From 3139b9126ae10976848be640d2b8648401e36137 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Tue, 16 Aug 2016 10:22:49 +0200
Subject: add eIDAS response LoA validation
---
 .../eidas/tasks/ReceiveAuthnResponseTask.java | 28 ++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
(limited to 'id/server/modules')
diff --git a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
index fd7a19be8..7ba5aee1e 100644
--- a/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-module-eIDAS/src/main/java/at/gv/egovernment/moa/id/auth/modules/eidas/tasks/ReceiveAuthnResponseTask.java
@@ -24,6 +24,7 @@ import at.gv.egovernment.moa.logging.Logger;
 import at.gv.egovernment.moa.util.MiscUtil;
 import eu.eidas.auth.commons.EidasStringUtil;
 import eu.eidas.auth.commons.protocol.IAuthenticationResponse;
+import eu.eidas.auth.commons.protocol.eidas.LevelOfAssurance;
 import eu.eidas.auth.engine.ProtocolEngineI;
 import eu.eidas.engine.exceptions.EIDASSAMLEngineException;
 
@@ -73,13 +74,29 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 throw new EIDASResponseNotSuccessException("eIDAS.11", new Object[]{samlResp.getStatusMessage()});
 }
+
+ // **********************************************************
+ // ******* MOA-ID specific response validation **********
+ // **********************************************************
+
+ //validate received LoA against minimum required LoA
+ LevelOfAssurance reqLoA = LevelOfAssurance.fromString(pendingReq.getOnlineApplicationConfiguration().getQaaLevel());
+ LevelOfAssurance respLoA = LevelOfAssurance.fromString(samlResp.getLevelOfAssurance());
+ if (respLoA.numericValue() < reqLoA.numericValue()) {
+ Logger.error("eIDAS Response LevelOfAssurance is lower than the required! " + + "(Resp-LoA:" + respLoA.getValue() + " Req-LoA:" + reqLoA.getValue() + ")");
+ throw new MOAIDException("eIDAS.14", new Object[]{respLoA.getValue()});
+
+ }
+
- //MOA-ID specific response validation
- //TODO: implement MOA-ID specific response validation
+ // **********************************************************
+ // ******* Store resonse infos into session object **********
+ // **********************************************************
 //update MOA-Session data with received information
 Logger.debug("Store eIDAS response information into MOA-session.");
-
+ moasession.setQAALevel(samlResp.getLevelOfAssurance());
 moasession.setGenericDataToSession(
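Review bot: The two `LevelOfAssurance.fromString(...)` results are dereferenced in the `if` without a null check, so a response that carries no LoA element or an unrecognised LoA URI, or an online-application configuration whose `getQaaLevel()` is unset or unparseable, would end in a `NullPointerException` at `respLoA.numericValue()` rather than in the intended "eIDAS.14" rejection — presuming `fromString` returns null for unknown input, which its signature suggests but the hunk does not show. None of the catch branches visible in the following hunk (MOAIDException, EIDASSAMLEngineException, MOADatabaseException) would catch that, so the task fails with an unhandled runtime exception and no revisions-log entry. Failing closed keeps the comparison meaningful: `if (reqLoA == null || respLoA == null) { Logger.error("eIDAS Response or OA configuration has no usable LevelOfAssurance (Resp-LoA:" + samlResp.getLevelOfAssurance() + " Req-LoA:" + pendingReq.getOnlineApplicationConfiguration().getQaaLevel() + ")"); throw new MOAIDException("eIDAS.14", new Object[]{samlResp.getLevelOfAssurance()}); }` placed before the numeric comparison. As a point of style, the new banner comment reads "Store resonse infos" and should say "response". The enclosing try block starts before this hunk and its catch branches lie in the next one.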
@@ -99,12 +116,15 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED, samlResp.getId());
+
+ } catch (MOAIDException e) {
+ throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.", e);
 }catch (EIDASSAMLEngineException e) {
 Logger.error("eIDAS AuthnRequest generation FAILED.", e);
 revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED_ERROR);
- throw new TaskExecutionException(pendingReq, "eIDAS AuthnRequest generation FAILED.",
+ throw new TaskExecutionException(pendingReq, "eIDAS Response processing FAILED.",
 new EIDASEngineException("eIDAS.09", new Object[]{e.getMessage()}, e));
 } catch (MOADatabaseException e) {
-- cgit v1.2.3
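Review bot: The new `catch (MOAIDException e)` branch rethrows immediately, without the `Logger.error(...)` call and the `revisionsLogger.logEvent(..., MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED_ERROR)` event that the `EIDASSAMLEngineException` branch directly below records, so a response rejected by the new LoA check (the "eIDAS.14" path from the previous hunk) leaves no trace in the revisions log, which is exactly the case an operator would want to see. Adding `Logger.error("eIDAS Response processing FAILED.", e);` and `revisionsLogger.logEvent(pendingReq.getOnlineApplicationConfiguration(), pendingReq, MOAIDEventConstants.AUTHPROCESS_PEPS_RECEIVED_ERROR);` before the `throw` makes the two branches consistent. Note that because this catch precedes the others, any MOAIDException subtype thrown earlier in the try block (possibly `EIDASResponseNotSuccessException`, if it extends MOAIDException — not visible here) now takes this unlogged path too. The `Logger.error("eIDAS AuthnRequest generation FAILED.", e)` message in the next branch was not updated alongside the thrown message and still describes request generation. The try block begins before the previous hunk and the remaining catch branches continue past this one.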