From b9937af42fdab6b85aa1121148bda474c70f5e75 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 8 Mar 2016 11:10:19 +0100
Subject: finish first beta-version of ELGA mandate-service client-module

---
 .../FederatedAuthnRequestBuilderConfiguration.java | 17 +++-
 .../tasks/ReceiveAuthnResponseTask.java            | 94 +++++++---------------
 2 files changed, 47 insertions(+), 64 deletions(-)

(limited to 'id/server/modules/moa-id-modules-federated_authentication/src')

diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
index 4ae162f5a..19eae06d7 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthnRequestBuilderConfiguration.java
@@ -171,7 +171,22 @@ public class FederatedAuthnRequestBuilderConfiguration implements IPVPAuthnReque
 	 */
 	@Override
 	public String getSubjectNameIDFormat() {
-		// TODO Auto-generated method stub
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getRequestID()
+	 */
+	@Override
+	public String getRequestID() {
+		return null;
+	}
+
+	/* (non-Javadoc)
+	 * @see at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPAuthnRequestBuilderConfiguruation#getSubjectNameIDQualifier()
+	 */
+	@Override
+	public String getSubjectNameIDQualifier() {
 		return null;
 	}
 
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
index a07a87c2b..d5c5354c0 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -32,12 +32,9 @@ import javax.servlet.http.HttpServletResponse;
 import javax.xml.transform.TransformerException;
 
 import org.opensaml.saml2.core.Attribute;
-import org.opensaml.saml2.core.AttributeQuery;
 import org.opensaml.saml2.core.Response;
 import org.opensaml.saml2.core.StatusCode;
 import org.opensaml.ws.message.decoder.MessageDecodingException;
-import org.opensaml.ws.soap.common.SOAPException;
-import org.opensaml.xml.XMLObject;
 import org.opensaml.xml.io.MarshallingException;
 import org.opensaml.xml.security.SecurityException;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -45,8 +42,11 @@ import org.springframework.stereotype.Component;
 
 import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
 import at.gv.egovernment.moa.id.auth.MOAIDAuthConstants;
+import at.gv.egovernment.moa.id.auth.builder.AuthenticationDataBuilder;
+import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionStorageConstants;
 import at.gv.egovernment.moa.id.auth.exception.BuildException;
 import at.gv.egovernment.moa.id.auth.exception.InvalidProtocolRequestException;
+import at.gv.egovernment.moa.id.auth.exception.MOAIDException;
 import at.gv.egovernment.moa.id.auth.exception.SessionDataStorageException;
 import at.gv.egovernment.moa.id.auth.modules.AbstractAuthServletTask;
 import at.gv.egovernment.moa.id.auth.modules.TaskExecutionException;
@@ -55,12 +55,12 @@ import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCr
 import at.gv.egovernment.moa.id.config.ConfigurationException;
 import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
 import at.gv.egovernment.moa.id.config.auth.OAAuthParameter;
-import at.gv.egovernment.moa.id.data.FederatedAuthenticatenContainer;
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.moduls.SSOManager;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
+import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.PostBinding;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.RedirectBinding;
 import at.gv.egovernment.moa.id.protocols.pvp2x.builder.AttributQueryBuilder;
@@ -73,11 +73,9 @@ import at.gv.egovernment.moa.id.protocols.pvp2x.messages.MOAResponse;
 import at.gv.egovernment.moa.id.protocols.pvp2x.metadata.MOAMetadataProvider;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.AssertionAttributeExtractor;
-import at.gv.egovernment.moa.id.protocols.pvp2x.utils.MOASAMLSOAPClient;
 import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
-import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngine;
+import at.gv.egovernment.moa.id.protocols.pvp2x.verification.SAMLVerificationEngineSP;
 import at.gv.egovernment.moa.id.protocols.pvp2x.verification.TrustEngineFactory;
-import at.gv.egovernment.moa.id.storage.ITransactionStorage;
 import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 
@@ -88,11 +86,12 @@ import at.gv.egovernment.moa.util.MiscUtil;
 @Component("ReceiveFederatedAuthnResponseTask")
 public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 
-	@Autowired private SAMLVerificationEngine samlVerificationEngine;
+	@Autowired private SAMLVerificationEngineSP samlVerificationEngine;
 	@Autowired private FederatedAuthCredentialProvider credentialProvider;
 	@Autowired private SSOManager ssoManager;
 	@Autowired private AttributQueryBuilder attributQueryBuilder;
-	@Autowired private ITransactionStorage transactionStorage;
+	@Autowired private AuthenticationDataBuilder authDataBuilder;
+	
 	
 	
 	/* (non-Javadoc)
@@ -106,13 +105,16 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 		try {
 			
 			IDecoder decoder = null;
+			MOAURICompare comperator = null;
 			//select Response Binding
 			if (request.getMethod().equalsIgnoreCase("POST")) {
 				decoder = new PostBinding();
+				comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_POST);
 				Logger.trace("Receive PVP Response from federated IDP, by using POST-Binding.");
 				
