_OUTPUT_HIERARCHY = "moa.id.auth"; + /** Header Name for controlling the caching mechanism of the browser */ + public static final String HEADER_EXPIRES = "Expires"; + /** Header Value for controlling the caching mechanism of the browser */ + public static final String HEADER_VALUE_EXPIRES = "Sat, 6 May 1995 12:00:00 GMT"; + /** Header Name for controlling the caching mechanism of the browser */ + public static final String HEADER_PRAGMA = "Pragma"; + /** Header Value for controlling the caching mechanism of the browser */ + public static final String HEADER_VALUE_PRAGMA = "no-cache"; + /** Header Name for controlling the caching mechanism of the browser */ + public static final String HEADER_CACHE_CONTROL = "Cache-control"; + /** Header Value for controlling the caching mechanism of the browser */ + public static final String HEADER_VALUE_CACHE_CONTROL = "no-store, no-cache, must-revalidate"; + /** Header Value for controlling the caching mechanism of the browser */ + public static final String HEADER_VALUE_CACHE_CONTROL_IE = "post-check=0, pre-check=0"; + /** + * the identity link signer X509Subject names of those identity link signer certificates + * not including the identity link signer OID. The authorisation for signing the identity + * link must be checked by using their issuer names. After february 19th 2007 the OID of + * the certificate will be used fo checking the authorisation for signing identity links. + */ + public static final String[] IDENTITY_LINK_SIGNERS_WITHOUT_OID = + new String[] {"T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitgieds der Datenschutzkommission", + "T=Dr.,CN=Nikolaus Schwab,O=BM f. Inneres i.A. des gf. Mitglieds der Datenschutzkommission"}; + + /** the number of the certifcate extension "Eigenschaft zur Ausstellung von Personenbindungen" */ + public static final String IDENTITY_LINK_SIGNER_OID_NUMBER = "1.2.40.0.10.1.7.1"; + /** + * the OID of the identity link signer certificate (Eigenschaft zur Ausstellung von Personenbindungen); + * used for checking the authorisation for signing the identity link for identity links signed after february 19th 2007 + */ + public static final ObjectID IDENTITY_LINK_SIGNER_OID = new ObjectID(IDENTITY_LINK_SIGNER_OID_NUMBER); + + /** the number of the certifcate extension for party representatives */ + public static final String PARTY_REPRESENTATION_OID_NUMBER = "1.2.40.0.10.3"; + +// /** the number of the certifcate extension for party organ representatives */ +// public static final String PARTY_ORGAN_REPRESENTATION_OID_NUMBER = PARTY_REPRESENTATION_OID_NUMBER + ".10"; + + /** OW */ + public static final String OW_ORGANWALTER = PARTY_REPRESENTATION_OID_NUMBER + ".4"; + + /** List of OWs */ + public static final List OW_LIST = Arrays.asList( + new ObjectID(OW_ORGANWALTER)); + + /**BKU type identifiers to use bkuURI from configuration*/ + public static final String REQ_BKU_TYPE_LOCAL = "local"; + public static final String REQ_BKU_TYPE_ONLINE = "online"; + public static final String REQ_BKU_TYPE_HANDY = "handy"; + public static final List REQ_BKU_TYPES = Arrays.asList(REQ_BKU_TYPE_LOCAL, REQ_BKU_TYPE_ONLINE, REQ_BKU_TYPE_HANDY); + + public static final List LEGACYPARAMETERWHITELIST + = Arrays.asList(PARAM_TARGET, PARAM_BKU, PARAM_OA, PARAM_TEMPLATE, PARAM_USEMANDATE, PARAM_CCC, PARAM_SOURCEID); + + public final static String EXT_SAML_MANDATE_OIDTEXTUALDESCRIPTION = "OIDTextualDescription"; + public final static String EXT_SAML_MANDATE_OID = "OID"; + public final static String EXT_SAML_MANDATE_RAW = "Mandate"; + public final static String EXT_SAML_MANDATE_NAME = "MandatorName"; + public final static String EXT_SAML_MANDATE_DOB = "MandatorDateOfBirth"; + public final static String EXT_SAML_MANDATE_WBPK = "MandatorWbpk"; + public final static String EXT_SAML_MANDATE_REPRESENTATIONTYPE = "RepresentationType"; + public final static String EXT_SAML_MANDATE_REPRESENTATIONTEXT = "Vollmachtsvertreter"; + public final static String EXT_SAML_MANDATE_CB_BASE_ID = "MandatorDomainIdentifier"; + + public static final String PARAM_APPLET_HEIGTH = "heigth"; + public static final String PARAM_APPLET_WIDTH = "width"; + + public static final Map COUNTRYCODE_XX_TO_NAME = + Collections.unmodifiableMap(new HashMap() { + private static final long serialVersionUID = 1L; + { + put("AT", "Other Countries");//"Workaround for PEPS Simulator" + put("BE", "België/Belgique"); + //put("CH", "Schweiz"); + put("EE", "Eesti"); + put("ES", "España"); + put("FI", "Suomi"); + put("IS", "Ísland"); + put("IT", "Italia"); + put("LI", "Liechtenstein"); + put("LT", "Lithuania"); + put("LU", "Luxemburg"); + put("PT", "Portugal"); + put("SE", "Sverige"); + put("SI", "Slovenija"); + } + }); + + public static final String COUNTRYCODE_AUSTRIA = "AT"; + + public static final String REGEX_PATTERN_TARGET = "^[A-Za-z]{2}(-.*)?$"; + + public static final String MDC_TRANSACTION_ID = "transactionId"; + public static final String MDC_SESSION_ID = "sessionId"; + + //AuthnRequest IssueInstant validation + public static final int TIME_JITTER = 5; //all 5 minutes time jitter + + public static final String PROCESSCONTEXT_PERFORM_INTERFEDERATION_AUTH = "interfederationAuthentication"; + public static final String PROCESSCONTEXT_REQUIRELOCALAUTHENTICATION = "requireLocalAuthentication"; + public static final String PROCESSCONTEXT_PERFORM_BKUSELECTION = "performBKUSelection"; + public static final String PROCESSCONTEXT_ISLEGACYREQUEST = "isLegacyRequest"; + + //General protocol-request data-store keys + public static final String AUTHPROCESS_DATA_TARGET = "authProces_Target"; + public static final String AUTHPROCESS_DATA_TARGETFRIENDLYNAME = "authProces_TargetFriendlyName"; + public static final String AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE = "authProces_SecurityLayerTemplate"; + + //General MOASession data-store keys + public static final String MOASESSION_DATA_HOLDEROFKEY_CERTIFICATE = "holderofkey_cert"; + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java new file mode 100644 index 000000000..fa08dcab6 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/AuthConfiguration.java @@ -0,0 +1,162 @@ +package at.gv.egovernment.moa.id.commons.api; + +import java.util.List; +import java.util.Map; +import java.util.Properties; + +import at.gv.egovernment.moa.id.commons.api.data.ProtocolAllowed; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.util.config.EgovUtilPropertiesConfiguration; + +public interface AuthConfiguration extends ConfigurationProvider{ + + public static final String DEFAULT_X509_CHAININGMODE = "pkix"; + + public Properties getGeneralPVP2ProperiesConfig(); + + public Properties getGeneralOAuth20ProperiesConfig(); + + public ProtocolAllowed getAllowedProtocols(); + + public Map getConfigurationWithPrefix(final String Prefix); + + public String getConfigurationWithKey(final String key); + + /** + * Get a configuration value from basic file based MOA-ID configuration + * + * @param key configuration key + * @return configuration value + */ + public String getBasicMOAIDConfiguration(final String key); + + public int getTransactionTimeOut(); + public int getSSOCreatedTimeOut(); + public int getSSOUpdatedTimeOut(); + + public String getAlternativeSourceID() throws ConfigurationException; + + public List getLegacyAllowedProtocols(); + + public IOAAuthParameters getOnlineApplicationParameter(String oaURL); + + public String getMoaSpAuthBlockTrustProfileID(boolean useTestTrustStore) throws ConfigurationException; + + public List getMoaSpAuthBlockVerifyTransformsInfoIDs() throws ConfigurationException; + + public ConnectionParameterInterface getMoaSpConnectionParameter() throws ConfigurationException; + + public ConnectionParameterInterface getForeignIDConnectionParameter() throws ConfigurationException; + + public ConnectionParameterInterface getOnlineMandatesConnectionParameter() throws ConfigurationException; + + public String getMoaSpIdentityLinkTrustProfileID(boolean useTestTrustStore) throws ConfigurationException; + + public List getTransformsInfos() throws ConfigurationException; + + public List getIdentityLinkX509SubjectNames() throws ConfigurationException; + + public List getSLRequestTemplates() throws ConfigurationException; + + public String getSLRequestTemplates(String type) throws ConfigurationException; + + public List getDefaultBKUURLs() throws ConfigurationException; + + public String getDefaultBKUURL(String type) throws ConfigurationException; + + public String getSSOTagetIdentifier() throws ConfigurationException; + + public String getSSOFriendlyName(); + + public String getSSOSpecialText(); + + public String getMOASessionEncryptionKey(); + + public String getMOAConfigurationEncryptionKey(); + + public boolean isIdentityLinkResigning(); + + public String getIdentityLinkResigningKey(); + + public boolean isMonitoringActive(); + + public String getMonitoringTestIdentityLinkURL(); + + public String getMonitoringMessageSuccess(); + + public boolean isAdvancedLoggingActive(); + + /** + * Returns the PublicURLPrefix. + * + * @return the PublicURLPrefix (one or more) of this IDP instance. All publicURLPrefix URLs are ends without / + * @throws ConfigurationException if no PublicURLPrefix is found. + */ + public List getPublicURLPrefix() throws ConfigurationException; + + public boolean isVirtualIDPsEnabled(); + + public boolean isPVP2AssertionEncryptionActive(); + + public boolean isCertifiacteQCActive(); + + public IStorkConfig getStorkConfig() throws ConfigurationException; + + public EgovUtilPropertiesConfiguration geteGovUtilsConfig(); + + public String getDocumentServiceUrl(); + + /** + * Notify, if the STORK fake IdentityLink functionality is active + * + * @return true/false + */ + public boolean isStorkFakeIdLActive(); + + /** + * Get a list of all STORK countries for which a faked IdentityLink should be created + * + * @return {List} of country codes + */ + public List getStorkFakeIdLCountries(); + + /** + * Get a list of all STORK countries for which no signature is required + * + * @return {List} of country codes + */ + public List getStorkNoSignatureCountries(); + + /** + * Get the MOA-SS key-group identifier for fake IdentityLink signing + * + * @return MOA-SS key-group identifier {String} + */ + public String getStorkFakeIdLResigningKey(); + + + /** + * Notify, if the PVP2x metadata schema validation is active + * + * @return true/false + */ + public boolean isPVPSchemaValidationActive(); + + /** + * Get all configuration values with prefix and wildcard + * + * @param key: Search key. * and % can be used as wildcards + * @return Key/Value pairs {Map}, which key maps the search key + */ + Map getConfigurationWithWildCard(String key); + + /** + * Get configured default revisions-log event codes which should be logged + * + * @return {List} if event codes or null + */ + List getDefaultRevisionsLogEventCodes(); + + @Deprecated + public boolean isHTTPAuthAllowed(); +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/ConfigurationProvider.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/ConfigurationProvider.java new file mode 100644 index 000000000..ca0a56049 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/ConfigurationProvider.java @@ -0,0 +1,66 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.api; + +/** + * @author tlenz + * + */ +public interface ConfigurationProvider { + + /** + * The name of the system property which contains the file name of the + * configuration file. + */ + public static final String CONFIG_PROPERTY_NAME = + "moa.id.configuration"; + + /** + * The name of the system property which contains the file name of the + * configuration file. + */ + public static final String PROXY_CONFIG_PROPERTY_NAME = + "moa.id.proxy.configuration"; + + /** + * The name of the generic configuration property giving the certstore directory path. + */ + public static final String DIRECTORY_CERTSTORE_PARAMETER_PROPERTY = + "DirectoryCertStoreParameters.RootDir"; + + /** + * The name of the generic configuration property switching the ssl revocation checking on/off + */ + public static final String TRUST_MANAGER_REVOCATION_CHECKING = + "TrustManager.RevocationChecking"; + + public String getRootConfigFileDir(); + + public String getDefaultChainingMode(); + + public String getTrustedCACertificates(); + + public String getCertstoreDirectory(); + + public boolean isTrustmanagerrevoationchecking(); +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/ConnectionParameterInterface.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/ConnectionParameterInterface.java new file mode 100644 index 000000000..89a21661b --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/ConnectionParameterInterface.java @@ -0,0 +1,35 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.commons.api; + +public interface ConnectionParameterInterface { + + + public boolean isHTTPSURL(); + public String getUrl(); + public String getAcceptedServerCertificates(); + + public String getClientKeyStore(); + public String getClientKeyStorePassword(); + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java new file mode 100644 index 000000000..be6d34275 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IOAAuthParameters.java @@ -0,0 +1,222 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.api; + +import java.security.PrivateKey; +import java.util.Collection; +import java.util.List; +import java.util.Map; + +import at.gv.egovernment.moa.id.commons.api.data.CPEPS; +import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; +import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; +import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; + +/** + * @author tlenz + * + */ +public interface IOAAuthParameters { + + public static final String ONLINEBKU = "online"; + public static final String HANDYBKU = "handy"; + public static final String LOCALBKU = "local"; + public static final String INDERFEDERATEDIDP = "interfederated"; + + /** + * Get the full key/value configuration for this online application + * + * @return an unmodifiable map of key/value pairs + */ + public Map getFullConfiguration(); + + /** + * Get a configuration value from online application key/value configuration + * + * @param key: The key identifier of a configuration value * + * @return The configuration value {String} or null if the key does not exist + */ + public String getConfigurationValue(String key); + + public String getFriendlyName(); + + public String getPublicURLPrefix(); + + public String getOaType(); + + public boolean getBusinessService(); + + /** + * Get target of a public service-provider + * + * @return target identifier without prefix + */ + public String getTarget(); + + public String getTargetFriendlyName(); + + public boolean isInderfederationIDP(); + + public boolean isSTORKPVPGateway(); + + public boolean isRemovePBKFromAuthBlock(); + + /** + * Return the private-service domain-identifier with PreFix + * + * @return the identityLinkDomainIdentifier + */ + public String getIdentityLinkDomainIdentifier(); + + /** + * @return the keyBoxIdentifier + */ + public String getKeyBoxIdentifier(); + + public SAML1ConfigurationParameters getSAML1Parameter(); + + /** + * Get a list of online application specific trusted security layer templates + * + * @return a {List} with template URLs, maybe empty but never null + */ + public List getTemplateURL(); + + + /** + * Return the additional AuthBlock text for this online application + * + * @return authblock text {String} or null if no text is configured + */ + public String getAditionalAuthBlockText(); + + /** + * Return an online application specific BKU URL for a requested BKU type + * + * @param bkutype: defines the type of BKU + * @return BKU URL {String} or null if no BKU URL is configured + */ + public String getBKUURL(String bkutype); + + /** + * Return a list of all configured BKU URLs for this online application + * + * @return List of BKU URLs or an empty list if no BKU is configured + */ + public List getBKUURL(); + + public boolean useSSO(); + + public boolean useSSOQuestion(); + + /** + * Return all mandate-profile types configured for this online application + * + * @return the mandateProfiles {List} or null if no profile is defined + */ + public List getMandateProfiles(); + + /** + * @return the identityLinkDomainIdentifierType + */ + public String getIdentityLinkDomainIdentifierType(); + + public boolean isShowMandateCheckBox(); + + public boolean isOnlyMandateAllowed(); + + /** + * Shall we show the stork login in the bku selection frontend? + * + * @return true, if is we should show stork login + */ + public boolean isShowStorkLogin(); + + public Integer getQaaLevel(); + + public boolean isRequireConsentForStorkAttributes(); + + /** + * Return a {Collection} of requested STORK attributes + * + * @return {Collection} maybe empty but never null + */ + public Collection getRequestedSTORKAttributes(); + + public byte[] getBKUSelectionTemplate(); + + public byte[] getSendAssertionTemplate(); + + /** + * Return a {Collection} of configured STORK CPEPS + * + * @return {Collection} maybe empty but never null + */ + public Collection getPepsList(); + + public String getIDPAttributQueryServiceURL(); + + /** + * @return + */ + boolean isInboundSSOInterfederationAllowed(); + + /** + * @return + */ + boolean isInterfederationSSOStorageAllowed(); + + /** + * @return + */ + boolean isOutboundSSOInterfederationAllowed(); + + boolean isTestCredentialEnabled(); + + List getTestCredentialOIDs(); + + boolean isUseIDLTestTrustStore(); + boolean isUseAuthBlockTestTestStore(); + + PrivateKey getBPKDecBpkDecryptionKey(); + + /** + * @return + */ + boolean isPassivRequestUsedForInterfederation(); + + /** + * @return + */ + boolean isPerformLocalAuthenticationOnInterfederationError(); + + /** + * Get a {Collection} of configured STORK attribute provider plug-ins + * + * @return {Collection} maybe empty but never null + */ + public Collection getStorkAPs(); + + public List getReversionsLoggingEventCodes(); + +} \ No newline at end of file diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IRequest.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IRequest.java new file mode 100644 index 000000000..b23b4474b --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IRequest.java @@ -0,0 +1,201 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.commons.api; + +import java.util.Collection; + +import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException; + +public interface IRequest { + + /** + * Indicates the module, which implements this authentication protocol. + * The class, which is referenced, had to implement the 'IModulInfo' interface. + * + * @return Full-qualified name of the class which implements this protocol + */ + public String requestedModule(); + + /** + * Indicates the protocol specific action, which should executed if the request is processed. + * The class, which is referenced, had to implement the 'IAction' interface. + * + * @return Full-qualified name of the class which implements the action + */ + public String requestedAction(); + + /** + * Unique identifier, which indicates the service provider. + * In case of SAML1 protocol, it is the OA http-GET parameter + * + * @return Unique identifier for the service provider + */ + public String getOAURL(); + + /** + * Indicates the passive flag in authentication requests. + * If the passive flag is set, the identification and authentication process + * failed if no active SSO session is found. + * + * @return true, if the is passive flag is set in authentication request, otherwise false + */ + public boolean isPassiv(); + + /** + * Indicates the force authentication flag in authentication request + * If this flag is set, a new identification and authentication process + * is carried out in any case. + * + * @return true, if the force authentication flag is set, otherwise false + */ + public boolean forceAuth(); + + + /** + * Returns a generic request-data object with is stored with a specific identifier + * + * @param key The specific identifier of the request-data object + * @return The request-data object or null if no data is found with this key + */ + public Object getGenericData(String key); + + /** + * Returns a generic request-data object with is stored with a specific identifier + * + * @param key The specific identifier of the request-data object + * @param clazz The class type which is stored with this key + * @return The request-data object or null if no data is found with this key + */ + public T getGenericData(String key, final Class clazz); + + /** + * Store a generic data-object to request with a specific identifier + * + * @param key Identifier for this data-object + * @param object Generic data-object which should be stored. This data-object had to be implement the 'java.io.Serializable' interface + * @throws SessionDataStorageException Error message if the data-object can not stored to generic request-data storage + */ + public void setGenericDataToSession(String key, Object object) throws SessionDataStorageException; + + /** + * Hold the identifier of this request object. + * This identifier can be used to load the request from request storage + * + * @return Request identifier + */ + public String getRequestID(); + + + /** + * Hold the identifier of the MOASession which is associated with this request + * + * @return MOASession identifier if a associated session