Merge branch 'develop'

Author: RasmusSoot

disain/controlcode.html

@@ -47,7 +47,7 @@ <h1 class="c-header__logo">
                 <div class="c-tab-login__main">
                     <div class="c-tab-login__content is-active" data-tab="mobile-id">
                         <div class="c-tab-login__content-wrap">
-                            <div class="c-tab-login__content-icon">
+                            <div class="c-tab-login__content-icon" aria-hidden="true">
                                 <svg class="icon icon-mobile-id"><use xlink:href="#icon-mobile-id"></use></svg>
                             </div>
                             <div class="c-tab-login__content-text">

disain/login.html

@@ -105,7 +105,7 @@ <h1 class="c-header__logo">
                     <!-- ID-card -->
                     <div class="c-tab-login__content is-active" data-tab="id-card">
                         <div class="c-tab-login__content-wrap">
-                            <div class="c-tab-login__content-icon">
+                            <div class="c-tab-login__content-icon" aria-hidden="true">
                                 <svg class="icon icon-id-card"><use xlink:href="#icon-id-card"></use></svg>
                             </div>
                             <div class="c-tab-login__content-text">
@@ -130,7 +130,7 @@ <h2>ID-kaart</h2>
                     <!-- Mobile-ID -->
                     <div class="c-tab-login__content" data-tab="mobile-id">
                         <div class="c-tab-login__content-wrap">
-                            <div class="c-tab-login__content-icon">
+                            <div class="c-tab-login__content-icon" aria-hidden="true">
                                 <svg class="icon icon-mobile-id"><use xlink:href="#icon-mobile-id"></use></svg>
                             </div>
                             <div class="c-tab-login__content-text">
@@ -189,7 +189,7 @@ <h2>Mobiil-ID</h2>
                     <!-- Banklink -->
                     <div class="c-tab-login__content" data-tab="bank-link">
                         <div class="c-tab-login__content-wrap">
-                            <div class="c-tab-login__content-icon">
+                            <div class="c-tab-login__content-icon" aria-hidden="true">
                                 <svg class="icon icon-bank-link"><use xlink:href="#icon-bank-link"></use></svg>
                             </div>
                             <div class="c-tab-login__content-text">
@@ -224,7 +224,7 @@ <h2>Pangalink</h2>
                     <!-- Smart-ID -->
                     <div class="c-tab-login__content" data-tab="smart-id">
                         <div class="c-tab-login__content-wrap">
-                            <div class="c-tab-login__content-icon">
+                            <div class="c-tab-login__content-icon" aria-hidden="true">
                                 <svg class="icon icon-smart-id"><use xlink:href="#icon-smart-id"></use></svg>
                             </div>
                             <div class="c-tab-login__content-text">
@@ -269,7 +269,7 @@ <h2>Smart-ID</h2>
                     <!-- EU Citizen -->
                     <div class="c-tab-login__content" data-tab="eu-citizen">
                         <div class="c-tab-login__content-wrap">
-                            <div class="c-tab-login__content-icon">
+                            <div class="c-tab-login__content-icon" aria-hidden="true">
                                 <svg class="icon icon-eu-citizen"><use xlink:href="#icon-eu-citizen"></use></svg>
                             </div>
                             <div class="c-tab-login__content-text">

disain/scripts/main/main.js

@@ -236,11 +236,13 @@ jQuery(function ($) {
 
 	function showAlert(alert) {
         alert.attr("role", "alert");
+	    alert.removeAttr("aria-hidden");
 	    alert.addClass('show');
 	}
 
     function hideAlert(alert) {
         alert.removeAttr("role");
+	    alert.attr("aria-hidden", "true");
         alert.removeClass('show');
     }
 

doc/Configuration.md

@@ -6,12 +6,13 @@
     <groupId>ee.ria.tara</groupId>
     <artifactId>tara-server</artifactId>
     <packaging>war</packaging>
-    <version>1.4.11</version>
+    <version>1.4.12</version>
 
