From 4ef34e63ce36e20529d6350e81283617a8d69b96 Mon Sep 17 00:00:00 2001 From: Florian Reimair Date: Tue, 14 Jan 2014 14:02:32 +0100 Subject: outgoing auth request works --- .../moa/id/auth/AuthenticationServer.java | 208 +++++++++++---------- .../moa/id/auth/data/AuthenticationSession.java | 1 - .../id/config/auth/AuthConfigurationProvider.java | 3 +- .../moa/id/config/auth/OAAuthParameter.java | 31 +-- .../moa/id/config/stork/STORKConfig.java | 1 - 5 files changed, 114 insertions(+), 130 deletions(-) (limited to 'id/server') diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java index 278f93f14..b30720501 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java @@ -29,8 +29,12 @@ import iaik.x509.X509Certificate; import iaik.x509.X509ExtensionInitException; import java.io.ByteArrayInputStream; +import java.io.CharArrayWriter; import java.io.IOException; import java.io.InputStream; +import java.io.StringWriter; +import java.net.HttpURLConnection; +import java.net.URL; import java.security.GeneralSecurityException; import java.security.Principal; import java.security.cert.CertificateException; @@ -50,8 +54,18 @@ import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.TransformerException; import org.apache.commons.lang.StringEscapeUtils; +import org.apache.velocity.Template; +import org.apache.velocity.VelocityContext; +import org.apache.velocity.app.VelocityEngine; import org.apache.xpath.XPathAPI; -import org.opensaml.saml2.metadata.RequestedAttribute; +import org.opensaml.Configuration; +import org.opensaml.common.SAMLObjectBuilder; +import org.opensaml.common.binding.BasicSAMLMessageContext; +import org.opensaml.saml2.binding.encoding.HTTPPostEncoder; +import org.opensaml.saml2.metadata.AssertionConsumerService; +import org.opensaml.saml2.metadata.Endpoint; +import org.opensaml.ws.transport.http.HTTPOutTransport; +import org.opensaml.ws.transport.http.HttpServletResponseAdapter; import org.opensaml.xml.util.Base64; import org.opensaml.xml.util.XMLHelper; import org.springframework.util.xml.DomUtils; @@ -91,6 +105,7 @@ import at.gv.egovernment.moa.id.auth.parser.InfoboxReadResponseParser; import at.gv.egovernment.moa.id.auth.parser.VerifyXMLSignatureResponseParser; import at.gv.egovernment.moa.id.auth.servlet.PEPSConnectorServlet; import at.gv.egovernment.moa.id.auth.stork.STORKAuthnRequestProcessor; +import at.gv.egovernment.moa.id.auth.stork.VelocityProvider; import at.gv.egovernment.moa.id.auth.validator.CreateXMLSignatureResponseValidator; import at.gv.egovernment.moa.id.auth.validator.IdentityLinkValidator; import at.gv.egovernment.moa.id.auth.validator.InfoboxValidator; @@ -103,6 +118,7 @@ import at.gv.egovernment.moa.id.auth.validator.parep.client.szrgw.SZRGWConstants import at.gv.egovernment.moa.id.client.SZRGWClient; import at.gv.egovernment.moa.id.client.SZRGWClientException; import at.gv.egovernment.moa.id.commons.db.dao.config.IdentificationNumber; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.config.ConfigurationException; import at.gv.egovernment.moa.id.config.ConnectionParameter; @@ -131,13 +147,21 @@ import at.gv.egovernment.moa.util.XPathUtils; import at.gv.util.xsd.srzgw.CreateIdentityLinkRequest; import at.gv.util.xsd.srzgw.CreateIdentityLinkResponse; import eu.stork.mw.messages.saml.STORKAuthnRequest; +import eu.stork.peps.auth.commons.PEPSUtil; +import eu.stork.peps.auth.commons.PersonalAttribute; +import eu.stork.peps.auth.commons.PersonalAttributeList; +import eu.stork.peps.auth.commons.STORKAuthnRequest; +import eu.stork.peps.auth.engine.SAMLEngine; +import eu.stork.peps.auth.engine.STORKSAMLEngine; +import eu.stork.peps.auth.engine.core.QAAAttribute; +import eu.stork.peps.auth.engine.core.RequestedAttribute; +import eu.stork.peps.auth.engine.core.RequestedAttributes; +import eu.stork.peps.auth.engine.core.impl.QAAAttributeBuilder; +import eu.stork.peps.auth.engine.core.impl.RequestedAttributeBuilder; +import eu.stork.peps.auth.engine.core.impl.RequestedAttributesBuilder; +import eu.stork.peps.exceptions.SAMLEngineException; +import eu.stork.peps.exceptions.STORKSAMLEngineException; import eu.stork.vidp.messages.builder.STORKMessagesBuilder; -import eu.stork.vidp.messages.common.STORKConstants; -import eu.stork.vidp.messages.exception.SAMLException; -import eu.stork.vidp.messages.exception.SAMLValidationException; -import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel; -import