exists, otherwise null + */ + public String getMOASessionIdentifier(); + + + /** + * Holds a unique transaction identifier, which could be used for looging + * This transaction identifier is unique for a single identification and authentication process + * + * @return Unique transaction identifier. + */ + public String getUniqueTransactionIdentifier(); + + /** + * Holds a unique session identifier, which could be used for logging + * This session identifier is unique for the full Single Sign-On session time + * + * @return Unique session identifier + */ + public String getUniqueSessionIdentifier(); + + + /** + * Hold the identifier if the process instance, which is associated with this request + * + * @return ProcessInstanceID if this request is associated with a authentication process, otherwise null + */ + public String getProcessInstanceId(); + + + /** + * get the IDP URL PreFix, which was used for authentication request + * + * @return IDP URL PreFix . The URL prefix always ends without / + */ + public String getAuthURL(); + public String getAuthURLWithOutSlash(); + + /** + * Indicates if this pending request needs authentication + * + * @return true if this request needs authentication, otherwise false + */ + public boolean isNeedAuthentication(); + + /** + * Indicates, if this pending request needs Single Sign-On (SSO) functionality + * + * @return true if this request needs SSO, otherwise false + */ + public boolean needSingleSignOnFunctionality(); + public void setNeedSingleSignOnFunctionality(boolean needSSO); + + /** + * Indicates, if this pending request is already authenticated + * + * @return true if this request is already authenticated, otherwise false + */ + public boolean isAuthenticated(); + public void setAuthenticated(boolean isAuthenticated); + + /** + * Get get Service-Provider configuration which is associated with this request. + * + * @return Service-Provider configuration + */ + public IOAAuthParameters getOnlineApplicationConfiguration(); + + /** + * Indicates, if this pending-request is aborted by the user + * + * @return true, if it is aborted, otherwise false + */ + public boolean isAbortedByUser(); + + /** + * Set the 'isAboredByUser' flag of this pending-request + * + * @param b true, if the user has abort the authentication process, otherwise false + */ + public void setAbortedByUser(boolean isAborted); + + /** + * This method get a Set of PVP 2.1 attribute, which are request by this pending-request. + * + * @return A set of PVP attribute names or null if no attributes are requested + * or the Service Provider, which sends this request needs no attributes + */ + public Collection getRequestedAttributes(); +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java new file mode 100644 index 000000000..b2d90aed4 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/IStorkConfig.java @@ -0,0 +1,51 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.api; + +import java.util.List; +import java.util.Map; + +import at.gv.egovernment.moa.id.commons.api.data.CPEPS; +import at.gv.egovernment.moa.id.commons.api.data.SignatureCreationParameter; +import at.gv.egovernment.moa.id.commons.api.data.SignatureVerificationParameter; +import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; + +/** + * @author tlenz + * + */ +public interface IStorkConfig { + + SignatureCreationParameter getSignatureCreationParameter(); + + SignatureVerificationParameter getSignatureVerificationParameter(); + + Map getCpepsMap(); + + boolean isSTORKAuthentication(String ccc); + + CPEPS getCPEPS(String ccc); + + List getStorkAttributes(); + +} \ No newline at end of file diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/BPKDecryptionParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/BPKDecryptionParameters.java new file mode 100644 index 000000000..cb81fe79e --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/BPKDecryptionParameters.java @@ -0,0 +1,135 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.api.data; + +import java.io.ByteArrayInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.Serializable; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.PrivateKey; +import java.security.UnrecoverableKeyException; + +import org.apache.commons.lang3.SerializationUtils; + +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.KeyStoreUtils; + + +/** + * @author tlenz + * + */ +public class BPKDecryptionParameters implements Serializable{ + + private static final long serialVersionUID = 1L; + + private byte[] keyStore = null; + private String keyStorePassword = null; + private String keyAlias = null; + private String keyPassword = null; + + /** + * @return + * @throws IOException + */ + public PrivateKey getPrivateKey() { + InputStream in = null; + try { + in = new ByteArrayInputStream(keyStore); + KeyStore store = KeyStoreUtils.loadKeyStore(in , keyStorePassword); + + char[] chPassword = " ".toCharArray(); + if (keyPassword != null) + chPassword = keyPassword.toCharArray(); + +// Certificate test = store.getCertificate(keyAlias); +// Base64Utils.encode(test.getPublicKey().getEncoded()); + + return (PrivateKey) store.getKey(keyAlias, chPassword); + + + } catch (KeyStoreException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (IOException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (UnrecoverableKeyException e) { + Logger.error("Can not load private key from keystore.", e); + + } catch (NoSuchAlgorithmException e) { + Logger.error("Can not load private key from keystore.", e); + + } finally { + if (in != null) { + try { + in.close(); + } catch (IOException e) { + Logger.warn("Close InputStream failed." , e); + } + } + } + + return null; + } + + public byte[] serialize() { + return SerializationUtils.serialize(this); + + } + + /** + * @param keyStore the keyStore to set + */ + public void setKeyStore(byte[] keyStore) { + this.keyStore = keyStore; + } + + /** + * @param keyStorePassword the keyStorePassword to set + */ + public void setKeyStorePassword(String keyStorePassword) { + this.keyStorePassword = keyStorePassword; + } + + /** + * @param keyAlias the keyAlias to set + */ + public void setKeyAlias(String keyAlias) { + this.keyAlias = keyAlias; + } + + /** + * @param keyPassword the keyPassword to set + */ + public void setKeyPassword(String keyPassword) { + this.keyPassword = keyPassword; + } + + + + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/CPEPS.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/CPEPS.java new file mode 100644 index 000000000..a88aa2171 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/CPEPS.java @@ -0,0 +1,138 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +/** + * + */ +package at.gv.egovernment.moa.id.commons.api.data; + +import java.net.URL; +import java.util.ArrayList; +import java.util.List; + +import org.opensaml.saml2.metadata.RequestedAttribute; + +/** + * Encpasulates C-PEPS information according MOA configuration + * + * @author bzwattendorfer + * + */ +public class CPEPS { + + /** Country Code of C-PEPS */ + private String countryCode; + + /** URL of C-PEPS */ + private URL pepsURL; + + private Boolean isXMLSignatureSupported; + + /** Specific attributes to be requested for this C-PEPS */ + private List countrySpecificRequestedAttributes = new ArrayList(); + + /** + * Constructs a C-PEPS + * @param countryCode ISO Country Code of C-PEPS + * @param pepsURL URL of C-PEPS + */ + public CPEPS(String countryCode, URL pepsURL, Boolean isXMLSignatureSupported) { + super(); + this.countryCode = countryCode; + this.pepsURL = pepsURL; + this.isXMLSignatureSupported = isXMLSignatureSupported; + } + + /** + * Gets the country code of this C-PEPS + * @return ISO country code + */ + public String getCountryCode() { + return countryCode; + } + + /** + * Sets the country code of this C-PEPS + * @param countryCode ISO country code + */ + public void setCountryCode(String countryCode) { + this.countryCode = countryCode; + } + + /** + * Gets the URL of this C-PEPS + * @return C-PEPS URL + */ + public URL getPepsURL() { + return pepsURL; + } + + /** + * Sets the C-PEPS URL + * @param pepsURL C-PEPS URL + */ + public void setPepsURL(URL pepsURL) { + this.pepsURL = pepsURL; + } + + /** + * Returns weather the C-PEPS supports XMl Signatures or not (important for ERnB) + */ + public Boolean isXMLSignatureSupported() { + return isXMLSignatureSupported; + } + + /** + * Sets weather the C-PEPS supports XMl Signatures or not (important for ERnB) + * @param isXMLSignatureSupported C-PEPS XML Signature support + */ + public void setXMLSignatureSupported(boolean isXMLSignatureSupported) { + this.isXMLSignatureSupported = isXMLSignatureSupported; + } + + /** + * Gets the country specific attributes of this C-PEPS + * @return List of country specific attributes + */ + public List getCountrySpecificRequestedAttributes() { + return countrySpecificRequestedAttributes; + } + + /** + * Sets the country specific attributes + * @param countrySpecificRequestedAttributes List of country specific requested attributes + */ + public void setCountrySpecificRequestedAttributes( + List countrySpecificRequestedAttributes) { + this.countrySpecificRequestedAttributes = countrySpecificRequestedAttributes; + } + + /** + * Adds a Requested attribute to the country specific attribute List + * @param countrySpecificRequestedAttribute Additional country specific requested attribute to add + */ + public void addCountrySpecificRequestedAttribute(RequestedAttribute countrySpecificRequestedAttribute) { + this.countrySpecificRequestedAttributes.add(countrySpecificRequestedAttribute); + } + + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/ProtocolAllowed.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/ProtocolAllowed.java new file mode 100644 index 000000000..4f63dca54 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/ProtocolAllowed.java @@ -0,0 +1,91 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.api.data; + +/** + * @author tlenz + * + */ +public class ProtocolAllowed { + + private boolean isSAML1Active = false; + private boolean isPVP21Active = true; + private boolean isOAUTHActive = true; + + /** + * + */ + public ProtocolAllowed() { + + } + + /** + * + */ + public ProtocolAllowed(boolean saml1, boolean pvp21, boolean oauth) { + this.isOAUTHActive = oauth; + this.isPVP21Active = pvp21; + this.isSAML1Active = saml1; + + } + + /** + * @return the isSAML1Active + */ + public boolean isSAML1Active() { + return isSAML1Active; + } + /** + * @param isSAML1Active the isSAML1Active to set + */ + public void setSAML1Active(boolean isSAML1Active) { + this.isSAML1Active = isSAML1Active; + } + /** + * @return the isPVP21Active + */ + public boolean isPVP21Active() { + return isPVP21Active; + } + /** + * @param isPVP21Active the isPVP21Active to set + */ + public void setPVP21Active(boolean isPVP21Active) { + this.isPVP21Active = isPVP21Active; + } + /** + * @return the isOAUTHActive + */ + public boolean isOAUTHActive() { + return isOAUTHActive; + } + /** + * @param isOAUTHActive the isOAUTHActive to set + */ + public void setOAUTHActive(boolean isOAUTHActive) { + this.isOAUTHActive = isOAUTHActive; + } + + + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SAML1ConfigurationParameters.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SAML1ConfigurationParameters.java new file mode 100644 index 000000000..eb709a6f1 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SAML1ConfigurationParameters.java @@ -0,0 +1,276 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.api.data; + +/** + * @author tlenz + * + */ +public class SAML1ConfigurationParameters { + + private boolean isActive = false; + private boolean provideBaseId = false; + private boolean provideAuthBlock = false; + private boolean provideIdl = false; + private boolean provideCertificate = false; + private boolean provideMandate = false; + private boolean provideAllErrors = true; + private boolean useCondition = false; + private String sourceID = null; + private String condition = new String(); + + + /** + * + */ + public SAML1ConfigurationParameters(boolean isActive, + boolean provideBaseId, boolean provideAuthBlock, + boolean provideIdl, boolean provideCertificate, + boolean provideMandate, boolean provideAllErrors, + boolean useCondition, String condition, + String sourceID) { + this.condition = condition; + this.isActive = isActive; + this.provideAllErrors = provideAllErrors; + this.provideAuthBlock = provideAuthBlock; + this.provideBaseId = provideBaseId; + this.provideCertificate = provideCertificate; + this.provideIdl = provideIdl; + this.provideMandate = provideMandate; + this.useCondition = useCondition; + this.sourceID = sourceID; + + } + + + /** + * + */ + public SAML1ConfigurationParameters() { + + } + + + /** + * Gets the value of the isActive property. + * + * @return + * possible object is + * {@link String } + * + */ + public Boolean isIsActive() { + return this.isActive; + } + + /** + * @param isActive the isActive to set + */ + public void setActive(boolean isActive) { + this.isActive = isActive; + } + + + /** + * @param provideBaseId the provideBaseId to set + */ + public void setProvideBaseId(boolean provideBaseId) { + this.provideBaseId = provideBaseId; + } + + + /** + * @param provideAuthBlock the provideAuthBlock to set + */ + public void setProvideAuthBlock(boolean provideAuthBlock) { + this.provideAuthBlock = provideAuthBlock; + } + + + /** + * @param provideIdl the provideIdl to set + */ + public void setProvideIdl(boolean provideIdl) { + this.provideIdl = provideIdl; + } + + + /** + * @param provideCertificate the provideCertificate to set + */ + public void setProvideCertificate(boolean provideCertificate) { + this.provideCertificate = provideCertificate; + } + + + /** + * @param provideMandate the provideMandate to set + */ + public void setProvideMandate(boolean provideMandate) { + this.provideMandate = provideMandate; + } + + + /** + * @param provideAllErrors the provideAllErrors to set + */ + public void setProvideAllErrors(boolean provideAllErrors) { + this.provideAllErrors = provideAllErrors; + } + + + /** + * @param useCondition the useCondition to set + */ + public void setUseCondition(boolean useCondition) { + this.useCondition = useCondition; + } + + + /** + * @param sourceID the sourceID to set + */ + public void setSourceID(String sourceID) { + this.sourceID = sourceID; + } + + + /** + * @param condition the condition to set + */ + public void setCondition(String condition) { + this.condition = condition; + } + + + /** + * Gets the value of the provideStammzahl property. + * + * @return + * possible object is + * {@link String } + * + */ + public Boolean isProvideStammzahl() { + return this.provideBaseId; + } + + /** + * Gets the value of the provideAUTHBlock property. + * + * @return + * possible object is + * {@link String } + * + */ + public Boolean isProvideAUTHBlock() { + return this.provideAuthBlock; + } + + /** + * Gets the value of the provideIdentityLink property. + * + * @return + * possible object is + * {@link String } + * + */ + public Boolean isProvideIdentityLink() { + return this.provideIdl; + } + + /** + * Gets the value of the provideCertificate property. + * + * @return + * possible object is + * {@link String } + * + */ + public Boolean isProvideCertificate() { + return this.provideCertificate; + } + + /** + * Gets the value of the provideFullMandatorData property. + * + * @return + * possible object is + * {@link String } + * + */ + public Boolean isProvideFullMandatorData() { + return this.provideMandate; + } + + /** + * Gets the value of the useCondition property. + * + * @return + * possible object is + * {@link String } + * + */ + public Boolean isUseCondition() { + return this.useCondition; + } + + /** + * Gets the value of the conditionLength property. + * + * @return + * possible object is + * {@link BigInteger } + * + */ + + public int getConditionLength() { + return condition.length(); + } + + /** + * Gets the value of the sourceID property. + * + * @return + * possible object is + * {@link String } + * + */ + public String getSourceID() { + return this.sourceID; + } + + /** + * Gets the value of the provideAllErrors property. + * + * @return + * possible object is + * {@link String } + * + */ + public Boolean isProvideAllErrors() { + return this.provideAllErrors; + } + +} + diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SignatureCreationParameter.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SignatureCreationParameter.java new file mode 100644 index 000000000..9bfd93977 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SignatureCreationParameter.java @@ -0,0 +1,103 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +package at.gv.egovernment.moa.id.commons.api.data; + +import java.util.Properties; + +/** + * Encapsulates signature creation parameters according MOA configuration + * + * @author bzwattendorfer + * + */ +public class SignatureCreationParameter { + + private static final String PROPS_PREFIX = "stork.samlsigningparameter.signaturecreation."; + private static final String PROPS_KEYSTORE_FILE = "keystore.file"; + private static final String PROPS_KEYSTORE_PASS = "keystore.password"; + private static final String PROPS_KEYNAME_NAME = "keyname.name"; + private static final String PROPS_KEYNAME_PASS = "keyname.password"; + + private Properties props; + private String basedirectory; + + public SignatureCreationParameter(Properties props, String basedirectory) { + this.props = props; + this.basedirectory = basedirectory; + } + + /** + * Gets the KeyStore Path + * @return File Path to KeyStore + */ + public String getKeyStorePath() { + return basedirectory + props.getProperty(PROPS_PREFIX+PROPS_KEYSTORE_FILE); + } + + /** + * Gets the KeyStore Password + * @return Password to KeyStore + */ + public String getKeyStorePassword() { + return props.getProperty(PROPS_PREFIX+PROPS_KEYSTORE_PASS); + } + + /** + * Gets the Signing Key Name + * @return Siging Key Name + */ + public String getKeyName() { + return props.getProperty(PROPS_PREFIX+PROPS_KEYNAME_NAME); + } + + /** + * Gets the Signing Key Password + * @return Signing Key Password + */ + public String getKeyPassword() { + return props.getProperty(PROPS_PREFIX+PROPS_KEYNAME_PASS); + } +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SignatureVerificationParameter.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SignatureVerificationParameter.java new file mode 100644 index 000000000..f408ea7fe --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/SignatureVerificationParameter.java @@ -0,0 +1,53 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +/** + * + */ +package at.gv.egovernment.moa.id.commons.api.data; + +/** + * Encapsulates Signature Verification data for STORK according MOA configuration + * + * @author bzwattendorfer + * + */ +public class SignatureVerificationParameter { + + /** ID of the MOA-SP TrustProfile to be used for STORK SAML signature verification */ + private String trustProfileID; + + public SignatureVerificationParameter(String trustProfileID2) { + this.trustProfileID = trustProfileID2; + } + + /** + * Gets the MOA-SP TrustProfileID + * @return TrustProfileID of MOA-SP for STORK signature verification + */ + public String getTrustProfileID() { + return trustProfileID; + } + + + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/StorkAttribute.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/StorkAttribute.java new file mode 100644 index 000000000..1bbb7d3fe --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/StorkAttribute.java @@ -0,0 +1,27 @@ +package at.gv.egovernment.moa.id.commons.api.data; + +public class StorkAttribute { + + protected Boolean mandatory; + protected String name; + + public StorkAttribute(String name, boolean mandatory) { + this.name = name; + this.mandatory = mandatory; + } + + public Boolean getMandatory() { + return mandatory; + } + public void setMandatory(Boolean mandatory) { + this.mandatory = mandatory; + } + public String getName() { + return name; + } + public void setName(String name) { + this.name = name; + } + + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/StorkAttributeProviderPlugin.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/StorkAttributeProviderPlugin.java new file mode 100644 index 000000000..070d304a6 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/data/StorkAttributeProviderPlugin.java @@ -0,0 +1,81 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.api.data; + +/** + * @author tlenz + * + */ +public class StorkAttributeProviderPlugin { + private String name = null; + private String url = null; + private String attributes = null; + + /** + * + */ + public StorkAttributeProviderPlugin(String name, String url, String attributes) { + this.name = name; + this.url = url; + this.attributes = attributes; + } + + /** + * @return the name + */ + public String getName() { + return name; + } + /** + * @param name the name to set + */ + public void setName(String name) { + this.name = name; + } + /** + * @return the url + */ + public String getUrl() { + return url; + } + /** + * @param url the url to set + */ + public void setUrl(String url) { + this.url = url; + } + /** + * @return the attributes + */ + public String getAttributes() { + return attributes; + } + /** + * @param attributes the attributes to set + */ + public void setAttributes(String attributes) { + this.attributes = attributes; + } + + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/ConfigurationException.