From 1cf340e047d2d701d9bfe442f291231ec477d2f4 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 17 May 2018 17:13:03 +0200 Subject: fix some more bugs in SAML2 ATTRIBUTEQUERRY implementation for federated authentication --- .../moa/id/auth/builder/AuthenticationDataBuilder.java | 6 +++--- .../moa/id/protocols/pvp2x/AttributQueryAction.java | 6 +++++- .../moa/id/protocols/pvp2x/PVP2XProtocol.java | 2 +- .../id/protocols/pvp2x/builder/AttributQueryBuilder.java | 8 ++------ .../moa/id/protocols/pvp2x/config/PVPConfiguration.java | 4 ---- .../pvp2x/utils/AssertionAttributeExtractor.java | 16 +++++++++++----- 6 files changed, 22 insertions(+), 20 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java index cc716f9f8..b93de5119 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java @@ -189,7 +189,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { * @throws MOAIDException */ public AssertionAttributeExtractor getAuthDataFromAttributeQuery(List reqQueryAttr, - String userNameID, IOAAuthParameters idpConfig ) throws MOAIDException{ + String userNameID, IOAAuthParameters idpConfig, String spEntityID) throws MOAIDException{ String idpEnityID = idpConfig.getPublicURLPrefix(); try { @@ -203,7 +203,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { } //build attributQuery request - AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(userNameID, endpoint, reqQueryAttr); + AttributeQuery query = attributQueryBuilder.buildAttributQueryRequest(spEntityID, userNameID, endpoint, reqQueryAttr); //build SOAP request List xmlObjects = MOASAMLSOAPClient.send(endpoint, query); @@ -362,7 +362,7 @@ public class AuthenticationDataBuilder extends MOAIDAuthConstants { else { String qaaLevel = session.getGenericDataFromSession(PVPConstants.EID_CITIZEN_QAA_LEVEL_NAME, String.class); if (MiscUtil.isNotEmpty(qaaLevel)) { - Logger.debug("Find PVP-Attr: " + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + Logger.debug("Find PVP-Attr '" + PVPConstants.EID_CITIZEN_QAA_LEVEL_FRIENDLY_NAME + "':" + qaaLevel + " --> Parse QAA-Level from that attribute."); if (qaaLevel.startsWith(PVPConstants.STORK_QAA_PREFIX)) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java index 72691a034..4ef9fa05e 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/AttributQueryAction.java @@ -235,8 +235,12 @@ public class AttributQueryAction implements IAction { } //validation complete --> start AttributeQuery Request + /*TODO: + * 'pendingReq.getAuthURL() + "/sp/federated/metadata"' is implemented in federated_authentication module + * but used in moa-id-lib. This should be refactored!!! + */ AssertionAttributeExtractor extractor = authDataBuilder.getAuthDataFromAttributeQuery(reqAttributes, - nextIDPInformation.getUserNameID(), idp); + nextIDPInformation.getUserNameID(), idp, pendingReq.getAuthURL() + "/sp/federated/metadata"); //mark attribute request as used if (nextIDPInformation.isStoreSSOInformation()) { diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java index 4369a469a..4b9b21093 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/PVP2XProtocol.java @@ -634,7 +634,7 @@ public class PVP2XProtocol extends AbstractAuthProtocolModulController { //validate destination String destinaten = attrQuery.getDestination(); - if (!PVPConfiguration.getInstance().getIDPAttributeQueryService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) { + if (!PVPConfiguration.getInstance().getIDPSSOSOAPService(HTTPUtils.extractAuthURLFromRequest(request)).equals(destinaten)) { Logger.warn("AttributeQuery destination does not match IDP AttributeQueryService URL"); throw new AttributQueryException("AttributeQuery destination does not match IDP AttributeQueryService URL", null); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java index 4aa4f7419..f4cd7422c 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/AttributQueryBuilder.java @@ -101,7 +101,7 @@ public class AttributQueryBuilder { } - public AttributeQuery buildAttributQueryRequest(String nameID, + public AttributeQuery buildAttributQueryRequest(String spEntityID, String nameID, String endpoint, List requestedAttributes) throws AttributQueryException { @@ -125,7 +125,7 @@ public class AttributQueryBuilder { query.setIssueInstant(now); Issuer nissuer = SAML2Utils.createSAMLObject(Issuer.class); - nissuer.setValue(PVPConfiguration.getInstance().getIDPPublicPath().get(0)); + nissuer.setValue(spEntityID); nissuer.setFormat(NameID.ENTITY); query.setIssuer(nissuer); @@ -156,10 +156,6 @@ public class AttributQueryBuilder { return query; - } catch (ConfigurationException e) { - Logger.error("Build AttributQuery Request FAILED.", e); - throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); - } catch (CredentialsNotAvailableException e) { Logger.error("Build AttributQuery Request FAILED.", e); throw new AttributQueryException("Build AttributQuery Request FAILED.", null, e); diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java index 480656e30..47c4b0736 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/config/PVPConfiguration.java @@ -138,10 +138,6 @@ public class PVPConfiguration { public String getIDPSSOSOAPService(String publicURLPrefix) throws ConfigurationException { return publicURLPrefix + PVP2_IDP_SOAP; } - - public String getIDPAttributeQueryService(String publicURLPrefix) throws ConfigurationException { - return publicURLPrefix + PVP2_IDP_ATTRIBUTEQUERY; - } public String getIDPSSOMetadataService(String publicURLPrefix) throws ConfigurationException { return publicURLPrefix + PVP2_METADATA; diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java index 106be8a09..9d585bc86 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/utils/AssertionAttributeExtractor.java @@ -52,12 +52,17 @@ public class AssertionAttributeExtractor { private Map> attributs = new HashMap>(); //private PersonalAttributeList storkAttributes = new PersonalAttributeList(); - private final List minimalAttributeNameList = Arrays.asList( + private final List minimalMDSAttributeNamesList = Arrays.asList( PVPConstants.PRINCIPAL_NAME_NAME, PVPConstants.GIVEN_NAME_NAME, - PVPConstants.ENC_BPK_LIST_NAME, + PVPConstants.BIRTHDATE_NAME, PVPConstants.BPK_NAME); - + + private final List minimalIDLAttributeNamesList = Arrays.asList( + PVPConstants.EID_IDENTITY_LINK_NAME, + PVPConstants.EID_SOURCE_PIN_NAME, + PVPConstants.EID_SOURCE_PIN_TYPE_NAME); + /** * Parse the SAML2 Response element and extracts included information *

@@ -132,7 +137,8 @@ public class AssertionAttributeExtractor { * @return */ public boolean containsAllRequiredAttributes() { - return containsAllRequiredAttributes(minimalAttributeNameList); + return containsAllRequiredAttributes(minimalMDSAttributeNamesList) + || containsAllRequiredAttributes(minimalIDLAttributeNamesList); } @@ -161,7 +167,7 @@ public class AssertionAttributeExtractor { return flag; else { - Logger.debug("Assertion contains no bPK or encryptedbPK."); + Logger.debug("Assertion contains no all minimum attributes from: " + attributeNameList.toString()); return false; } -- cgit v1.2.3