eu.stork.vidp.messages.stork.RequestedAttributes; -import eu.stork.vidp.messages.util.SAMLUtil; import eu.stork.vidp.messages.util.XMLUtil; /** @@ -1813,58 +1837,28 @@ public class AuthenticationServer implements MOAIDAuthConstants { String providerName= oaParam.getFriendlyName(); String issuerValue = HTTPUtils.getBaseURL(req); Logger.debug("Issuer value: " + issuerValue); - - - QualityAuthenticationAssuranceLevel qaaLevel = STORKMessagesBuilder.buildQualityAuthenticationAssuranceLevel(oaParam.getQaaLevel().getValue()); - //Logger.debug("QAALevel: " + qaaLevel.getValue()); - - RequestedAttributes requestedAttributes = null; - - requestedAttributes = oaParam.getRequestedAttributes(); - requestedAttributes.detach(); - List reqAttributeList = new ArrayList(); - List oaReqAttributeList = null; - oaReqAttributeList = new ArrayList(oaParam.getRequestedAttributes().getRequestedAttributes()); - - //check if country specific attributes must be additionally requested - if (!cpeps.getCountrySpecificRequestedAttributes().isEmpty()) { - //add country specific attributes to be requested (Hierarchy: default oa attributes > country specific attributes > oa specific attributes - Logger.debug("We have addtional country specific attributes to be requested from the C-PEPS of country: " + moasession.getCcc()); - Logger.debug("The following attributes are requested for this specific country:"); - List countrySpecificReqAttributeList = new ArrayList(cpeps.getCountrySpecificRequestedAttributes()); - for (RequestedAttribute csReqAttr : countrySpecificReqAttributeList) { - csReqAttr.detach(); - if (!STORKConstants.DEFAULT_STORK_REQUESTED_ATTRIBUTE_SET.contains(csReqAttr.getName())) { - //this country specific attribute does not override default attribute - if (SAMLUtil.containsAttribute(oaReqAttributeList, csReqAttr.getName())) { - //the same attribute is requested for OA, applying hierachy - //remove oa attribute - oaReqAttributeList.remove(SAMLUtil.getAttribute(oaReqAttributeList, csReqAttr.getName())); - //add country specific attribute instead - Logger.debug("Requested Attribute (" + csReqAttr.getName() + ") is also requested by OA but we use Country Specific value instead"); - } - oaReqAttributeList.add(csReqAttr); - Logger.debug("Country specific requested attribute: " + csReqAttr.getName() + ", isRequired: " + csReqAttr.isRequired()); - } else { - Logger.debug("Country specific requested attribute: " + csReqAttr.getName() + ", isRequired: " + csReqAttr.isRequired() + " tries to overwrite default requested and required attributes, hence we skip it."); - } - - } - reqAttributeList.addAll(oaReqAttributeList); - } else { - //no country specific requested attributes - reqAttributeList.addAll(oaReqAttributeList); + + + + // prepare collection of required attributes + // - attributes for online application + List attributesFromConfig = oaParam.getRequestedAttributes(); + + // - prepare attribute list + PersonalAttributeList attributeList = new PersonalAttributeList(); + + // - fill container + for(OAStorkAttribute current : attributesFromConfig) { + PersonalAttribute newAttribute = new PersonalAttribute(); + newAttribute.setName(current.getName()); + newAttribute.setIsRequired(current.isMandatory()); + attributeList.add(newAttribute); } - - reqAttributeList = (List) SAMLUtil.releaseDOM(reqAttributeList); - requestedAttributes = STORKMessagesBuilder.buildRequestedAttributes(reqAttributeList); - + if (Logger.isDebugEnabled()) { Logger.debug("The following attributes are requested for this OA:"); - for (RequestedAttribute logReqAttr : reqAttributeList) { - Logger.debug("OA specific requested attribute: " + logReqAttr.getName() + ", isRequired: " + logReqAttr.isRequired()); - - } + for (OAStorkAttribute logReqAttr : attributesFromConfig) + Logger.debug("OA specific requested attribute: " + logReqAttr.getName() + ", isRequired: " + logReqAttr.isMandatory()); } @@ -1876,38 +1870,42 @@ public class AuthenticationServer implements MOAIDAuthConstants { String textToBeSigned = CreateXMLSignatureRequestBuilder.buildForeignIDTextToBeSigned("wie im Signaturzertifikat (as in my signature certificate)", oaParam, moasession); - - //generate AuthnRquest - STORKAuthnRequest storkAuthnRequest = STORKAuthnRequestProcessor.generateSTORKAuthnRequest( - destination, - acsURL, - providerName, - issuerValue, - qaaLevel, - requestedAttributes, - spSector, - spInstitution, - spApplication, - spCountry, - textToBeSigned, - "application/xhtml+xml"); - + + //generate