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/ConfigurationException.java new file mode 100644 index 000000000..e8f6da323 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/ConfigurationException.java @@ -0,0 +1,78 @@ +package at.gv.egovernment.moa.id.commons.api.exceptions; +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + +/** + * Exception signalling an error in the configuration. + * + * @author Patrick Peck + * @version $Id$ + */ +public class ConfigurationException extends MOAIDException { + + /** + * + */ + private static final long serialVersionUID = -7199539463319751278L; + +/** + * Create a MOAConfigurationException. + */ + public ConfigurationException(String messageId, Object[] parameters) { + super(messageId, parameters); + } + + /** + * Create a MOAConfigurationException. + */ + public ConfigurationException( + String messageId, + Object[] parameters, + Throwable wrapped) { + + super(messageId, parameters, wrapped); + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/MOAIDException.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/MOAIDException.java new file mode 100644 index 000000000..955b0f5ea --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/MOAIDException.java @@ -0,0 +1,222 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.commons.api.exceptions; + +import java.io.PrintStream; +import java.io.PrintWriter; + +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; + +import org.w3c.dom.DOMImplementation; +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; +import at.gv.egovernment.moa.util.Constants; + +/** + * Base class of technical MOA exceptions. + * + * Technical exceptions are exceptions that originate from system failure (e.g., + * a database connection fails, a component is not available, etc.) + * + * @author Patrick Peck, Ivancsics Paul + * @version $Id$ + */ +public class MOAIDException extends Exception { + /** + * + */ + private static final long serialVersionUID = -1507246171708083912L; +/** message ID */ + private String messageId; + /** wrapped exception */ + private Throwable wrapped; + + private Object[] parameters; + + /** + * Create a new MOAIDException. + * + * @param messageId The identifier of the message associated with this + * exception. + * @param parameters Additional message parameters. + */ + public MOAIDException(String messageId, Object[] parameters) { + super(MOAIDMessageProvider.getInstance().getMessage(messageId, parameters)); + this.messageId = messageId; + this.parameters = parameters; + } + + /** + * Create a new MOAIDException. + * + * @param messageId The identifier of the message associated with this + * MOAIDException. + * @param parameters Additional message parameters. + * @param wrapped The exception wrapped by this + * MOAIDException. + */ + public MOAIDException( + String messageId, + Object[] parameters, + Throwable wrapped) { + + super(MOAIDMessageProvider.getInstance().getMessage(messageId, parameters)); + this.messageId = messageId; + this.wrapped = wrapped; + this.parameters = parameters; + } + + /** + * Print a stack trace of this exception to System.err. + * + * @see java.lang.Throwable#printStackTrace() + */ + public void printStackTrace() { + printStackTrace(System.err); + } + + /** + * Print a stack trace of this exception, including the wrapped exception. + * + * @param s The stream to write the stack trace to. + * @see java.lang.Throwable#printStackTrace(java.io.PrintStream) + */ + public void printStackTrace(PrintStream s) { + if (getWrapped() == null) + super.printStackTrace(s); + else { + s.print("Root exception: "); + getWrapped().printStackTrace(s); + } + } + + /** + * Print a stack trace of this exception, including the wrapped exception. + * + * @param s The stream to write the stacktrace to. + * @see java.lang.Throwable#printStackTrace(java.io.PrintWriter) + */ + public void printStackTrace(PrintWriter s) { + if (getWrapped() == null) + super.printStackTrace(s); + else { + s.print("Root exception: "); + getWrapped().printStackTrace(s); + } + } + + /** + * @return message ID + */ + public String getMessageId() { + return messageId; + } + + /** + * @return wrapped exception + */ + public Throwable getWrapped() { + return wrapped; + } + + + + /** + * @return the parameters + */ +public Object[] getParameters() { + return parameters; +} + +/** + * Convert this MOAIDException to an ErrorResponse + * element from the MOA namespace. + * + * @return An ErrorResponse element, containing the subelements + * ErrorCode and Info required by the MOA schema. + */ + public Element toErrorResponse() { + DocumentBuilder builder; + DOMImplementation impl; + Document doc; + Element errorResponse; + Element errorCode; + Element info; + + // create a new document + try { + builder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); + impl = builder.getDOMImplementation(); + } catch (ParserConfigurationException e) { + return null; + } + + // build the ErrorResponse element + doc = impl.createDocument(Constants.MOA_NS_URI, "ErrorResponse", null); + errorResponse = doc.getDocumentElement(); + + // add MOA namespace declaration + errorResponse.setAttributeNS( + Constants.XMLNS_NS_URI, + "xmlns", + Constants.MOA_NS_URI); + + // build the child elements + errorCode = doc.createElementNS(Constants.MOA_NS_URI, "ErrorCode"); + errorCode.appendChild(doc.createTextNode(messageId)); + info = doc.createElementNS(Constants.MOA_NS_URI, "Info"); + info.appendChild(doc.createTextNode(toString())); + errorResponse.appendChild(errorCode); + errorResponse.appendChild(info); + return errorResponse; + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/SessionDataStorageException.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/SessionDataStorageException.java new file mode 100644 index 000000000..9414556a2 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/api/exceptions/SessionDataStorageException.java @@ -0,0 +1,45 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.commons.api.exceptions; + +/** + * @author tlenz + * + */ +public class SessionDataStorageException extends MOAIDException { + + /** + * + */ + private static final long serialVersionUID = 5743057708136365929L; + + /** + * @param messageId + * @param parameters + */ + public SessionDataStorageException(String messageId, Object[] parameters) { + super(messageId, parameters); + + } + +} diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAIDMessageProvider.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAIDMessageProvider.java new file mode 100644 index 000000000..4d8a07a55 --- /dev/null +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/utils/MOAIDMessageProvider.java @@ -0,0 +1,104 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2003 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +package at.gv.egovernment.moa.id.commons.utils; + +import java.util.Locale; + +import at.gv.egovernment.moa.util.Messages; + +/** + * A singleton wrapper around a Message object, providing the messages used in MOA-ID. + * + * @author Paul Ivancsics + * @version $Id$ + */ +public class MOAIDMessageProvider { + + /** DEFAULT_MESSAGE_RESOURCES are resources/properties/id_messages */ + private static final String[] DEFAULT_MESSAGE_RESOURCES = + { "resources/properties/id_messages" }; + /** DEFAULT_MESSAGE_LOCALES are "de", "AT" */ + private static final Locale[] DEFAULT_MESSAGE_LOCALES = + new Locale[] { new Locale("de", "AT") }; + /** The instance for our singleton */ + private static MOAIDMessageProvider instance; + /** The Messages */ + private Messages messages; + + /** + * Returns the single instance of MOAIDMessageProvider. + * + * @return the single instance of MOAIDMessageProvider + */ + public static MOAIDMessageProvider getInstance() { + if (instance == null) + instance = new MOAIDMessageProvider(DEFAULT_MESSAGE_RESOURCES, DEFAULT_MESSAGE_LOCALES); + return instance; + } + + /** + * Create a MOAIDMessageProvider. + * + * @param resourceNames The names of the resources containing the messages. + * @param locales The corresponding locales. + */ + protected MOAIDMessageProvider(String[] resourceNames, Locale[] locales) { + this.messages = new Messages(resourceNames, locales); + } + + /** + * Get the message corresponding to a given message ID. + * + * @param messageId The ID of the message. + * @param parameters The parameters to fill in into the message arguments. + * @return The formatted message. + */ + public String getMessage(String messageId, Object[] parameters) { + return messages.getMessage(messageId, parameters); + } + +} diff --git a/id/server/moa-id-frontend-resources/pom.xml b/id/server/moa-id-frontend-resources/pom.xml index 4107e98e3..64ebc14b6 100644 --- a/id/server/moa-id-frontend-resources/pom.xml +++ b/id/server/moa-id-frontend-resources/pom.xml @@ -12,7 +12,7 @@ jar MOA-ID-Auth FrontEnd-Resources - Static FrontEnd resources for MOA-ID-Auth + FrontEnd resources for MOA-ID-Auth EGIZ https://www.egiz.gv.at @@ -29,7 +29,12 @@ ${basedir}/../../../../repository - + + + MOA.id.server + moa-id-commons + + org.springframework spring-webmvc @@ -40,6 +45,20 @@ + + + org.apache.velocity + velocity + 1.7 + + + + javax.servlet + javax.servlet-api + provided + + + \ No newline at end of file diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java new file mode 100644 index 000000000..71a4837d4 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/AbstractGUIFormBuilderConfiguration.java @@ -0,0 +1,106 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.builder; + +import java.util.HashMap; +import java.util.Map; + +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public abstract class AbstractGUIFormBuilderConfiguration implements IGUIBuilderConfiguration { + + public static final String PARAM_AUTHCONTEXT = "contextPath"; + public static final String PARAM_FORMSUBMITENDPOINT = "submitEndpoint"; + + public static final String PARAM_PENDINGREQUESTID = "pendingReqID"; + + private String authURL = null; + private String viewName = null; + private String formSubmitEndpoint = null; + + /** + * @param authURL IDP PublicURL-Prefix which should be used, but never null + * @param viewName Name of the template (with suffix) but never null + * @param formSubmitEndpoint EndPoint on which the form should be submitted, + * or null if the form must not submitted + * + */ + public AbstractGUIFormBuilderConfiguration(String authURL, String viewName, String formSubmitEndpoint) { + this.viewName = viewName; + + if (authURL.endsWith("/")) + this.authURL = authURL.substring(0, authURL.length() - 1); + else + this.authURL = authURL; + + if (MiscUtil.isNotEmpty(formSubmitEndpoint)) { + if (formSubmitEndpoint.startsWith("/")) + this.formSubmitEndpoint = formSubmitEndpoint; + else + this.formSubmitEndpoint = "/" + formSubmitEndpoint; + } + } + + + /** + * Define the parameters, which should be evaluated in the template + * + * @return Map of parameters, which should be added to template + */ + abstract protected Map getSpecificViewParameters(); + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewName() + */ + @Override + public final String getViewName() { + return this.viewName; + + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters() + */ + @Override + public final Map getViewParameters() { + //get parameters from detail implementation + Map specParams = getSpecificViewParameters(); + if (specParams == null) + specParams = new HashMap(); + + //add generic parameters + specParams.put(PARAM_AUTHCONTEXT, this.authURL); + if (this.formSubmitEndpoint != null) + specParams.put(PARAM_FORMSUBMITENDPOINT, this.formSubmitEndpoint); + + return specParams; + + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java new file mode 100644 index 000000000..2c2792b84 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/DefaultGUIFormBuilderConfiguration.java @@ -0,0 +1,120 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.builder; + +import java.io.InputStream; +import java.util.HashMap; +import java.util.Map; + +import at.gv.egovernment.moa.id.commons.api.IRequest; + +/** + * This class builds MOA-ID GUI forms from default resource paths + * + * @author tlenz + * + */ +public class DefaultGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration { + + public static final String VIEW_REDIRECT = "redirectForm.html"; + public static final String VIEW_ERRORMESSAGE = "error_message.html"; + public static final String VIEW_SINGLELOGOUT = "slo_template.html"; + public static final String VIEW_SSO_SESSION_TRANSFER = "sso_transfer_template.html"; + + private IRequest pendingReq; + private Map customParameters = null; + + + /** + * @param authURL PublicURLPrefix of the IDP but never null + * @param viewName Name of the template (with suffix) but never null + * @param formSubmitEndpoint EndPoint on which the form should be submitted, + * or null if the form must not submitted + */ + public DefaultGUIFormBuilderConfiguration(String authURL, String viewName, String formSubmitEndpoint) { + super(authURL, viewName, formSubmitEndpoint); + } + + /** + * @param Current processed pending-request DAO but never null + * @param viewName Name of the template (with suffix) but never null + * @param formSubmitEndpoint EndPoint on which the form should be submitted, + * or null if the form must not submitted + */ + public DefaultGUIFormBuilderConfiguration(IRequest pendingReq, String viewName, String formSubmitEndpoint) { + super(pendingReq.getAuthURL(), viewName, formSubmitEndpoint); + this.pendingReq = pendingReq; + + + } + + public void putCustomParameter(String key, Object value) { + if (customParameters == null) + customParameters = new HashMap(); + + customParameters.put(key, value); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters() + */ + @Override + public Map getSpecificViewParameters() { + Map params = new HashMap(); + if (pendingReq != null) { + params.put(PARAM_PENDINGREQUESTID, pendingReq.getRequestID()); + + } + if (customParameters != null) + params.putAll(customParameters); + + return params; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String) + */ + @Override + public InputStream getTemplate(String viewName) { + return null; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getContentType() + */ + @Override + public String getDefaultContentType() { + return null; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getClasspathTemplateDir() + */ + @Override + public String getClasspathTemplateDir() { + return null; + + } +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java new file mode 100644 index 000000000..862c7edcf --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/GUIFormBuilderImpl.java @@ -0,0 +1,221 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.builder; + +import java.io.BufferedReader; +import java.io.File; +import java.io.FileInputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.io.StringWriter; +import java.net.URI; +import java.util.Iterator; +import java.util.Map; +import java.util.Map.Entry; + +import javax.servlet.http.HttpServletResponse; + +import org.apache.velocity.VelocityContext; +import org.apache.velocity.app.VelocityEngine; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.stereotype.Service; + +import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; +import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +@Service("guiFormBuilder") +public class GUIFormBuilderImpl implements IGUIFormBuilder { + + private static final String DEFAULT_CONTENT_TYPE = "text/html;charset=UTF-8"; + private static final String CONFIG_HTMLTEMPLATES_DIR = "htmlTemplates"; + private static final String CLASSPATH_HTMLTEMPLATES_DIR = "templates"; + + @Autowired private AuthConfiguration authConfig; + private VelocityEngine engine; + + public GUIFormBuilderImpl() throws GUIBuildException { + try { + engine = VelocityProvider.getClassPathVelocityEngine(); + + } catch (Exception e) { + Logger.fatal("Initialization of Velocity-Engine to render GUI components FAILED.", e); + throw new GUIBuildException("Initialization of Velocity-Engine to render GUI components FAILED.", e); + + } + + } + + public void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, String loggerName) throws GUIBuildException { + build(httpResp, config, getInternalContentType(config), loggerName); + + } + + + @Override + public void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, + String contentType, String loggerName) throws GUIBuildException { + + InputStream is = null; + try { + String viewName = config.getViewName(); + + //load Tempate + is = getInternalTemplate(config); + if (is == null) { + Logger.warn("No GUI with viewName:" + viewName + " FOUND."); + throw new GUIBuildException("No GUI with viewName:" + viewName + " FOUND."); + + } + + //build Velocity Context from input paramters + VelocityContext context = buildContextFromViewParams(config.getViewParameters()); + + //evaluate template + StringWriter writer = new StringWriter(); + engine.evaluate(context, writer, loggerName, new BufferedReader(new InputStreamReader(is))); + + //write template to response + httpResp.setStatus(HttpServletResponse.SC_OK); + httpResp.setContentType(contentType); + httpResp.getOutputStream().write(writer.toString().getBytes("UTF-8")); + + } catch (IOException e) { + Logger.error("GUI form-builder has an internal error.", e); + throw new GUIBuildException("GUI form-builder has an internal error.", e); + + } finally { + if (is != null) + try { + is.close(); + + } catch (IOException e) { + Logger.error("Can NOT close GUI-Template InputStream.", e); + + } + } + + } + + private String getInternalContentType(IGUIBuilderConfiguration config) { + if (MiscUtil.isEmpty(config.getDefaultContentType())) + return DEFAULT_CONTENT_TYPE; + + else + return config.getDefaultContentType(); + + } + + private InputStream getInternalTemplate(IGUIBuilderConfiguration config) throws GUIBuildException { + String viewName = config.getViewName(); + + //load specific template + InputStream is = config.getTemplate(viewName); + + if (is == null) { + //load template from default resources + try { + Logger.trace("Loading GUI template:" + viewName + " from default resources ... "); + String pathLocation = null; + try { + //load template from config directory + String rootconfigdir = authConfig.getRootConfigFileDir(); + pathLocation = rootconfigdir + CONFIG_HTMLTEMPLATES_DIR + + viewName; + File file = new File(new URI(pathLocation)); + is = new FileInputStream(file); + + } catch (Exception e) { + //load template from classpath as backup + Logger.info("GUI template:" + viewName + " is not found in configuration directory. " + + " Load template from project library ... "); + try { + pathLocation = getInternalClasspathTemplateDir(config) + viewName; + is = Thread.currentThread() + .getContextClassLoader() + .getResourceAsStream(pathLocation); + + } catch (Exception e1) { + Logger.error("GUI template:" + pathLocation + " is NOT loadable!", e); + throw new GUIBuildException("GUI template:" + pathLocation + " is NOT loadable!", e); + + } + } + + } catch (GUIBuildException e) { + throw e; + + } catch (Exception e) { + Logger.error("GUI builder has an internal error during template load operation", e); + throw new GUIBuildException("GUI builder has an internal error during template load operation", e); + + } + } + + return is; + + } + + + /** + * @return + */ + private String getInternalClasspathTemplateDir(IGUIBuilderConfiguration config) { + String dir = config.getClasspathTemplateDir(); + if (dir != null) { + if (!dir.endsWith("/")) + dir += "/"; + + return dir; + + } else + return CLASSPATH_HTMLTEMPLATES_DIR; + } + + /** + * @param viewParams + * @return + */ + private VelocityContext buildContextFromViewParams(Map viewParams) { + VelocityContext context = new VelocityContext(); + + if (viewParams != null) { + Iterator> interator = viewParams.entrySet().iterator(); + while (interator.hasNext()) { + Entry el = interator.next(); + context.put(el.getKey(), el.getValue()); + } + + } + + return context; + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIBuilderConfiguration.java new file mode 100644 index 000000000..51f6295c7 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIBuilderConfiguration.java @@ -0,0 +1,74 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.builder; + +import java.io.InputStream; +import java.util.Map; + +/** + * @author tlenz + * + */ +public interface IGUIBuilderConfiguration { + + + /** + * Define the name of the template (with suffix) which should be used + * + * @return templatename, but never null + */ + public String getViewName(); + + /** + * Define the parameters, which should be evaluated in the template + * + * @return Map of parameters, which should be added to template + */ + public Map getViewParameters(); + + + /** + * Get a specific classpath template-directory prefix, which is used + * to load a template from classpath by using ClassLoader.getResourceAsStream(...) + * + * @return Classpath directory, or null if the default directory should be used + */ + public String getClasspathTemplateDir(); + + /** + * Get the GUI template with a specific name + * + * @param viewName Name of the template + * @return Tempate as InputStream, or null if default getTemplate method should be used + */ + public InputStream getTemplate(String viewName); + + /** + * Get the contentType, which should be set in HTTP response + *

