/*******************************************************************************
* Copyright 2014 Federal Chancellery Austria
* MOA-ID has been developed in a cooperation between BRZ, the Federal
* Chancellery Austria - ICT staff unit, and Graz University of Technology.
*
* Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
* the European Commission - subsequent versions of the EUPL (the "Licence");
* You may not use this work except in compliance with the Licence.
* You may obtain a copy of the Licence at:
* http://www.osor.eu/eupl/
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the Licence is distributed on an "AS IS" basis,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the Licence for the specific language governing permissions and
* limitations under the Licence.
*
* This product combines work with different licenses. See the "NOTICE" text
* file for details on the various modules and licenses.
* The "NOTICE" text file is part of the distribution. Any derivative works
* that you distribute must include a readable copy of the "NOTICE" text file.
******************************************************************************/
package at.gv.egovernment.moa.id.auth.builder;
import java.io.StringWriter;
import java.text.MessageFormat;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.List;
import javax.xml.bind.DatatypeConverter;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSession;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttribute;
import at.gv.egovernment.moa.id.auth.data.ExtendedSAMLAttributeImpl;
import at.gv.egovernment.moa.id.auth.exception.BuildException;
import at.gv.egovernment.moa.id.auth.exception.ParseException;
import at.gv.egovernment.moa.id.config.ConfigurationException;
import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
import at.gv.egovernment.moa.id.config.auth.IOAAuthParameters;
import at.gv.egovernment.moa.id.util.Random;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.Constants;
import at.gv.egovernment.moa.util.DOMUtils;
import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.egovernment.moa.util.StringUtils;
/**
* Builder for the authentication block <saml:Assertion>
* to be included in a <CreateXMLSignatureResponse>.
*
* @author Paul Ivancsics
* @version $Id$
*/
public class AuthenticationBlockAssertionBuilder extends AuthenticationAssertionBuilder implements Constants {
/** template for the Auth-Block */
private static String AUTH_BLOCK =
"" + NL +
" " + NL +
" " + NL +
" {3}" + NL +
" " + NL +
"{4}" +
" " + NL +
" {5}" + NL +
" " + NL +
" " + NL +
" {6}" + NL +
" " + NL +
"{7}" +
"{8}" +
"{9}" +
" " + NL +
"";
private static String GESCHAEFTS_BEREICH_ATTRIBUTE =
" " + NL +
" {0}" + NL +
" " + NL;
private static String WBPK_ATTRIBUTE =
" " + NL +
" " + NL +
" " + NL +
" {0}" + NL +
" {1}" + NL +
" " + NL +
" " + NL +
" " + NL;
private static String SPECIAL_TEXT_ATTRIBUTE =
" " + NL +
" {0}" + NL +
" " + NL;
private static String AUTHBLOCKTOKKEN_ATTRIBUTE =
" " + NL +
" {0}" + NL +
" " + NL;
private static String PR_IDENTIFICATION_ATTRIBUTE =
" " + NL +
" {0}" + NL +
" {1}" + NL +
" " + NL;
/**
* The number of SAML attributes included in this AUTH-Block (without the extended SAML attributes).
*/
public static final int NUM_OF_SAML_ATTRIBUTES = 5;
public static final int NUM_OF_SAML_ATTRIBUTES_SSO = 4;
/**
* Constructor for AuthenticationBlockAssertionBuilder.
*/
public AuthenticationBlockAssertionBuilder() {
super();
}
/**
* Builds the authentication block <saml:Assertion>
*
* @param issuer authentication block issuer; "GivenName FamilyName"
* @param issueInstant current timestamp
* @param authURL URL of MOA-ID authentication component
* @param target "Geschäftsbereich"; maybe null if the application
* is a business application
* @param identityLinkValue the content of the <pr:Value>
* child element of the <pr:Identification>
* element derived from the Identitylink; this is the
* value of the wbPK;
* maybe null if the application is a public service
* @param identityLinkType the content of the <pr:Type>
* child element of the <pr:Identification>
* element derived from the Identitylink; this includes the
* URN prefix and the identification number of the business
* application used as input for wbPK computation;
* maybe null if the application is a public service
* @param oaURL public URL of online application requested
* @param gebDat The date of birth from the identity link.
