| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
TnvzHelper Fixes
- Handle additional edge cases.
- Mzs:Schema Change: Eliminate PreAdviceNote redundancy by removing it
from mzs:DeliveryRequest/TnvzMetaData; PreadviceNote is already in
the Receiver element. Update TnvzHelper accordingly.
- Implement and integrate tnvz completeness check into
DeliveryRequestAugmenter to ensure that, after augmentation, tnvz
can be performed.
Refactor mzs:DeliveryRequest Validation:
- Before: Validating, merging and generatig ConfigType in ConfigUtil.
- Change: Need to add validation of DeliveryRequest (Reason: For
performing Tnvz Requests, the DeliveryRequest needs to be in a
consistent state).
- Problem: DeliveryRequest validation does not fit into ConfigUtil.
- Solution: Put validation of DeliveryRequest and Config into new
Component "MzsValidation".
|
|
Per default, integration tests are excluded from build. They can be
included with the `-P integration-test` argument.
- Pom: Add maven profile for integration tests.
- Rename integration tests (add `IT` prefix).
- Move Resources into IT* folders.
- Add MsgClientTest to test suite and add assertions to each test case.
|
|
- Move JaxbM initialization into Marshaller such that it can be used
in tests without Spring's Application Context.
- Remove SpringRunner from Mzs2MsgConverter Test, which makes the test
run faster.
|
|
- Add Component to create SSLContexts with own Key- and trust store.
- Inject SSLContext into HTTP Client.
- Add EAAF-Components Core Dependency, which is needed by
SSLContextCreator (KeyStoreUtils).
Schema Changes in mzs:DeliveryRequest/Config:
- Got Rid of mzs:DeliveryRequest/Config/Server. In mzs 1.4.1,
Server replaces the result of zkopf query person request. Since this
zkopf interface does not exist anymore, Server was removed.
- Add ClientType, which holds all parameters needed to connect to a
service (Url, SSL params, a.o.).
Configuration:
- Add default parameters for SSL Clients in application.yaml.
- Merge default parameters into incoming mzs:DeliveryRequests.
MoaZSException Fixes:
- Remove "Extends throwable" from Builder.
- Add convenient shorthand init method (message, throwable).
Refactor:
- Put "determinePath" to FileUtils.
- Put string related utility functions into StringUtils.
|
|
- Interpret `ISignatureVerificationService` response properly (by
following security layer spec [1] and moaspss handbook [2]).
- Add config flag `moa.spss.is-manifest-check-active`
- Change SignatureVerifier Interface: Remove @return boolean, just
throw an exception when a validation error occurs. Reason: In case
the signature cannot be validated, the application always needs the
reason for the validation error, which requires the verifier to
throw an exception. In turn, the only valid return value for
`verify()` becomes `true`, which can be omitted at that point.
- Add testcase for verifying a valid enveloped xml signature
- Remove Certificates that are not needed.
[1] https://www.buergerkarte.at/konzept/securitylayer/spezifikation/20140114/core/core.html
[2] https://apps.egiz.gv.at/handbooks/moa-spss/handbook/handbook/usage/usage.html
|
|
|
|
|
|
Fixing "ASN.1 creation error: iaik.asn1.CodingException: Length: Too
large ASN.1 object: 109"
- Set fallback value ('jks') for system property
'javax.net.ssl.keyStoreType' and 'javax.net.ssl.trustStoreType'. If
system property is not defined, MoaSigConfig falls back to value
from spring environment. Reason: Without this property explicitly
set to JKS, the inclusion of eaaf-components-moa-sig-lib breaks the
HTTP client builder and the ASN.1 creation error arises. See [1] for
explanation.
- Why fall back: Allows a user to configure these parameters via
command line, but gives meaningful defaults in case of absent
command line properties. Furthermore, these parameters can be configured via
application.yaml or .properties.
Others:
- Set fallback value for system property
'moa.spss.server.configuration'. If system property is not defined,
fall back to value from spring environment. Reason: Allows a user to
configure these parameters via command line while providing
meaningful defaults in case of absent command line properties.
- Add switch 'moa.spss.is-active' to enable / disable signature verification.
- Change log levels of at.gv.* and iaik.* packages to INFO
- Add default certstore (copied from EAAF Components).
- Add mzs root certificate to cert- and truststore.
- Update readme's installation requirements and guide.
Refactor:
- Extract public interface of SignatureVerification class.
- Rename trustprofile folder.
[1] Why eaaf-components-moa-sig-lib breaks HTTP client:
- Including eaaf-components-moa-sig-lib includes IAIK's jca/jce and
xsect, which in turn injects the iaik provider for cryptographic
operations and its own key store (iaik.pkcs.pkcs12.PKCS12KeyStore).
- The Apache HTTP client builder will ask for a
java.base/javax.net.ssl.SSLSocketFactory because it creates an SSL
context, even if the connection runs without SSL.
- Somewhere down the stack, this will trigger the TrustStoreManager to
hand over the systems default trust store (a JKS file) to IAIK's
PKCS12KeyStore. This happens if the type properties of the trust
stores are not set.