+ * DefaultValue: text/html;charset=UTF-8 + * + * @return ContentType, or null if default ContentType should be used. + */ + public String getDefaultContentType(); +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java new file mode 100644 index 000000000..198220e97 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/IGUIFormBuilder.java @@ -0,0 +1,67 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.builder; + +import javax.servlet.http.HttpServletResponse; + +import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; + +/** + * @author tlenz + * + */ +public interface IGUIFormBuilder { + + /** + * Parse a GUI template, with parameters into a http servlet-response + * and use the default http-response content-type. + *

+ * The parser use the VelocityEngine as internal template evaluator. + * + * @param httpResp http-response object + * @param viewName Name of the template (with suffix), which should be used. + * The template is selected by using the getTemplate(String viewName) method + * @param viewParams Map of parameters, which should be added to template + * @param loggerName String, which should be used from logger + * + * @throws GUIBuildException + */ + public void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, String loggerName) throws GUIBuildException; + + /** + * Parse a GUI template, with parameters into a http servlet-response. + *

+ * The parser use the VelocityEngine as internal template evaluator. + * + * @param httpResp http-response object + * @param viewName Name of the template (with suffix), which should be used. + * The template is selected by using the getTemplate(String viewName) method + * @param viewParams Map of parameters, which should be added to template + * @param contentType http-response content-type, which should be set + * @param loggerName String, which should be used from logger + * + * @throws GUIBuildException + */ + void build(HttpServletResponse httpResp, IGUIBuilderConfiguration config, String contentType, + String loggerName) throws GUIBuildException; +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java new file mode 100644 index 000000000..73a0e7691 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/builder/ServiceProviderSpecificGUIFormBuilderConfiguration.java @@ -0,0 +1,186 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.builder; + +import java.io.ByteArrayInputStream; +import java.io.InputStream; +import java.util.HashMap; +import java.util.Map; + +import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.data.CPEPS; +import at.gv.egovernment.moa.logging.Logger; +import at.gv.egovernment.moa.util.MiscUtil; + +/** + * @author tlenz + * + */ +public class ServiceProviderSpecificGUIFormBuilderConfiguration extends AbstractGUIFormBuilderConfiguration { + + public static final String VIEW_BKUSELECTION = "/loginFormFull.html"; + public static final String VIEW_SENDASSERTION = "/sendAssertionFormFull.html"; + public static final String VIEW_TEMPLATE_CSS = "/css_template.css"; + public static final String VIEW_TEMPLATE_JS = "/javascript_tempalte.js"; + + public static final String PARAM_BKU_ONLINE = "bkuOnline"; + public static final String PARAM_BKU_HANDY = "bkuLocal"; + public static final String PARAM_BKU_LOCAL = "bkuHandy"; + + public static final String PARAM_OANAME = "OAName"; + public static final String PARAM_COUNTRYLIST = "countryList"; + + private IRequest pendingReq = null; + + /** + * @param authURL PublicURLPrefix of the IDP but never null + * @param viewName Name of the template (with suffix) but never null + * @param formSubmitEndpoint EndPoint on which the form should be submitted, + * or null if the form must not submitted + */ + public ServiceProviderSpecificGUIFormBuilderConfiguration(String authURL, String viewName, + String formSubmitEndpoint) { + super(authURL, viewName, formSubmitEndpoint); + + } + + /** + * @param Current processed pending-request DAO but never null + * @param viewName Name of the template (with suffix) but never null + * @param formSubmitEndpoint EndPoint on which the form should be submitted, + * or null if the form must not submitted + */ + public ServiceProviderSpecificGUIFormBuilderConfiguration(IRequest pendingReq, String viewName, + String formSubmitEndpoint) { + super(pendingReq.getAuthURL(), viewName, formSubmitEndpoint); + this.pendingReq = pendingReq; + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.builder.IGUIBuilderConfiguration#getViewParameters() + */ + @Override + public Map getSpecificViewParameters() { + Map params = new HashMap(); + params.put(PARAM_BKU_ONLINE, IOAAuthParameters.ONLINEBKU); + params.put(PARAM_BKU_HANDY, IOAAuthParameters.HANDYBKU); + params.put(PARAM_BKU_LOCAL, IOAAuthParameters.LOCALBKU); + + if (pendingReq != null) { + params.put(PARAM_PENDINGREQUESTID, pendingReq.getRequestID()); + + //add service-provider specific GUI parameters + IOAAuthParameters oaParam = pendingReq.getOnlineApplicationConfiguration(); + if (oaParam != null) { + params.put(PARAM_OANAME, oaParam.getFriendlyName()); + + + if (oaParam.isShowStorkLogin()) + addCountrySelection(params, oaParam); + + FormBuildUtils.customiceLayoutBKUSelection(params, oaParam); + + } else + FormBuildUtils.defaultLayoutBKUSelection(params); + + + } else { + //add default GUI parameters + FormBuildUtils.defaultLayoutBKUSelection(params); + + } + + return params; + } + + /** + * @param params + * @param oaParam + */ + private void addCountrySelection(Map params, IOAAuthParameters oaParam) { + String pepslist = ""; + try { + for (CPEPS current : oaParam.getPepsList()) { + String countryName = null; + if (MiscUtil.isNotEmpty(MOAIDAuthConstants.COUNTRYCODE_XX_TO_NAME.get(current.getCountryCode().toUpperCase()))) + countryName = MOAIDAuthConstants.COUNTRYCODE_XX_TO_NAME.get(current.getCountryCode().toUpperCase()); + else + countryName = current.getCountryCode().toUpperCase(); + + pepslist += "\n"; + + } + params.put(PARAM_COUNTRYLIST, pepslist); + + } catch (NullPointerException e) { + Logger.warn("Can not at Countries to GUI. Msg:" + e.getMessage()); + + } + + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getClasspathTemplateDir() + */ + @Override + public String getClasspathTemplateDir() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getTemplate(java.lang.String) + */ + @Override + public InputStream getTemplate(String viewName) { + if (pendingReq != null && pendingReq.getOnlineApplicationConfiguration() != null) { + + byte[] oatemplate = null; + if (VIEW_BKUSELECTION.equals(viewName)) + oatemplate = pendingReq.getOnlineApplicationConfiguration().getBKUSelectionTemplate(); + + else if (VIEW_SENDASSERTION.equals(viewName)) + oatemplate = pendingReq.getOnlineApplicationConfiguration().getSendAssertionTemplate(); + + // OA specific template requires a size of 8 bits minimum + if (oatemplate != null && oatemplate.length > 7) + return new ByteArrayInputStream(oatemplate); + } + + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.auth.frontend.AbstractGUIFormBuilder#getDefaultContentType() + */ + @Override + public String getDefaultContentType() { + return null; + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/exception/GUIBuildException.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/exception/GUIBuildException.java new file mode 100644 index 000000000..fff458546 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/exception/GUIBuildException.java @@ -0,0 +1,46 @@ +/* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ +package at.gv.egovernment.moa.id.auth.frontend.exception; + +/** + * @author tlenz + * + */ +public class GUIBuildException extends Exception { + + private static final long serialVersionUID = -278663750102498205L; + + /** + * @param string + */ + public GUIBuildException(String msg) { + super(msg); + + } + + public GUIBuildException(String msg, Throwable e) { + super(msg, e); + + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/utils/FormBuildUtils.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/utils/FormBuildUtils.java new file mode 100644 index 000000000..71093a4d3 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/utils/FormBuildUtils.java @@ -0,0 +1,178 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.auth.frontend.utils; + + +import java.util.HashMap; +import java.util.Map; + +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; +import at.gv.egovernment.moa.util.MiscUtil; + +public class FormBuildUtils { + + private static Map defaultmap = null; + + public static String PARAM_MAIN_BACKGROUNDCOLOR = "MAIN_BACKGOUNDCOLOR"; + public static String PARAM_MAIN_COLOR = "MAIN_COLOR"; + public static String PARAM_HEADER_BACKGROUNDCOLOR = "HEADER_BACKGROUNDCOLOR"; + public static String PARAM_HEADER_COLOR = "HEADER_COLOR"; + public static String PARAM_BUTTON_BACKGROUNDCOLOR = "BUTTON_BACKGROUNDCOLOR"; + public static String PARAM_BUTTON_BACKGROUNDCOLOR_FOCUS = "BUTTON_BACKGROUNDCOLOR_FOCUS"; + public static String PARAM_BUTTON_COLOR = "BUTTON_COLOR"; + public static String PARAM_FONTFAMILY = "FONTTYPE"; + public static String PARAM_HEADER_TEXT = "HEADER_TEXT"; + public static String PARAM_REDIRECTTARGET = "REDIRECTTARGET"; + public static String PARAM_APPLET_HEIGHT = "APPLETHEIGHT"; + public static String PARAM_APPLET_WIDTH = "APPLETWIDTH"; + + private static String PARAM_MANDATEVISIBLE = "MANDATEVISIBLE"; + private static String PARAM_MANDATECHECKED = "MANDATECHECKED"; + + private static String PARAM_STORKVISIBLE = "STORKVISIBLE"; + + private static final String TEMPLATEVISIBLE = " display: none"; + private static final String TEMPLATEDISABLED = "disabled=\"true\""; + private static final String TEMPLATECHECKED = "checked=\"true\""; + private static final String TEMPLATE_ARIACHECKED = "aria-checked="; + + + static { + if (defaultmap == null) { + defaultmap = new HashMap(); + defaultmap.put(PARAM_MAIN_BACKGROUNDCOLOR, "#F7F8F7"); + defaultmap.put(PARAM_MAIN_COLOR, "#000000"); + + defaultmap.put(PARAM_HEADER_BACKGROUNDCOLOR, "#C3D2E2"); + defaultmap.put(PARAM_HEADER_COLOR, "#000000"); + defaultmap.put(PARAM_HEADER_TEXT, "Login"); + + defaultmap.put(PARAM_BUTTON_BACKGROUNDCOLOR, "#EBEBEB"); + defaultmap.put(PARAM_BUTTON_BACKGROUNDCOLOR_FOCUS, "#EBEBEB"); + defaultmap.put(PARAM_BUTTON_COLOR, "#000000"); + + defaultmap.put(PARAM_FONTFAMILY, "Verdana,Geneva,Arial,sans-serif"); + + defaultmap.put(PARAM_REDIRECTTARGET, "_top"); + } + } + + public static void customiceLayoutBKUSelection(Map params, IOAAuthParameters oaParam) { + + if (oaParam.isShowMandateCheckBox()) + params.put(PARAM_MANDATEVISIBLE, ""); + else + params.put(PARAM_MANDATEVISIBLE, TEMPLATEVISIBLE); + + if (oaParam.isOnlyMandateAllowed()) { + params.put(PARAM_MANDATECHECKED, TEMPLATECHECKED + " " + + TEMPLATEDISABLED + " " +TEMPLATE_ARIACHECKED + "\"true\""); + + } else + params.put(PARAM_MANDATECHECKED, TEMPLATE_ARIACHECKED + "\"false\""); + + if (oaParam.isShowStorkLogin()) + params.put(PARAM_STORKVISIBLE, ""); + else + params.put(PARAM_STORKVISIBLE, TEMPLATEVISIBLE); + + //add more SP specific infos + setFormCustomizatenFromSP(params, oaParam); + + //format parameter-value for fontss + String fonttype = (String) params.get(PARAM_FONTFAMILY); + if (MiscUtil.isNotEmpty(fonttype)) { + String[] fonttypeList = fonttype.split(","); + String fonttypeformated = "\"" + fonttypeList[0].trim().replace("\"", "") + "\""; + + for (int i=1; i getDefaultMap() { + return defaultmap; + } + + /** + * @param value + * @return + */ + public static void defaultLayoutBKUSelection(Map params) { + params.put(PARAM_MANDATEVISIBLE, TEMPLATEVISIBLE); + params.put(PARAM_MANDATECHECKED, TEMPLATE_ARIACHECKED + "\"false\""); + params.put(PARAM_STORKVISIBLE, TEMPLATEVISIBLE); + + params.putAll(getDefaultMap()); + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getFormCustomizaten() + */ + private static void setFormCustomizatenFromSP(Map params, IOAAuthParameters spConfig) { + params.putAll(FormBuildUtils.getDefaultMap()); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BACKGROUNDCOLOR))) + params.put(FormBuildUtils.PARAM_MAIN_BACKGROUNDCOLOR, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BACKGROUNDCOLOR)); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BUTTONBACKGROUNDCOLOR))) + params.put(FormBuildUtils.PARAM_BUTTON_BACKGROUNDCOLOR, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BUTTONBACKGROUNDCOLOR)); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BUTTONBACLGROUNDCOLORFOCUS))) + params.put(FormBuildUtils.PARAM_BUTTON_BACKGROUNDCOLOR_FOCUS, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BUTTONBACLGROUNDCOLORFOCUS)); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BUTTONFRONTCOLOR))) + params.put(FormBuildUtils.PARAM_BUTTON_COLOR, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BUTTONFRONTCOLOR)); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_FONTTYPE))) + params.put(FormBuildUtils.PARAM_FONTFAMILY, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_FONTTYPE)); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_FRONTCOLOR))) + params.put(FormBuildUtils.PARAM_MAIN_COLOR, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_FRONTCOLOR)); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_HEADERBACKGROUNDCOLOR))) + params.put(FormBuildUtils.PARAM_HEADER_BACKGROUNDCOLOR, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_HEADERBACKGROUNDCOLOR)); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_HEADERFRONTCOLOR))) + params.put(FormBuildUtils.PARAM_HEADER_COLOR, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_HEADERFRONTCOLOR)); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_HEADERTEXT))) + params.put(FormBuildUtils.PARAM_HEADER_TEXT, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_HEADERTEXT)); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETREDIRECTTARGET))) + params.put(FormBuildUtils.PARAM_REDIRECTTARGET, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETREDIRECTTARGET)); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETHEIGHT))) + params.put(FormBuildUtils.PARAM_APPLET_HEIGHT, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETHEIGHT)); + + if (MiscUtil.isNotEmpty(spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETWIDTH))) + params.put(FormBuildUtils.PARAM_APPLET_WIDTH, spConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETWIDTH)); + + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityLogAdapter.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityLogAdapter.java new file mode 100644 index 000000000..3d5c5ed2f --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityLogAdapter.java @@ -0,0 +1,99 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + *******************************************************************************/ +package at.gv.egovernment.moa.id.auth.frontend.velocity; + +import org.apache.velocity.app.Velocity; +import org.apache.velocity.runtime.RuntimeServices; +import org.apache.velocity.runtime.log.LogChute; + +import at.gv.egovernment.moa.logging.Logger; + +public class VelocityLogAdapter implements LogChute { + + public VelocityLogAdapter() { + try + { + /* + * register this class as a logger with the Velocity singleton + * (NOTE: this would not work for the non-singleton method.) + */ + Velocity.setProperty(Velocity.RUNTIME_LOG_LOGSYSTEM, this ); + Velocity.init(); + } + catch (Exception e) + { + Logger.error("Failed to register Velocity logger"); + } + } + + public void init(RuntimeServices arg0) throws Exception { + } + + public boolean isLevelEnabled(int arg0) { + switch(arg0) { + case LogChute.DEBUG_ID: + return Logger.isDebugEnabled(); + case LogChute.TRACE_ID: + return Logger.isTraceEnabled(); + default: + return true; + } + } + + public void log(int arg0, String arg1) { + switch(arg0) { + case LogChute.DEBUG_ID: + Logger.debug(arg1); + break; + case LogChute.TRACE_ID: + Logger.trace(arg1); + break; + case LogChute.INFO_ID: + Logger.info(arg1); + break; + case LogChute.WARN_ID: + Logger.warn(arg1); + break; + case LogChute.ERROR_ID: + default: + Logger.error(arg1); + break; + } + } + + public void log(int arg0, String arg1, Throwable arg2) { + switch(arg0) { + case LogChute.DEBUG_ID: + case LogChute.TRACE_ID: + case LogChute.INFO_ID: + case LogChute.WARN_ID: + Logger.warn(arg1, arg2); + break; + case LogChute.ERROR_ID: + default: + Logger.error(arg1, arg2); + break; + } + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java new file mode 100644 index 000000000..022c144f0 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/java/at/gv/egovernment/moa/id/auth/frontend/velocity/VelocityProvider.java @@ -0,0 +1,113 @@ +/******************************************************************************* + * Copyright 2014 Federal Chancellery Austria + * MOA-ID has been developed in a cooperation between BRZ, the Federal + * Chancellery Austria - ICT staff unit, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + ******************************************************************************/ +/* + * Copyright 2011 by Graz University of Technology, Austria + * The Austrian STORK Modules have been developed by the E-Government + * Innovation Center EGIZ, a joint initiative of the Federal Chancellery + * Austria and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by + * the European Commission - subsequent versions of the EUPL (the "Licence"); + * You may not use this work except in compliance with the Licence. + * You may obtain a copy of the Licence at: + * http://www.osor.eu/eupl/ + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the Licence is distributed on an "AS IS" basis, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the Licence for the specific language governing permissions and + * limitations under the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text + * file for details on the various modules and licenses. + * The "NOTICE" text file is part of the distribution. Any derivative works + * that you distribute must include a readable copy of the "NOTICE" text file. + */ + + +/** + * + */ +package at.gv.egovernment.moa.id.auth.frontend.velocity; + +import org.apache.velocity.app.VelocityEngine; +import org.apache.velocity.runtime.RuntimeConstants; + +/** + * Gets a Velocity Engine + * + * @author bzwattendorfer + * + */ +public class VelocityProvider { + + /** + * Gets velocityEngine from Classpath + * @return VelocityEngine + * @throws Exception + */ + public static VelocityEngine getClassPathVelocityEngine() throws Exception { + VelocityEngine velocityEngine = getBaseVelocityEngine(); + velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath"); + velocityEngine.setProperty("classpath.resource.loader.class", + "org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader"); + + + velocityEngine.init(); + + return velocityEngine; + } + + /** + * Gets VelocityEngine from File + * @param rootPath File Path to template file + * @return VelocityEngine + * @throws Exception + */ + public static VelocityEngine getFileVelocityEngine(String rootPath) throws Exception { + VelocityEngine velocityEngine = getBaseVelocityEngine(); + velocityEngine.setProperty(RuntimeConstants.RESOURCE_LOADER, "file"); + velocityEngine.setProperty("file.resource.loader.class", + "org.apache.velocity.runtime.resource.loader.FileResourceLoader"); + velocityEngine.setProperty("file.resource.loader.path", rootPath); + + velocityEngine.init(); + + return velocityEngine; + } + + /** + * Gets a basic VelocityEngine + * @return VelocityEngine + */ + private static VelocityEngine getBaseVelocityEngine() { + VelocityEngine velocityEngine = new VelocityEngine(); + velocityEngine.setProperty(RuntimeConstants.INPUT_ENCODING, "UTF-8"); + velocityEngine.setProperty(RuntimeConstants.OUTPUT_ENCODING, "UTF-8"); + velocityEngine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, + "org.apache.velocity.runtime.log.SimpleLog4JLogSystem"); + + return velocityEngine; + } + +} diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/css_template.css b/id/server/moa-id-frontend-resources/src/main/resources/templates/css_template.css new file mode 100644 index 000000000..a8735be60 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/css_template.css @@ -0,0 +1,625 @@ +@charset "utf-8"; + @media screen and (min-width: 650px) { + + body { + margin:0; + padding:0; + color : #000; + background-color : #fff; + text-align: center; + background-color: #6B7B8B; + } + + .browserInfoButton{ + color: rgb(128, 128, 128); + } + + #localBKU p { + font-size: 0.7em; + } + + #localBKU input{ + font-size: 0.85em; + /*border-radius: 5px;*/ + } + + #bkuselectionarea input[type=button] { + font-size: 0.85em; + /*border-radius: 7px;*/ + margin-bottom: 25px; + min-width: 80px; + } + + #mandateLogin { + font-size: 0.85em; + } + + #bku_header h2 { + font-size: 0.8em; + } + + + #page { + display: block; + border: 2px solid rgb(0,0,0); + width: 650px; + height: 460px; + margin: 0 auto; + margin-top: 5%; + position: relative; + border-radius: 25px; + background: rgb(255,255,255); + } + + #page1 { + text-align: center; + } + + #main { + /* clear:both; */ + position:relative; + margin: 0 auto; + width: 250px; + text-align: center; + } + + .OA_header { + /* background-color: white;*/ + font-size: 20pt; + margin-bottom: 25px; + margin-top: 25px; + } + + #leftcontent { + /*float:left; */ + width:250px; + margin-bottom: 25px; + text-align: left; + border: 1px solid rgb(0,0,0); + } + + #selectArea { + font-size: 15px; + padding-bottom: 65px; + } + + #leftcontent { + width: 300px; + margin-top: 30px; + } + + #bku_header { + height: 5%; + padding-bottom: 3px; + padding-top: 3px; + } + + #bkulogin { + overflow:hidden; + min-width: 190px; + min-height: 180px; + /*height: 260px;*/ + } + + h2#tabheader{ + font-size: 1.1em; + padding-left: 2%; + padding-right: 2%; + position: relative; + } + + #stork h2 { + font-size: 1.0em; + margin-bottom: 2%; + } + + .setAssertionButton_full { + background: #efefef; + cursor: pointer; + margin-top: 15px; + width: 100px; + height: 30px + } + + #leftbutton { + width: 30%; + float:left; + margin-left: 40px; + } + + #rightbutton { + width: 30%; + float:right; + margin-right: 45px; + text-align: right; + } + + button { + height: 25px; + width: 75px; + margin-bottom: 10px; + } + + + + #validation { + position: absolute; + bottom: 0px; + margin-left: 270px; + padding-bottom: 10px; + } + + } + + @media screen and (max-width: 205px) { + #localBKU p { + font-size: 0.6em; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + + #localBKU input { + font-size: 0.6em; + min-width: 60px; + /* max-width: 65px; */ + min-height: 1.0em; + /* border-radius: 5px; */ + } + + #bkuselectionarea input[type=button] { + font-size: 0.7em; + min-width: 55px; + /*min-height: 1.1em; + border-radius: 5px;*/ + margin-bottom: 2% + } + + #mandateLogin { + font-size: 0.65em; + } + + #bku_header h2 { + font-size: 0.8em; + margin-top: -0.4em; + padding-top: 0.4em; + } + + #bkulogin { + min-height: 150px; + } + } + + @media screen and (max-width: 249px) and (min-width: 206px) { + #localBKU p { + font-size: 0.7em; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + + #localBKU input { + font-size: 0.7em; + min-width: 70px; + /* max-width: 75px; */ + min-height: 0.95em; + /* border-radius: 6px; */ + } + + #bkuselectionarea input[type=button] { + font-size: 0.75em; + min-width: 60px; + /* min-height: 0.95em; + border-radius: 6px; */ + margin-bottom: 5% + } + + #mandateLogin { + font-size: 0.75em; + } + + #bku_header h2 { + font-size: 0.9em; + margin-top: -0.45em; + padding-top: 0.45em; + } + + #bkulogin { + min-height: 180px; + } + } + + @media screen and (max-width: 299px) and (min-width: 250px) { + #localBKU p { + font-size: 0.9em; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + + #localBKU input { + font-size: 0.8em; + min-width: 70px; + /* max-width: 75px; */ + /* border-radius: 6px; */ + } + + #bkuselectionarea input[type=button] { + font-size: 0.85em; + /* min-height: 1.05em; + border-radius: 7px; */ + margin-bottom: 10%; + } + + #mandateLogin { + font-size: 1em; + } + + #bku_header h2 { + font-size: 1.0em; + margin-top: -0.50em; + padding-top: 0.50em; + } + } + + @media screen and (max-width: 399px) and (min-width: 300px) { + #localBKU p { + font-size: 0.9em; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + #localBKU input { + font-size: 0.8em; + min-width: 70px; + /* max-width: 75px; */ + /* border-radius: 6px; */ + } + + #bkuselectionarea input[type=button] { + font-size: 0.9em; + /* min-height: 1.2em; + border-radius: 8px; */ + margin-bottom: 10%; + max-width: 80px; + } + + #mandateLogin { + font-size: 1em; + } + + #bku_header h2 { + font-size: 1.1em; + margin-top: -0.55em; + padding-top: 0.55em; + } + } + + @media screen and (max-width: 649px) and (min-width: 400px) { + #localBKU p { + font-size: 0.9em; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + #localBKU input { + font-size: 0.8em; + min-width: 70px; + /* max-width: 80px; */ + /* border-radius: 6px; */ + } + + #bkuselectionarea input[type=button] { + font-size: 1.0em; + /* min-height: 1.3em; + border-radius: 10px; */ + margin-bottom: 10%; + max-width: 85px; + } + + #mandateLogin { + font-size: 1.2em; + } + + #bku_header h2 { + font-size: 1.3em; + margin-top: -0.65em; + padding-top: 0.65em; + } + } + + + + @media screen and (max-width: 649px) { + + body { + margin:0; + padding:0; + color : #000; + text-align: center; + font-size: 100%; + background-color: $MAIN_BACKGOUNDCOLOR; + } + .browserInfoButton{ + color: rgb(128, 128, 128); + } + #page { + visibility: hidden; + margin-top: 0%; + } + + #page1 { + visibility: hidden; + } + + #main { + visibility: hidden; + } + + #validation { + visibility: hidden; + display: none; + } + + .OA_header { + margin-bottom: 0px; + margin-top: 0px; + font-size: 0pt; + visibility: hidden; + } + + #leftcontent { + visibility: visible; + margin-bottom: 0px; + text-align: left; + border:none; + vertical-align: middle; + min-height: 173px; + min-width: 204px; + + } + + #bku_header { + height: 10%; + min-height: 1.2em; + margin-top: 1%; + } + + h2#tabheader{ + padding-left: 2%; + padding-right: 2%; + position: relative; + top: 50%; + } + + #stork h2 { + font-size: 0.9em; + margin-bottom: 2%; + } + + #bkulogin { + min-width: 190px; + min-height: 155px; + } + + .setAssertionButton_full { + background: #efefef; + cursor: pointer; + margin-top: 15px; + width: 70px; + height: 25px; + } + + input[type=button] { +/* height: 11%; */ + width: 70%; + } + } + + * { + margin: 0; + padding: 0; + #if($FONTTYPE) + font-family: $FONTTYPE; + #end + } + + #selectArea { + padding-top: 10px; + padding-bottom: 55px; + padding-left: 10px; + } + + .setAssertionButton { + background: #efefef; + cursor: pointer; + margin-top: 15px; + width: 70px; + height: 25px; + } + + #leftbutton { + width: 35%; + float:left; + margin-left: 15px; + } + + #rightbutton { + width: 35%; + float:right; + margin-right: 25px; + text-align: right; + } + + #stork { + /*margin-bottom: 10px;*/ + /* margin-top: 5px; */ + } + + #mandateLogin { + padding-bottom: 4%; + padding-top: 4%; + height: 10%; + position: relative; + text-align: center; + } + + .verticalcenter { + vertical-align: middle; + } + + #mandateLogin div { + clear: both; + margin-top: -1%; + position: relative; + top: 50%; + } + + #bkuselectionarea { + position: relative; + display: block; + } + + #localBKU { + padding-bottom: 4%; + /*padding-top: 4%;*/ + position: relative; + clear: both; + text-align: center; + } + + #bkukarte { + float:left; + text-align:center; + width:40%; + min-height: 70px; + padding-left: 5%; + padding-top: 2%; + } + + #bkuhandy { + float:right; + text-align:center; + width:40%; + min-height: 90px; + padding-right: 5%; + padding-top: 2%; + } + + .bkuimage { + width: 90%; + height: auto; + } + + #mandate{ + text-align:center; + padding : 5px 5px 5px 5px; + } + +/* input[type=button], .sendButton { + background: $BUTTON_BACKGROUNDCOLOR; + color: $BUTTON_COLOR; +/* border:1px solid #000; */ +/* cursor: pointer; +/* box-shadow: 3px 3px 3px #222222; */ +/* } + +/* button:hover, button:focus, button:active, + .sendButton:hover , .sendButton:focus, .sendButton:active, + #mandateCheckBox:hover, #mandateCheckBox:focus, #mandateCheckBox:active { + background: $BUTTON_BACKGROUNDCOLOR_FOCUS; + color: $BUTTON_COLOR; +/* border:1px solid #000; */ +/* cursor: pointer; +/* box-shadow: -1px -1px 3px #222222; */ +/* } + +*/ + input { + /*border:1px solid #000;*/ + cursor: pointer; + } + + #localBKU input { +/* color: $BUTTON_COLOR; */ + /*border: 0px;*/ + display: inline-block; + + } + + #localBKU input:hover, #localBKU input:focus, #localBKU input:active { + /*text-decoration: underline;*/ + } + + #installJava, #BrowserNOK { + clear:both; + font-size:0.8em; + padding:4px; + } + + .selectText{ + + } + + .selectTextHeader{ + + } + + .sendButton { + width: 30%; + margin-bottom: 1%; + } + + #leftcontent a { + text-decoration:none; + color: #000; + /* display:block;*/ + padding:4px; + } + + #leftcontent a:hover, #leftcontent a:focus, #leftcontent a:active { + text-decoration:underline; + color: #000; + } + + .infobutton { + background-color: #005a00; + color: white; + font-family: serif; + text-decoration: none; + padding-top: 2px; + padding-right: 4px; + padding-bottom: 2px; + padding-left: 4px; + font-weight: bold; + } + + .hell { + background-color : $MAIN_BACKGOUNDCOLOR; + color: $MAIN_COLOR; + } + + .dunkel { + background-color: $HEADER_BACKGROUNDCOLOR; + color: $HEADER_COLOR; + } + + .main_header { + color: black; + font-size: 32pt; + position: absolute; + right: 10%; + top: 40px; + + } + + #ssoSessionTransferBlock { + font-size: 0.8em; + margin-left: 5px; + margin-bottom: 5px; + } + + #alert_area { + width: 500px; + padding-left: 80px; + } \ No newline at end of file diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/error_message.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/error_message.html new file mode 100644 index 000000000..4fd4d63cd --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/error_message.html @@ -0,0 +1,37 @@ + + + + + + An error arise ... + + + +
+
+