     <properties>
         <cas.version>5.3.9</cas.version>
         <springboot.version>1.5.18.RELEASE</springboot.version>
         <banklink.version>2.1.15</banklink.version>
+        <jersey.version>2.28</jersey.version>
         <!-- app.server could be -jetty, -undertow, -tomcat, or blank if you plan to provide appserver -->
         <app.server>-tomcat</app.server>
         <maven.compiler.source>1.8</maven.compiler.source>
@@ -149,6 +150,14 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+
+            <!-- Force-override given dependency version used by mid-rest-java-client -->
+            <!-- At the moment version 2.27 is for some reason taken from spring, even tho jersey is only used by mid-rest-java-client and it has defined use of ${jersey.version}  -->
+            <dependency>
+                <groupId>org.glassfish.jersey.inject</groupId>
+                <artifactId>jersey-hk2</artifactId>
+                <version>${jersey.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
@@ -324,12 +333,21 @@
             <version>${banklink.version}</version>
         </dependency>
 
-        <!-- mobileid -->
+        <!-- Mobile-ID SOAP client -->
         <dependency>
             <groupId>com.codeborne</groupId>
             <artifactId>mobileid</artifactId>
-            <version>1.3</version>
+            <version>1.4</version>
         </dependency>
+
+        <!-- Mobile-ID REST client -->
+        <!-- NB! When updating must also update explicitly defined 'org.glassfish.jersey.inject.jersey-hk2' version -->
+        <dependency>
+            <groupId>ee.sk.mid</groupId>
+            <artifactId>mid-rest-java-client</artifactId>
+            <version>1.1</version>
+        </dependency>
+
         <dependency>
             <groupId>org.bouncycastle</groupId>
             <artifactId>bcprov-jdk15on</artifactId>

pom.xml

@@ -9,8 +9,8 @@
 public final class Constants {
 
     public static final String CERTIFICATE_SESSION_ATTRIBUTE = "Client-Certificate";
-    public static final String MOBILE_CHALLENGE = "mobileChallenge";
-    public static final String MOBILE_SESSION = "mobileSession";
+    public static final String MOBILE_ID_VERIFICATION_CODE = "mobileIdVerificationCode";
+    public static final String MOBILE_ID_AUTHENTICATION_SESSION = "mobileIdAuthenticationSession";
     public static final String AUTH_COUNT = "authCount";
     public static final String ERROR_MESSAGE = "TARA_ERROR_MESSAGE";
     public static final String EVENT_OUTSTANDING = "outstanding";
@@ -29,6 +29,7 @@ public final class Constants {
     public static final String MDC_ATTRIBUTE_OCSP_ID = "ocspUrl";
 
     public static final String TARA_OIDC_SESSION_SCOPES = "taraOidcSessionScopes";
+    public static final String TARA_OIDC_SESSION_SCOPE_EIDAS_COUNTRY = "taraOidcSessionScopeEidasCountry";
     public static final String TARA_OIDC_SESSION_CLIENT_ID = "taraOidcSessionClientId";
     public static final String TARA_OIDC_SESSION_REDIRECT_URI = "taraOidcSessionRedirectUri";
     public static final String TARA_OIDC_SESSION_AUTH_METHODS = "taraOidcSessionAllowedAuthMethods";

src/main/java/ee/ria/sso/Constants.java

@@ -1,7 +1,14 @@
 package ee.ria.sso.config;
 
+import ee.ria.sso.config.eidas.EidasConfigurationProvider;
 import ee.ria.sso.i18n.TaraLocaleChangeInterceptor;
-import ee.ria.sso.oidc.*;
+import ee.ria.sso.oidc.OidcAuthorizeRequestValidationServletFilter;
+import ee.ria.sso.oidc.OidcAuthorizeRequestValidator;
+import ee.ria.sso.oidc.TaraDefaultOAuthCodeFactory;
+import ee.ria.sso.oidc.TaraOidcAccessTokenEndpointController;
+import ee.ria.sso.oidc.TaraOidcAuthorizeEndpointController;
+import ee.ria.sso.oidc.TaraOidcIdTokenGeneratorService;
+import ee.ria.sso.oidc.TaraOidcServerDiscoverySettings;
 import org.apache.http.HttpStatus;
 import org.apereo.cas.audit.AuditableExecution;
 import org.apereo.cas.authentication.principal.PrincipalFactory;
@@ -32,7 +39,6 @@
 import org.apereo.cas.support.oauth.web.response.accesstoken.ext.BaseAccessTokenGrantRequestExtractor;
 import org.apereo.cas.support.oauth.web.response.callback.OAuth20AuthorizationResponseBuilder;
 import org.apereo.cas.support.oauth.web.views.ConsentApprovalViewResolver;
-import org.apereo.cas.support.oauth.web.views.OAuth20UserProfileViewRenderer;
 import org.apereo.cas.ticket.ExpirationPolicy;
 import org.apereo.cas.ticket.UniqueTicketIdGenerator;
 import org.apereo.cas.ticket.accesstoken.AccessTokenFactory;
@@ -56,7 +62,13 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.Ordered;
 
