Merge branch 'develop'

doc/Configuration.md

@@ -23,6 +23,7 @@ _CAS tarkvaras tehtud kohanduste ja täienduste kirjeldus._
   * [2.12 Client secret handling](#oidc_client_secret)
   * [2.13 Always force re-authentication](#oidc_force_reauthentication)
   * [2.14 Default authentication methods on login page](#default_auth_methods)
+  * [2.15 Assigning eIDAS level of assurance to domestic authentication methods](#eidas_auth_methods_loa)
 - [3. TARA truststore](#tara_truststore)
   * [3.1 Mobile-ID CA certs](#dds_ca_certs)
   * [3.2 Smart-ID CA certs](#smart-id_ca_certs)
@@ -778,7 +779,7 @@ oidc.authorize.force-auth-renewal.enabled=false
 ### 2.14 Default list of authentication methods
 Change the list of authentication methods displayed to the user on the Login page by default.
 
-Table 2.14.1 - Parameters used to spec 
+Table 2.14.1 - Parameters used to specify the list of default authentication methods 
 
 | Property        | Mandatory | Description |
 | :---------------- | :---------- | :----------------|
@@ -790,6 +791,25 @@ Example:
 tara.default-authentication-methods=idcard, mobileid, eidas, banklink, smartid
 ````    
 
+<a name="eidas_auth_methods_loa"></a>
+### 2.15 Assigning eIDAS level of assurance to domestic authentication methods
+
+Explicitly specifying the level of assurance for domestic authentication methods allows TARA clients to filter the domestic authentication methods displayed to the user by acr_values parameter. In addition, assigning a level of assurance for domestic authenticatiom method also adds the `acr` claim to the id-token issued by TARA.  
+
+Table 2.15.1 - Parameters to specify the level of assurance for domestic authentication methods. 
+
+| Property        | Mandatory | Description |
+| :---------------- | :---------- | :----------------|
+| `tara.authentication-methods-loa-map.<auth method>` | N | <p>The `<auth method>` in the configuration parameter template can have values: `idcard`, `mobileid`, `banklink`, `smartid`.</p> <p>Valid values for a parameter are: `low`, `substantial`, `high` </p>. |
+
+Example:
+
+````
+tara.authentication-methods-loa-map.idcard=high
+tara.authentication-methods-loa-map.mobileid=high
+tara.authentication-methods-loa-map.banklink=low
+tara.authentication-methods-loa-map.smartid=substantial
+````
 
 <a name="tara_truststore"></a>
 ## 3. TARA truststore

pom.xml

@@ -6,7 +6,7 @@
     <groupId>ee.ria.tara</groupId>
     <artifactId>tara-server</artifactId>
     <packaging>war</packaging>
-    <version>1.4.16</version>
+    <version>1.5.0</version>
 
     <properties>
         <cas.version>5.3.15.1</cas.version>
@@ -138,7 +138,7 @@
             <dependency>
                 <groupId>com.fasterxml.jackson.core</groupId>
                 <artifactId>jackson-databind</artifactId>
-                <version>2.9.10.3</version>
+                <version>2.9.10.4</version>
             </dependency>
 
             <!-- Override dependency needed for mid-rest-java-client -->

src/main/java/ee/ria/sso/authentication/TaraAuthenticationHandler.java

@@ -1,9 +1,11 @@
 package ee.ria.sso.authentication;
 
 import ee.ria.sso.authentication.credential.TaraCredential;
+import ee.ria.sso.config.TaraProperties;
 import ee.ria.sso.service.eidas.EidasCredential;
 import ee.ria.sso.service.idcard.IdCardCredential;
 import ee.ria.sso.utils.EstonianIdCodeUtil;
+import lombok.extern.slf4j.Slf4j;
 import org.apereo.cas.authentication.AuthenticationHandlerExecutionResult;
 import org.apereo.cas.authentication.Credential;
 import org.apereo.cas.authentication.PreventedException;
@@ -19,8 +21,11 @@
 
 public class TaraAuthenticationHandler extends AbstractPreAndPostProcessingAuthenticationHandler {
 
-    public TaraAuthenticationHandler(ServicesManager servicesManager, PrincipalFactory principalFactory, Integer order) {
+    private TaraProperties taraProperties;