Authentication error arise

+ + + + + +
+

The authentication stops on account of a process error:

+
+

Error Code: $errorCode

+

Error Message:$errorMsg

+
+ + + #if($stacktrace) +
+

Stacktrace: $stacktrace

+
+ #end + + + +
+
+ + \ No newline at end of file diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/javascript_tempalte.js b/id/server/moa-id-frontend-resources/src/main/resources/templates/javascript_tempalte.js new file mode 100644 index 000000000..e4e05bace --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/javascript_tempalte.js @@ -0,0 +1,200 @@ +function isIE() { + return (/MSIE (\d+\.\d+);/.test(navigator.userAgent)); + } + function isFullscreen() { + try { + return ((top.innerWidth == screen.width) && (top.innerHeight == screen.height)); + } catch (e) { + return false; + } + } + function isActivexEnabled() { + var supported = null; + try { + supported = !!new ActiveXObject("htmlfile"); + } catch (e) { + supported = false; + } + return supported; + } + function isMetro() { + if (!isIE()) + return false; + return !isActivexEnabled() && isFullscreen(); + } + window.onload=function() { + document.getElementById("localBKU").style.display="block"; + return; + } + function bkuLocalClicked() { + setMandateSelection(); + } + + function bkuOnlineClicked() { + if (isMetro()) + document.getElementById("metroDetected").style.display="block"; + document.getElementById("localBKU").style.display="block"; +/* if (checkMandateSSO()) + return; */ + + setMandateSelection(); +/* setSSOSelection(); */ + + var iFrameURL = "$contextPath$submitEndpoint" + "?"; + iFrameURL += "&pendingid=" + "$pendingReqID"; + + iFrameURL += "bkuURI=" + "$bkuOnline"; + iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; + + generateIFrame(iFrameURL); + } + function bkuHandyClicked() { + document.getElementById("localBKU").style.display="none"; +/* if (checkMandateSSO()) + return; */ + + setMandateSelection(); +/* setSSOSelection(); */ + + var iFrameURL = "$contextPath$submitEndpoint" + "?"; + iFrameURL += "&pendingid=" + "$pendingReqID"; + + iFrameURL += "bkuURI=" + "$bkuHandy"; + iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; + + generateIFrame(iFrameURL); + } + function storkClicked() { + document.getElementById("localBKU").style.display="none"; +/* if (checkMandateSSO()) + return; */ + + setMandateSelection(); +/* setSSOSelection(); */ + + var ccc = "AT"; + var countrySelection = document.getElementById("cccSelection"); + if (countrySelection != null) { + ccc = document.getElementById("cccSelection").value; + } + var iFrameURL = "$contextPath$submitEndpoint" + "?"; + iFrameURL += "&pendingid=" + "$pendingReqID"; + + #if($bkuOnline) + iFrameURL += "bkuURI=" + "$bkuOnline"; + #end + + iFrameURL += "&useMandate=" + document.getElementById("useMandate").value; + iFrameURL += "&CCC=" + ccc; + + generateIFrame(iFrameURL); + } + function generateIFrame(iFrameURL) { + var el = document.getElementById("bkulogin"); + var width = el.clientWidth; + var heigth = el.clientHeight - 20; + var parent = el.parentNode; + + iFrameURL += "&heigth=" + heigth; + iFrameURL += "&width=" + width; + + var iframe = document.createElement("iframe"); + iframe.setAttribute("src", iFrameURL); + iframe.setAttribute("width", el.clientWidth - 1); + iframe.setAttribute("height", el.clientHeight - 1); + iframe.setAttribute("frameborder", "0"); + iframe.setAttribute("scrolling", "no"); + iframe.setAttribute("title", "Login"); + parent.replaceChild(iframe, el); + } + function setMandateSelection() { + document.getElementById("useMandate").value = "false"; + var checkbox = document.getElementById("mandateCheckBox"); + if (checkbox != null) { + if (document.getElementById("mandateCheckBox").checked) { + document.getElementById("useMandate").value = "true"; + } + } + } + function onChangeChecks() { + if (self.innerWidth < 650) { + document.getElementById("moaidform").setAttribute("target","_parent"); + } else { + document.getElementById("moaidform").removeAttribute("target"); + } + + } + + function checkIfBrowserSupportsJava(){ + console.log("Browser is Chrome: "+checkIfBrowserIsChrome()); + console.log("Browser is Safari: "+checkIfBrowserIsSafari()); + console.log("Browser is Edge: "+checkIfBrowserIsEdge()); + + var cnt = 0; + + if(checkIfBrowserIsChrome())cnt++; + if(checkIfBrowserIsEdge())cnt++; + if(checkIfBrowserIsSafari())cnt++; + + if(cnt==0 || cnt>1)//cnt>1 means perhaps wrong detection + return true; + + var image = document.getElementById("bkuimage"); + var srcatt = image.getAttribute("src"); + var last = srcatt.substring(srcatt.lastIndexOf('/')+1); + srcatt = srcatt.replace(last,'online-bku-deactivated.png'); + image.setAttribute("src",srcatt); + + + var button = document.getElementsByName("bkuButtonOnline")[0]; + button.setAttribute("class","browserInfoButton"); + button.setAttribute("title","Java wird nicht unterstützt, klicken für mehr Informationen."); + button.setAttribute("onClick","alert('Java wird von Ihrem Browser nicht unterstützt, ist jedoch für den Betrieb der Online Bürgerkartenumgebung notwendig.\\nWollen Sie dennoch die Online Bürgerkartenumgebung verwenden, wird zur Zeit Java noch von Firefox und MS Internet Explorer unterstützt. \\nAlternativ koennen Sie auch eine lokale Bürgerkartenumgebung verwenden, verfügbar unter www.buergerkarte.at.');"); + + return false; + + } + function checkIfBrowserIsChrome(){ + var chrome_defined = !!window.chrome;//chrome object defined + var webstore_defined = false; + if(window.chrome){ + webstore_defined = !!window.chrome.webstore; + } + return chrome_defined && webstore_defined; + } + function checkIfBrowserIsEdge(){//edge also defines the chrome object, but not the webapp + var chrome_defined = !!window.chrome;//chrome object defined + var webstore_defined = true; + if(window.chrome){ + webstore_defined = !!window.chrome.webstore; + } + return chrome_defined && !webstore_defined; + } + function checkIfBrowserIsSafari(){ + var cond1 = Object.prototype.toString.call(window.HTMLElement).indexOf('Constructor') > 0; + return cond1; + } +/* function setSSOSelection() { + document.getElementById("useSSO").value = "false"; + var checkbox = document.getElementById("SSOCheckBox"); + if (checkbox != null) { + if (document.getElementById("SSOCheckBox").checked) { + document.getElementById("useSSO").value = "true"; + } + } + } */ + +/* function checkMandateSSO() { + var sso = document.getElementById("SSOCheckBox"); + var mandate = document.getElementById("mandateCheckBox"); + + + if (sso.checked && mandate.checked) { + alert("Anmeldung in Vertretung in kombination mit Single Sign-On wird aktuell noch nicht unterstützt!") + mandate.checked = false; + sso.checked = false; + return true; + } else { + return false; + } + } */ \ No newline at end of file diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html new file mode 100644 index 000000000..02b86472b --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/loginFormFull.html @@ -0,0 +1,92 @@ + + + + + + + + + + + + +Anmeldung mittels Bürgerkarte oder Handy-Signatur + + +
+
+

Anmeldung an: $OAName

+
+
+
+

$HEADER_TEXT

+
+
+
+
+ + + +
+
+
+
+ OnlineBKU +
+
+ HandyBKU +
+
+
+
+ + + + + + +
+
+ + + + +
+

Home Country Selection

+

+ + + i +

+
+ + +
+
+
+
+
+ + diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/redirectForm.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/redirectForm.html new file mode 100644 index 000000000..ac3242c89 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/redirectForm.html @@ -0,0 +1,13 @@ + + + + + + + + + CLICK to perform a + redirect back to Online Application + + diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/sendAssertionFormFull.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/sendAssertionFormFull.html new file mode 100644 index 000000000..a9f0c4238 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/sendAssertionFormFull.html @@ -0,0 +1,52 @@ + + + + + + + + Anmeldung an Online-Applikation + + + + +
+ +
+ + + +
+
+
+

+ Anmeldeinformationen: +

+
+ +
+

Anmeldung an: $OAName

+ + +
+
+ + + +
+
+
+
+ + + +
+
+ +
+
+
+
+
+ + diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/slo_template.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/slo_template.html new file mode 100644 index 000000000..b3eb18082 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/slo_template.html @@ -0,0 +1,94 @@ + + + + + + + + #if($timeoutURL) + + #end + + Single LogOut Vorgang ... + + +#if($timeoutURL) + +#else + +#end + + +
+
+

MOA-ID Single LogOut Information

+
+
+ + #if($errorMsg) +
+

$errorMsg

+
+ #end + + #if($successMsg) +
+

$successMsg

+
+ #end + + #if($redirectURLs) +
+

+ Sie werden von allen Online-Applikationen abgemeldet.
+ Dieser Vorgang kann einige Zeit in Anspruch nehmen. +

+
+ #end + +
+
+
+ +
+ + + #foreach( $el in $redirectURLs ) + + #end + + \ No newline at end of file diff --git a/id/server/moa-id-frontend-resources/src/main/resources/templates/sso_transfer_template.html b/id/server/moa-id-frontend-resources/src/main/resources/templates/sso_transfer_template.html new file mode 100644 index 000000000..e9c2fae76 --- /dev/null +++ b/id/server/moa-id-frontend-resources/src/main/resources/templates/sso_transfer_template.html @@ -0,0 +1,59 @@ + + + + + + + + Single Sign-On Session Transfer + + + + + +
+
+

MOA-ID Single Sign-On Session Transfer Service

+
+
+ + #if($errorMsg) +
+

$errorMsg

+
+ #end + + #if($successMsg) +
+

$successMsg

+
+ #end + + #if($QRImage) +
+ +
+ #end + +
+
+
+ +
+ + + \ No newline at end of file diff --git a/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java b/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java index cc5552e81..636a3ed03 100644 --- a/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java +++ b/id/server/moa-id-spring-initializer/src/main/java/at/gv/egovernment/moa/id/auth/MOAIDAuthSpringInitializer.java @@ -17,7 +17,7 @@ import org.springframework.web.context.support.ServletContextResource; import org.springframework.web.servlet.DispatcherServlet; import at.gv.egiz.components.spring.api.SpringLoader; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.logging.Logger; /** diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index ea4dd868b..7122c6577 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -43,7 +43,6 @@ import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BKUException; import at.gv.egovernment.moa.id.auth.exception.BuildException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.ServiceException; import at.gv.egovernment.moa.id.auth.exception.ValidateException; @@ -57,11 +56,13 @@ import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.data.MISMandate; -import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.util.XMLUtil; import at.gv.egovernment.moa.logging.LogMsg; diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java index f00f4386f..e51700111 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationBlockAssertionBuilder.java @@ -48,10 +48,10 @@ import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.ParseException; -import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.util.Random; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java index dc981ba33..18495381e 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/builder/GetIdentityLinkFormBuilder.java @@ -49,11 +49,11 @@ package at.gv.egovernment.moa.id.auth.builder; import java.io.IOException; import java.io.StringReader; import java.io.StringWriter; -import java.util.Map; import at.gv.egovernment.moa.id.auth.exception.BuildException; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.util.FormBuildUtils; +import at.gv.egovernment.moa.id.auth.frontend.utils.FormBuildUtils; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; import at.gv.egovernment.moa.util.MiscUtil; /** @@ -165,31 +165,32 @@ public class GetIdentityLinkFormBuilder extends Builder { htmlForm = replaceTag(htmlForm, PUSHINFOBOX_TAG, pushInfobox, false, ALL); //new:wird oben mitreplaced htmlForm = replaceTag(htmlForm, BKU_TAG, bkuURL); - //removed in MOA-ID 2.0 -// htmlForm = replaceTag(htmlForm, CERTINFO_XMLREQUEST_TAG, encodeParameter(certInfoXMLRequest), true, ALL); -// htmlForm = replaceTag(htmlForm, CERTINFO_DATAURL_TAG, certInfoDataURL, true, ALL); + + //set applet-background coller + if (oaParam != null && MiscUtil.isNotEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BACKGROUNDCOLOR))) + htmlForm = replaceTag(htmlForm, COLOR_TAG, + oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_BACKGROUNDCOLOR), false, ALL); + else + htmlForm = replaceTag(htmlForm, COLOR_TAG, FormBuildUtils.getDefaultMap().get(FormBuildUtils.PARAM_MAIN_BACKGROUNDCOLOR), false, ALL); + + //set redirect target + if (oaParam != null && MiscUtil.isNotEmpty(oaParam.getConfigurationValue(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETREDIRECTTARGET)))) + htmlForm = replaceTag(htmlForm, REDIRECTTARGETTAG, + oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETREDIRECTTARGET), false, ALL); + else + htmlForm = replaceTag(htmlForm, REDIRECTTARGETTAG, FormBuildUtils.getDefaultMap().get(FormBuildUtils.PARAM_REDIRECTTARGET), false, ALL); - Map map = null; - - if (oaParam != null) { - map = oaParam.getFormCustomizaten(); - htmlForm = replaceTag(htmlForm, COLOR_TAG, map.get(FormBuildUtils.MAIN_BACKGROUNDCOLOR), false, ALL); - htmlForm = replaceTag(htmlForm, REDIRECTTARGETTAG, map.get(FormBuildUtils.REDIRECTTARGET), false, ALL); - - } else { - htmlForm = replaceTag(htmlForm, COLOR_TAG, FormBuildUtils.getDefaultMap().get(FormBuildUtils.MAIN_BACKGROUNDCOLOR), false, ALL); - htmlForm = replaceTag(htmlForm, REDIRECTTARGETTAG, FormBuildUtils.getDefaultMap().get(FormBuildUtils.REDIRECTTARGET), false, ALL); - } - - if (map != null && MiscUtil.isNotEmpty(map.get(FormBuildUtils.APPLET_HEIGHT))) - htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, map.get(FormBuildUtils.APPLET_HEIGHT), false, ALL); + //set applet heigh + if (oaParam != null && MiscUtil.isNotEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETHEIGHT))) + htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETHEIGHT), false, ALL); else if (MiscUtil.isNotEmpty(appletheigth)) htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, appletheigth, false, ALL); else htmlForm = replaceTag(htmlForm, APPLETHEIGHT_TAG, "160", false, ALL); - if (map != null && MiscUtil.isNotEmpty(map.get(FormBuildUtils.APPLET_WIDTH))) - htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, map.get(FormBuildUtils.APPLET_WIDTH), false, ALL); + //set applet width + if (oaParam != null && MiscUtil.isNotEmpty(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETWIDTH))) + htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_AUTH_TEMPLATES_CUSTOMIZATION_APPLETWIDTH), false, ALL); else if (MiscUtil.isNotEmpty(appletwidth)) htmlForm = replaceTag(htmlForm, APPLETWIDTH_TAG, appletwidth, false, ALL); else diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java index cbdef7093..4f9936c94 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/DefaultCitizenCardAuthModuleImpl.java @@ -3,8 +3,8 @@ package at.gv.egovernment.moa.id.auth.modules.internal; import org.apache.commons.lang3.StringUtils; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.modules.AuthModule; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.process.api.ExecutionContext; /** diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java index aff6b1ca6..000a47438 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CertificateReadRequestTask.java @@ -1,6 +1,6 @@ package at.gv.egovernment.moa.id.auth.modules.internal.tasks; -import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.REQ_VERIFY_CERTIFICATE; +import static at.gv.egovernment.moa.id.commons.MOAIDAuthConstants.REQ_VERIFY_CERTIFICATE; import java.io.IOException; @@ -14,9 +14,9 @@ import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.builder.InfoboxReadRequestBuilderCertificate; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.CitizenCardServletUtils; @@ -32,7 +32,7 @@ import at.gv.egovernment.moa.logging.Logger; * * Expects: *
    - *
  • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
    • + *
  • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
    • *
* Result: *
    diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java index cbaaa5ec7..e82aa8fbb 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/CreateIdentityLinkFormTask.java @@ -13,10 +13,10 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils; import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.StringUtils; @@ -26,14 +26,14 @@ import at.gv.egovernment.moa.util.StringUtils; * In detail: *
      *
    • Renames the moa session id.
      • - *
    • Removes ExecutionContext property {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}.
      • + *
    • Removes ExecutionContext property {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}.
      • *
    • Creates the http form mentioned above.
      • *
    • Returns the http form via HttpServletResponse.
      • *
    * Expects: *
      - *
    • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID} or
      • - *
    • ExecutionContext property {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID} (in case of legacy authentication without CCE selection, where the moa session is not provided by request parameter).
      • + *
    • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID} or
      • + *
    • ExecutionContext property {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID} (in case of legacy authentication without CCE selection, where the moa session is not provided by request parameter).
      • *
    * Result: *
      diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java index 204e39b8c..7cc9df30c 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetForeignIDTask.java @@ -1,7 +1,7 @@ package at.gv.egovernment.moa.id.auth.modules.internal.tasks; -import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_XMLRESPONSE; -import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.REQ_VERIFY_AUTH_BLOCK; +import static at.gv.egovernment.moa.id.commons.MOAIDAuthConstants.PARAM_XMLRESPONSE; +import static at.gv.egovernment.moa.id.commons.MOAIDAuthConstants.REQ_VERIFY_AUTH_BLOCK; import java.io.ByteArrayInputStream; import java.io.IOException; @@ -22,7 +22,6 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.data.IdentityLink; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; @@ -31,6 +30,7 @@ import at.gv.egovernment.moa.id.auth.parser.CreateXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.client.SZRGWClientException; import at.gv.egovernment.moa.id.client.utils.SZRGWClientUtils; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -44,7 +44,7 @@ import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse; * In detail: *
        *
      • Renames the moa session id.
        • - *
      • Parses the CreateXMLSignatureResponse retrieved from POST parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}.
        • + *
      • Parses the CreateXMLSignatureResponse retrieved from POST parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}.
        • *
      • Extracts signature and signer certificate.
        • *
      • Send request to SZR Gateway in order to get an identity link.
        • *
      • Updates moa session (sets identity link, QAA level 4, authentication data and foreigner flag).
        • @@ -52,8 +52,8 @@ import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse; *
      * Expects: *
        - *
      • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
        • - *
      • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE} containing a {@code CreateXMLSignatureResponse}.
        • + *
      • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
        • + *
      • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE} containing a {@code CreateXMLSignatureResponse}.
        • *
      * Result: *
        diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java index 0a1e3c8f5..c172c3b9c 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/GetMISSessionIDTask.java @@ -1,6 +1,6 @@ package at.gv.egovernment.moa.id.auth.modules.internal.tasks; -import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.GET_MIS_SESSIONID; +import static at.gv.egovernment.moa.id.commons.MOAIDAuthConstants.GET_MIS_SESSIONID; import java.security.GeneralSecurityException; import java.util.List; @@ -18,10 +18,10 @@ import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; -import at.gv.egovernment.moa.id.config.ConnectionParameter; +import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.data.MISMandate; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.SSLUtils; @@ -42,7 +42,7 @@ import iaik.pki.PKIException; *
      * Expects: *
        - *
      • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
        • + *
      • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
        • *
      * Result: *
        @@ -72,7 +72,7 @@ public class GetMISSessionIDTask extends AbstractAuthServletTask { String misSessionID = moasession.getMISSessionID(); //get mandates from MIS - ConnectionParameter connectionParameters = authConfig + ConnectionParameterInterface connectionParameters = authConfig .getOnlineMandatesConnectionParameter(); SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory( authConfig, diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java index b1b87f68d..d3d736a9c 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/InitializeBKUAuthenticationTask.java @@ -31,15 +31,15 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.parser.StartAuthentificationParameterParser; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.FileUtils; diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java index b9a8fecf6..ed49201b8 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareAuthBlockSignatureTask.java @@ -8,9 +8,9 @@ import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.CitizenCardServletUtils; import at.gv.egovernment.moa.logging.Logger; @@ -25,7 +25,7 @@ import at.gv.egovernment.moa.logging.Logger; *
      * Expects: *
        - *
      • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
        • + *
      • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
        • *
      * Result: *
        diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java index f976c0b49..afbb87f10 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/PrepareGetMISMandateTask.java @@ -22,7 +22,7 @@ */ package at.gv.egovernment.moa.id.auth.modules.internal.tasks; -import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.GET_MIS_SESSIONID; +import static at.gv.egovernment.moa.id.commons.MOAIDAuthConstants.GET_MIS_SESSIONID; import java.util.List; @@ -39,12 +39,12 @@ import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.MISSimpleClientException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.commons.api.ConnectionParameterInterface; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.ConnectionParameter; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.SSLUtils; import at.gv.egovernment.moa.id.util.client.mis.simple.MISSessionId; @@ -72,7 +72,7 @@ public class PrepareGetMISMandateTask extends AbstractAuthServletTask { //perform default task initialization defaultTaskInitialization(request, executionContext); - ConnectionParameter connectionParameters = authConfig.getOnlineMandatesConnectionParameter(); + ConnectionParameterInterface connectionParameters = authConfig.getOnlineMandatesConnectionParameter(); SSLSocketFactory sslFactory = SSLUtils.getSSLSocketFactory(authConfig, connectionParameters); // get identitity link as byte[] diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java index b52778577..516e9501b 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyAuthenticationBlockTask.java @@ -1,6 +1,6 @@ package at.gv.egovernment.moa.id.auth.modules.internal.tasks; -import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.PARAM_XMLRESPONSE; +import static at.gv.egovernment.moa.id.commons.MOAIDAuthConstants.PARAM_XMLRESPONSE; import java.io.IOException; import java.util.Map; @@ -15,10 +15,10 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; @@ -28,15 +28,15 @@ import at.gv.egovernment.moa.logging.Logger; * In detail: *
          *
        • Renames the moa session id.
          • - *
        • Takes the {@code CreateXMLSignatureResponse} from POST parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}.
          • + *
        • Takes the {@code CreateXMLSignatureResponse} from POST parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}.
          • *
        • Verifies the {@code CreateXMLSignatureResponse}.
          • *
        • Updates moa session.
          • *
        • Redirects back to {@code /dispatcher} in order to finalize the authentication.
          • *
        * Expects: *
          - *
        • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
          • - *
        • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE} containing a {@code CreateXMLSignatureResponse}.
          • + *
        • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
          • + *
        • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE} containing a {@code CreateXMLSignatureResponse}.
          • *
        * Result: *
          diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java index cd444f7c8..df158a7ec 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyCertificateTask.java @@ -1,6 +1,6 @@ package at.gv.egovernment.moa.id.auth.modules.internal.tasks; -import static at.gv.egovernment.moa.id.auth.MOAIDAuthConstants.REQ_GET_FOREIGN_ID; +import static at.gv.egovernment.moa.id.commons.MOAIDAuthConstants.REQ_GET_FOREIGN_ID; import java.io.IOException; import java.util.Map; @@ -17,9 +17,9 @@ import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.CitizenCardServletUtils; @@ -28,11 +28,11 @@ import at.gv.egovernment.moa.spss.util.CertificateUtils; import iaik.x509.X509Certificate; /** - * Parses the certificate from {@code InfoBoxReadResponse} (via POST parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}), creates the auth block to be signed and returns a {@code CreateXMLSignatureRequest} for auth block signature.