* @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock.
*
* @return String representation of authentication block
* <saml:Assertion> built
*
* @throws BuildException If an error occurs on serializing an extended SAML attribute
* to be appended to the AUTH-Block.
*/
public String buildAuthBlock(
String issuer,
String issueInstant,
String authURL,
String target,
String targetFriendlyName,
String identityLinkValue,
String identityLinkType,
String oaURL,
String gebDat,
List extendedSAMLAttributes,
AuthenticationSession session,
IOAAuthParameters oaParam)
throws BuildException
{
session.setSAMLAttributeGebeORwbpk(true);
String gebeORwbpk = "";
String wbpkNSDeclaration = "";
if (target == null) {
// OA is a business application
if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
// Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
//adding type of wbPK domain identifier
ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute =
new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
} else {
// We do not have a wbPK, therefore no SAML-Attribute is provided
session.setSAMLAttributeGebeORwbpk(false);
}
} else {
// OA is a govermental application
String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
if (StringUtils.isEmpty(sectorName)) {
if (targetFriendlyName != null)
sectorName = targetFriendlyName;
}
//gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });
//no business service, adding bPK
if (identityLinkValue != null) {
Element bpkSamlValueElement;
try {
bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
} catch (Exception e) {
Logger.error("Error on building AUTH-Block: " + e.getMessage());
throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
}
// String s = xmlToString(bpkSamlValueElement);
// System.out.println("bpkSamlValueElement: " + s);
ExtendedSAMLAttribute bpkAttribute =
new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
extendedSAMLAttributes.add(bpkAttribute);
}
boolean useMandate = session.isMandateUsed();
if (useMandate) {
//String mandateReferenceValue = Random.nextRandom();
String mandateReferenceValue = Random.nextProcessReferenceValue();
// remove leading "-"
if (mandateReferenceValue.startsWith("-"))
mandateReferenceValue = mandateReferenceValue.substring(1);
session.setMandateReferenceValue(mandateReferenceValue);
ExtendedSAMLAttribute mandateReferenceValueAttribute =
new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
extendedSAMLAttributes.add(mandateReferenceValueAttribute);
}
//gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
}
//adding friendly name of OA
String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName();
ExtendedSAMLAttribute oaFriendlyNameAttribute =
new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
extendedSAMLAttributes.add(oaFriendlyNameAttribute);
String text = "";
if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
text = oaParam.getAditionalAuthBlockText();
}
String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
//generate unique AuthBlock tokken
String uniquetokken = Random.nextRandom();
session.setAuthBlockTokken(uniquetokken);
String assertion;
try {
assertion = MessageFormat.format(
AUTH_BLOCK, new Object[] {
wbpkNSDeclaration,
issuer,
issueInstant,
authURL,
gebeORwbpk,
oaURL,
gebDat,
specialText,
MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
new Object[] { uniquetokken }),
buildExtendedSAMLAttributes(extendedSAMLAttributes)});
} catch (ParseException e) {
Logger.error("Error on building AUTH-Block: " + e.getMessage());
throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
}
return assertion;
}
/**
* Builds the authentication block <saml:Assertion>
*
* @param issuer authentication block issuer; "GivenName FamilyName"
* @param issueInstant current timestamp
* @param authURL URL of MOA-ID authentication component
* @param target "Geschäftsbereich"; maybe null if the application
* is a business application
* @param identityLinkValue the content of the <pr:Value>
* child element of the <pr:Identification>
* element derived from the Identitylink; this is the
* value of the wbPK;
* maybe null if the application is a public service
* @param identityLinkType the content of the <pr:Type>
* child element of the <pr:Identification>
* element derived from the Identitylink; this includes the
* URN prefix and the identification number of the business
* application used as input for wbPK computation;
* maybe null if the application is a public service
* @param oaURL public URL of online application requested
* @param gebDat The date of birth from the identity link.
* @param extendedSAMLAttributes The SAML attributes to be appended to the AUTHBlock.