-import java.util.*;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
@@ -149,6 +161,9 @@ public class TaraOidcConfiguration {
     @Qualifier("consentApprovalViewResolver")
     private ConsentApprovalViewResolver consentApprovalViewResolver;
 
+    @Autowired
+    private EidasConfigurationProvider eidasConfigurationProvider;
+
     @Bean
     public OidcAuthorizeEndpointController oidcAuthorizeController() {
         return new TaraOidcAuthorizeEndpointController(
@@ -201,7 +216,7 @@ public TaraOidcServerDiscoverySettings getObject() {
                 final TaraOidcServerDiscoverySettings discoveryProperties =
                         new TaraOidcServerDiscoverySettings(taraProperties, casProperties, oidc.getIssuer());
                 discoveryProperties.setClaimsSupported(oidc.getClaims());
-                discoveryProperties.setScopesSupported(oidc.getScopes());
+                discoveryProperties.setScopesSupported(determineSupportedScopes(oidc.getScopes()));
                 discoveryProperties.setResponseTypesSupported(
                         Collections.singletonList(OAuth20ResponseTypes.CODE.getType()));
                 discoveryProperties.setSubjectTypesSupported(oidc.getSubjectTypes());
@@ -235,7 +250,7 @@ protected HttpAction unauthorized(J2EContext context, List<Client> currentClient
     public FilterRegistrationBean oidcAuthorizeCheckingServletFilter(OidcAuthorizeRequestValidator oidcAuthorizeRequestValidator) {
         final Map<String, String> initParams = new HashMap<>();
         final FilterRegistrationBean bean = new FilterRegistrationBean();
-        bean.setFilter(new OidcAuthorizeRequestValidationServletFilter(oidcAuthorizeRequestValidator));
+        bean.setFilter(new OidcAuthorizeRequestValidationServletFilter(oidcAuthorizeRequestValidator, eidasConfigurationProvider));
         bean.setUrlPatterns(Collections.singleton("/oidc/authorize"));
         bean.setInitParameters(initParams);
         bean.setName("oidcAuthorizeCheckingServletFilter");
@@ -261,4 +276,10 @@ private ExpirationPolicy oAuthCodeExpirationPolicy() {
                     oauth.getCode().getTimeToKillInSeconds());
         }
     }
+
+    private List<String> determineSupportedScopes(List<String> oidcScopes) {
+        return Stream.of(oidcScopes, eidasConfigurationProvider.getAllowedEidasCountryScopeAttributes())
+                .flatMap(Collection::stream)
+                .collect(Collectors.collectingAndThen(Collectors.toList(), Collections::unmodifiableList));
+    }
 }

src/main/java/ee/ria/sso/config/TaraOidcConfiguration.java

@@ -1,6 +1,7 @@
 package ee.ria.sso.config.eidas;
 
 import ee.ria.sso.config.TaraResourceBundleMessageSource;
+import ee.ria.sso.oidc.TaraScopeValuedAttributeName;
 import ee.ria.sso.utils.CountryCodeUtil;
 import lombok.Getter;
 import lombok.Setter;
@@ -50,6 +51,8 @@ public class EidasConfigurationProvider {
 
     private List<String> listOfCountries;
 
