
Example 1 with TrustChain

use of it.spid.cie.oidc.model.TrustChain in project spid-cie-oidc-java by italia.

the class RelyingPartyHandler method getSPIDProvider.

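/**
 * Resolves the trust chain for an OpenID Provider, validating the trust anchor
 * it is resolved through.
 *
 * <p>Trust-anchor resolution order: the explicit {@code trustAnchor}, then the
 * anchor configured for {@code spidProvider} in {@code options.getSPIDProviders()},
 * then {@code options.getDefaultTrustAnchor()}. Whatever is chosen must be in
 * {@code options.getTrustAnchors()}, otherwise
 * {@link TrustChainException.InvalidTrustAnchor} is thrown. This is the only
 * allow-list check applied to a caller-supplied anchor before it reaches
 * {@link #getOrCreateTrustChain}, which performs none of its own.
 *
 * <p>A persisted chain is reused while active and unexpired; a missing or
 * expired chain is (re)built with {@code force = true}. A persisted chain that
 * is inactive (disabled) is never rebuilt here -- it is an error.
 *
 * @param spidProvider federation subject of the OpenID Provider; required
 * @param trustAnchor trust anchor to resolve through; may be empty (see above)
 * @return the active, unexpired trust chain; may be {@code null} if the rebuild
 *         in {@link #getOrCreateTrustChain} returns {@code null}
 * @throws OIDCException {@code MissingProvider} when {@code spidProvider} is
 *         empty, {@code InvalidTrustAnchor} when the resolved anchor is not
 *         allow-listed, {@code TrustChainDisabled} when the stored chain is
 *         inactive, plus whatever {@link #getOrCreateTrustChain} throws
 */
protected TrustChain getSPIDProvider(String spidProvider, String trustAnchor) throws OIDCException {
    if (Validator.isNullOrEmpty(spidProvider)) {
        if (logger.isWarnEnabled()) {
            logger.warn(TrustChainException.MissingProvider.DEFAULT_MESSAGE);
        }
        throw new TrustChainException.MissingProvider();
    }

    if (Validator.isNullOrEmpty(trustAnchor)) {
        trustAnchor = options.getSPIDProviders().get(spidProvider);
        if (Validator.isNullOrEmpty(trustAnchor)) {
            trustAnchor = options.getDefaultTrustAnchor();
        }
    }
    // Allow-list check: applies to explicit, per-provider and default anchors alike.
    if (!options.getTrustAnchors().contains(trustAnchor)) {
        if (logger.isWarnEnabled()) {
            logger.warn(TrustChainException.InvalidTrustAnchor.DEFAULT_MESSAGE);
        }
        throw new TrustChainException.InvalidTrustAnchor();
    }

    TrustChain trustChain = persistence.fetchTrustChain(spidProvider, trustAnchor);
    boolean discover;
    if (trustChain == null) {
        logger.info("TrustChain not found for {}", spidProvider);
        discover = true;
    } else if (!trustChain.isActive()) {
        // A disabled chain is an operator decision: fail, do not silently re-resolve.
        String msg = TrustChainException.TrustChainDisabled.getDefualtMessage(trustChain.getModifiedDate());
        if (logger.isWarnEnabled()) {
            logger.warn(msg);
        }
        throw new TrustChainException.TrustChainDisabled(msg);
    } else if (trustChain.isExpired()) {
        // Parameterized logging: no String.format/toString() on a possibly-null date.
        logger.warn("TrustChain found but EXPIRED at {}.", trustChain.getExpiresOn());
        logger.warn("Try to renew the trust chain");
        discover = true;
    } else {
        discover = false;
    }

    if (discover) {
        // force = true: the trust anchor's entity configuration is re-fetched as well.
        trustChain = getOrCreateTrustChain(spidProvider, trustAnchor, OIDCConstants.OPENID_PROVIDER, true);
    }
    return trustChain;
}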

Example 2 with TrustChain

use of it.spid.cie.oidc.model.TrustChain in project spid-cie-oidc-java by italia.

the class RelyingPartyHandler method getOrCreateTrustChain.

/**
 * Fetches the stored trust chain for {@code subject} rooted at {@code trustAnchor},
 * or (re)builds it through a {@code TrustChainBuilder} and persists the result.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>this method does NOT check {@code trustAnchor} against the configured
 *       allow-list ({@code options.getTrustAnchors()}); the anchor's entity
 *       configuration is fetched by identifier via
 *       {@code EntityHelper.getEntityConfiguration(trustAnchor)} (presumably a
 *       remote fetch -- confirm), so only pass anchors validated upstream, as
 *       {@code getSPIDProvider} does;</li>
 *   <li>the trust decision is {@code tcb.isValid()} after {@code start()}; an
 *       invalid chain, or one without {@code metadataType} metadata, is an
 *       exception -- a chain is never stored with a degraded status;</li>
 *   <li>a chain already stored as inactive is returned as {@code null} and not
 *       rebuilt -- callers must null-check;</li>
 *   <li>{@code force = true} re-fetches the trust anchor's entity configuration
 *       even when the cached copy is unexpired.</li>
 * </ul>
 *
 * @param subject federation subject whose chain is wanted
 * @param trustAnchor trust anchor to root the chain at (allow-listed by the caller)
 * @param metadataType federation metadata type the chain must carry (e.g. openid_provider)
 * @param force re-fetch the trust anchor's entity configuration unconditionally
 * @return the stored, active chain, or {@code null} when the stored chain is inactive
 * @throws OIDCException {@code InvalidTrustChain} / {@code MissingMetadata} from the
 *         builder outcome, or whatever the entity fetch and JWT parsing throw
 */
protected TrustChain getOrCreateTrustChain(String subject, String trustAnchor, String metadataType, boolean force) throws OIDCException {
    // Cache lookup keyed (trustAnchor, trustAnchor): the anchor is its own issuer.
    CachedEntityInfo trustAnchorEntity = persistence.fetchEntityInfo(trustAnchor, trustAnchor);
    EntityConfiguration taConf;
    if (trustAnchorEntity == null || trustAnchorEntity.isExpired() || force) {
        // The anchor's statement is obtained by identifier; parsing/verification of the
        // JWT is delegated to EntityConfiguration (assumed -- not visible here).
        String jwt = EntityHelper.getEntityConfiguration(trustAnchor);
        taConf = new EntityConfiguration(jwt, jwtHelper);
        if (trustAnchorEntity == null) {
            // NOTE(review): stored with (trustAnchor, subject) but looked up above with
            // (trustAnchor, trustAnchor) -- confirm the second argument of
            // CachedEntityInfo.of is not part of the lookup key, otherwise this entry is
            // never found again and every call re-fetches the anchor.
            trustAnchorEntity = CachedEntityInfo.of(trustAnchor, subject, taConf.getExpiresOn(), taConf.getIssuedAt(), taConf.getPayload(), taConf.getJwt());
            trustAnchorEntity = persistence.storeEntityInfo(trustAnchorEntity);
        } else {
            // Refresh the existing cache row in place with the freshly fetched statement.
            trustAnchorEntity.setModifiedDate(LocalDateTime.now());
            trustAnchorEntity.setExpiresOn(taConf.getExpiresOn());
            trustAnchorEntity.setIssuedAt(taConf.getIssuedAt());
            trustAnchorEntity.setStatement(taConf.getPayload());
            trustAnchorEntity.setJwt(taConf.getJwt());
            trustAnchorEntity = persistence.storeEntityInfo(trustAnchorEntity);
        }
    } else {
        // Unexpired cached copy: rebuild the configuration object from the stored row.
        taConf = EntityConfiguration.of(trustAnchorEntity, jwtHelper);
    }
    // A chain that was explicitly disabled is left alone (see return contract above).
    TrustChain trustChain = persistence.fetchTrustChain(subject, trustAnchor);
    if (trustChain != null && !trustChain.isActive()) {
        return null;
    } else {
        // Resolve and validate the chain from subject up to the trust anchor.
        TrustChainBuilder tcb = new TrustChainBuilder(subject, metadataType, jwtHelper).setTrustAnchor(taConf).start();
        if (!tcb.isValid()) {
            String msg = String.format("Trust Chain for subject %s or trust_anchor %s is not valid", subject, trustAnchor);
            throw new TrustChainException.InvalidTrustChain(msg);
        } else if (Validator.isNullOrEmpty(tcb.getFinalMetadata())) {
            String msg = String.format("Trust chain for subject %s and trust_anchor %s doesn't have any " + "metadata of type '%s'", subject, trustAnchor, metadataType);
            throw new TrustChainException.MissingMetadata(msg);
        } else {
            // NOTE(review): leftover debug-style message.
            logger.info("KK TCB is valid");
        }
        // Three-argument lookup (includes metadataType), unlike the two-argument one above.
        trustChain = persistence.fetchTrustChain(subject, trustAnchor, metadataType);
        if (trustChain == null) {
            // New chain: stored active/"valid" with the expiry computed by the builder.
            trustChain = new TrustChain().setSubject(subject).setType(metadataType).setExpiresOn(tcb.getExpiresOn()).setChain(tcb.getChainAsString()).setPartiesInvolved(tcb.getPartiesInvolvedAsString()).setProcessingStart(LocalDateTime.now()).setActive(true).setMetadata(tcb.getFinalMetadata()).setTrustAnchor(trustAnchor).setTrustMarks(tcb.getVerifiedTrustMarksAsString()).setStatus("valid");
        } else {
            // Existing (e.g. expired) chain: overwritten in place with the new resolution.
            trustChain = trustChain.setExpiresOn(tcb.getExpiresOn()).setChain(tcb.getChainAsString()).setPartiesInvolved(tcb.getPartiesInvolvedAsString()).setProcessingStart(LocalDateTime.now()).setActive(true).setMetadata(tcb.getFinalMetadata()).setTrustAnchor(trustAnchor).setTrustMarks(tcb.getVerifiedTrustMarksAsString()).setStatus("valid");
        }
        trustChain = persistence.storeTrustChain(trustChain);
    }
    return trustChain;
}

Example 3 with TrustChain

use of it.spid.cie.oidc.model.TrustChain in project spid-cie-oidc-java by italia.

the class TrustChainModel method toTrustChain.

/**
 * Copies this persistence model into a {@link TrustChain} domain object.
 *
 * <p>Every persisted column is copied as-is, including the {@code active} and
 * {@code status} values that downstream code uses for trust decisions. The
 * trust anchor is taken from {@code trustAnchorModel}'s subject when a model is
 * supplied; otherwise the chain's trust anchor is left unset.
 *
 * @param trustAnchorModel persisted entity info of the trust anchor, may be {@code null}
 * @return a new {@link TrustChain} populated from this model
 */
public TrustChain toTrustChain(EntityInfoModel trustAnchorModel) {
    TrustChain chain = new TrustChain();

    // Identity and lifecycle columns.
    chain.setStorageId(getStorageId());
    chain.setSubject(getSub());
    chain.setType(getType());
    chain.setCreateDate(getCreated());
    chain.setModifiedDate(getModified());
    chain.setProcessingStart(getProcessingStart());

    // Validity window and state flags.
    chain.setIssuedAt(getIat());
    chain.setExpiresOn(getExp());
    chain.setActive(isActive());
    chain.setStatus(getStatus());

    // Material gathered while the chain was resolved.
    chain.setChain(getChain());
    chain.setPartiesInvolved(getPartiesInvolved());
    chain.setMetadata(getMetadata());
    chain.setLog(getLog());
    // The model getter is spelled "getTrustMasks"; it feeds the chain's trust marks.
    chain.setTrustMarks(getTrustMasks());

    if (trustAnchorModel != null) {
        chain.setTrustAnchor(trustAnchorModel.getSub());
    }
    return chain;
}

Example 4 with TrustChain

use of it.spid.cie.oidc.model.TrustChain in project spid-cie-oidc-java by italia.

the class RelyingPartyHandler method getAuthorizeURL.

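/**
 * Build the "authorize url": the URL a RelyingParty have to send to an OpenID
 * Provider to start a SPID authorization flow.
 *
 * <p>Security-relevant steps, in order:
 * <ul>
 *   <li>the OP metadata comes from the trust chain resolved (and anchor
 *       allow-listed) by {@link #getSPIDProvider}, never from caller input;</li>
 *   <li>a {@code redirectUri} that is not registered in this RP's own metadata
 *       is replaced by the first registered one (logged at WARN), so the
 *       request never carries an unregistered redirect target;</li>
 *   <li>{@code state}, {@code nonce} and a PKCE verifier/challenge pair are
 *       generated per request and persisted with the pending
 *       {@link AuthnRequest} before the URL is built; the verifier is stripped
 *       from the outgoing request object and only the challenge is sent;</li>
 *   <li>the request parameters are signed (JWS) with this RP's own JWKS and
 *       sent as a {@code request} object.</li>
 * </ul>
 *
 * @param spidProvider identifier (federation subject) of the OpenID Provider
 * @param trustAnchor trust anchor to resolve the provider through; when empty
 *        the configured one is used (see {@link #getSPIDProvider})
 * @param redirectUri requested redirect_uri; must be one of the RP's
 *        registered redirect_uris, otherwise the first registered one is used
 * @param scope requested scope, defaults to {@code OIDCConstants.SCOPE_OPENID}
 * @param profile requested claims profile, defaults to SPID
 * @param prompt OIDC prompt value, defaults to {@code "consent login"}
 * @return the fully built authorization URL
 * @throws OIDCException when the trust chain, provider metadata or this RP's
 *         own federation configuration is missing, inactive or incomplete
 */
public String getAuthorizeURL(String spidProvider, String trustAnchor, String redirectUri, String scope, String profile, String prompt) throws OIDCException {
    // TODO: CIE could reuse this flow?
    if (Validator.isNullOrEmpty(profile)) {
        profile = OIDCProfile.SPID.getValue();
    }

    // Provider metadata is only ever taken from a validated trust chain.
    TrustChain tc = getSPIDProvider(spidProvider, trustAnchor);
    if (tc == null) {
        throw new OIDCException("TrustChain is unavailable");
    }
    // A malformed metadata blob raises an unchecked JSONException, which propagates
    // unchanged (the former catch-and-rethrow added nothing).
    JSONObject providerMetadata = new JSONObject(tc.getMetadata());
    if (providerMetadata.isEmpty()) {
        throw new OIDCException("Provider metadata is empty");
    }

    // This RP's own federation entity: metadata and signing keys.
    FederationEntity entityConf = persistence.fetchFederationEntity(OIDCConstants.OPENID_RELYING_PARTY);
    if (entityConf == null || !entityConf.isActive()) {
        throw new OIDCException("Missing configuration");
    }
    JSONObject entityMetadata = entityConf.getMetadataValue(OIDCConstants.OPENID_RELYING_PARTY);
    if (entityMetadata.isEmpty()) {
        throw new OIDCException("Entity metadata is empty");
    }
    JWKSet entityJWKSet = JWTHelper.getJWKSetFromJSON(entityConf.getJwks());
    if (entityJWKSet.getKeys().isEmpty()) {
        throw new OIDCException("Entity with invalid or empty jwks");
    }

    JWKSet providerJWKSet = JWTHelper.getMetadataJWKSet(providerMetadata);
    String authzEndpoint = providerMetadata.getString("authorization_endpoint");

    // redirect_uri must be one this RP registered; anything else is replaced by the
    // first registered value rather than forwarded (open-redirect guard).
    JSONArray entityRedirectUris = entityMetadata.getJSONArray("redirect_uris");
    if (entityRedirectUris.isEmpty()) {
        throw new OIDCException("Entity has no redirect_uris");
    }
    if (Validator.isNullOrEmpty(redirectUri)) {
        redirectUri = entityRedirectUris.getString(0);
    } else if (!JSONUtil.contains(entityRedirectUris, redirectUri)) {
        logger.warn("Requested for unknown redirect uri '{}'. Reverted to default '{}'", redirectUri, entityRedirectUris.getString(0));
        redirectUri = entityRedirectUris.getString(0);
    }

    if (Validator.isNullOrEmpty(scope)) {
        scope = OIDCConstants.SCOPE_OPENID;
    }
    // Only reachable if OIDCProfile.SPID.getValue() is itself empty (profile was
    // defaulted above); kept for parity with the original fallback.
    if (Validator.isNullOrEmpty(profile)) {
        profile = options.getAcrValue(OIDCProfile.SPID);
    }
    if (Validator.isNullOrEmpty(prompt)) {
        prompt = "consent login";
    }

    String responseType = entityMetadata.getJSONArray("response_types").getString(0);
    // Fresh per-request CSRF/replay binders; UUID.randomUUID() is documented as using
    // a cryptographically strong PRNG.
    String nonce = UUID.randomUUID().toString();
    String state = UUID.randomUUID().toString();
    String clientId = entityMetadata.getString("client_id");
    long issuedAt = LocalDateTime.now().toEpochSecond(ZoneOffset.UTC);
    String[] aud = new String[] { tc.getSubject(), authzEndpoint };
    JSONObject claims = getRequestedClaims(profile);
    JSONObject pkce = PKCEHelper.getPKCE();
    // NOTE(review): acr_values is always the SPID value regardless of `profile`;
    // `profile` only drives the requested claims. Revisit if CIE reuses this flow.
    String acr = options.getAcrValue(OIDCProfile.SPID);

    JSONObject authzData = new JSONObject().put("scope", scope).put("redirect_uri", redirectUri).put("response_type", responseType).put("nonce", nonce).put("state", state).put("client_id", clientId).put("endpoint", authzEndpoint).put("acr_values", acr).put("iat", issuedAt).put("aud", JSONUtil.asJSONArray(aud)).put("claims", claims).put("prompt", prompt).put("code_verifier", pkce.getString("code_verifier")).put("code_challenge", pkce.getString("code_challenge")).put("code_challenge_method", pkce.getString("code_challenge_method"));

    // The pending request -- including the PKCE code_verifier, a secret at rest -- is
    // persisted first so the callback can bind `state` to the provider's keys/config.
    AuthnRequest authzEntry = new AuthnRequest().setClientId(clientId).setState(state).setEndpoint(authzEndpoint).setProvider(tc.getSubject()).setProviderId(tc.getSubject()).setData(authzData.toString()).setProviderJwks(providerJWKSet.toString()).setProviderConfiguration(providerMetadata.toString());
    authzEntry = persistence.storeOIDCAuthnRequest(authzEntry);

    // Only the challenge leaves the RP; the verifier stays in persistence.
    authzData.remove("code_verifier");
    authzData.put("iss", clientId);
    authzData.put("sub", clientId);
    String requestObj = jwtHelper.createJWS(authzData, entityJWKSet);
    authzData.put("request", requestObj);
    String url = buildURL(authzEndpoint, authzData);
    // NOTE(review): the full URL (state, nonce and the signed request object) lands in
    // the INFO log; consider logging only authzEndpoint at this level.
    logger.info("Starting Authn request to {}", url);
    return url;
}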