AuthnRquest + STORKAuthnRequest authnRequest = new STORKAuthnRequest(); + authnRequest.setDestination(destination); + authnRequest.setAssertionConsumerServiceURL(acsURL); + authnRequest.setProviderName(providerName); + authnRequest.setIssuer(issuerValue); + authnRequest.setQaa(oaParam.getQaaLevel()); + authnRequest.setSpInstitution(spInstitution); + authnRequest.setCountry(spCountry); + authnRequest.setSpApplication(spApplication); + authnRequest.setSpSector(spSector); + authnRequest.setPersonalAttributeList(attributeList); + +// STORKAuthnRequestProcessor.generateSTORKAuthnRequest( +// destination, +// acsURL, +// providerName, +// issuerValue, +// qaaLevel, +// spInstitution, +// spApplication, +// spCountry, +// spSector, +// requestedAttributes, + +// textToBeSigned, +// "application/xhtml+xml"); + Logger.debug("STORK AuthnRequest succesfully assembled."); - - //sign AuthnRequest - String keyStorePath = storkConfig.getSignatureCreationParameter().getKeyStorePath(); - String keyStorePassword = storkConfig.getSignatureCreationParameter().getKeyStorePassword(); - String keyName = storkConfig.getSignatureCreationParameter().getKeyName(); - String keyPassword = storkConfig.getSignatureCreationParameter().getKeyPassword(); - - Logger.debug("Starting signing process of STORK AuthnRequest."); - Logger.trace("Using the following Keystore and Key for that:"); - Logger.trace("KeyStore: " + keyStorePath); - Logger.trace("KeyName: " + keyName); - + + STORKSAMLEngine samlEngine = STORKSAMLEngine.getInstance("CONF0"); try { - storkAuthnRequest = STORKAuthnRequestProcessor.signSTORKAuthnRequest(storkAuthnRequest, keyStorePath, keyStorePassword, keyName, keyPassword); - } catch (SAMLException e) { + authnRequest = samlEngine.generateSTORKAuthnRequest(authnRequest); +// authnRequest = STORKAuthnRequestProcessor.signSTORKAuthnRequest(authnRequest, keyStorePath, keyStorePassword, keyName, keyPassword); + } catch (STORKSAMLEngineException e) { Logger.error("Could not sign STORK SAML AuthnRequest.", e); throw new MOAIDException("stork.00", null); } @@ -1916,8 +1914,8 @@ public class AuthenticationServer implements MOAIDAuthConstants { //validate AuthnRequest try { - STORKAuthnRequestProcessor.validateSTORKAuthnRequest(storkAuthnRequest); - } catch (SAMLValidationException e) { + samlEngine.validateSTORKAuthnRequest(authnRequest.getTokenSaml()); + } catch (STORKSAMLEngineException e) { Logger.error("STORK SAML AuthnRequest not valid.", e); throw new MOAIDException("stork.01", null); } @@ -1925,26 +1923,36 @@ public class AuthenticationServer implements MOAIDAuthConstants { Logger.debug("STORK AuthnRequest successfully internally validated."); //send - moasession.setStorkAuthnRequest(storkAuthnRequest); + moasession.setStorkAuthnRequest(authnRequest); HttpSession httpSession = req.getSession(); httpSession.setAttribute("MOA-Session-ID", moasession.getSessionID()); - - Logger.debug("Preparing to send STORK AuthnRequest."); - + + + Logger.info("Preparing to send STORK AuthnRequest."); + Logger.info("prepared STORKAuthnRequest: "); + Logger.info(new String(authnRequest.getTokenSaml())); +// SAMLRequest = PEPSUtil.encodeSAMLToken(authnRequest.getTokenSaml()); + try { - STORKAuthnRequestProcessor.sendSTORKAuthnRequest(req, resp, storkAuthnRequest); + Logger.trace("Initialize VelocityEngine..."); + + VelocityEngine velocityEngine = VelocityProvider.getClassPathVelocityEngine(); + Template template = velocityEngine.getTemplate("/saml2-post-binding-moa.vm"); + VelocityContext context = new VelocityContext(); + context.put("SAMLRequest", PEPSUtil.encodeSAMLToken(authnRequest.getTokenSaml())); + context.put("action", destination); + + StringWriter writer = new StringWriter(); + template.merge(context, writer); + + resp.getOutputStream().write(writer.toString().getBytes()); } catch (Exception e) { Logger.error("Error sending STORK SAML AuthnRequest.", e); httpSession.invalidate(); throw new MOAIDException("stork.02", new Object[] { destination }); } - - Logger.info("STORK AuthnRequest successfully sent to: " + storkAuthnRequest.getDestination()); - Logger.debug("STORKAuthnRequest sent (pretty print): "); - Logger.debug(XMLHelper.prettyPrintXML(storkAuthnRequest.getDOM())); - Logger.trace("STORKAuthnRequest sent (original): "); - Logger.trace(XMLUtil.printXML(storkAuthnRequest.getDOM())); - + + Logger.info("STORK