+
+    public TaraAuthenticationHandler(ServicesManager servicesManager, PrincipalFactory principalFactory, Integer order, TaraProperties taraProperties) {
         super("", servicesManager, principalFactory, order);
+        this.taraProperties = taraProperties;
     }
 
     @Override
@@ -35,6 +40,10 @@ protected AuthenticationHandlerExecutionResult doAuthentication(Credential crede
             TaraCredential taraCredential = (TaraCredential) credential;
             final Map<String, Object> principalAttributes = getMandatoryPrincipalParameters(taraCredential);
 
+            if (isLoaDefinedByConf(taraCredential.getType())) {
+                principalAttributes.put(ACR.name(), taraProperties.getAuthenticationMethodsLoaMap().get(taraCredential.getType()).getAcrName());
+            }
+
             if (credential instanceof IdCardCredential && ((IdCardCredential)taraCredential).getEmail() != null) {
                 principalAttributes.put(EMAIL.name(), ((IdCardCredential)taraCredential).getEmail());
                 principalAttributes.put(EMAIL_VERIFIED.name(), ((IdCardCredential)taraCredential).getEmailVerified());
@@ -49,6 +58,11 @@ protected AuthenticationHandlerExecutionResult doAuthentication(Credential crede
         return null;
     }
 
+    private boolean isLoaDefinedByConf(AuthenticationType type) {
+        return taraProperties != null && taraProperties.getAuthenticationMethodsLoaMap() != null
+                && taraProperties.getAuthenticationMethodsLoaMap().containsKey(type);
+    }
+
     private Map<String, Object> getMandatoryPrincipalParameters(TaraCredential taraCredential) {
         Assert.noNullElements(new Object[] {
                 taraCredential.getPrincipalCode(),

src/main/java/ee/ria/sso/config/TaraConfiguration.java

@@ -20,10 +20,7 @@
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.ApplicationContext;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.context.annotation.EnableAspectJAutoProxy;
+import org.springframework.context.annotation.*;
 import org.springframework.web.servlet.LocaleResolver;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;
 import org.springframework.web.servlet.i18n.LocaleChangeInterceptor;
@@ -128,9 +125,12 @@ public class TaraAuthenticationEventExecutionPlanConfiguration
         @Qualifier("taraPrincipalFactory")
         private PrincipalFactory taraPrincipalFactory;
 
+        @Autowired
+        private TaraProperties taraProperties;
+
         @Bean
         public AuthenticationHandler taraAuthenticationHandler() {
-            return new TaraAuthenticationHandler(this.servicesManager, taraPrincipalFactory, 1);
+            return new TaraAuthenticationHandler(this.servicesManager, taraPrincipalFactory, 1, taraProperties);
         }
 
         @Override

src/main/java/ee/ria/sso/config/TaraProperties.java

@@ -1,6 +1,7 @@
 package ee.ria.sso.config;
 
 import ee.ria.sso.authentication.AuthenticationType;
+import ee.ria.sso.authentication.LevelOfAssurance;
 import lombok.AccessLevel;
 import lombok.Data;
 import lombok.Getter;
@@ -10,9 +11,10 @@
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.core.env.Environment;
 
-import java.util.ArrayList;
+import javax.annotation.PostConstruct;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Map;
 
 @Data
 @ConfigurationProperties("tara")
@@ -26,6 +28,8 @@ public class TaraProperties {
     @Value("${env.test.message:#{null}}")
     private String testEnvironmentWarningMessage;
 
+    private Map<AuthenticationType, LevelOfAssurance> authenticationMethodsLoaMap;
+
     private List<AuthenticationType> defaultAuthenticationMethods = Arrays.asList(
             AuthenticationType.IDCard,
             AuthenticationType.MobileID);
@@ -34,6 +38,13 @@ public class TaraProperties {
     @Setter(AccessLevel.NONE)
     private final Environment environment;
 
+    @PostConstruct
