From cbc72b4eb01828e56e3244bcfe121d729e7e852a Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Thu, 17 May 2018 17:14:41 +0200
Subject: add some work-arounds into federated authentication module to make it usable with MOA-ID 3.2.0 to 3.2.2
---
 .../config/FederatedAuthMetadataConfiguration.java | 41 +++++++++++++++++++++-
 .../tasks/ReceiveAuthnResponseTask.java | 38 +++++++++++++++++---
 2 files changed, 73 insertions(+), 6 deletions(-)
(limited to 'id/server/modules')
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
index c3d5e8032..1fff56f8d 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/config/FederatedAuthMetadataConfiguration.java
@@ -22,7 +22,10 @@
 */
 package at.gv.egovernment.moa.id.auth.modules.federatedauth.config;
+import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
+import java.util.Iterator;
 import java.util.List;
 import org.opensaml.saml2.core.Attribute;
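Review bot: `import java.util.Iterator;` is added here but nothing in the patch's new code uses it, and the following hunk (`@@ -35,6 +38,10 @@`) likewise adds `import at.gv.egovernment.moa.id.data.Pair;` without a visible use. Unless code outside these hunks already refers to them, both lines should be dropped so the import block only reflects what the workaround actually needs (`ArrayList`, `Collections`, `Trible`, `PVPConstants`, `PVPAttributeBuilder`).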
@@ -35,6 +38,10 @@ import org.opensaml.xml.security.credential.Credential;
 import at.gv.egovernment.moa.id.auth.modules.federatedauth.FederatedAuthConstants;
 import at.gv.egovernment.moa.id.auth.modules.federatedauth.utils.FederatedAuthCredentialProvider;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.id.data.Pair;
+import at.gv.egovernment.moa.id.data.Trible;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
+import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.IPVPMetadataBuilderConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.signer.CredentialsNotAvailableException;
@@ -263,7 +270,39 @@ public class FederatedAuthMetadataConfiguration implements IPVPMetadataBuilderCo
 */
 @Override
 public List getSPRequiredAttributes() {
- return null;
+ /*TODO:
+ * Work for bug in AttributeQuery Client that includes a wrong EntityID for SP
+ */
+ final List> REQUIRED_PVP_ATTRIBUTES =
+ Collections.unmodifiableList(new ArrayList>() {
+ private static final long serialVersionUID = 1L;
+ {
+ //add PVP Version attribute
+ add(Trible.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME, true));
+
+ //request entity information
+ add(Trible.newInstance(PVPConstants.GIVEN_NAME_NAME, PVPConstants.GIVEN_NAME_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.PRINCIPAL_NAME_NAME, PVPConstants.PRINCIPAL_NAME_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.BIRTHDATE_NAME, PVPConstants.BIRTHDATE_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.EID_CCS_URL_NAME, PVPConstants.EID_CCS_URL_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.EID_IDENTITY_LINK_NAME, PVPConstants.EID_IDENTITY_LINK_FRIENDLY_NAME, true));
+ add(Trible.newInstance(PVPConstants.EID_SOURCE_PIN_NAME, PVPConstants.EID_SOURCE_PIN_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_SOURCE_PIN_TYPE_NAME, PVPConstants.EID_SOURCE_PIN_TYPE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_AUTH_BLOCK_NAME, PVPConstants.EID_AUTH_BLOCK_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.EID_SIGNER_CERTIFICATE_NAME, PVPConstants.EID_SIGNER_CERTIFICATE_FRIENDLY_NAME, false));
+ add(Trible.newInstance(PVPConstants.MANDATE_FULL_MANDATE_NAME, PVPConstants.MANDATE_FULL_MANDATE_FRIENDLY_NAME, false));
+
+
+
+ }
+ });
+
+ List requestedAttributes = new ArrayList();
+ for (Trible el : REQUIRED_PVP_ATTRIBUTES)
+ requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird()));
+
+ return requestedAttributes;
 }
 /* (non-Javadoc)
diff --git a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
index 8f5a231ee..dea5e4894 100644
--- a/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
+++ b/id/server/modules/moa-id-modules-federated_authentication/src/main/java/at/gv/egovernment/moa/id/auth/modules/federatedauth/tasks/ReceiveAuthnResponseTask.java
@@ -23,6 +23,7 @@ package at.gv.egovernment.moa.id.auth.modules.federatedauth.tasks;
 import java.io.IOException;
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
 import java.util.Set;
@@ -57,6 +58,7 @@ import at.gv.egovernment.moa.id.commons.api.exceptions.SessionDataStorageExcepti
 import at.gv.egovernment.moa.id.moduls.RequestImpl;
 import at.gv.egovernment.moa.id.moduls.SSOManager;
 import at.gv.egovernment.moa.id.process.api.ExecutionContext;
+import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
 import at.gv.egovernment.moa.id.protocols.pvp2x.PVPTargetConfiguration;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.IDecoder;
 import at.gv.egovernment.moa.id.protocols.pvp2x.binding.MOAURICompare;
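Review bot: `REQUIRED_PVP_ATTRIBUTES` is declared like a constant but is rebuilt on every call of getSPRequiredAttributes() through an anonymous ArrayList subclass with double-brace initialisation (which also drags in the serialVersionUID and a hidden reference to the enclosing instance); since the list never changes it belongs in a `private static final` field built once from `Arrays.asList`, which this file already imports. Because this method is part of the IPVPMetadataBuilderConfiguration the module implements, the list is presumably what gets published as the SP's required attributes and therefore fixes which attributes (identity link, source PIN, auth block, signer certificate, full mandate among them) are requested for every SP served by this module, independent of per-SP configuration; the `/*TODO: Work for bug in AttributeQuery Client ...*/` comment should state that consequence and the removal condition, which the commit subject ties to MOA-ID 3.2.0 to 3.2.2. Generics appear stripped on this page (`List>`), so the element types below are reconstructed from the `Trible.newInstance(String, String, boolean)` calls.

```java
/* Workaround for MOA-ID 3.2.0 to 3.2.2: the AttributeQuery client sends a wrong SP EntityID,
 * so the required attributes are published statically instead of per SP.
 * Remove together with the client fix. */
private static final List<Trible<String, String, Boolean>> REQUIRED_PVP_ATTRIBUTES =
    Collections.unmodifiableList(Arrays.asList(
        Trible.newInstance(PVPConstants.PVP_VERSION_NAME, PVPConstants.PVP_VERSION_FRIENDLY_NAME, true),
        // … unchanged: the remaining Trible.newInstance(...) entries in the same order …
        Trible.newInstance(PVPConstants.MANDATE_FULL_MANDATE_NAME, PVPConstants.MANDATE_FULL_MANDATE_FRIENDLY_NAME, false)));

@Override
public List getSPRequiredAttributes() {
    List requestedAttributes = new ArrayList();
    for (Trible<String, String, Boolean> el : REQUIRED_PVP_ATTRIBUTES) {
        requestedAttributes.add(PVPAttributeBuilder.buildReqAttribute(el.getFirst(), el.getSecond(), el.getThird()));
    }
    return requestedAttributes;
}
```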
@@ -244,12 +246,23 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 private void getAuthDataFromInterfederation(AssertionAttributeExtractor extractor, IOAAuthParameters spConfig, IOAAuthParameters idpConfig) throws BuildException, ConfigurationException{
+ /*TODO:
+ * only workaround for oe.gv.at project
+ */
+ final List minimalIDLAttributeNamesList = Arrays.asList(
+ PVPConstants.EID_IDENTITY_LINK_NAME,
+ PVPConstants.EID_SOURCE_PIN_NAME,
+ PVPConstants.EID_SOURCE_PIN_TYPE_NAME);
+
 try {
 Logger.debug("Service Provider is no federated IDP --> start Attribute validation or requesting ... ");
 Collection requestedAttr = pendingReq.getRequestedAttributes(metadataProvider);
 //check if SAML2 Assertion contains a minimal set of attributes
- if (!extractor.containsAllRequiredAttributes()) {
+
+ //TODO: switch back to correct attribute query
+ if (!extractor.containsAllRequiredAttributes()
+ && !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList)) {
 Logger.info("Received assertion does no contain a minimum set of attributes. Starting AttributeQuery process ...");
 //build attributQuery request
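Review bot: The added fallback `&& !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList)` means an assertion that carries only identity link, source PIN and source PIN type now skips the AttributeQuery step entirely, so the attribute requirements the SP actually configured are no longer enforced for any federated IDP, not only for the oe.gv.at case the TODO names; the same relaxed condition guards the post-query check in the following hunk (`@@ -257,16 +270,19 @@`), where it also suppresses the `sp.pvp2.06` AssertionValidationExeption. If the workaround must stay, gate it on configuration instead of applying it unconditionally, and make the relaxed path visible in the logs, e.g. `Logger.warn("Assertion lacks the configured attributes but contains the minimal IDL set; skipping AttributeQuery (workaround for MOA-ID 3.2.0 to 3.2.2)");` before the skip. The comment should also record the removal condition: the commit subject ties the workaround to MOA-ID 3.2.0 to 3.2.2 while the comment says oe.gv.at project. `minimalIDLAttributeNamesList` never changes and could be a `private static final` field rather than a per-call local. getAuthDataFromInterfederation continues outside the hunk.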
@@ -257,16 +270,19 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 attributQueryBuilder.buildSAML2AttributeList(spConfig, requestedAttr.iterator());
 //request IDP to get additional attributes
- extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(), idpConfig);
+ extractor = authDataBuilder.getAuthDataFromAttributeQuery(attributs, extractor.getNameID(),
+ idpConfig, pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA);
 } else {
 Logger.info("Interfedation response include a minimal set of attributes with are required. Skip AttributQuery request step. ");
 }
+ //TODO: switch back to correct attribute query
 //check if all attributes are include
- if (!extractor.containsAllRequiredAttributes(
- pendingReq.getRequestedAttributes(metadataProvider))) {
+ //if (!extractor.containsAllRequiredAttributes(requestedAttr)) {
+ if (!extractor.containsAllRequiredAttributes()
+ && !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList)) {
 Logger.warn("PVP Response from federated IDP contains not all requested attributes.");
 throw new AssertionValidationExeption("sp.pvp2.06", new Object[]{FederatedAuthConstants.MODULE_NAME_FOR_LOGGING});
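Review bot: The condition `!extractor.containsAllRequiredAttributes() && !extractor.containsAllRequiredAttributes(minimalIDLAttributeNamesList)` is now duplicated verbatim between this hunk and the preceding one, with the intended check surviving only as the commented-out line `//if (!extractor.containsAllRequiredAttributes(requestedAttr)) {`; a private helper such as `hasRequiredAttributes(extractor, minimalIDLAttributeNamesList)` would keep both call sites in step when the TODO is resolved, and the commented-out line should be removed with the TODO naming the call to restore instead. The new fourth argument `pendingReq.getAuthURL() + FederatedAuthConstants.ENDPOINT_METADATA` is assembled by concatenation and the called overload is not visible here, so a one-line comment saying what that URL is used for in the AttributeQuery would help the next reader. getAuthDataFromInterfederation starts before and continues after this hunk.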
@@ -275,7 +291,19 @@ public class ReceiveAuthnResponseTask extends AbstractAuthServletTask {
 //copy attributes into MOASession
 Set includedAttrNames = extractor.getAllIncludeAttributeNames();
 for (String el : includedAttrNames) {
- moasession.setGenericDataToSession(el, extractor.getSingleAttributeValue(el));
+ String value = extractor.getSingleAttributeValue(el);
+
+ //TODO: check in future version
+ //update PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME to prefixed version
+ if (el.equals(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME)) {
+ Logger.trace("Find PVP-attribute " + el + ". Start mapping if neccessary ... ");
+ if (!value.startsWith(PVPConstants.STORK_QAA_PREFIX)) {
+ value = PVPConstants.STORK_QAA_PREFIX + value;
+ Logger.debug("Prefix '" + el + "' with: "+ PVPConstants.STORK_QAA_PREFIX);
+ }
+ }
+
+ moasession.setGenericDataToSession(el, value);
 Logger.debug("Add PVP-attribute " + el + " into MOASession");
 }
-- 
cgit v1.2.3
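Review bot: `value.startsWith(PVPConstants.STORK_QAA_PREFIX)` dereferences the attribute value that the removed line passed straight through to the session; if `getSingleAttributeValue` can return null for an attribute that is present without a value (its implementation is not visible here), the QAA-level branch now throws NullPointerException where the old code stored null. Guard it: `if (value != null && !value.startsWith(PVPConstants.STORK_QAA_PREFIX)) {`. The QAA level presumably feeds a later authentication-level decision, so the comment should state that only the prefix is normalised and the level itself is taken from the federated IDP unchanged, and `//TODO: check in future version` should say what is to be checked and under which condition the mapping can go. The for loop and the enclosing method continue outside the hunk.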