          + * Parses the certificate from {@code InfoBoxReadResponse} (via POST parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}), creates the auth block to be signed and returns a {@code CreateXMLSignatureRequest} for auth block signature.

          * In detail: *

            *
          • Renames the moa session id.
            • - *
          • Retrieves the certificate via {@code InfoBoxReadResponse} from POST parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}.
            • + *
          • Retrieves the certificate via {@code InfoBoxReadResponse} from POST parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}.
            • *
          • Verifies the certificate.
            • *
          • Creates the auth block to be signed using information from the certificate (Organwalter, foreign citizen.
            • *
          • Puts it in a {@code CreateXMLSignatureRequest}.
            • @@ -41,8 +41,8 @@ import iaik.x509.X509Certificate; *
          * Expects: *
            - *
          • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
            • - *
          • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_SESSIONID} containing a {@code InfoBoxReadResponse}.
            • + *
          • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
            • + *
          • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_SESSIONID} containing a {@code InfoBoxReadResponse}.
            • *
          * Result: *
            diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java index 23e92c0c0..0deda4d43 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/internal/tasks/VerifyIdentityLinkTask.java @@ -12,10 +12,10 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.logging.Logger; @@ -24,15 +24,15 @@ import at.gv.egovernment.moa.logging.Logger; * In detail: *
              *
            • Renames the moa session id.
              • - *
            • Parses the identity link retrieved as {@code InfoBoxReadResponse} from POST parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}.
              • + *
            • Parses the identity link retrieved as {@code InfoBoxReadResponse} from POST parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE}.
              • *
            • Verifies the identity link.
              • *
            • Updates moa session.
              • *
            • Puts boolean flag {@code identityLinkAvailable} into {@code ExecutionContext}.
              • *
            * Expects: *
              - *
            • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
              • - *
            • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.auth.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE} containing a {@code InfoBoxReadResponse}.
              • + *
            • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_SESSIONID PARAM_SESSIONID}
              • + *
            • HttpServletRequest parameter {@linkplain at.gv.egovernment.moa.id.commons.MOAIDAuthConstants#PARAM_XMLRESPONSE PARAM_XMLRESPONSE} containing a {@code InfoBoxReadResponse}.
              • *
            * Result: *
              diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java index 5e0a69fd4..4b0e7b869 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/CreateXMLSignatureResponseValidator.java @@ -56,7 +56,6 @@ import javax.xml.bind.DatatypeConverter; import org.jaxen.SimpleNamespaceContext; import org.w3c.dom.Element; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.builder.AuthenticationBlockAssertionBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.CreateXMLSignatureResponse; @@ -64,11 +63,12 @@ import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.SAMLAttribute; import at.gv.egovernment.moa.id.auth.exception.ValidateException; -import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.MiscUtil; diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java index ac528c89d..df101f5b7 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/VerifyXMLSignatureResponseValidator.java @@ -61,14 +61,14 @@ import java.util.Iterator; import java.util.List; import java.util.Set; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; import at.gv.egovernment.moa.id.auth.data.VerifyXMLSignatureResponse; import at.gv.egovernment.moa.id.auth.exception.ValidateException; -import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.logging.Logger; /** diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java index 1850ff671..55562176d 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/auth/validator/parep/ParepUtils.java @@ -69,7 +69,7 @@ import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWClientException; import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants; -import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.BoolUtils; import at.gv.egovernment.moa.util.Constants; diff --git a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java index 36bab9355..2a8d26566 100644 --- a/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java +++ b/id/server/modules/moa-id-modul-citizencard_authentication/src/main/java/at/gv/egovernment/moa/id/util/CitizenCardServletUtils.java @@ -55,11 +55,11 @@ import java.net.URLEncoder; import javax.servlet.http.HttpServletResponse; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.builder.DataURLBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.logging.Logger; /** diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAIDCertificateManagerConfigurationImpl.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAIDCertificateManagerConfigurationImpl.java index 9b634ff4d..1759a7281 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAIDCertificateManagerConfigurationImpl.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAIDCertificateManagerConfigurationImpl.java @@ -54,7 +54,7 @@ public class MOAIDCertificateManagerConfigurationImpl extends try { initalizeConfiguration(); - } catch (at.gv.egovernment.moa.id.config.ConfigurationException e) { + } catch (at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException e) { Logger.error("eIDAS SAML-engine initialization FAILED", e); } @@ -89,7 +89,7 @@ public class MOAIDCertificateManagerConfigurationImpl extends try { initalizeConfiguration(); - } catch (at.gv.egovernment.moa.id.config.ConfigurationException e) { + } catch (at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException e) { Logger.error("eIDAS SAML-engine initialization FAILED", e); } @@ -103,10 +103,10 @@ public class MOAIDCertificateManagerConfigurationImpl extends /** * Initialize eIDAS SAML-engine from MOA-ID configuration - * @throws at.gv.egovernment.moa.id.config.ConfigurationException + * @throws at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException * */ - private void initalizeConfiguration() throws at.gv.egovernment.moa.id.config.ConfigurationException { + private void initalizeConfiguration() throws at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException { //initialize configuration MOAeIDASSAMLEngineConfigurationImpl tmp = new MOAeIDASSAMLEngineConfigurationImpl(); tmp.initialize(); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLEngineConfigurationImpl.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLEngineConfigurationImpl.java index 584910ea5..5d1874157 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLEngineConfigurationImpl.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/MOAeIDASSAMLEngineConfigurationImpl.java @@ -37,7 +37,7 @@ import java.util.Properties; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineConfigurationException; -import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.FileUtils; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java index bdd8c8e72..1ba344fd1 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/config/ModifiedEncryptionSW.java @@ -1,7 +1,7 @@ package at.gv.egovernment.moa.id.auth.modules.eidas.config; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.logging.Logger; import eu.eidas.auth.engine.core.impl.EncryptionSW; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java index 55504dcb0..d0454688a 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/engine/MOAeIDASChainingMetadataProvider.java @@ -26,9 +26,9 @@ import org.opensaml.saml2.metadata.provider.ObservableMetadataProvider; import org.opensaml.xml.XMLObject; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.ex.MOAHttpProtocolSocketFactoryException; import at.gv.egovernment.moa.id.commons.utils.MOAHttpProtocolSocketFactory; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.config.auth.IGarbageCollectorProcessing; import at.gv.egovernment.moa.id.config.auth.MOAGarbageCollector; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASEngineConfigurationException.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASEngineConfigurationException.java index 98bc559d2..20f18b772 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASEngineConfigurationException.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/exceptions/EIDASEngineConfigurationException.java @@ -22,7 +22,7 @@ */ package at.gv.egovernment.moa.id.auth.modules.eidas.exceptions; -import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; /** * @author tlenz diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java index 515ce2913..7a696cd2f 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/CreateIdentityLinkTask.java @@ -39,12 +39,12 @@ import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; import at.gv.egovernment.moa.id.auth.data.IdentityLink; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.eIDASAttributeException; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.IdentityLinkReSigner; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java index 2156720e8..6de446e01 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/GenerateAuthnRequestTask.java @@ -36,19 +36,19 @@ import org.apache.velocity.VelocityContext; import org.apache.velocity.app.VelocityEngine; import org.springframework.stereotype.Component; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.stork.CPEPS; -import at.gv.egovernment.moa.id.config.stork.StorkAttribute; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.data.CPEPS; +import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; -import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import eu.eidas.auth.commons.EIDASAuthnRequest; import eu.eidas.auth.commons.EIDASUtil; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java index 9858d6004..082fdbbbf 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java @@ -6,13 +6,13 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAPersonalAttributeList; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java index 1e3b0f507..83fadb04e 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EIDASProtocol.java @@ -32,13 +32,12 @@ import org.springframework.web.bind.annotation.RequestMethod; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAPersonalAttributeList; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; import at.gv.egovernment.moa.logging.Logger; @@ -167,7 +166,7 @@ public class EIDASProtocol extends AbstractAuthProtocolModulController { pendingReq.setOAURL(samlReq.getIssuer()); // - memorize OA config - OAAuthParameter oaConfig = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(pendingReq.getOAURL()); + IOAAuthParameters oaConfig = authConfig.getOnlineApplicationParameter(pendingReq.getOAURL()); if (oaConfig == null) throw new AuthenticationException("stork.12", new Object[]{pendingReq.getOAURL()}); pendingReq.setOnlineApplicationConfiguration(oaConfig); diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java index 4e34902e2..55f4f44d4 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java @@ -23,14 +23,14 @@ import org.slf4j.Logger; import org.springframework.http.MediaType; import org.springframework.stereotype.Service; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.exceptions.EIDASEngineException; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; -import at.gv.egovernment.moa.id.moduls.IRequest; import eu.eidas.auth.engine.EIDASSAMLEngine; import eu.eidas.auth.engine.metadata.MetadataConfigParams; import eu.eidas.auth.engine.metadata.MetadataGenerator; diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java index 5f3f89aee..4ab587159 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/eIDASAuthenticationRequest.java @@ -37,17 +37,17 @@ import org.springframework.http.MediaType; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.Constants; import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASChainingMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.eidas.engine.MOAeIDASMetadataProviderDecorator; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.MOAPersonalAttributeList; import at.gv.egovernment.moa.id.auth.modules.eidas.utils.SAMLEngineUtils; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; -import at.gv.egovernment.moa.id.moduls.IRequest; -import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import eu.eidas.auth.commons.EIDASAuthnResponse; import eu.eidas.auth.commons.EIDASStatusCode; diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java index a64fc8bf7..22cb22c6d 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java @@ -35,7 +35,7 @@ import org.opensaml.xml.security.credential.Credential; import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants; import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider; -import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration; diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java index 3fa43d0a3..29bc5ee12 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/controller/ELGAMandateMetadataController.java @@ -36,7 +36,7 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConsta import at.gv.egovernment.moa.id.auth.modules.elgamandates.config.ELGAMandatesMetadataConfiguration; import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider; import at.gv.egovernment.moa.id.auth.servlet.AbstractController; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPMetadataBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration; import at.gv.egovernment.moa.id.util.HTTPUtils; diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/exceptions/ELGAMetadataException.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/exceptions/ELGAMetadataException.java index 6b7c13804..d27353809 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/exceptions/ELGAMetadataException.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/exceptions/ELGAMetadataException.java @@ -22,7 +22,7 @@ */ package at.gv.egovernment.moa.id.auth.modules.elgamandates.exceptions; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; /** * @author tlenz diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java index 03711aa40..fb9628909 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/ELGAInitializeBKUAuthenticationTask.java @@ -29,11 +29,11 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.stereotype.Component; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants; import at.gv.egovernment.moa.id.auth.modules.internal.tasks.InitializeBKUAuthenticationTask; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.commons.utils.KeyValueUtils; import at.gv.egovernment.moa.id.process.api.ExecutionContext; diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java index d25921167..26fd5fe5b 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java @@ -36,7 +36,6 @@ import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants; @@ -44,7 +43,8 @@ import at.gv.egovernment.moa.id.auth.modules.elgamandates.config.ELGAMandatesReq import at.gv.egovernment.moa.id.auth.modules.elgamandates.exceptions.ELGAMetadataException; import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandateServiceMetadataProvider; import at.gv.egovernment.moa.id.auth.modules.elgamandates.utils.ELGAMandatesCredentialProvider; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAuthnRequestBuilder; diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java index 49f131983..1c564b20d 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandateServiceMetadataProvider.java @@ -37,7 +37,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.SimpleMOAMetadataProvider; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.MOASPMetadataSignatureFilter; import at.gv.egovernment.moa.id.protocols.pvp2x.verification.metadata.SchemaValidationFilter; diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandatesCredentialProvider.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandatesCredentialProvider.java index c6434b901..f5bcdb70b 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandatesCredentialProvider.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/utils/ELGAMandatesCredentialProvider.java @@ -26,7 +26,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider; import at.gv.egovernment.moa.util.FileUtils; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java index e2ac97535..9060f35c5 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/OAuth20Configuration.java @@ -24,7 +24,7 @@ package at.gv.egovernment.moa.id.protocols.oauth20; import java.util.Properties; -import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.util.FileUtils; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java index 21fe4e5fa..9b19e0a4d 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OAuth20AttributeBuilder.java @@ -31,7 +31,7 @@ import com.google.gson.JsonObject; import com.google.gson.JsonPrimitive; import at.gv.egovernment.moa.id.auth.stork.STORKConstants; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.protocols.builder.attributes.BPKAttributeBuilder; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java index e81132ca7..a43c8fce9 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAudiencesAttribute.java @@ -22,7 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java index c4260db82..c6775b692 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdAuthenticationTimeAttribute.java @@ -22,7 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java index 6008eede1..5f32e32a2 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdExpirationTimeAttribute.java @@ -24,7 +24,7 @@ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; import java.util.Date; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java index ad7fe68b9..04f38faf6 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssueInstantAttribute.java @@ -24,7 +24,7 @@ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; import java.util.Date; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java index 5c4fe02df..ff19a618a 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdIssuerAttribute.java @@ -22,7 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java index d08a3b4f0..eda276df2 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdNonceAttribute.java @@ -22,7 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeGenerator; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java index 10af9cc32..7de90e98e 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/OpenIdSubjectIdentifierAttribute.java @@ -22,7 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java index 4262d6bb3..3ebadba52 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileDateOfBirthAttribute.java @@ -22,7 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java index da4f76e2d..89209b062 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileFamilyNameAttribute.java @@ -22,7 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java index 04a6ec60b..895037b2e 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/attributes/ProfileGivenNameAttribute.java @@ -22,7 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.attributes; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java index 307615fbd..d7fecd1b5 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/exceptions/OAuth20Exception.java @@ -22,7 +22,7 @@ *******************************************************************************/ package at.gv.egovernment.moa.id.protocols.oauth20.exceptions; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; +import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; public class OAuth20Exception extends RuntimeException { diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java index 518a694b0..803ae388f 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthAction.java @@ -35,14 +35,14 @@ import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.Pair; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; -import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; import at.gv.egovernment.moa.id.protocols.oauth20.attributes.OAuth20AttributeBuilder; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java index 055d14ef3..98fcdc8dc 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20AuthRequest.java @@ -32,10 +32,10 @@ import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.Scope; import org.springframework.stereotype.Component; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; -import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.builder.attributes.IAttributeBuilder; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; @@ -187,7 +187,7 @@ public class OAuth20AuthRequest extends OAuth20BaseRequest { // check if client id and redirect uri are ok try { // OAOAUTH20 cannot be null at this point. check was done in base request - OAAuthParameter oAuthConfig = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(this.getOAURL()); + IOAAuthParameters oAuthConfig = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(this.getOAURL()); if (!this.getClientID().equals(oAuthConfig.