+    public void validateConfiguration() {
+        if (authenticationMethodsLoaMap != null && authenticationMethodsLoaMap.containsKey(AuthenticationType.eIDAS))
+            throw new IllegalStateException("Please check your configuration! Level of assurance (LoA) cannot be configured for eIDAS authentication method! NB! The proper LoA for eIDAS authentication is determined from the eIDAS authentication response directly.");
+
+    }
+
     public boolean isPropertyEnabled(final String propertyName) {
         return StringUtils.isNotBlank(propertyName) && "true".equals(
                 this.environment.getProperty(propertyName, (String) null)

src/main/java/ee/ria/sso/flow/ThymeleafSupport.java

@@ -13,6 +13,7 @@
 import org.apereo.cas.services.OidcRegisteredService;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
 import org.springframework.web.util.UriComponentsBuilder;
+import org.springframework.webflow.core.collection.SharedAttributeMap;
 import org.springframework.webflow.execution.RequestContextHolder;
 
 import javax.servlet.http.HttpServletRequest;
@@ -32,31 +33,35 @@ public class ThymeleafSupport {
     private final String defaultLocaleChangeParam;
 
     public boolean isAuthMethodAllowed(final AuthenticationType method) {
-        if (method != null && taraProperties.isPropertyEnabled(method.getPropertyName() + ".enabled")) {
-            final Object attribute = RequestContextHolder.getRequestContext().getExternalContext()
-                    .getSessionMap().get(Constants.TARA_OIDC_SESSION_AUTH_METHODS);
-
-            if (attribute == null) {
-                return true; // TODO: only needed for cas management
-            } else if (attribute instanceof List) {
-                return ((List) attribute).contains(method);
-            }
-        }
+        if (method == null)
+            return false;
 
-        return false;
+        SharedAttributeMap<Object> sessionMap = RequestContextHolder.getRequestContext().getExternalContext().getSessionMap();
+        final List<AuthenticationType> clientSpecificAuthMethodList = sessionMap.get(Constants.TARA_OIDC_SESSION_AUTH_METHODS, List.class);
+
+        if (clientSpecificAuthMethodList != null) {
+            return clientSpecificAuthMethodList.contains(method);
+        } else {
+            return true; // client specific auth method list is not supported (ie cas-management)
+        }
     }
 
     public boolean isNotLocale(String code, Locale locale) {
         return !locale.getLanguage().equalsIgnoreCase(code);
     }
 
     public String getLocaleUrl(String locale) throws URISyntaxException {
-        UriComponentsBuilder builder = ServletUriComponentsBuilder.fromCurrentRequest().replaceQueryParam(defaultLocaleChangeParam, locale);
-        URI serverUri = new URI(this.casProperties.getServer().getName());
-        if ("https".equalsIgnoreCase(serverUri.getScheme())) {
-            builder.port((serverUri.getPort() == -1) ? 443 : serverUri.getPort());
+        try {
+            UriComponentsBuilder builder = ServletUriComponentsBuilder.fromCurrentRequest().replaceQueryParam(defaultLocaleChangeParam, locale);
+            URI serverUri = new URI(this.casProperties.getServer().getName());
+            if ("https".equalsIgnoreCase(serverUri.getScheme())) {
+                builder.port((serverUri.getPort() == -1) ? 443 : serverUri.getPort());
+            }
+            return builder.scheme(serverUri.getScheme()).host(serverUri.getHost()).build(true).toUriString();
+        } catch (Exception e) {
+            log.warn("Failed to create the locale change URL: " + e.getMessage(), e);
+            return "#";
         }
-        return builder.scheme(serverUri.getScheme()).host(serverUri.getHost()).build(true).toUriString();
     }
 
     public boolean isEidasOnlyDirect(Map<String, Object> sessionAttributes) {