*
* @return String representation of authentication block
* <saml:Assertion> built
*
* @throws BuildException If an error occurs on serializing an extended SAML attribute
* to be appended to the AUTH-Block.
*/
public String buildAuthBlockForeignID(
String issuer,
String issueInstant,
String authURL,
String target,
String identityLinkValue,
String identityLinkType,
String oaURL,
String gebDat,
List extendedSAMLAttributes,
AuthenticationSession session,
IOAAuthParameters oaParam)
throws BuildException
{
session.setSAMLAttributeGebeORwbpk(true);
String gebeORwbpk = "";
String wbpkNSDeclaration = "";
if (target == null) {
// OA is a business application
if (!Constants.URN_PREFIX_HPI.equals(identityLinkType)) {
// Only add wbPKs to AUTH-Block. HPIs can be added to the AUTH-Block by the corresponding Validator
gebeORwbpk = MessageFormat.format(WBPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
//BZ.., adding type of wbPK domain identifier
ExtendedSAMLAttribute idLinkDomainIdentifierTypeAttribute =
new ExtendedSAMLAttributeImpl("IdentityLinkDomainIdentifierType", oaParam.getIdentityLinkDomainIdentifierType(), Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
extendedSAMLAttributes.add(idLinkDomainIdentifierTypeAttribute);
//..BZ
} else {
// We do not have a wbPK, therefore no SAML-Attribute is provided
session.setSAMLAttributeGebeORwbpk(false);
}
} else {
// OA is a govermental application
//BZ..
String sectorName = TargetToSectorNameMapper.getSectorNameViaTarget(target);
//gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target });
gebeORwbpk = MessageFormat.format(GESCHAEFTS_BEREICH_ATTRIBUTE, new Object[] { target + " (" + sectorName + ")" });
//..BZ
//BZ.., no business service, adding bPK
Element bpkSamlValueElement;
try {
bpkSamlValueElement = DOMUtils.parseDocument(MessageFormat.format(PR_IDENTIFICATION_ATTRIBUTE, new Object[] { identityLinkValue, Constants.URN_PREFIX_BPK }), false, null, null).getDocumentElement();
} catch (Exception e) {
Logger.error("Error on building AUTH-Block: " + e.getMessage());
throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
}
ExtendedSAMLAttribute bpkAttribute =
new ExtendedSAMLAttributeImpl("bPK", bpkSamlValueElement, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
extendedSAMLAttributes.add(bpkAttribute);
//gebeORwbpk = gebeORwbpk + MessageFormat.format(BPK_ATTRIBUTE, new Object[] { identityLinkValue, identityLinkType });
wbpkNSDeclaration = " xmlns:pr=\"" + PD_NS_URI + "\"";
//..BZ
}
//BZ.., adding friendly name of OA
String oaFriendlyName = StringUtils.isEmpty(oaParam.getFriendlyName()) ? "" : oaParam.getFriendlyName();
ExtendedSAMLAttribute oaFriendlyNameAttribute =
new ExtendedSAMLAttributeImpl("oaFriendlyName", oaFriendlyName, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
extendedSAMLAttributes.add(oaFriendlyNameAttribute);
//..BZ
String text = "";
if (MiscUtil.isNotEmpty(oaParam.getAditionalAuthBlockText())) {
Logger.debug("Use addional AuthBlock Text from OA=" + oaParam.getPublicURLPrefix());
text = oaParam.getAditionalAuthBlockText();
}
String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
//generate unique AuthBlock tokken
String uniquetokken = Random.nextRandom();
session.setAuthBlockTokken(uniquetokken);
String assertion;
try {
assertion = MessageFormat.format(
AUTH_BLOCK, new Object[] {
wbpkNSDeclaration,
issuer,
issueInstant,
authURL,
gebeORwbpk,
oaURL,
gebDat,
specialText,
MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
new Object[] { uniquetokken }),
buildExtendedSAMLAttributes(extendedSAMLAttributes)});
} catch (ParseException e) {
Logger.error("Error on building AUTH-Block: " + e.getMessage());
throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
}
return assertion;
}
public static String generateSpecialText(String inputtext, String issuer, String gebDat, String issueInstant) {
Calendar datetime = DatatypeConverter.parseDateTime(issueInstant);
SimpleDateFormat dateformat = new SimpleDateFormat("dd.MM.yyyy");
SimpleDateFormat timeformat = new SimpleDateFormat("HH:mm:ss");
String text = inputtext.replaceAll("#NAME#", issuer);
text = text.replaceAll("#BIRTHDAY#", gebDat);
text = text.replaceAll("#DATE#", dateformat.format(datetime.getTime()));
text = text.replaceAll("#TIME#", timeformat.format(datetime.getTime()));
return text;
}
public static String xmlToString(Node node) {
try {
Source source = new DOMSource(node);
StringWriter stringWriter = new StringWriter();
Result result = new StreamResult(stringWriter);
TransformerFactory factory = TransformerFactory.newInstance();
Transformer transformer = factory.newTransformer();
transformer.transform(source, result);
return stringWriter.getBuffer().toString();
} catch (TransformerConfigurationException e) {
e.printStackTrace();
} catch (TransformerException e) {
e.printStackTrace();
}
return null;
}
public String buildAuthBlockSSO(
String issuer,
String issueInstant,
String authURL,
String target,
String targetFriendlyName,
String identityLinkValue,
String identityLinkType,
String oaURL,
String gebDat,
List extendedSAMLAttributes,
AuthenticationSession session,
IOAAuthParameters oaParam)
throws BuildException
{
session.setSAMLAttributeGebeORwbpk(true);
String gebeORwbpk = "";
String wbpkNSDeclaration = "";
if (target != null) {
boolean useMandate = session.isMandateUsed();
if (useMandate) {
//String mandateReferenceValue = Random.nextRandom();
String mandateReferenceValue = Random.nextProcessReferenceValue();
// remove leading "-"
if (mandateReferenceValue.startsWith("-"))
mandateReferenceValue = mandateReferenceValue.substring(1);
session.setMandateReferenceValue(mandateReferenceValue);
ExtendedSAMLAttribute mandateReferenceValueAttribute =
new ExtendedSAMLAttributeImpl("mandateReferenceValue", mandateReferenceValue, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK);
extendedSAMLAttributes.add(mandateReferenceValueAttribute);
}
}
//adding friendly name of OA
String friendlyname;
try {
friendlyname = AuthConfigurationProviderFactory.getInstance().getSSOFriendlyName();
ExtendedSAMLAttribute oaFriendlyNameAttribute =
new ExtendedSAMLAttributeImpl("oaFriendlyName", friendlyname, Constants.MOA_NS_URI, ExtendedSAMLAttribute.ADD_TO_AUTHBLOCK_ONLY);
extendedSAMLAttributes.add(oaFriendlyNameAttribute);
String text = AuthConfigurationProviderFactory.getInstance().getSSOSpecialText();
if (MiscUtil.isEmpty(text))
text="";
String specialText = MessageFormat.format(SPECIAL_TEXT_ATTRIBUTE,
new Object[] { generateSpecialText(text, issuer, gebDat, issueInstant) });
//generate unique AuthBlock tokken
String uniquetokken = Random.nextRandom();
session.setAuthBlockTokken(uniquetokken);
String assertion;
assertion = MessageFormat.format(
AUTH_BLOCK, new Object[] {
wbpkNSDeclaration,
issuer,
issueInstant,
authURL,
gebeORwbpk,
oaURL,
gebDat,
specialText,
MessageFormat.format(AUTHBLOCKTOKKEN_ATTRIBUTE,
new Object[] { uniquetokken }),
buildExtendedSAMLAttributes(extendedSAMLAttributes)});
return assertion;
} catch (ParseException e) {
Logger.error("Error on building AUTH-Block: " + e.getMessage());
throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
} catch (ConfigurationException e) {
Logger.error("Error on building AUTH-Block: " + e.getMessage());
throw new BuildException("builder.00", new Object[] { "AUTH-Block", e.toString()});
}
}
}