/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. ******************************************************************************/ package at.gv.egovernment.moa.id.auth.parser; import java.util.List; import javax.servlet.http.HttpServletRequest; import org.apache.commons.lang.StringEscapeUtils; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import at.gv.egiz.eaaf.core.api.IRequest; import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext; import at.gv.egiz.eaaf.core.exceptions.EAAFException; import at.gv.egiz.eaaf.core.impl.utils.FileUtils; import at.gv.egovernment.moa.id.auth.exception.AuthenticationException; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession; import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException; import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper; import at.gv.egovernment.moa.id.config.auth.PropertyBasedAuthConfigurationProvider; import at.gv.egovernment.moa.id.util.ParamValidatorUtils; import at.gv.egovernment.moa.logging.Logger; import at.gv.egovernment.moa.util.MiscUtil; import at.gv.egovernment.moa.util.StringUtils; @Service("StartAuthentificationParameterParser") public class StartAuthentificationParameterParser extends MOAIDAuthConstants{ @Autowired AuthConfiguration authConfig; public void parse(IAuthenticationSession moasession, String reqTarget, String oaURL, String bkuURL, String templateURL, String useMandate, String ccc, HttpServletRequest req, IRequest protocolReq) throws WrongParametersException, MOAIDException, EAAFException { String resultTargetFriendlyName = null; String resultTarget = null; // escape parameter strings reqTarget = StringEscapeUtils.escapeHtml(reqTarget); bkuURL = StringEscapeUtils.escapeHtml(bkuURL); templateURL = StringEscapeUtils.escapeHtml(templateURL); useMandate = StringEscapeUtils.escapeHtml(useMandate); ccc = StringEscapeUtils.escapeHtml(ccc); //validate parameters if (!ParamValidatorUtils.isValidUseMandate(useMandate)) throw new WrongParametersException("StartAuthentication", PARAM_USEMANDATE, "auth.12"); if (!ParamValidatorUtils.isValidCCC(ccc)) throw new WrongParametersException("StartAuthentication", PARAM_CCC, "auth.12"); //check UseMandate flag String useMandateString = null; boolean useMandateBoolean = false; if ((useMandate != null) && (useMandate.compareTo("") != 0)) { useMandateString = useMandate; } else { useMandateString = "false"; } if (useMandateString.compareToIgnoreCase("true") == 0) useMandateBoolean = true; else useMandateBoolean = false; moasession.setUseMandate(useMandateString); //load OnlineApplication configuration IOAAuthParameters oaParam = protocolReq.getServiceProviderConfiguration(IOAAuthParameters.class); if (oaParam == null) throw new AuthenticationException("auth.00", new Object[] { protocolReq.getSPEntityId() }); // get target and target friendly name from config String targetConfig = oaParam.getAreaSpecificTargetIdentifier(); String targetFriendlyNameConfig = oaParam.getAreaSpecificTargetIdentifierFriendlyName(); //SAML1 legacy work-around for public area targets in request if (protocolReq.requestedModule().equals("at.gv.egovernment.moa.id.protocols.saml1.SAML1Protocol") && !StringUtils.isEmpty(reqTarget)) { //INFO: ONLY SAML1 legacy mode // if SAML1 is used and target attribute is given in request // use requested target // check target parameter if (!ParamValidatorUtils.isValidTarget(reqTarget)) { Logger.error("Selected target is invalid. Used target: " + reqTarget); throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.12"); } resultTarget = MOAIDAuthConstants.PREFIX_CDID + reqTarget; String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget); if (MiscUtil.isNotEmpty(sectorName)) resultTargetFriendlyName = sectorName; else { //check target contains subSector int delimiter = reqTarget.indexOf("-"); if (delimiter > 0) { resultTargetFriendlyName = TargetToSectorNameMapper.getSectorNameViaTarget(reqTarget.substring(0, delimiter)); } } if (MiscUtil.isNotEmpty(targetConfig) && MiscUtil.isEmpty(resultTargetFriendlyName)) resultTargetFriendlyName = targetFriendlyNameConfig; //set info's into request-context. (It's required to support SAML1 requested target