 			}  else if (request.getMethod().equalsIgnoreCase("GET")) {
 				decoder = new RedirectBinding();
+				comperator = new MOAURICompare(pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_REDIRECT);
 				Logger.trace("Receive PVP Response from federated IDP, by using Redirect-Binding.");
 				
 			} else {
@@ -123,7 +125,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 			}
 			
 			//decode PVP response object
-			msg = (InboundMessage) decoder.decode(request, response, MOAMetadataProvider.getInstance(), true);
+			msg = (InboundMessage) decoder.decode(
+					request, response, MOAMetadataProvider.getInstance(), true,
+					comperator);
 			 
 			if (MiscUtil.isEmpty(msg.getEntityID())) {
 				throw new InvalidProtocolRequestException("sp.pvp2.04", new Object[] {FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
@@ -179,8 +183,7 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 			} else {
 				//SP is real Service-Provider  --> check attributes in response 
 				// and start Attribute-Query if required 
-				
-				//get authenticationData and store it into MOASession
+												
 				getAuthDataFromInterfederation(extractor, pendingReq.getOnlineApplicationConfiguration(), 
 						idpConfig);	
 
@@ -197,7 +200,8 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 
 			//store valid assertion into pending-request
 			pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_RESPONSE, processedMsg);
-						
+			pendingReq.setGenericDataToSession(RequestImpl.DATAID_INTERFEDERATIOIDP_ENTITYID, processedMsg.getEntityID());
+			
 			//store pending-request
 			requestStoreage.storePendingRequest(pendingReq);
 			
@@ -245,55 +249,17 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 		try {
 			Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");
 			Collection<String> requestedAttr = pendingReq.getRequestedAttributes();
-							
+						
 			//check if SAML2 Assertion contains a minimal set of attributes
 			if (!extractor.containsAllRequiredAttributes()) {
-				Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
-				//collect attributes by using BackChannel communication
-				String endpoint = idpConfig.getIDPAttributQueryServiceURL();			
-				if (MiscUtil.isEmpty(endpoint)) {
-					Logger.error("No AttributeQueryURL for interfederationIDP " + idpConfig.getPublicURLPrefix());
-					throw new ConfigurationException("config.26", new Object[]{idpConfig.getPublicURLPrefix()});
-					
-				}
-													
+				Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");				
+				
 				//build attributQuery request
 				List<Attribute> attributs = 
 						attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator());
-				AttributeQuery query = 
-						attributQueryBuilder.buildAttributQueryRequest(extractor.getNameID(), endpoint, attributs);
-			
-				//build SOAP request				
-				List<XMLObject> xmlObjects = MOASAMLSOAPClient.send(endpoint, query);
 			
-				if (xmlObjects.size() == 0) {
-					Logger.error("Receive emptry AttributeQuery response-body.");
-					throw new AttributQueryException("Receive emptry AttributeQuery response-body.", null);
-				
-				}
-			
-				if (xmlObjects.get(0) instanceof Response) {
-					Response intfResp = (Response) xmlObjects.get(0);
-				
-					//validate PVP 2.1 response
-					try {
-						samlVerificationEngine.verifyIDPResponse(intfResp, 
-								TrustEngineFactory.getSignatureKnownKeysTrustEngine(
-										MOAMetadataProvider.getInstance()));
-						
-						//create assertion attribute extractor from AttributeQuery response
-						extractor = new AssertionAttributeExtractor(intfResp);
-										
-					} catch (Exception e) {
-						Logger.warn("PVP 2.1 assertion validation FAILED.", e);
-						throw new AssertionValidationExeption("PVP 2.1 assertion validation FAILED.", null, e);
-					}
-												
-				} else {
-					Logger.error("Receive AttributeQuery response-body include no PVP 2.1 response");
-					throw new AttributQueryException("Receive AttributeQuery response-body include no PVP 2.1 response.", null);
-				
-				}
+				//request IDP to get additional attributes
+				extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), idpConfig);
 								
 			} else {
 				Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. ");
@@ -314,14 +280,13 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 				moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el));
 				Logger.debug("Add PVP-attribute " + el + " into MOASession");
 				
-			}	
-									
-		} catch (SOAPException e) {
-			throw new BuildException("builder.06", null, e);
-			
-		} catch (SecurityException e) {
-			throw new BuildException("builder.06", null, e);
+			}
 			
+			//set validTo from this federated IDP response
+			moasession.setGenericDataToSession(
+					AuthenticationSessionStorageConstants.FEDERATION_RESPONSE_VALIDE_TO, 
+					extractor.getAssertionNotOnOrAfter());
+									
 		} catch (AttributQueryException e) {
 			throw new BuildException("builder.06", null, e);
 			
@@ -334,6 +299,9 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 		} catch (AssertionAttributeExtractorExeption e) {
 			throw new BuildException("builder.06", null, e);
 			
+		} catch (MOAIDException e) {
+			throw new BuildException("builder.06", null, e);
+			
 		}
 	}
 	
-- 
cgit v1.2.3