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID)) diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java index 4eae5ac3b..88669bd90 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20BaseRequest.java @@ -31,10 +31,10 @@ import javax.servlet.http.HttpServletRequest; import org.apache.commons.lang.StringEscapeUtils; import org.apache.commons.lang.StringUtils; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; -import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; @@ -71,7 +71,7 @@ abstract class OAuth20BaseRequest extends RequestImpl { throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); } this.setOAURL(oaURL); - OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaURL); + IOAAuthParameters oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(oaURL); if (oaParam == null) { throw new OAuth20WrongParameterException(OAuth20Constants.PARAM_CLIENT_ID); diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java index b29d33a8d..2f8c43e23 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20Protocol.java @@ -19,9 +19,9 @@ import com.google.gson.JsonObject; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java index bb0126a7b..9d78418cd 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenAction.java @@ -33,12 +33,12 @@ import com.google.gson.JsonObject; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.advancedlogging.MOAReversionLogger; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; -import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20SessionObject; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Util; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20ServerErrorException; diff --git a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java index 75fbb4120..f35de9c58 100644 --- a/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java +++ b/id/server/modules/moa-id-module-openID/src/main/java/at/gv/egovernment/moa/id/protocols/oauth20/protocol/OAuth20TokenRequest.java @@ -30,10 +30,10 @@ import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.Scope; import org.springframework.stereotype.Component; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants; -import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.protocols.oauth20.OAuth20Constants; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20AccessDeniedException; import at.gv.egovernment.moa.id.protocols.oauth20.exceptions.OAuth20Exception; @@ -140,7 +140,7 @@ class OAuth20TokenRequest extends OAuth20BaseRequest { // check if client id and secret are ok try { // OAOAUTH20 cannot be null at this point. check was done in base request - OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(this.getOAURL()); + IOAAuthParameters oaParam = AuthConfigurationProviderFactory.getInstance().getOnlineApplicationParameter(this.getOAURL()); if (!this.getClientID().equals(oaParam.getConfigurationValue(MOAIDConfigurationConstants.SERVICE_PROTOCOLS_OPENID_CLIENTID))) { throw new OAuth20AccessDeniedException(); diff --git a/id/server/modules/moa-id-module-ssoTransfer/pom.xml b/id/server/modules/moa-id-module-ssoTransfer/pom.xml index 8207fc502..b15d7dc85 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/pom.xml +++ b/id/server/modules/moa-id-module-ssoTransfer/pom.xml @@ -46,6 +46,11 @@ 1.52 + + MOA.id.server + moa-id-frontend-resources + + \ No newline at end of file diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java index 103a03063..f9cb4c636 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferAuthenticationData.java @@ -28,11 +28,11 @@ import java.util.List; import org.w3c.dom.Element; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.data.IdentityLink; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.data.AuthenticationRole; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.MISMandate; diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java index 4ba2e1a01..af180ff10 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/data/SSOTransferOnlineApplication.java @@ -27,11 +27,11 @@ import java.util.Collection; import java.util.List; import java.util.Map; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.data.SAML1ConfigurationParameters; -import at.gv.egovernment.moa.id.config.stork.CPEPS; -import at.gv.egovernment.moa.id.config.stork.StorkAttribute; -import at.gv.egovernment.moa.id.config.stork.StorkAttributeProviderPlugin; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.data.CPEPS; +import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; +import at.gv.egovernment.moa.id.commons.api.data.StorkAttribute; +import at.gv.egovernment.moa.id.commons.api.data.StorkAttributeProviderPlugin; /** * @author tlenz @@ -261,15 +261,6 @@ public class SSOTransferOnlineApplication implements IOAAuthParameters { return false; } - /* (non-Javadoc) - * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getFormCustomizaten() - */ - @Override - public Map getFormCustomizaten() { - // TODO Auto-generated method stub - return null; - } - /* (non-Javadoc) * @see at.gv.egovernment.moa.id.config.auth.IOAAuthParameters#getQaaLevel() */ diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java index 48ef5b526..2bb31f700 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferServlet.java @@ -56,7 +56,6 @@ import javax.security.cert.X509Certificate; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.apache.velocity.VelocityContext; import org.bouncycastle.asn1.x500.X500Name; import org.bouncycastle.asn1.x509.BasicConstraints; import org.bouncycastle.asn1.x509.Extension; @@ -80,17 +79,18 @@ import com.google.gson.JsonParser; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; -import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException; +import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.data.Pair; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.data.SSOTransferContainer; -import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; @@ -124,6 +124,7 @@ public class SSOTransferServlet{ @Autowired ITransactionStorage transactionStorage; @Autowired IDPCredentialProvider idpCredentials; @Autowired AuthConfiguration authConfig; + @Autowired IGUIFormBuilder guiBuilder; public SSOTransferServlet() { super(); @@ -145,8 +146,6 @@ public class SSOTransferServlet{ method = {RequestMethod.GET}) public void testTransferSSOSessionGUIWithoutAuthentication(HttpServletRequest req, HttpServletResponse resp) throws IOException { try { - VelocityContext context = new VelocityContext(); - //create first step of SSO Transfer GUI String authURL = HTTPUtils.extractAuthURLFromRequest(req); if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix().contains(authURL)) { @@ -155,8 +154,13 @@ public class SSOTransferServlet{ } + DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( + authURL, + DefaultGUIFormBuilderConfiguration.VIEW_SSO_SESSION_TRANSFER, + null); + internalCreateQRCodeForTransfer(resp, authURL, - "123456", "/TestTransmitSSOSession", context); + "123456", "/TestTransmitSSOSession", config); } catch (MOAIDException | MOADatabaseException e) { e.printStackTrace(); @@ -388,28 +392,32 @@ public class SSOTransferServlet{ //search SSO session String ssoid = ssomanager.getSSOSessionID(req); - VelocityContext context = new VelocityContext(); - try { + String authURL = HTTPUtils.extractAuthURLFromRequest(req); + if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(). + contains(authURL)) { + Logger.warn("Requested URL is not allowed.");; + resp.sendError(500, "Requested URL is not allowed."); + + } + + DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( + authURL, + DefaultGUIFormBuilderConfiguration.VIEW_SSO_SESSION_TRANSFER, + null); + if (ssomanager.isValidSSOSession(ssoid, null)) { //Object createQRObj = req.getParameter(SSOTransferConstants.REQ_PARAM_GENERATE_QR); //create first step of SSO Transfer GUI - String authURL = HTTPUtils.extractAuthURLFromRequest(req); - if (!AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix(). - contains(authURL)) { - Logger.warn("Requested URL is not allowed.");; - resp.sendError(500, "Requested URL is not allowed."); - - } - + String moaSessionID = authenticationSessionStorage.getMOASessionSSOID(ssoid); if (MiscUtil.isNotEmpty(moaSessionID)) { AuthenticationSession authSession = authenticationSessionStorage.getSession(moaSessionID); if(authSession != null) { internalCreateQRCodeForTransfer(resp, authURL, authSession.getSessionID(), - SSOTransferConstants.SERVLET_SSOTRANSFER_TO_SMARTPHONE, context); + SSOTransferConstants.SERVLET_SSOTRANSFER_TO_SMARTPHONE, config); return; } @@ -417,9 +425,10 @@ public class SSOTransferServlet{ } - context.put("errorMsg", + config.putCustomParameter("errorMsg", "No active Single Sign-On session found! SSO Session transfer is not possible."); - GUIUtils.printSSOTransferGUI(context, resp); + + guiBuilder.build(resp, config, "SSO-Transfer-Module"); } catch (MOAIDException | MOADatabaseException e) { e.printStackTrace(); @@ -505,7 +514,7 @@ public class SSOTransferServlet{ } private void internalCreateQRCodeForTransfer(HttpServletResponse resp, String authURL, - String moaSessionID, String servletEndPoint, VelocityContext context) throws Exception { + String moaSessionID, String servletEndPoint, DefaultGUIFormBuilderConfiguration config) throws Exception { SSOTransferContainer container = new SSOTransferContainer(); String token = Random.nextRandom(); @@ -558,12 +567,12 @@ public class SSOTransferServlet{ ByteArrayOutputStream qrStream = QRCode.from(qrResult.toString()).to(ImageType.GIF).withSize(350, 350).stream(); String base64EncodedImage = Base64Utils.encode(qrStream.toByteArray()); - context.put("QRImage", base64EncodedImage); + config.putCustomParameter("QRImage", base64EncodedImage); - context.put("successMsg", "Scan the QR-Code with your SSO-Transfer App to start the transfer operation."); + config.putCustomParameter("successMsg", "Scan the QR-Code with your SSO-Transfer App to start the transfer operation."); - GUIUtils.printSSOTransferGUI(context, resp); - + + guiBuilder.build(resp, config, "SSO-Session Transfer-Module"); } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java index 0b3bd892a..cd18afb71 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/servlet/SSOTransferSignalServlet.java @@ -33,9 +33,9 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import at.gv.egovernment.moa.id.advancedlogging.TransactionIDUtils; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.servlet.AbstractProcessEngineSignalController; -import at.gv.egovernment.moa.id.moduls.IRequest; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.logging.Logger; /** diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java index e84c60ec5..e3c8efb50 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/InitializeRestoreSSOSessionTask.java @@ -25,14 +25,14 @@ package at.gv.egovernment.moa.id.auth.modules.ssotransfer.task; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; -import org.apache.velocity.VelocityContext; +import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; -import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; +import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.util.HTTPUtils; @@ -45,6 +45,8 @@ import at.gv.egovernment.moa.logging.Logger; @Component("InitializeRestoreSSOSessionTask") public class InitializeRestoreSSOSessionTask extends AbstractAuthServletTask { + @Autowired IGUIFormBuilder guiBuilder; + /* (non-Javadoc) * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) */ @@ -63,11 +65,10 @@ public class InitializeRestoreSSOSessionTask extends AbstractAuthServletTask { } - VelocityContext context = GUIUtils.buildSSOTransferGUI(authURL, pendingReq.getRequestID()); - GUIUtils.printSSOTransferGUI(context, response); + GUIUtils.buildSSOTransferGUI(guiBuilder, response, authURL, pendingReq.getRequestID()); - } catch (WrongParametersException | AuthenticationException e) { + } catch (MOAIDException e) { throw new TaskExecutionException(pendingReq, e.getMessage(), e); } catch (Exception e) { diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java index d52e03c09..526f45be3 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/task/RestoreSSOSessionTask.java @@ -38,12 +38,13 @@ import org.springframework.stereotype.Component; import com.google.gson.JsonObject; import com.google.gson.JsonParser; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.GUIUtils; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils.SSOContainerUtils; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.id.process.api.ExecutionContext; @@ -60,6 +61,7 @@ import at.gv.egovernment.moa.util.MiscUtil; public class RestoreSSOSessionTask extends AbstractAuthServletTask { @Autowired SSOContainerUtils ssoTransferUtils; + @Autowired IGUIFormBuilder guiBuilder; /* (non-Javadoc) * @see at.gv.egovernment.moa.id.process.springweb.MoaIdTask#execute(at.gv.egovernment.moa.id.process.api.ExecutionContext, javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) @@ -180,8 +182,8 @@ public class RestoreSSOSessionTask extends AbstractAuthServletTask { } - context = GUIUtils.buildSSOTransferGUI(authURL, pendingReq.getRequestID()); - GUIUtils.printSSOTransferGUI(context, response); + GUIUtils.buildSSOTransferGUI(guiBuilder, response, + authURL, pendingReq.getRequestID()); } catch (IOException | MOAIDException e) { throw new TaskExecutionException(pendingReq, e.getMessage(), e); diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java index ee7a397aa..b1446c4d2 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/GUIUtils.java @@ -22,29 +22,19 @@ */ package at.gv.egovernment.moa.id.auth.modules.ssotransfer.utils; -import java.io.BufferedReader; import java.io.ByteArrayOutputStream; -import java.io.File; -import java.io.FileInputStream; import java.io.IOException; -import java.io.InputStream; -import java.io.InputStreamReader; -import java.io.StringWriter; -import java.net.URI; import javax.servlet.http.HttpServletResponse; -import org.apache.velocity.VelocityContext; -import org.apache.velocity.app.VelocityEngine; - import com.google.gson.JsonObject; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.frontend.builder.DefaultGUIFormBuilderConfiguration; +import at.gv.egovernment.moa.id.auth.frontend.builder.IGUIFormBuilder; +import at.gv.egovernment.moa.id.auth.frontend.exception.GUIBuildException; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.util.VelocityProvider; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Base64Utils; import net.glxn.qrgen.QRCode; @@ -54,95 +44,43 @@ import net.glxn.qrgen.image.ImageType; * @author tlenz * */ -public class GUIUtils { - private static final String HTMLTEMPLATESDIR = "htmlTemplates/"; - private static final String GUI_HTML_TEMPLATE = "sso_transfer_template.html"; - +public class GUIUtils { public static final int REFESH_TIMEOUT = 5 * 1000; //5 sec - public static VelocityContext buildSSOTransferGUI(String authURL, String pendingReqID) throws ConfigurationException, IOException { - String containerURL = authURL - + SSOTransferConstants.SERVLET_SSOTRANSFER_FROM_SMARTPHONE - + "?" + MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID + "=" + pendingReqID; + public static void buildSSOTransferGUI( + IGUIFormBuilder guiBuilder, HttpServletResponse httpResp, + String authURL, String pendingReqID) throws ConfigurationException, IOException { + try { + String containerURL = authURL + + SSOTransferConstants.SERVLET_SSOTRANSFER_FROM_SMARTPHONE + + "?" + MOAIDAuthConstants.PARAM_TARGET_PENDINGREQUESTID + "=" + pendingReqID; - JsonObject qrResult = new JsonObject(); - qrResult.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_TYPE, - SSOTransferConstants.SSOCONTAINER_VALUE_TYPE_TRANSER); - qrResult.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_URL, containerURL); + JsonObject qrResult = new JsonObject(); + qrResult.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_TYPE, + SSOTransferConstants.SSOCONTAINER_VALUE_TYPE_TRANSER); + qrResult.addProperty(SSOTransferConstants.SSOCONTAINER_KEY_URL, containerURL); - ByteArrayOutputStream qrStream = - QRCode.from(qrResult.toString()).to(ImageType.GIF).withSize(300, 300).stream(); - String base64EncodedImage = Base64Utils.encode(qrStream.toByteArray()); - VelocityContext context = new VelocityContext(); - context.put("QRImage", base64EncodedImage); - - context.put("successMsg", "Select the SSO Session in your SSO-Transfer App and scan the QR-Code to start the process."); - - context.put("timeoutURL", containerURL); - context.put("timeout", REFESH_TIMEOUT); - - return context; - - } - - public static void printSSOTransferGUI(VelocityContext context, HttpServletResponse httpResp) throws MOAIDException { - try { - Logger.trace("Initialize VelocityEngine..."); - - InputStream is = null; - String pathLocation = null; - try { - String rootconfigdir = AuthConfigurationProviderFactory.getInstance().getRootConfigFileDir(); - pathLocation = rootconfigdir + HTMLTEMPLATESDIR + GUI_HTML_TEMPLATE; - File file = new File(new URI(pathLocation)); - is = new FileInputStream(file); - evaluateTemplate(context, httpResp, is); - - } catch (Exception e) { - Logger.warn("SLO Template is not found in configuration directory (" + - pathLocation + "). Load template from project library ... "); - - try { - pathLocation = GUI_HTML_TEMPLATE; - is = Thread.currentThread() - .getContextClassLoader() - .getResourceAsStream(pathLocation); - evaluateTemplate(context, httpResp, is); + ByteArrayOutputStream qrStream = + QRCode.from(qrResult.toString()).to(ImageType.GIF).withSize(300, 300).stream(); + String base64EncodedImage = Base64Utils.encode(qrStream.toByteArray()); - } catch (Exception e1) { - Logger.error("Single LogOut form can not created.", e); - throw new MOAIDException("Create Single LogOut information FAILED.", null, e); - } - - } finally { - if (is != null) - is.close(); + DefaultGUIFormBuilderConfiguration config = new DefaultGUIFormBuilderConfiguration( + authURL, + DefaultGUIFormBuilderConfiguration.VIEW_SSO_SESSION_TRANSFER, + null); + + config.putCustomParameter("QRImage", base64EncodedImage); + config.putCustomParameter("successMsg", "Select the SSO Session in your SSO-Transfer App and scan the QR-Code to start the process."); + config.putCustomParameter("timeoutURL", containerURL); + config.putCustomParameter("timeout", REFESH_TIMEOUT); - } + guiBuilder.build(httpResp, config, "SSO-Transfer-Module"); - } catch (Exception e) { - Logger.error("Single LogOut form can not created.", e); - throw new MOAIDException("Create Single LogOut information FAILED.", null, e); - } - } - - private static void evaluateTemplate(VelocityContext context, HttpServletResponse httpResp, InputStream is) throws Exception { - - VelocityEngine engine = VelocityProvider.getClassPathVelocityEngine(); - - BufferedReader reader = new BufferedReader(new InputStreamReader(is )); - - //set default elements to velocity context - context.put("contextpath", AuthConfigurationProviderFactory.getInstance().getPublicURLPrefix()); - - StringWriter writer = new StringWriter(); - //velocityEngine.evaluate(context, writer, "SLO_Template", reader); - engine.evaluate(context, writer, "SSO Transfer Template", reader); - - - httpResp.setContentType("text/html;charset=UTF-8"); - httpResp.getOutputStream().write(writer.toString().getBytes("UTF-8")); - - } - + } catch (GUIBuildException e) { + Logger.warn("Can not build GUI:'BKU-Selection'. Msg:" + e.getMessage(), e); + throw new ConfigurationException("builder.09", new Object[]{e.getMessage()}, e); + + } + + } } diff --git a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java index b2ab8b119..5f2642cf8 100644 --- a/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java +++ b/id/server/modules/moa-id-module-ssoTransfer/src/main/java/at/gv/egovernment/moa/id/auth/modules/ssotransfer/utils/SSOContainerUtils.java @@ -81,19 +81,19 @@ import org.w3c.dom.NodeList; import com.google.gson.JsonObject; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ParseException; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.SSOTransferConstants; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.data.SSOTransferAuthenticationData; import at.gv.egovernment.moa.id.auth.modules.ssotransfer.data.SSOTransferOnlineApplication; import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.MISMandate; -import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion.PVP2AssertionBuilder; diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java index 6abc60c46..49275c6eb 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/FederatedAuthenticationModuleImpl.java @@ -22,8 +22,8 @@ */ package at.gv.egovernment.moa.id.auth.modules.federatedauth; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.modules.AuthModule; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.process.api.ExecutionContext; /** diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java index 0f2c85350..0cee2dde3 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java @@ -34,7 +34,7 @@ import org.opensaml.xml.security.credential.Credential; import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; -import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException; diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java index c06800079..98240a636 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/controller/FederatedAuthMetadataController.java @@ -36,7 +36,7 @@ import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstant import at.gv.egovernment.moa.id.auth.modules.federatedauth.config.FederatedAuthMetadataConfiguration; import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; import at.gv.egovernment.moa.id.auth.servlet.AbstractController; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPMetadataBuilder; import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration; import at.gv.egovernment.moa.id.util.HTTPUtils; diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java index 06664af45..d581e7e75 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/CreateAuthnRequestTask.java @@ -35,15 +35,14 @@ import org.opensaml.xml.security.SecurityException; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.id.auth.modules.federatedauth.config.FederatedAuthnRequestBuilderConfiguration; import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.process.api.ExecutionContext; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; @@ -82,7 +81,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { } //load IDP configuration from MOA-ID Configuration - OAAuthParameter idpConfig = authConfig.getOnlineApplicationParameter(idpEntityID); + IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(idpEntityID); //validate IDP if (!idpConfig.isInderfederationIDP() || !idpConfig.isInboundSSOInterfederationAllowed()) { Logger.info("Requested interfederation IDP " + idpEntityID + " is not valid for interfederation."); @@ -139,7 +138,7 @@ public class CreateAuthnRequestTask extends AbstractAuthServletTask { * @param objects * @throws AuthnRequestBuildException */ - private void handleAuthnRequestBuildProblem(ExecutionContext executionContext, OAAuthParameter idpConfig, String msgCode, Object[] objects) throws AuthnRequestBuildException { + private void handleAuthnRequestBuildProblem(ExecutionContext executionContext, IOAAuthParameters idpConfig, String msgCode, Object[] objects) throws AuthnRequestBuildException { if (idpConfig.isPerformLocalAuthenticationOnInterfederationError()) { Logger.info("Switch to local authentication on this IDP ... "); diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java index 01163efd6..1c3134b77 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java @@ -41,20 +41,19 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; import at.gv.egovernment.moa.id.auth.exception.BuildException; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; -import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException; import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask; import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException; import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageException; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.moduls.SSOManager; import at.gv.egovernment.moa.id.process.api.ExecutionContext; @@ -225,7 +224,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { } catch (AssertionValidationExeption | AuthnResponseValidationException e) { Logger.info("PVP response validation FAILED. Msg:" + e.getMessage()); if (msg != null) { - OAAuthParameter idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID()); + IOAAuthParameters idpConfig = authConfig.getOnlineApplicationParameter(msg.getEntityID()); //remove federated IDP from SSO session if exists ssoManager.removeInterfederatedSSOIDP(msg.getEntityID(), request); @@ -313,7 +312,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask { * @throws TaskExecutionException * @throws Throwable */ - private void handleAuthnResponseValidationProblem(ExecutionContext executionContext, OAAuthParameter idpConfig, Throwable e) throws TaskExecutionException { + private void handleAuthnResponseValidationProblem(ExecutionContext executionContext, IOAAuthParameters idpConfig, Throwable e) throws TaskExecutionException { if (idpConfig != null && idpConfig.isPerformLocalAuthenticationOnInterfederationError()) { Logger.info("Switch to local authentication on this IDP ... "); diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java index 1168250ad..aac253083 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/utils/FederatedAuthCredentialProvider.java @@ -26,7 +26,7 @@ import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.protocols.pvp2x.signer.AbstractCredentialProvider; import at.gv.egovernment.moa.util.FileUtils; diff --git a/id/server/modules/moa-id-modules-saml1/pom.xml b/id/server/modules/moa-id-modules-saml1/pom.xml index f19802a01..323edee8d 100644 --- a/id/server/modules/moa-id-modules-saml1/pom.xml +++ b/id/server/modules/moa-id-modules-saml1/pom.xml @@ -44,6 +44,13 @@ test --> + + MOA.id.server + moa-id-commons + test + test-jar + + MOA.id.server.modules moa-id-modul-citizencard_authentication diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java index b184aa4fe..c421bf8cc 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetArtifactAction.java @@ -30,17 +30,17 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants; import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; import at.gv.egovernment.moa.id.data.IAuthData; import at.gv.egovernment.moa.id.data.SLOInformationImpl; import at.gv.egovernment.moa.id.data.SLOInformationInterface; import at.gv.egovernment.moa.id.moduls.IAction; -import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.URLEncoder; import eu.eidas.auth.commons.IPersonalAttributeList; diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java index fc5837e51..b01ea666d 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/GetAuthenticationDataService.java @@ -71,13 +71,13 @@ import org.xml.sax.SAXException; import at.gv.egovernment.moa.id.auth.builder.SAMLResponseBuilder; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; +import at.gv.egovernment.moa.id.auth.frontend.velocity.VelocityProvider; import at.gv.egovernment.moa.id.auth.servlet.AbstractController; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; +import at.gv.egovernment.moa.id.commons.utils.