AuthnRequest successfully successfully prepared for client with target location: " + authnRequest.getDestination()); } /** diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java index 9aecefd43..43ba83f91 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java @@ -33,7 +33,6 @@ import at.gv.egovernment.moa.id.util.client.mis.simple.MISMandate; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.Constants; import at.gv.egovernment.moa.util.DOMUtils; -import eu.stork.mw.messages.saml.STORKAuthnRequest; /** * Session data to be stored between AuthenticationServer API calls. diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java index 29f567324..f44f21db9 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProvider.java @@ -88,11 +88,10 @@ import at.gv.egovernment.moa.id.config.stork.STORKConfig; import at.gv.egovernment.moa.id.data.IssuerAndSerial; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; -import eu.stork.vidp.messages.common.STORKBootstrap; /** * A class providing access to the Auth Part of the MOA-ID configuration data. - * + * *

Configuration data is read from an XML file, whose location is given by * the moa.id.configuration system property.

*

This class implements the Singleton pattern. The reload() diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java index 3edb3cad9..60803bb8a 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/OAAuthParameter.java @@ -37,6 +37,7 @@ import at.gv.egovernment.moa.id.commons.db.dao.config.Mandates; import at.gv.egovernment.moa.id.commons.db.dao.config.OAPVP2; import at.gv.egovernment.moa.id.commons.db.dao.config.OASAML1; import at.gv.egovernment.moa.id.commons.db.dao.config.OASSO; +import at.gv.egovernment.moa.id.commons.db.dao.config.OAStorkAttribute; import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplateType; import at.gv.egovernment.moa.id.commons.db.dao.config.TemplatesType; @@ -46,10 +47,6 @@ import at.gv.egovernment.moa.id.config.OAParameter; import at.gv.egovernment.moa.id.util.FormBuildUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; -import eu.stork.vidp.messages.builder.STORKMessagesBuilder; -import eu.stork.vidp.messages.common.STORKConstants; -import eu.stork.vidp.messages.stork.QualityAuthenticationAssuranceLevel; -import eu.stork.vidp.messages.stork.RequestedAttributes; /** * Configuration parameters belonging to an online application, @@ -78,21 +75,6 @@ public class OAAuthParameter extends OAParameter { this.keyBoxIdentifier = oa.getKeyBoxIdentifier().value(); } - - /** - * STORK QAA Level, Default = 4 - */ - private QualityAuthenticationAssuranceLevel qaaLevel = STORKMessagesBuilder.buildQualityAuthenticationAssuranceLevel(4); - - /** - * STORK RequestedAttributes for Online Application - * Default RequestedAttributes are: eIdentifier, givenName, surname, dateOfBirth - */ - private RequestedAttributes requestedAttributes = STORKMessagesBuilder.buildRequestedAttributes( - STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_EIDENTIFIER, true, null), - STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_GIVENNAME, true, null), - STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_SURNAME, true, null), - STORKMessagesBuilder.buildRequestedAttribute(STORKConstants.STORK_ATTRIBUTE_DATEOFBIRTH, false, null)); private String keyBoxIdentifier; @@ -317,18 +299,15 @@ public Map getFormCustomizaten() { return map; } -/** - * @return the qaaLevel - */ -public QualityAuthenticationAssuranceLevel getQaaLevel() { - return qaaLevel; +public Integer getQaaLevel() { + return oa_auth.getOASTORK().getQaa(); } /** * @return the requestedAttributes */ -public RequestedAttributes getRequestedAttributes() { - return requestedAttributes; +public List getRequestedAttributes() { + return oa_auth.getOASTORK().getOAAttributes(); } diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java index 6a3f4cc9e..25f12af62 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/stork/STORKConfig.java @@ -22,7 +22,6 @@ import org.xml.sax.SAXException; import eu.stork.vidp.messages.util.SAMLUtil; import eu.stork.vidp.messages.util.XMLUtil; -import at.gv.egovernment.moa.id.commons.db.dao.config.RequestedAttributeType; import at.gv.egovernment.moa.id.commons.db.dao.config.SAMLSigningParameter; import at.gv.egovernment.moa.id.commons.db.dao.config.STORK; import at.gv.egovernment.moa.id.commons.db.dao.config.SignatureVerificationParameterType; -- cgit v1.2.3