From 985bb947881f880216c97fda93491a305f33c6de Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Thu, 5 Jun 2014 16:27:18 +0200
Subject: add SSO session timeout to AuthData and SAML2 assertion

---
 .../id/auth/builder/AuthenticationDataBuilder.java | 22 +++++++++++--
 .../moa/id/auth/data/AuthenticationSession.java    | 14 +++++++-
 .../moa/id/data/AuthenticationData.java            | 17 ++++++++++
 .../at/gv/egovernment/moa/id/data/IAuthData.java   |  2 ++
 .../builder/assertion/PVP2AssertionBuilder.java    | 18 +++++------
 .../id/storage/AuthenticationSessionStoreage.java  | 37 +++++++++++-----------
 6 files changed, 80 insertions(+), 30 deletions(-)

(limited to 'id/server')

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
index 632227d79..c0e1dd3ca 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/AuthenticationDataBuilder.java
@@ -27,6 +27,8 @@ import iaik.x509.X509Certificate;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.ArrayList;
+import java.util.Date;
+import java.util.GregorianCalendar;
 import java.util.List;
 
 import javax.naming.ldap.LdapName;
@@ -445,6 +447,9 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 		
 		authData.setSsoSession(true);
 		
+		if (assertion.getConditions() != null && assertion.getConditions().getNotOnOrAfter() != null)
+			authData.setSsoSessionValidTo(assertion.getConditions().getNotOnOrAfter().toDate());
+		
 		//only for SAML1
 		if (PVPConstants.STORK_QAA_1_4.equals(authData.getQAALevel()))
 			authData.setQualifiedCertificate(true);
@@ -454,7 +459,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 	}
 	
 	private static void buildAuthDataFormMOASession(AuthenticationData authData, AuthenticationSession session, 
-			IOAAuthParameters oaParam) throws BuildException {
+			IOAAuthParameters oaParam) throws BuildException, ConfigurationException {
 
 		String target = oaParam.getTarget();
 		
@@ -465,7 +470,7 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 		boolean businessService = oaParam.getBusinessService();
 
 		authData.setIssuer(session.getAuthURL());
-
+				
 		//baseID or wbpk in case of BusinessService without SSO or BusinessService SSO
 		authData.setIdentificationValue(identityLink.getIdentificationValue());
 		authData.setIdentificationType(identityLink.getIdentificationType());
@@ -529,6 +534,19 @@ public class AuthenticationDataBuilder implements MOAIDAuthConstants {
 
 			authData.setSsoSession(AuthenticationSessionStoreage.isSSOSession(session.getSessionID()));
 			
+			//set max. SSO session time
+			if (authData.isSsoSession()) {
+				long maxSSOSessionTime = AuthConfigurationProvider.getInstance().getTimeOuts().getMOASessionCreated().longValue() * 1000;		
+				Date ssoSessionValidTo = new Date(session.getSessionCreated().getTime() + maxSSOSessionTime);
+				authData.setSsoSessionValidTo(ssoSessionValidTo);
+				
+			} else {
+				//set valid to 5 min
+				Date ssoSessionValidTo = new Date(new Date().getTime() + 5 * 60 * 1000);
+				authData.setSsoSessionValidTo(ssoSessionValidTo);
+				
+			}
+			
 			
 			/* TODO: Support SSO Mandate MODE!
 			 * Insert functionality to translate mandates in case of SSO  
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
index c5ba49b2e..8726c1618 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/data/AuthenticationSession.java
@@ -42,6 +42,7 @@ import java.io.Serializable;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateException;
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Vector;
@@ -78,6 +79,9 @@ public class AuthenticationSession implements Serializable {
 	 * session ID
 	 */
 	private String sessionID;
+	
+	private Date sessionCreated = null;
+	
 	/**
 	 * "Gesch&auml;ftsbereich" the online application belongs to; maybe <code>null</code> if the
 	 * online application is a business application
@@ -344,8 +348,9 @@ public class AuthenticationSession implements Serializable {
 	 * @param id
 	 *            Session ID
 	 */
-	public AuthenticationSession(String id) {
+	public AuthenticationSession(String id, Date created) {
 		sessionID = id;
+		sessionCreated = created;
 		// setTimestampStart();
 //		infoboxValidators = new ArrayList();
 	}
@@ -1050,6 +1055,13 @@ public class AuthenticationSession implements Serializable {
 		this.storkAuthnResponse = storkAuthnResponse;
 	}
 