- Oracle relaxed a precondition of this trust store (somewhere in
between Java 8 and 11) in the TrustStoreManager: Formerly, the trust
store was a JKS object. Now, the trust store can be both a JKS and a
PKCS12 object. The TrustStoreManager expects the key store to handle
both types, and Oracle's keystore does. However, IAIK's key store
cannot handle a JKS object, but since eaaf-components-moa-sig-lib
was included, the IAIK key store comes first.
- PKCS12KeyStore expects a PKCS12 file but receives a JKS file ->
Parser Error.
|
|
- Verify signature via ISignatureVerificationService.
- Override System Property moa.spss.server.configuration via spring's
environment (Reason: can configure path to moa SPSS config file via
application.yaml & moa SPSS needs this parameter to find the config
file)
- Setup test configuration directory for moaspss in
src/main/resources/moa-spss
- Readme: Explain how to install moaspss' dependencies into local
repository.
|
|
- Reason: All three classes opertate with the same data type, have
the same clients, and have the same reasons for change.
- Makes code in client more readable as it reduces number of
dependencies.
|
|
Refactor
- Add Builder to ConfigProfileGenerator. Reason: Constructor had too
many arguments.
- Move Conversion from Map to Config from ConfigProfileGenerator into
dedicated 'ConvertMapToConfig' Class; Reason: I expect additional
configuration properties and I don't want those changes to affect
the ConfigProfileGenerator (or it's test cases)
- Move Access to Spring's env into facade to simplify ConfigProfileGenerator.
|
|
|
|
ConfigProfileGenerator:
- Cancel startup if default Config profile is incomplete.
- Add property flag
'verify-completeness-of-default-delivery-request-configuration',
which allows admin to disable completeness check. In that case, just
log a warning if the default profile is incomplete.
Augmenter:
- Ensure that after merging the config is complete (or throw an
exception otherwise).
- Refactor: Move ConfigProfileValidator from ConfigProfileGenerator to
dedicated "ConfigProfileValidator" class; Reason: Augmenter needs to
check completness of at-runtime-compiled configuration.
- Refactor: Rewrote code for better readability.
Others
- NPE Fix in ConfigProfileMerger: If FallbackConfigProfile/Server is
empty, use PrimaryProfile/Server.
|
|
Augmenter
- Replace default Config Profile with map of Config Profiles. Now,
Augmenter can choose a config profile at runtime and augment it.
- Move Augmenter to sub package.
WIP
- Implement ConfigProfileGenerator, which retrieves Config profiles
from Spring Environment and returns an easy-to-use map with
profiles that is keyed with profile id's.
- Replace application.properties with application.yaml.
- Remove Augmenter test cases: They need to be adapted.
|
|
- Rewrite DeliveryRequestAugmenter to allow per-field-overriding of
configuration parameters and add test suite.
- Mzs schema change: Move DeliveryRequest/Server into
DeliveryRequest/Config; Reason: DeliveryRequest/Config contains all
parameters exclusively needed by moazs to execute the delivery
request. The msg's server url belongs to this set of parameters.
- WIP: Add prototype implementation of MsgClient and move MsgClient to
dedicated package.
- Refactor: move TnvzClient to dedicated package.
|
|
|
|
|
|
|
|
|
|
Problem: Apache CXF does not validate incoming mzs:DeliveryRequests
automatically. Per default, validation is off (performs better).
However, (1) we need to validate incoming requests, and (2)
automated CXF validation requires less maintenance and is
expected to be more stable than manual validation.
Solution:
- Add @SchemaValidation annotation to @Service.
- Endpoint Configuration: set WsdlLocation and ServiceName (needed
to prevent parser errors; see [1]).
Without those, CXF validates against generated classes and not
against the WSDL spec, and generated classes do not contain format
restrictions.
Add a testcase with an invalid delivery request ("rejectBothProfile-
AndCorporateBody") to ensure that the validator works.
[1] https://stackoverflow.com/questions/2231779/cxf-and-validation-schema-restrictions-ignored
|
|
|
|
- Implement own NamespacePrefixMapper that maps prefixes depending on
whether a msg or a mzs object is being marshaled.
- Namespaces are not hardcoded but extracted from jaxb's generated
sources (somewhat indirect, can be considered a hack, but there's no
public API to extract namespaces)
|
|
- Reason: Improves readability and makes import statetemens shorter
and more consistent
|
|
Add Optional "Config" to MZS Schema:
- Add mzs:DeliveryRequest/Config Element with a
"PerformQueryPersonRequest" node
- The config element contains parameters that are interpreted by
moa-zs and not forwarded to the ZD
- The boolean PerformQueryPersonRequest tells moa-zs if moa-zs should
perform a QueryPersonRequest towards the TNVZ.
- If config is missing, moa-zs augments the delivery request with
parameters from the app's configuartion or the default configuartion
Other Changes:
- Validate and augment incoming requests with the
DeliveryPreprocessor.
- Add stub for TlnvzClient.
- Remove some leftover ObjectFactory imports (because of the builder
they are not needed anymore)
Fixes
- Fixed incorrect API usage of Messageformat.format: format string
needs an index.
pom.xml
- Add Hamcrest Dependency (for writing more expressive tests)
- Add copy constructor to JAXB Builder
Testing
- Test validation of incoming request
- Refactor testcases to improve readability
|
|
|
