/* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. 
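*/
package at.gv.egovernment.moa.id.protocols.pvp2x.builder;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.AttributeQuery;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.Subject;
import org.opensaml.saml2.core.impl.AttributeQueryBuilder;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.security.x509.X509Credential;
import org.opensaml.xml.signature.Signature;
import org.opensaml.xml.signature.SignatureConstants;
import org.opensaml.xml.signature.SignatureException;
import org.opensaml.xml.signature.Signer;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.w3c.dom.Document;

import at.gv.egiz.eaaf.modules.pvp2.exception.AttributQueryException;
import at.gv.egiz.eaaf.modules.pvp2.exception.CredentialsNotAvailableException;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PVPAttributeBuilder;
import at.gv.egiz.eaaf.modules.pvp2.impl.builder.SamlAttributeGenerator;
import at.gv.egiz.eaaf.modules.pvp2.impl.utils.SAML2Utils;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
import at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.signer.IDPCredentialProvider;
import at.gv.egovernment.moa.logging.Logger;

/**
 * Builds signed SAML 2 {@link AttributeQuery} requests and the list of
 * (optionally OA-specific) {@link Attribute}s such a request carries.
 *
 * @author tlenz
 */
@Service("AttributQueryBuilder")
public class AttributQueryBuilder {

  /** Message used for both the error log entry and the wrapped exception. */
  private static final String BUILD_FAILED_MSG = "Build AttributQuery Request FAILED.";

  @Autowired
  IDPCredentialProvider credentialProvider;

  /**
   * Builds the attributes to be requested for the given online application.
   *
   * <p>Every name delivered by {@code iterator} is turned into an empty SAML
   * attribute; names without a valid mapping are logged and skipped. The
   * EID sector attribute is additionally filled with the OA's area-specific
   * target identifier.
   *
   * @param oa online application the query is built for
   * @param iterator requested attribute names; {@code null} yields an empty list
   * @return the attributes to request, never {@code null}
   * @throws ConfigurationException if OA-specific values cannot be resolved
   */
  public List<Attribute> buildSAML2AttributeList(IOAAuthParameters oa, Iterator<String> iterator)
      throws ConfigurationException {
    Logger.debug("Build OA specific Attributes for AttributQuery request");
    List<Attribute> attrList = new ArrayList<Attribute>();
    if (iterator == null) {
      return attrList;
    }
    SamlAttributeGenerator generator = new SamlAttributeGenerator();

    while (iterator.hasNext()) {
      String requestedAttribute = iterator.next();
      Attribute attr = PVPAttributeBuilder.buildEmptyAttribute(requestedAttribute);
      if (attr == null) {
        Logger.warn("Attribut " + requestedAttribute + " has no valid Name");
        continue;
      }

      // add OA specific information
      if (requestedAttribute.equals(PVPConstants.EID_SECTOR_FOR_IDENTIFIER_NAME)) {
        attr = generator.buildStringAttribute(attr.getFriendlyName(), attr.getName(),
            oa.getAreaSpecificTargetIdentifier());
      }
      // TODO: add attribute values for SSO with mandates (ProfileList)
      attrList.add(attr);
    }
    return attrList;
  }

  /**
   * Builds a signed SAML 2 AttributeQuery for a transient subject.
   *
   * @param spEntityID entity ID of the requesting party, used as the query's Issuer
   * @param nameID transient subject identifier the query asks about
   * @param endpoint destination of the query (attribute authority endpoint)
   * @param requestedAttributes attributes to request; {@code null} is treated as empty
   * @return the query, already signed with the IDP assertion-signing credential
   * @throws AttributQueryException if the signing credential is unavailable, the DOM
   *     builder cannot be created, or marshalling/signing fails; the cause is preserved
   */
  public AttributeQuery buildAttributQueryRequest(String spEntityID, String nameID,
      String endpoint, List<Attribute> requestedAttributes) throws AttributQueryException {
    try {
      AttributeQuery query = new AttributeQueryBuilder().buildObject();

      // set user nameID
      NameID subjectNameID = SAML2Utils.createSAMLObject(NameID.class);
      subjectNameID.setValue(nameID);
      subjectNameID.setFormat(NameID.TRANSIENT);
      Subject subject = SAML2Utils.createSAMLObject(Subject.class);
      subject.setNameID(subjectNameID);
      query.setSubject(subject);

      // set attributes
      if (requestedAttributes != null) {
        query.getAttributes().addAll(requestedAttributes);
      }

      // set general request parameters
      query.setIssueInstant(new DateTime());
      Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
      issuer.setValue(spEntityID);
      issuer.setFormat(NameID.ENTITY);
      query.setIssuer(issuer);
      query.setID(SAML2Utils.getSecureIdentifier());
      query.setDestination(endpoint);

      // sign the query with the IDP assertion-signing credential
      X509Credential idpSigningCredential = credentialProvider.getIDPAssertionSigningCredential();
      Signature signer = SAML2Utils.createSAMLObject(Signature.class);
      // NOTE(review): RSA-SHA1 is a legacy signature algorithm. SignatureConstants
      // also offers ALGO_ID_SIGNATURE_RSA_SHA256; switching is an interop change that
      // every receiving attribute authority has to support, so it is only flagged here.
      signer.setSignatureAlgorithm(SignatureConstants.ALGO_ID_SIGNATURE_RSA_SHA1);
      signer.setCanonicalizationAlgorithm(SignatureConstants.ALGO_ID_C14N_EXCL_OMIT_COMMENTS);
      signer.setSigningCredential(idpSigningCredential);
      query.setSignature(signer);

      // The query is marshalled into a fresh, empty DOM before Signer.signObject runs.
      // The DocumentBuilder only creates that empty Document and never parses input,
      // so no XML-parser hardening (DTD/external entities) is needed here.
      DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
      Document document = builder.newDocument();
      Marshaller out = Configuration.getMarshallerFactory().getMarshaller(query);
      out.marshall(query, document);
      Signer.signObject(signer);

      return query;

    } catch (CredentialsNotAvailableException e) {
      throw buildFailure(e);
    } catch (ParserConfigurationException e) {
      throw buildFailure(e);
    } catch (MarshallingException e) {
      throw buildFailure(e);
    } catch (SignatureException e) {
      throw buildFailure(e);
    }
  }

  /**
   * Logs a build failure and wraps it into an {@link AttributQueryException},
   * keeping {@code cause} as the exception cause.
   *
   * @param cause the underlying failure
   * @return the exception to be thrown by the caller
   */
  private static AttributQueryException buildFailure(Exception cause) {
    Logger.error(BUILD_FAILED_MSG, cause);
    return new AttributQueryException(BUILD_FAILED_MSG, null, cause);
  }
}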