+	/**
+	 * @return the sessionCreated
+	 */
+	public Date getSessionCreated() {
+		return sessionCreated;
+	}
+
 	
 	
 	
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
index 33e62d3d0..5685977bc 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/AuthenticationData.java
@@ -135,6 +135,7 @@ public class AuthenticationData  implements IAuthData, Serializable {
 	  private String QAALevel = null;
 	  
 	  private boolean ssoSession = false;
+	  private Date ssoSessionValidTo = null;
 
 	  private boolean interfederatedSSOSession = false;
 	  private String interfederatedIDP = null;
@@ -656,7 +657,23 @@ public class AuthenticationData  implements IAuthData, Serializable {
 	public void setInterfederatedIDP(String interfederatedIDP) {
 		this.interfederatedIDP = interfederatedIDP;
 	}
+
+	/**
+	 * @return the ssoSessionValidTo
+	 */
+	public Date getSsoSessionValidTo() {
+		return ssoSessionValidTo;
+	}
+
+	/**
+	 * @param ssoSessionValidTo the ssoSessionValidTo to set
+	 */
+	public void setSsoSessionValidTo(Date ssoSessionValidTo) {
+		this.ssoSessionValidTo = ssoSessionValidTo;
+	}
+
 	
+
 	
 	
 }
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
index 4ea81f134..7e421da0f 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/data/IAuthData.java
@@ -53,6 +53,8 @@ public interface IAuthData {
 	 String getBPK();
 	 String getBPKType();
 	 
+	 Date getSsoSessionValidTo();
+	 
 	 String getInterfederatedIDP();
 	 
 	 String getIdentificationValue();
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
index 4d6343fce..fa5d252bd 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/protocols/pvp2x/builder/assertion/PVP2AssertionBuilder.java
@@ -135,7 +135,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		SubjectConfirmationData subjectConfirmationData = null;
 		
 		return buildGenericAssertion(attrQuery.getIssuer().getValue(), date, 
-				authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex);
+				authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex,
+				new DateTime(authData.getSsoSessionValidTo().getTime()));
 	}
 		
 	public static Assertion buildAssertion(AuthnRequest authnRequest,
@@ -393,8 +394,8 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		SubjectConfirmationData subjectConfirmationData = SAML2Utils
 				.createSAMLObject(SubjectConfirmationData.class);
 		subjectConfirmationData.setInResponseTo(authnRequest.getID());
-		subjectConfirmationData.setNotOnOrAfter(date.plusMinutes(5));
-				
+		subjectConfirmationData.setNotOnOrAfter(new DateTime(authData.getSsoSessionValidTo().getTime()));
+		
 		subjectConfirmationData.setRecipient(assertionConsumerService.getLocation());
 		
 		//set SLO information
@@ -402,13 +403,13 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		sloInformation.setNameIDFormat(subjectNameID.getFormat());
 		sloInformation.setSessionIndex(sessionIndex);
 		
-		return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex);
+		return buildGenericAssertion(peerEntity.getEntityID(), date, authnContextClassRef, attrList, subjectNameID, subjectConfirmationData, sessionIndex, subjectConfirmationData.getNotOnOrAfter());
 	}
 	
 	private static Assertion buildGenericAssertion(String entityID, DateTime date, 
 			AuthnContextClassRef authnContextClassRef, List<Attribute> attrList, 
 			NameID subjectNameID, SubjectConfirmationData subjectConfirmationData, 
-			String sessionIndex) throws ConfigurationException {
+			String sessionIndex, DateTime isValidTo) throws ConfigurationException {
 		Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class);
 		
