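package at.gv.egovernment.moa.id.auth.modules.sl20_auth.tasks;

import java.io.ByteArrayInputStream;
import java.util.Calendar;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.opensaml.saml2.core.Assertion;
import org.springframework.stereotype.Component;

import at.gv.egiz.eaaf.core.api.idp.auth.data.IIdentityLink;
import at.gv.egiz.eaaf.core.api.idp.process.ExecutionContext;
import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
import at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask;
import at.gv.egiz.eaaf.core.impl.utils.TransactionIDUtils;
import at.gv.egiz.eaaf.modules.pvp2.sp.impl.utils.AssertionAttributeExtractor;
import at.gv.egovernment.moa.id.advancedlogging.MOAIDEventConstants;
import at.gv.egovernment.moa.id.auth.data.AuthenticationSessionWrapper;
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.Constants;
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.SL20Constants;
import at.gv.egovernment.moa.id.auth.modules.sl20_auth.sl20.verifier.QualifiedeIDVerifier;
import at.gv.egovernment.moa.id.auth.parser.IdentityLinkAssertionParser;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.data.IVerifiyXMLSignatureResponse;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.util.Base64Utils;
import at.gv.egovernment.moa.util.DateTimeUtils;
import at.gv.egovernment.moaspss.logging.Logger;

/**
 * Verifies the qualified eID data (identity link and AuthBlock) that the SL2.0
 * "eID" command returned, and copies the verified data into the MOA session.
 *
 * <p>Input is read from the pending request, where the preceding SL2.0 response
 * handling stored it under {@link Constants#PENDING_REQ_STORAGE_PREFIX}: a stored
 * {@link TaskExecutionException} (SL2.0 error), the SL2.0 request id, the
 * Base64 identity link, the Base64 AuthBlock, the CCS URL and the LoA string.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Identity link and AuthBlock are verified by {@link QualifiedeIDVerifier}
 *       (signature checks, consistency with the SL2.0 request id). Only when
 *       {@link Constants#CONFIG_PROP_DISABLE_EID_VALIDATION} is {@code true} is a
 *       verification failure logged and otherwise ignored; the revision log still
 *       receives the *_VALIDATED events in that case. That switch therefore
 *       accepts unverified identities and must never be enabled in production.</li>
 *   <li>The LoA value is copied into the session as QAA level without any
 *       verification (see the TODO in {@link #execute}).</li>
 *   <li>The CCS URL is stored as BKU URL exactly as received from the SL2.0
 *       response; nothing here validates it.</li>
 * </ul>
 */
@Component("VerifyQualifiedeIDTask")
public class VerifyQualifiedeIDTask extends AbstractAuthServletTask {

  /**
   * Verifies the SL2.0 eID result and populates the authentication session.
   *
   * @param executionContext process execution context (not used here)
   * @param request current HTTP request (not used here)
   * @param response current HTTP response (not used here)
   * @throws TaskExecutionException if an SL2.0 error was stored for this request,
   *         if required eID data is missing, if verification fails (and is not
   *         disabled by configuration), or on any other error
   */
  @Override
  public void execute(ExecutionContext executionContext, HttpServletRequest request,
      HttpServletResponse response) throws TaskExecutionException {
    Logger.debug("Verify qualified eID data from SL20 response .... ");
    try {
      // A failed SL2.0 command was stored as exception by the response handling;
      // surface it before touching any eID data.
      TaskExecutionException sl20Error = pendingReq.getRawData(
          Constants.PENDING_REQ_STORAGE_PREFIX + SL20Constants.SL20_COMMAND_IDENTIFIER_ERROR,
          TaskExecutionException.class);
      if (sl20Error != null) {
        Logger.info("Found SL2.0 error after redirect ... ");
        throw sl20Error;
      }

      // Load the eID result from the pending request. Identity link and AuthBlock
      // are mandatory; failing fast here yields a descriptive error instead of a
      // NullPointerException out of the Base64 decoder or the verifier.
      String sl20ReqId = loadResult(SL20Constants.SL20_REQID);
      String idlB64 = requireResult(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_IDL, "identity link");
      String authBlockB64 = requireResult(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_AUTHBLOCK, "AuthBlock");
      String ccsURL = loadResult(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_CCSURL);
      String LoA = loadResult(SL20Constants.SL20_COMMAND_PARAM_EID_RESULT_LOA);

      // Parse the identity link (XML) from its Base64 encoding.
      IIdentityLink idl = new IdentityLinkAssertionParser(
          new ByteArrayInputStream(Base64Utils.decode(idlB64, false))).parseIdentityLink();

      // Stays null if AuthBlock verification did not complete (only possible when
      // validation is disabled by configuration, see catch below).
      IVerifiyXMLSignatureResponse authBlockVerificationResult = null;
      try {
        Assertion authBlock = QualifiedeIDVerifier.parseAuthBlockToSaml2Assertion(authBlockB64);
        AssertionAttributeExtractor authBlockExtractor = new AssertionAttributeExtractor(authBlock);

        IOAAuthParameters spConfig = pendingReq.getServiceProviderConfiguration(IOAAuthParameters.class);
        AuthConfiguration moaConfig = (AuthConfiguration) authConfig;

        // Verify identity link, AuthBlock signature and the consistency of both with
        // the SL2.0 request id (binds the response to this authentication request).
        QualifiedeIDVerifier.verifyIdentityLink(idl, spConfig, moaConfig);
        authBlockVerificationResult = QualifiedeIDVerifier.verifyAuthBlock(authBlockB64, spConfig, moaConfig);
        QualifiedeIDVerifier.checkConsistencyOfeIDData(sl20ReqId, idl, authBlockExtractor,
            authBlockVerificationResult);

        //TODO: add LoA verification
        // NOTE(review): until this is done, LoA is written to the session unverified.

      } catch (MOAIDException e) {
        // Development/test switch only: with validation disabled the (invalid) eID
        // data is still accepted and the *_VALIDATED events below are still logged.
        if (authConfig.getBasicMOAIDConfigurationBoolean(Constants.CONFIG_PROP_DISABLE_EID_VALIDATION, false)) {
          Logger.warn("SL20 eID data validation IS DISABLED!!");
          Logger.warn("SL20 eID data IS NOT VALID!!! Reason: " + e.getMessage(), e);
        } else {
          throw e;
        }
      }

      revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_IDL_VALIDATED);
      revisionsLogger.logEvent(pendingReq, MOAIDEventConstants.AUTHPROCESS_AUTHBLOCK_VALIDATED);

      // Populate the session with the verified eID data.
      AuthenticationSessionWrapper moasession = pendingReq.getSessionData(AuthenticationSessionWrapper.class);
      moasession.setIdentityLink(idl);
      moasession.setBkuURL(ccsURL); //TODO: from AuthBlock

      // Issue instant: AuthBlock signing time when available, otherwise "now"
      // (the latter only happens when verification was skipped).
      if (authBlockVerificationResult != null) {
        moasession.setIssueInstant(
            DateTimeUtils.buildDateTimeUTC(authBlockVerificationResult.getSigningDateTime()));
      } else {
        moasession.setIssueInstant(DateTimeUtils.buildDateTimeUTC(Calendar.getInstance()));
      }
      moasession.setQAALevel(LoA);

      requestStoreage.storePendingRequest(pendingReq);

    } catch (MOAIDException e) {
      Logger.warn("ERROR:", e);
      throw new TaskExecutionException(pendingReq, "SL2.0 Authentication FAILED. Msg: " + e.getMessage(), e);

    } catch (Exception e) {
      Logger.warn("ERROR:", e);
      Logger.warn("SL2.0 Authentication FAILED with a generic error.", e);
      throw new TaskExecutionException(pendingReq, e.getMessage(), e);

    } finally {
      // Always clear the per-thread transaction/session ids, regardless of outcome.
      TransactionIDUtils.removeTransactionId();
      TransactionIDUtils.removeSessionId();
    }
  }

  /**
   * Reads one SL2.0 result value stored under the task's pending-request prefix.
   *
   * @param key SL2.0 result key (one of the {@link SL20Constants} names)
   * @return the stored value, or {@code null} if nothing was stored for the key
   */
  private String loadResult(String key) {
    return pendingReq.getRawData(Constants.PENDING_REQ_STORAGE_PREFIX + key, String.class);
  }

  /**
   * Like {@link #loadResult(String)} but treats a missing or empty value as error.
   *
   * @param key SL2.0 result key
   * @param description human-readable name of the value, used in the error message
   * @return the non-empty stored value
   * @throws IllegalStateException if the value is absent or empty; the caller's
   *         generic catch turns this into a {@link TaskExecutionException}
   */
  private String requireResult(String key, String description) {
    String value = loadResult(key);
    if (value == null || value.isEmpty()) {
      throw new IllegalStateException(
          "SL2.0 eID result contains no " + description + " (" + key + ")");
    }
    return value;
  }
}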