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.ErrorResponseUtils; import at.gv.egovernment.moa.id.util.HTTPUtils; -import at.gv.egovernment.moa.id.util.MOAIDMessageProvider; import at.gv.egovernment.moa.id.util.Random; -import at.gv.egovernment.moa.id.util.VelocityProvider; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java index 9d0dac0f8..0ec0d95a2 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1AuthenticationServer.java @@ -46,7 +46,6 @@ import org.xml.sax.SAXException; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandator; import at.gv.egovernment.moa.id.auth.AuthenticationServer; -import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants; import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataAssertionBuilder; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.builder.PersonDataBuilder; @@ -61,13 +60,14 @@ import at.gv.egovernment.moa.id.auth.exception.ServiceException; import at.gv.egovernment.moa.id.auth.exception.ValidateException; import at.gv.egovernment.moa.id.auth.parser.SAMLArtifactParser; import at.gv.egovernment.moa.id.auth.validator.parep.ParepUtils; +import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; -import at.gv.egovernment.moa.id.config.auth.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.data.AuthenticationData; import at.gv.egovernment.moa.id.data.IAuthData; -import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.storage.ITransactionStorage; import at.gv.egovernment.moa.id.util.Random; diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java index 8cc894040..37d66d29b 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1Protocol.java @@ -37,14 +37,14 @@ import org.springframework.web.bind.annotation.RequestMethod; import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants; import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException; -import at.gv.egovernment.moa.id.auth.exception.MOAIDException; import at.gv.egovernment.moa.id.auth.exception.ProtocolNotActiveException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.auth.servlet.RedirectServlet; +import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; +import at.gv.egovernment.moa.id.commons.api.IRequest; +import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; +import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; -import at.gv.egovernment.moa.id.config.auth.data.SAML1ConfigurationParameters; -import at.gv.egovernment.moa.id.moduls.IRequest; import at.gv.egovernment.moa.id.protocols.AbstractAuthProtocolModulController; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; @@ -163,8 +163,7 @@ public class SAML1Protocol extends AbstractAuthProtocolModulController { //load Target only from OA config - OAAuthParameter oaParam = AuthConfigurationProviderFactory.getInstance() - .getOnlineApplicationParameter(oaURL); + IOAAuthParameters oaParam = authConfig.getOnlineApplicationParameter(oaURL); if (oaParam == null) throw new InvalidProtocolRequestException("auth.00", diff --git a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java index d93aebcec..42fafc01e 100644 --- a/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java +++ b/id/server/modules/moa-id-modules-saml1/src/main/java/at/gv/egovernment/moa/id/protocols/saml1/SAML1RequestImpl.java @@ -30,7 +30,7 @@ import org.springframework.beans.factory.config.BeanDefinition; import org.springframework.context.annotation.Scope; import org.springframework.stereotype.Component; -import at.gv.egovernment.moa.id.config.auth.data.SAML1ConfigurationParameters; +import at.gv.egovernment.moa.id.commons.api.data.SAML1ConfigurationParameters; import at.gv.egovernment.moa.id.moduls.RequestImpl; import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants; diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringServlet.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringServlet.java index 4e5bed97c..70448ef09 100644 --- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringServlet.java +++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/auth/servlet/MonitoringServlet.java @@ -36,8 +36,8 @@ import org.springframework.stereotype.Controller; import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.monitoring.TestManager; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/DatabaseTestModule.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/DatabaseTestModule.java index 13fb59038..5e4183146 100644 --- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/DatabaseTestModule.java +++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/DatabaseTestModule.java @@ -29,11 +29,11 @@ import java.util.List; import org.hibernate.Query; import org.hibernate.Session; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.db.MOASessionDBUtils; import at.gv.egovernment.moa.id.commons.db.StatisticLogDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.session.AssertionStore; import at.gv.egovernment.moa.id.commons.db.dao.statistic.StatisticLog; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java index 824791797..7994e7a06 100644 --- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java +++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/IdentityLinkTestModule.java @@ -37,9 +37,8 @@ import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser; import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; import at.gv.egovernment.moa.id.auth.validator.VerifyXMLSignatureResponseValidator; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; -import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters; import at.gv.egovernment.moa.id.config.auth.data.DynamicOAAuthParameters; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; @@ -71,7 +70,7 @@ public class IdentityLinkTestModule implements TestModuleInterface { .getMoaSpIdentityLinkTrustProfileID(false)); // invokes the call - Element domVerifyXMLSignatureResponse = new SignatureVerificationInvoker() + Element domVerifyXMLSignatureResponse = SignatureVerificationInvoker.getInstance() .verifyXMLSignature(domVerifyXMLSignatureRequest); // parses the try { diff --git a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/TestManager.java b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/TestManager.java index 3c2b143b3..b25eed520 100644 --- a/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/TestManager.java +++ b/id/server/modules/module-monitoring/src/main/java/at/gv/egovernment/moa/id/monitoring/TestManager.java @@ -27,8 +27,8 @@ import java.util.HashMap; import java.util.List; import java.util.Map; -import at.gv.egovernment.moa.id.config.ConfigurationException; -import at.gv.egovernment.moa.id.config.auth.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; +import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.FileUtils; diff --git a/id/server/pom.xml b/id/server/pom.xml index 2fbd3dd06..56d317cf5 100644 --- a/id/server/pom.xml +++ b/id/server/pom.xml @@ -18,11 +18,11 @@ + moa-id-spring-initializer + moa-id-frontend-resources idserverlib moa-id-commons - modules - moa-id-spring-initializer - moa-id-frontend-resources + modules auth-final auth-edu -- cgit v1.2.3 From db813d7524890a60bbd13f60c9c448dc1ef6cfd6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Wed, 23 Mar 2016 15:16:19 +0100 Subject: add additional parameters to ELGA mandate-service client implementation --- .../pvp2x/builder/PVPAuthnRequestBuilder.java | 16 ++++ .../pvp2x/builder/PVPMetadataBuilder.java | 6 +- .../pvp2x/config/IDPPVPMetadataConfiguration.java | 16 ++++ .../IPVPAuthnRequestBuilderConfiguruation.java | 18 +++- .../config/IPVPMetadataBuilderConfiguration.java | 14 +++ .../id/protocols/eidas/EidasMetaDataRequest.java | 9 +- .../elgamandates/ELGAMandatesAuthConstants.java | 7 ++ .../config/ELGAMandatesMetadataConfiguration.java | 26 +++++- .../ELGAMandatesRequestBuilderConfiguration.java | 103 +++++++++++++++++++-- .../elgamandates/tasks/RequestELGAMandateTask.java | 16 +++- .../config/FederatedAuthMetadataConfiguration.java | 19 +++- .../FederatedAuthnRequestBuilderConfiguration.java | 17 ++++ 12 files changed, 245 insertions(+), 22 deletions(-) (limited to 'id/server/modules/moa-id-modules-federated_authentication/src/main') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java index ba5c19de7..01ef4a43d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPAuthnRequestBuilder.java @@ -38,6 +38,8 @@ import org.opensaml.saml2.core.NameIDPolicy; import org.opensaml.saml2.core.NameIDType; import org.opensaml.saml2.core.RequestedAuthnContext; import org.opensaml.saml2.core.Subject; +import org.opensaml.saml2.core.SubjectConfirmation; +import org.opensaml.saml2.core.SubjectConfirmationData; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.SingleSignOnService; import org.opensaml.ws.message.encoder.MessageEncodingException; @@ -175,6 +177,20 @@ public class PVPAuthnRequestBuilder { subjectNameID.setFormat(NameID.TRANSIENT); reqSubject.setNameID(subjectNameID); + + if (config.getSubjectConformationDate() != null) { + SubjectConfirmation subjectConformation = SAML2Utils.createSAMLObject(SubjectConfirmation.class); + SubjectConfirmationData subjectConformDate = SAML2Utils.createSAMLObject(SubjectConfirmationData.class); + subjectConformation.setSubjectConfirmationData(subjectConformDate); + reqSubject.getSubjectConfirmations().add(subjectConformation ); + + if (config.getSubjectConformationMethode() != null) + subjectConformation.setMethod(config.getSubjectConformationMethode()); + + subjectConformDate.setDOM(config.getSubjectConformationDate()); + + } + authReq.setSubject(reqSubject ); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java index 62e3b9620..ab96e4df7 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/PVPMetadataBuilder.java @@ -214,8 +214,8 @@ public class PVPMetadataBuilder { private RoleDescriptor generateSPMetadata(IPVPMetadataBuilderConfiguration config) throws CredentialsNotAvailableException, SecurityException, ConfigurationException { SPSSODescriptor spSSODescriptor = SAML2Utils.createSAMLObject(SPSSODescriptor.class); spSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); - spSSODescriptor.setAuthnRequestsSigned(true); - spSSODescriptor.setWantAssertionsSigned(false); + spSSODescriptor.setAuthnRequestsSigned(config.wantAuthnRequestSigned()); + spSSODescriptor.setWantAssertionsSigned(config.wantAssertionSigned()); KeyInfoGenerator keyInfoGenerator = keyInfoFactory.newInstance(); @@ -367,7 +367,7 @@ public class PVPMetadataBuilder { idpSSODescriptor.addSupportedProtocol(SAMLConstants.SAML20P_NS); //set ass default value, because PVP 2.x specification defines this feature as MUST - idpSSODescriptor.setWantAuthnRequestsSigned(true); + idpSSODescriptor.setWantAuthnRequestsSigned(config.wantAuthnRequestSigned()); // add WebSSO descriptor for POST-Binding if (MiscUtil.isNotEmpty(config.getIDPWebSSOPostBindingURL())) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java index 5bb1131a6..c0fb5bf5b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IDPPVPMetadataConfiguration.java @@ -300,4 +300,20 @@ public class IDPPVPMetadataConfiguration implements IPVPMetadataBuilderConfigura return "MOA-ID-Auth"; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAssertionSigned() + */ + @Override + public boolean wantAssertionSigned() { + return false; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned() + */ + @Override + public boolean wantAuthnRequestSigned() { + return true; + } + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java index 6e1798ed1..814a2387d 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPAuthnRequestBuilderConfiguruation.java @@ -25,6 +25,7 @@ package at.gv.egovernment.moa.id.protocols.pvp2x.config; import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.xml.security.credential.Credential; +import org.w3c.dom.Element; /** * @author tlenz @@ -136,11 +137,26 @@ public interface IPVPAuthnRequestBuilderConfiguruation { public String getSubjectNameIDFormat(); /** - * Define a SP specific SAMK2 requestID + * Define a SP specific SAML2 requestID * * @return requestID, or null if the requestID should be generated automatically */ public String getRequestID(); + /** + * Defines the 'method' attribute in 'SubjectConformation' element + * + * @return method, or null if no method should set + */ + public String getSubjectConformationMethode(); + + /** + * Define the information, which should be added as 'subjectConformationDate' + * in 'SubjectConformation' element + * + * @return subjectConformation information or null if no subjectConformation should be set + */ + public Element getSubjectConformationDate(); + } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java index 56274535b..3a8404cae 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/IPVPMetadataBuilderConfiguration.java @@ -221,4 +221,18 @@ public interface IPVPMetadataBuilderConfiguration { * @return a List of SAML2 nameID types */ public List getSPAllowedNameITTypes(); + + /** + * Set the 'wantAssertionSigned' attribute in SP metadata + * + * @return + */ + public boolean wantAssertionSigned(); + + /** + * Set the 'wantAuthnRequestSigned' attribute + * + * @return + */ + public boolean wantAuthnRequestSigned(); } diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java index 55f4f44d4..557b83487 100644 --- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java +++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/protocols/eidas/EidasMetaDataRequest.java @@ -104,13 +104,14 @@ public class EidasMetaDataRequest implements IAction { generator.setConfigParams(mcp); generator.initialize(engine); mcp.setEntityID(metadata_url); - - generator.addSPRole(); + String returnUrl = sp_return_url; mcp.setAssertionConsumerUrl(returnUrl); - - generator.addIDPRole(); mcp.setAssuranceLevel("http://eidas.europa.eu/LoA/substantial"); // TODO make configurable + + generator.addSPRole(); + generator.addIDPRole(); + metadata = generator.generateMetadata(); return metadata; diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java index 60dd95338..7ca4590bb 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/ELGAMandatesAuthConstants.java @@ -98,6 +98,13 @@ public class ELGAMandatesAuthConstants { public static final String CONFIG_DEFAULT_QAA_STORK_LEVEL = "http://www.stork.gov.eu/1.0/citizenQAALevel/4"; public static final String CONFIG_DEFAULT_QAA_SECCLASS_LEVEL = "http://www.ref.gv.at/ns/names/agiz/pvp/secclass/0-3"; + public static final String SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE = "rc"; + public static final String SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE_URI = "http://egiz.gv.at/namespace/subjectconformationdate/elga"; + public static final String SUBJECTCONFORMATIONDATE_ELEMENT_ROOT = SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE + ":Representative"; + public static final String SUBJECTCONFORMATIONDATE_ELEMENT_FAMILYNAME = SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE + ":FamilyName"; + public static final String SUBJECTCONFORMATIONDATE_ELEMENT_GIVENNAME = SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE + ":GivenName"; + public static final String SUBJECTCONFORMATIONDATE_ELEMENT_DATEOFBIRTH = SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE + ":DateOfBirth"; + public static List getRequiredAttributeNames() { List list = new ArrayList(); for (Pair el : REQUIRED_PVP_ATTRIBUTES) diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java index 22cb22c6d..5743590f9 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesMetadataConfiguration.java @@ -223,7 +223,8 @@ public class ELGAMandatesMetadataConfiguration implements IPVPMetadataBuilderCon */ @Override public String getSPSLOPostBindingURL() { - return authURL + ELGAMandatesAuthConstants.ENDPOINT_POST; + //return authURL + ELGAMandatesAuthConstants.ENDPOINT_POST; + return null; } /* (non-Javadoc) @@ -231,7 +232,8 @@ public class ELGAMandatesMetadataConfiguration implements IPVPMetadataBuilderCon */ @Override public String getSPSLORedirectBindingURL() { - return authURL + ELGAMandatesAuthConstants.ENDPOINT_REDIRECT; + //return authURL + ELGAMandatesAuthConstants.ENDPOINT_REDIRECT; + return null; } /* (non-Javadoc) @@ -288,4 +290,24 @@ public class ELGAMandatesMetadataConfiguration implements IPVPMetadataBuilderCon public String getSPNameForLogging() { return ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING; } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAssertionSigned() + */ + @Override + public boolean wantAssertionSigned() { + return true; + + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned() + */ + @Override + public boolean wantAuthnRequestSigned() { + return true; + + } } diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java index 320c4fdc6..60025075f 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/config/ELGAMandatesRequestBuilderConfiguration.java @@ -22,13 +22,26 @@ */ package at.gv.egovernment.moa.id.auth.modules.elgamandates.config; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; + +import org.opensaml.Configuration; import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; import org.opensaml.saml2.core.NameID; +import org.opensaml.saml2.core.SubjectConfirmation; +import org.opensaml.saml2.core.SubjectConfirmationData; import org.opensaml.saml2.metadata.EntityDescriptor; +import org.opensaml.xml.io.Marshaller; +import org.opensaml.xml.io.MarshallingException; import org.opensaml.xml.security.credential.Credential; +import org.w3c.dom.Document; +import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.modules.elgamandates.ELGAMandatesAuthConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation; +import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils; +import at.gv.egovernment.moa.logging.Logger; /** * @author tlenz @@ -36,14 +49,15 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderCo */ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequestBuilderConfiguruation { - private boolean isPassive; - private String SPEntityID; - private String QAA_Level; - private EntityDescriptor idpEntity; - private Credential signCred; - private String subjectNameID; - private String subjectNameIDQualifier; - private String requestID; + private boolean isPassive = false; + private String SPEntityID = null; + private String QAA_Level = null; + private EntityDescriptor idpEntity = null; + private Credential signCred = null; + private String subjectNameID = null; + private String subjectNameIDQualifier = null; + private String requestID = null; + private Element subjectConformationDate = null; /* (non-Javadoc) @@ -216,8 +230,77 @@ public class ELGAMandatesRequestBuilderConfiguration implements IPVPAuthnRequest public void setSubjectNameIDQualifier(String subjectNameIDQualifier) { this.subjectNameIDQualifier = subjectNameIDQualifier; } - - + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode() + */ + @Override + public String getSubjectConformationMethode() { + return SubjectConfirmation.METHOD_BEARER; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate() + */ + @Override + public Element getSubjectConformationDate() { + return subjectConformationDate; + } + + /** + * @param subjectConformationDate the subjectConformationDate to set + */ + public void setSubjectConformationDate(String givenName, String familyName, String dateOfBirth) { + try { + SubjectConfirmationData subjectConformDate = SAML2Utils.createSAMLObject(SubjectConfirmationData.class); + + DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); + dbf.setNamespaceAware(true); + DocumentBuilder builder = dbf.newDocumentBuilder(); + Document doc = builder.newDocument(); + + Marshaller out = Configuration.getMarshallerFactory() + .getMarshaller(subjectConformDate); + out.marshall(subjectConformDate, doc); + + //build root element + Element rootDom = doc.createElementNS( + ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE_URI, + ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_ROOT); + rootDom.setPrefix(ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE); + rootDom.setAttributeNS("http://www.w3.org/2000/xmlns/", + "xmlns:" + ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE, + ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE_URI); + + //build personal information + Element familyNameDom = doc.createElement(ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_FAMILYNAME); + //familyNameDom.setPrefix(ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE); + familyNameDom.setTextContent(familyName); + + Element givenNameDom = doc.createElement(ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_GIVENNAME); + //givenNameDom.setPrefix(ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE); + givenNameDom.setTextContent(givenName); + + Element dateOfBirthDom = doc.createElement(ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_DATEOFBIRTH); + //dateOfBirthDom.setPrefix(ELGAMandatesAuthConstants.SUBJECTCONFORMATIONDATE_ELEMENT_NAMESPACE); + dateOfBirthDom.setTextContent(dateOfBirth); + + //add information to root element + doc.getFirstChild().appendChild(rootDom); + rootDom.appendChild(givenNameDom); + rootDom.appendChild(familyNameDom); + rootDom.appendChild(dateOfBirthDom); + + this.subjectConformationDate = doc.getDocumentElement(); + + } catch (ParserConfigurationException | MarshallingException e) { + Logger.error("Can not generate 'SubjectConformationDate' for " + + ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING); + + } + + + } + } diff --git a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java index 5d98eb46e..6a7858575 100644 --- a/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java +++ b/id/server/modules/moa-id-module-elga_mandate_service/src/main/java/at/gv/egovernment/moa/id/auth/modules/elgamandates/tasks/RequestELGAMandateTask.java @@ -122,7 +122,15 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask { } } - + + //check if identityLink exists in moaSession DAO + if (moasession.getIdentityLink() == null) { + Logger.error("Connect ELGA Mandate-Service FAILED -> NO identityLink in moaSession DAO"); + throw new MOAIDException("service.10", + new Object[]{ELGAMandatesAuthConstants.MODULE_NAME_FOR_LOGGING, "NO identityLink in moaSession DAO."}); + + } + String sourcePinType = moasession.getIdentityLink().getIdentificationType(); String sourcePinValue = moasession.getIdentityLink().getIdentificationValue(); if (sourcePinType.startsWith(Constants.URN_PREFIX_BASEID)) { @@ -152,6 +160,12 @@ public class RequestELGAMandateTask extends AbstractAuthServletTask { PVPTargetConfiguration.DATAID_INTERFEDERATION_REQUESTID, authnReqConfig.getRequestID()); + //set SubjectConformationDate + authnReqConfig.setSubjectConformationDate( + moasession.getIdentityLink().getGivenName(), + moasession.getIdentityLink().getFamilyName(), + moasession.getIdentityLink().getDateOfBirth()); + //store pending-request requestStoreage.storePendingRequest(pendingReq); diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java index 0cee2dde3..c3d5e8032 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java @@ -263,7 +263,6 @@ public class FederatedAuthMetadataConfiguration implements IPVPMetadataBuilderCo */ @Override public List getSPRequiredAttributes() { - // TODO Auto-generated method stub return null; } @@ -287,4 +286,22 @@ public class FederatedAuthMetadataConfiguration implements IPVPMetadataBuilderCo return FederatedAuthConstants.MODULE_NAME_FOR_LOGGING; } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAssertionSigned() + */ + @Override + public boolean wantAssertionSigned() { + return false; + } + + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration#wantAuthnRequestSigned() + */ + @Override + public boolean wantAuthnRequestSigned() { + return true; + } + } diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java index 19eae06d7..000590923 100644 --- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java +++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java @@ -26,6 +26,7 @@ import org.opensaml.saml2.core.AuthnContextComparisonTypeEnumeration; import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.xml.security.credential.Credential; +import org.w3c.dom.Element; import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants; import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation; @@ -190,5 +191,21 @@ public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnReque return null; } + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationMethode() + */ + @Override + public String getSubjectConformationMethode() { + return null; + } + + /* (non-Javadoc) + * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectConformationDate() + */ + @Override + public Element getSubjectConformationDate() { + return null; + } + } -- cgit v1.2.3