 		AuthnContext authnContext = SAML2Utils
@@ -448,10 +449,9 @@ public class PVP2AssertionBuilder implements PVPConstants {
 		
 		audience.setAudienceURI(entityID);
 		audienceRestriction.getAudiences().add(audience);
-		conditions.setNotBefore(date);
-		
-		conditions.setNotOnOrAfter(date.plusMinutes(5));
-		
+		conditions.setNotBefore(date);		
+		conditions.setNotOnOrAfter(isValidTo);
+				
 		conditions.getAudienceRestrictions().add(audienceRestriction);
 
 		assertion.setConditions(conditions);
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
index 5daca0888..1c74aea55 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/storage/AuthenticationSessionStoreage.java
@@ -72,19 +72,20 @@ public class AuthenticationSessionStoreage {
 		}
 	}
 
-	public static AuthenticationSession createSession() throws MOADatabaseException {
+	public static AuthenticationSession createSession() throws MOADatabaseException, BuildException {
 		String id = Random.nextRandom();
-		AuthenticationSession session = new AuthenticationSession(id);
-		
+
 		AuthenticatedSessionStore dbsession = new AuthenticatedSessionStore();
 		dbsession.setSessionid(id);
 		dbsession.setAuthenticated(false);
 		
-		//set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1 
-		dbsession.setCreated(new Date());
-		dbsession.setUpdated(new Date());
+		//set Timestamp in this state, because automated timestamp generation is buggy in Hibernate 4.2.1
+		Date now = new Date();
+		dbsession.setCreated(now);
+		dbsession.setUpdated(now);
 		
-		dbsession.setSession(SerializationUtils.serialize(session));
+		AuthenticationSession session = new AuthenticationSession(id, now);
+		encryptSession(session, dbsession);
 		
 		//store AssertionStore element to Database
 		try {
@@ -674,7 +675,7 @@ public class AuthenticationSessionStoreage {
 		  return result.get(0).getInderfederation().get(0);
 	}
 	
-	public static String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption {		
+	public static String createInterfederatedSession(IRequest req, boolean isAuthenticated, String ssoID) throws MOADatabaseException, AssertionAttributeExtractorExeption, BuildException {		
 		AuthenticatedSessionStore dbsession = null;
 		
 		//search for active SSO session
@@ -692,28 +693,28 @@ public class AuthenticationSessionStoreage {
 		
 		String id = null;
 		Date now = new Date();
-		
 		//create new MOASession if any exists
+		AuthenticationSession session = null;
 		if (dbsession == null) {
 			id = Random.nextRandom();
 			dbsession = new AuthenticatedSessionStore();
 			dbsession.setSessionid(id);
 			dbsession.setCreated(now);
-			
+			session = new AuthenticationSession(id, now);
+		
 		} else {
 			id = dbsession.getSessionid();
-			
+			session = decryptSession(dbsession);
+		
 		}
-				
+			
 		dbsession.setInterfederatedSSOSession(true);
 		dbsession.setAuthenticated(isAuthenticated);
-		dbsession.setUpdated(now);
-		
-		AuthenticationSession session = new AuthenticationSession(id);
+		dbsession.setUpdated(now);		
 		session.setAuthenticated(true);
-		session.setAuthenticatedUsed(false);
-		dbsession.setSession(SerializationUtils.serialize(session));
-		
+		session.setAuthenticatedUsed(false);		
+		encryptSession(session, dbsession);
+			
 		//add interfederation information
 		List<InterfederationSessionStore> idpList = dbsession.getInderfederation();
 		InterfederationSessionStore idp = null;
-- 
cgit v1.2.3