package at.gv.egovernment.moa.id.protocols.pvp2x.builder.assertion; import java.util.Iterator; import java.util.List; import org.joda.time.DateTime; import org.opensaml.common.xml.SAMLConstants; import org.opensaml.saml2.core.Assertion; import org.opensaml.saml2.core.Attribute; import org.opensaml.saml2.core.AttributeStatement; import org.opensaml.saml2.core.Audience; import org.opensaml.saml2.core.AudienceRestriction; import org.opensaml.saml2.core.AuthnContext; import org.opensaml.saml2.core.AuthnContextClassRef; import org.opensaml.saml2.core.AuthnRequest; import org.opensaml.saml2.core.AuthnStatement; import org.opensaml.saml2.core.Conditions; import org.opensaml.saml2.core.Issuer; import org.opensaml.saml2.core.NameID; import org.opensaml.saml2.core.RequestedAuthnContext; import org.opensaml.saml2.core.Subject; import org.opensaml.saml2.core.SubjectConfirmation; import org.opensaml.saml2.core.SubjectConfirmationData; import org.opensaml.saml2.metadata.AttributeConsumingService; import org.opensaml.saml2.metadata.EntityDescriptor; import org.opensaml.saml2.metadata.NameIDFormat; import org.opensaml.saml2.metadata.RequestedAttribute; import org.opensaml.saml2.metadata.SPSSODescriptor; import org.w3c.dom.Element; import at.gv.e_government.reference.namespace.mandates._20040701_.Mandate; import at.gv.e_government.reference.namespace.persondata._20020228_.CorporateBodyType; import at.gv.e_government.reference.namespace.persondata._20020228_.IdentificationType; import at.gv.e_government.reference.namespace.persondata._20020228_.PhysicalPersonType; import at.gv.egovernment.moa.id.MOAIDException; import at.gv.egovernment.moa.id.auth.AuthenticationServer; import at.gv.egovernment.moa.id.auth.builder.BPKBuilder; import at.gv.egovernment.moa.id.auth.data.AuthenticationSession; import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProvider; import at.gv.egovernment.moa.id.config.auth.OAAuthParameter; import at.gv.egovernment.moa.id.data.AuthenticationData; import 
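at.gv.egovernment.moa.id.protocols.pvp2x.PVPConstants;
import at.gv.egovernment.moa.id.protocols.pvp2x.builder.PVPAttributeBuilder;
import at.gv.egovernment.moa.id.protocols.pvp2x.config.PVPConfiguration;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NameIDFormatNotSupportedException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoAuthContextException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.PVP2Exception;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.QAANotSupportedException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.UnprovideableAttributeException;
import at.gv.egovernment.moa.id.protocols.pvp2x.utils.SAML2Utils;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;

/**
 * Builds the SAML 2 {@link Assertion} that MOA-ID issues to a PVP 2.x service
 * provider after a successful authentication.
 *
 * <p>The assertion is assembled from four sources:
 * <ul>
 *   <li>the peer's {@link AuthnRequest} (requested authentication context,
 *       AttributeConsumingServiceIndex, InResponseTo),</li>
 *   <li>the peer's metadata {@link EntityDescriptor} (NameID formats,
 *       requested attributes, audience and recipient),</li>
 *   <li>the local {@link AuthenticationSession} / {@link AuthenticationData}
 *       (bPK, mandate, foreigner flag),</li>
 *   <li>the online-application configuration {@link OAAuthParameter}.</li>
 * </ul>
 *
 * <p>Trust boundary: everything read from the {@link AuthnRequest} is
 * peer-supplied and is only ever matched against the peer's registered metadata,
 * never used as a raw index or identifier. The subject NameID is a
 * sector-/domain-specific bPK; the base identifier (Stammzahl) taken from a
 * mandate is always passed through {@link BPKBuilder} before it is placed in the
 * assertion.
 */
public class PVP2AssertionBuilder implements PVPConstants {

	/**
	 * Lifetime, in minutes, of the issued assertion ({@code Conditions/NotOnOrAfter})
	 * and of its bearer {@code SubjectConfirmationData/NotOnOrAfter}. Bounds the
	 * window in which a captured assertion can be replayed to the peer.
	 */
	private static final int ASSERTION_VALIDITY_MINUTES = 20;

	/**
	 * Builds the complete assertion for one authentication response.
	 *
	 * @param authnRequest the peer's request being answered (must carry a
	 *        {@code RequestedAuthnContext})
	 * @param authSession  the local session of the authenticated user
	 * @param peerEntity   the peer's SAML metadata
	 * @return a fully populated, not yet signed, assertion
	 * @throws NoAuthContextException if the request carries no RequestedAuthnContext
	 * @throws QAANotSupportedException if none of the requested STORK QAA levels
	 *         can be asserted (currently also for every foreign citizen, see
	 *         {@link #buildAuthnStatement})
	 * @throws NameIDFormatNotSupportedException if the peer's metadata does not
	 *         declare the {@code persistent} NameID format
	 * @throws UnprovideableAttributeException if a required requested attribute
	 *         cannot be provided
	 * @throws NoMandateDataAvailableException if the session is a mandate session
	 *         but no usable mandator identification is available
	 * @throws IllegalArgumentException if the peer's metadata holds no
	 *         SPSSODescriptor / AttributeConsumingService matching the request
	 * @throws MOAIDException for any other failure of the underlying builders
	 */
	public static Assertion buildAssertion(AuthnRequest authnRequest,
			AuthenticationSession authSession, EntityDescriptor peerEntity)
			throws MOAIDException {
		// A single timestamp keeps AuthnInstant, NotBefore, IssueInstant and the two
		// NotOnOrAfter values consistent with each other.
		DateTime now = new DateTime();

		Assertion assertion = SAML2Utils.createSAMLObject(Assertion.class);
		assertion.getAuthnStatements().add(buildAuthnStatement(authnRequest, authSession, now));

		SPSSODescriptor spSSODescriptor = peerEntity.getSPSSODescriptor(SAMLConstants.SAML20P_NS);
		if (spSSODescriptor == null) {
			throw new IllegalArgumentException("Metadata of " + peerEntity.getEntityID()
					+ " declares no SPSSODescriptor for " + SAMLConstants.SAML20P_NS);
		}
		AttributeConsumingService attributeConsumingService =
				selectAttributeConsumingService(spSSODescriptor, authnRequest);
		requirePersistentNameIDFormat(spSSODescriptor);

		// TODO: load oaParam from the request and not from the MOASession in case of SSO
		OAAuthParameter oaParam = AuthConfigurationProvider.getInstance()
				.getOnlineApplicationParameter(peerEntity.getEntityID());
		AuthenticationData authData = AuthenticationServer.buildAuthenticationData(
				authSession, oaParam, oaParam.getTarget());

		AttributeStatement attributeStatement = buildAttributeStatement(
				attributeConsumingService, authSession, oaParam, authData);
		// An empty AttributeStatement is not schema-valid, so it is only attached when populated.
		if (!attributeStatement.getAttributes().isEmpty()) {
			assertion.getAttributeStatements().add(attributeStatement);
		}

		NameID subjectNameID = buildSubjectNameID(authSession, oaParam, authData);
		assertion.setSubject(buildSubject(subjectNameID, authnRequest, peerEntity, now));
		assertion.setConditions(buildConditions(peerEntity, now));
		assertion.setIssuer(buildIssuer());
		assertion.setID(SAML2Utils.getSecureIdentifier());
		assertion.setIssueInstant(now);
		return assertion;
	}

	/**
	 * Evaluates the requested STORK QAA levels and builds the {@link AuthnStatement}.
	 *
	 * <p>The statement always asserts {@code STORK_QAA_1_4}: a request without any
	 * class reference is accepted, and a request naming any of the four STORK QAA
	 * levels is satisfied by 1.4 since that is the level of a citizen-card login.
	 * For foreigners the actual level is not evaluated yet, so such requests are
	 * rejected with {@link QAANotSupportedException} (TODO: insert QAA check).
	 *
	 * @param authnRequest the peer's request
	 * @param authSession  the local session (foreigner flag)
	 * @param now          timestamp used as AuthnInstant
	 * @return the authentication statement with a fresh SessionIndex
	 * @throws NoAuthContextException   if no RequestedAuthnContext is present
	 * @throws QAANotSupportedException if no acceptable QAA level was requested
	 * @throws MOAIDException           from the SAML object factory
	 */
	private static AuthnStatement buildAuthnStatement(AuthnRequest authnRequest,
			AuthenticationSession authSession, DateTime now) throws MOAIDException {
		RequestedAuthnContext reqAuthnContext = authnRequest.getRequestedAuthnContext();
		if (reqAuthnContext == null) {
			throw new NoAuthContextException();
		}
		List<AuthnContextClassRef> requestedClassRefs = reqAuthnContext.getAuthnContextClassRefs();

		boolean storkQaa14Found = false;
		if (requestedClassRefs.isEmpty()) {
			storkQaa14Found = true;
		} else {
			for (AuthnContextClassRef classRef : requestedClassRefs) {
				String qaaUri = classRef.getAuthnContextClassRef();
				if (qaaUri == null) {
					continue;
				}
				qaaUri = qaaUri.trim();
				if (qaaUri.equals(STORK_QAA_1_4) || qaaUri.equals(STORK_QAA_1_3)
						|| qaaUri.equals(STORK_QAA_1_2) || qaaUri.equals(STORK_QAA_1_1)) {
					// TODO: insert QAA check for foreigners; until then they are rejected.
					storkQaa14Found = !authSession.isForeigner();
					break;
				}
			}
		}
		if (!storkQaa14Found) {
			throw new QAANotSupportedException(STORK_QAA_1_4);
		}

		AuthnContextClassRef authnContextClassRef =
				SAML2Utils.createSAMLObject(AuthnContextClassRef.class);
		authnContextClassRef.setAuthnContextClassRef(STORK_QAA_1_4);
		AuthnContext authnContext = SAML2Utils.createSAMLObject(AuthnContext.class);
		authnContext.setAuthnContextClassRef(authnContextClassRef);

		AuthnStatement authnStatement = SAML2Utils.createSAMLObject(AuthnStatement.class);
		authnStatement.setAuthnInstant(now);
		// Currently a dummy id: a fresh random identifier rather than a real IdP session handle.
		authnStatement.setSessionIndex(SAML2Utils.getSecureIdentifier());
		authnStatement.setAuthnContext(authnContext);
		return authnStatement;
	}

	/**
	 * Selects the {@link AttributeConsumingService} whose attribute list drives the
	 * AttributeStatement.
	 *
	 * <p>The peer-supplied {@code AttributeConsumingServiceIndex} is matched against
	 * the {@code index} attribute declared in the peer's own metadata; it is never
	 * used as a position in the service list. Without an index the service flagged
	 * {@code isDefault}, or else the first declared one, is used.
	 *
	 * @param spSSODescriptor the peer's SP role descriptor
	 * @param authnRequest    the peer's request
	 * @return the matching service
	 * @throws IllegalArgumentException if the requested index is not declared or
	 *         no service exists at all
	 */
	private static AttributeConsumingService selectAttributeConsumingService(
			SPSSODescriptor spSSODescriptor, AuthnRequest authnRequest) {
		List<AttributeConsumingService> services = spSSODescriptor.getAttributeConsumingServices();
		Integer requestedIndex = authnRequest.getAttributeConsumingServiceIndex();

		if (requestedIndex != null) {
			for (AttributeConsumingService service : services) {
				if (service.getIndex() == requestedIndex.intValue()) {
					return service;
				}
			}
			throw new IllegalArgumentException("AuthnRequest " + authnRequest.getID()
					+ " references AttributeConsumingServiceIndex " + requestedIndex
					+ " which is not declared in the peer's metadata");
		}

		for (AttributeConsumingService service : services) {
			if (Boolean.TRUE.equals(service.isDefault())) {
				return service;
			}
		}
		if (services.isEmpty()) {
			throw new IllegalArgumentException(
					"Peer metadata declares no AttributeConsumingService");
		}
		return services.get(0);
	}

	/**
	 * Ensures the peer accepts the {@code persistent} NameID format, the only
	 * format this builder emits.
	 *
	 * @param spSSODescriptor the peer's SP role descriptor
	 * @throws NameIDFormatNotSupportedException if the format is not declared
	 */
	private static void requirePersistentNameIDFormat(SPSSODescriptor spSSODescriptor)
			throws MOAIDException {
		for (NameIDFormat format : spSSODescriptor.getNameIDFormats()) {
			if (NameID.PERSISTENT.equals(format.getFormat())) {
				return;
			}
		}
		// TODO use correct exception
		throw new NameIDFormatNotSupportedException("");
	}

	/**
	 * Builds the attributes the peer requested via its AttributeConsumingService.
	 *
	 * <p>Attributes that cannot be built are skipped unless the metadata marks them
	 * {@code isRequired}, in which case the whole assertion fails with
	 * {@link UnprovideableAttributeException}.
	 *
	 * @param service     the selected consuming service (requested attributes)
	 * @param authSession the local session
	 * @param oaParam     online-application configuration
	 * @param authData    authentication data derived from the session
	 * @return a statement that may be empty
	 * @throws UnprovideableAttributeException if a required attribute is missing
	 * @throws MOAIDException from the SAML object factory
	 */
	private static AttributeStatement buildAttributeStatement(AttributeConsumingService service,
			AuthenticationSession authSession, OAAuthParameter oaParam,
			AuthenticationData authData) throws MOAIDException {
		AttributeStatement statement = SAML2Utils.createSAMLObject(AttributeStatement.class);

		for (RequestedAttribute requested : service.getRequestAttributes()) {
			// isRequired is optional in metadata; absent means "not required".
			boolean required = Boolean.TRUE.equals(requested.isRequired());
			try {
				Attribute attr = PVPAttributeBuilder.buildAttribute(
						requested.getName(), authSession, oaParam, authData);
				if (attr != null) {
					statement.getAttributes().add(attr);
				} else if (required) {
					throw new UnprovideableAttributeException(requested.getName());
				}
			} catch (PVP2Exception e) {
				Logger.error("Attribute generation failed! for " + requested.getFriendlyName(), e);
				if (required) {
					throw new UnprovideableAttributeException(requested.getName());
				}
			}
		}
		return statement;
	}

	/**
	 * Builds the persistent subject {@link NameID}.
	 *
	 * <p>Without a mandate the bPK and bPK type of the authenticated user are used.
	 * With a mandate the mandator's identification is used instead: if it is a base
	 * identifier ({@code URN_PREFIX_BASEID}) a domain-specific wbPK (business
	 * service) or sector-specific bPK (public service) is derived from it so the
	 * base identifier itself never appears in the assertion; any other identifier
	 * type is passed through with its type as NameQualifier.
	 *
	 * @param authSession the local session (mandate, business-service flag)
	 * @param oaParam     online-application configuration (target / domain identifier)
	 * @param authData    authentication data of the user
	 * @return the populated NameID
	 * @throws NoMandateDataAvailableException if a mandate session lacks mandator data
	 * @throws MOAIDException from bPK derivation or the SAML object factory
	 */
	private static NameID buildSubjectNameID(AuthenticationSession authSession,
			OAAuthParameter oaParam, AuthenticationData authData) throws MOAIDException {
		NameID nameID = SAML2Utils.createSAMLObject(NameID.class);
		nameID.setFormat(NameID.PERSISTENT);

		if (!authSession.getUseMandate()) {
			nameID.setNameQualifier(authData.getBPKType());
			nameID.setValue(authData.getBPK());
			return nameID;
		}

		IdentificationType mandatorId = mandatorIdentification(authSession);
		String bpkType = mandatorId.getType();
		String bpk = mandatorId.getValue().getValue();

		if (!Constants.URN_PREFIX_BASEID.equals(bpkType)) {
			nameID.setNameQualifier(bpkType);
			nameID.setValue(bpk);
		} else if (authSession.getBusinessService()) {
			String domainId = oaParam.getIdentityLinkDomainIdentifier();
			nameID.setValue(new BPKBuilder().buildWBPK(bpk, domainId));
			// Register-number domains are already fully qualified.
			if (domainId.startsWith(AuthenticationSession.REGISTERANDORDNR_PREFIX_)) {
				nameID.setNameQualifier(domainId);
			} else {
				nameID.setNameQualifier(Constants.URN_PREFIX_WBPK + "+" + domainId);
			}
		} else {
			String target = oaParam.getTarget();
			String cdidPrefix = Constants.URN_PREFIX_CDID + "+";
			nameID.setValue(new BPKBuilder().buildBPK(bpk, target));
			if (target.startsWith(cdidPrefix)) {
				nameID.setNameQualifier(target);
			} else {
				nameID.setNameQualifier(cdidPrefix + target);
			}
		}
		return nameID;
	}

	/**
	 * Extracts the first identification of the mandator (corporate body preferred,
	 * then physical person) from the session's mandate.
	 *
	 * @param authSession the local mandate session
	 * @return the mandator's identification
	 * @throws NoMandateDataAvailableException if the mandate is missing, cannot be
	 *         parsed, or carries no identification
	 * @throws MOAIDException from {@link MandateBuilder}
	 */
	private static IdentificationType mandatorIdentification(AuthenticationSession authSession)
			throws MOAIDException {
		Element mandate = authSession.getMandate();
		if (mandate == null) {
			throw new NoMandateDataAvailableException();
		}
		Mandate mandateObject = MandateBuilder.buildMandate(mandate);
		if (mandateObject == null) {
			throw new NoMandateDataAvailableException();
		}

		CorporateBodyType corporation = mandateObject.getMandator().getCorporateBody();
		if (corporation != null && !corporation.getIdentification().isEmpty()) {
			return corporation.getIdentification().get(0);
		}
		PhysicalPersonType physicalPerson = mandateObject.getMandator().getPhysicalPerson();
		if (physicalPerson != null && !physicalPerson.getIdentification().isEmpty()) {
			return physicalPerson.getIdentification().get(0);
		}
		Logger.error("Failed to generate IdentificationType");
		throw new NoMandateDataAvailableException();
	}

	/**
	 * Builds the {@link Subject} with a bearer confirmation bound to the request.
	 *
	 * <p>{@code InResponseTo} ties the assertion to the peer's request id and
	 * {@code NotOnOrAfter} limits its bearer validity. NOTE(review): {@code Recipient}
	 * is set to the peer's entityID; the SAML Web Browser SSO profile expects the
	 * assertion consumer service URL here — confirm against the peer's expectations.
	 *
	 * @param nameID       the subject identifier
	 * @param authnRequest the peer's request (id)
	 * @param peerEntity   the peer's metadata (entityID)
	 * @param now          base timestamp for the validity window
	 * @return the populated subject
	 * @throws MOAIDException from the SAML object factory
	 */
	private static Subject buildSubject(NameID nameID, AuthnRequest authnRequest,
			EntityDescriptor peerEntity, DateTime now) throws MOAIDException {
		SubjectConfirmationData confirmationData =
				SAML2Utils.createSAMLObject(SubjectConfirmationData.class);
		confirmationData.setInResponseTo(authnRequest.getID());
		confirmationData.setNotOnOrAfter(now.plusMinutes(ASSERTION_VALIDITY_MINUTES));
		confirmationData.setRecipient(peerEntity.getEntityID());

		SubjectConfirmation confirmation = SAML2Utils.createSAMLObject(SubjectConfirmation.class);
		confirmation.setMethod(SubjectConfirmation.METHOD_BEARER);
		confirmation.setSubjectConfirmationData(confirmationData);

		Subject subject = SAML2Utils.createSAMLObject(Subject.class);
		subject.setNameID(nameID);
		subject.getSubjectConfirmations().add(confirmation);
		return subject;
	}

	/**
	 * Builds the {@link Conditions}: validity window starting at {@code now} and an
	 * AudienceRestriction limiting the assertion to the peer's entityID.
	 *
	 * @param peerEntity the peer's metadata (entityID)
	 * @param now        start of the validity window
	 * @return the populated conditions
	 * @throws MOAIDException from the SAML object factory
	 */
	private static Conditions buildConditions(EntityDescriptor peerEntity, DateTime now)
			throws MOAIDException {
		Audience audience = SAML2Utils.createSAMLObject(Audience.class);
		audience.setAudienceURI(peerEntity.getEntityID());
		AudienceRestriction restriction = SAML2Utils.createSAMLObject(AudienceRestriction.class);
		restriction.getAudiences().add(audience);

		Conditions conditions = SAML2Utils.createSAMLObject(Conditions.class);
		conditions.setNotBefore(now);
		conditions.setNotOnOrAfter(now.plusMinutes(ASSERTION_VALIDITY_MINUTES));
		conditions.getAudienceRestrictions().add(restriction);
		return conditions;
	}

	/**
	 * Builds the {@link Issuer} element naming this IdP (entity format).
	 *
	 * @return the populated issuer
	 * @throws MOAIDException from configuration access or the SAML object factory
	 */
	private static Issuer buildIssuer() throws MOAIDException {
		Issuer issuer = SAML2Utils.createSAMLObject(Issuer.class);
		issuer.setValue(PVPConfiguration.getInstance().getIDPIssuerName());
		issuer.setFormat(NameID.ENTITY);
		return issuer;
	}
}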