parameters) protocolReq.setRawDataToTransaction(MOAIDAuthConstants.AUTHPROCESS_DATA_TARGET, resultTarget); protocolReq.setRawDataToTransaction( MOAIDAuthConstants.AUTHPROCESS_DATA_TARGETFRIENDLYNAME, resultTargetFriendlyName); } else { Logger.trace("Use oa sector-identifier from configuration"); resultTarget = targetConfig; resultTargetFriendlyName = targetFriendlyNameConfig; } //check if target is found if (MiscUtil.isEmpty(resultTarget)) throw new WrongParametersException("StartAuthentication", PARAM_TARGET, "auth.05"); //check if mandates are allowed if (useMandateBoolean && oaParam.hasBaseIdInternalProcessingRestriction()) { Logger.error("Online-Mandate Mode for business application not supported."); throw new AuthenticationException("auth.17", null); } if (resultTarget.startsWith(MOAIDAuthConstants.PREFIX_CDID)) Logger.debug("Service-Provider is of type 'PublicService' with DomainIdentifier:" + resultTarget); else Logger.debug("Service-Provider is of type 'PrivateService' with DomainIdentifier:" + resultTarget); //Validate BKU URI List allowedbkus = oaParam.getBKUURL(); allowedbkus.addAll(authConfig.getDefaultBKUURLs()); if (!ParamValidatorUtils.isValidBKUURI(bkuURL, allowedbkus)) throw new WrongParametersException("StartAuthentication", PARAM_BKU, "auth.12"); moasession.setBkuURL(bkuURL); //validate securityLayer-template if (MiscUtil.isEmpty(templateURL)) { List templateURLList = oaParam.getTemplateURL(); List defaulTemplateURLList = authConfig.getSLRequestTemplates(); if ( templateURLList != null && !templateURLList.isEmpty() && MiscUtil.isNotEmpty(templateURLList.get(0)) ) { templateURL = FileUtils.makeAbsoluteURL( oaParam.getTemplateURL().get(0), authConfig.getRootConfigFileDir()); Logger.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")"); } else if ( !defaulTemplateURLList.isEmpty() && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) { templateURL = FileUtils.makeAbsoluteURL( defaulTemplateURLList.get(0), authConfig.getRootConfigFileDir()); Logger.info("No SL-Template in request, load SL-Template from general configuration (URL: " + templateURL + ")"); } else { Logger.error("NO SL-Tempalte found in OA config"); throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); } } if (!ParamValidatorUtils.isValidTemplate(req, templateURL, oaParam.getTemplateURL(), authConfig.getBasicConfigurationBoolean( PropertyBasedAuthConfigurationProvider.PROP_STRICT_SAML1_PARAM_VALIDATION, false))) { throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12"); } protocolReq.setRawDataToTransaction( MOAIDAuthConstants.AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE, templateURL); //validate SSO functionality String domainIdentifier = authConfig.getSSOTagetIdentifier(); if (MiscUtil.isEmpty(domainIdentifier) && protocolReq.needSingleSignOnFunctionality()) { //do not use SSO if no Target is set Logger.warn("NO SSO-Target found in configuration. Single Sign-On is deaktivated!"); protocolReq.setNeedSingleSignOnFunctionality(false); } if (protocolReq.needSingleSignOnFunctionality() && useMandateBoolean) { Logger.info("Usage of Mandate-Service does not allow Single Sign-On. --> SSO is disabled for this request."); protocolReq.setNeedSingleSignOnFunctionality(false); } } public void parse(ExecutionContext ec, IAuthenticationSession moasession, HttpServletRequest req, IRequest pendingReq) throws WrongParametersException, MOAIDException, EAAFException { //get Parameters from request String oaURL = (String) ec.get(PARAM_OA); String bkuURL = (String) ec.get(PARAM_BKU); String templateURL = (String) ec.get(PARAM_TEMPLATE); String useMandate = (String) ec.get(PARAM_USEMANDATE); String ccc = (String) ec.get(PARAM_CCC); if (pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class) != null && pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class).isOnlyMandateAllowed()) { Logger.debug("Service " + pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class).getPublicURLPrefix() + " only allows authentication with mandates. --> Set useMandate to TRUE."); useMandate = String.valueOf(pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class).isOnlyMandateAllowed()); } oaURL = pendingReq.getSPEntityId(); //only needed for SAML1 String target = pendingReq.getRawData("saml1_target", String.class); parse(moasession, target, oaURL, bkuURL, templateURL, useMandate, ccc, req, pendingReq); } }