+    private List<String> allowedEidasCountryScopeAttributes;
+
     private boolean clientCertificateEnabled;
 
     private String clientCertificateKeystore;
@@ -68,6 +71,7 @@ public void init() {
         }
 
         listOfCountries = parseAvailableCountries(availableCountries);
+        allowedEidasCountryScopeAttributes = constructEidasCountryScopeAttributes(listOfCountries);
     }
 
     private static List<String> parseAvailableCountries(String input) {
@@ -79,6 +83,12 @@ private static List<String> parseAvailableCountries(String input) {
         return countryCodes;
     }
 
+    private List<String> constructEidasCountryScopeAttributes(List<String> allowedCountryCodes) {
+        return allowedCountryCodes.stream()
+                .map(countryCode -> TaraScopeValuedAttributeName.EIDAS_COUNTRY.getFormalName() + ":" + countryCode.toLowerCase())
+                .collect(Collectors.toList());
+    }
+
     private static void validateCountryCodes(List<String> countryCodes) {
         for (String countryCode : countryCodes) {
             Assert.isTrue(CountryCodeUtil.isValidCountryCode(countryCode), "Invalid ISO 3166-1 alpha-2 country code '" + countryCode + "'");

src/main/java/ee/ria/sso/config/eidas/EidasConfigurationProvider.java

@@ -0,0 +1,72 @@
+package ee.ria.sso.config.mobileid;
+
+import ee.ria.sso.service.mobileid.MobileIDAuthenticationClient;
+import ee.ria.sso.service.mobileid.MobileIDAuthenticationService;
+import ee.ria.sso.service.mobileid.rest.MobileIDRESTAuthClient;
+import ee.ria.sso.service.mobileid.soap.MobileIDAuthenticatorWrapper;
+import ee.ria.sso.service.mobileid.soap.MobileIDSOAPAuthClient;
+import ee.ria.sso.statistics.StatisticsHandler;
+import ee.sk.mid.MidClient;
+import ee.sk.mid.rest.MidLoggingFilter;
+import lombok.extern.slf4j.Slf4j;
+import org.glassfish.jersey.client.ClientConfig;
+import org.glassfish.jersey.client.ClientProperties;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@ConditionalOnProperty("mobile-id.enabled")
+@Configuration
+@Slf4j
+public class MobileIDConfiguration {
+
+    @Autowired
+    private StatisticsHandler statisticsHandler;
+
+    @Autowired
+    private MobileIDConfigurationProvider configurationProvider;
+
+    @Bean
+    public MobileIDAuthenticationClient constructAuthenticationClient() {
+        if (configurationProvider.isUseDdsService()) {
+            log.info("Initializing SOAP protocol based authentication client for DDS Mobile-ID service");
+            return new MobileIDSOAPAuthClient(mobileIDAuthenticatorWrapper());
+        } else {
+            log.info("Initializing REST protocol based authentication client for Mobile-ID REST service");
+            return new MobileIDRESTAuthClient(configurationProvider, midClient());
+        }
+    }
+
+    @Bean
+    public MobileIDAuthenticationService mobileIDAuthenticationService() {
+        return new MobileIDAuthenticationService(
+                statisticsHandler, configurationProvider, constructAuthenticationClient());
+    }
+
+    private MobileIDAuthenticatorWrapper mobileIDAuthenticatorWrapper() {
+        MobileIDAuthenticatorWrapper authenticator = new MobileIDAuthenticatorWrapper();
+        authenticator.setDigidocServiceURL(configurationProvider.getHostUrl());
+        authenticator.setLoginMessage(configurationProvider.getMessageToDisplay());
+        authenticator.setServiceName(configurationProvider.getServiceName());
+        return authenticator;
+    }
+
+    private MidClient midClient() {
+        return MidClient.newBuilder()
+                .withHostUrl(configurationProvider.getHostUrl())
+                .withRelyingPartyUUID(configurationProvider.getRelyingPartyUuid())
+                .withRelyingPartyName(configurationProvider.getRelyingPartyName())
+                .withNetworkConnectionConfig(clientConfig())
+                .withLongPollingTimeoutSeconds(configurationProvider.getSessionStatusSocketOpenDuration())
+                .build();
+    }
+
+    private ClientConfig clientConfig() {
+        ClientConfig clientConfig = new ClientConfig();
+        clientConfig.property(ClientProperties.CONNECT_TIMEOUT, configurationProvider.getConnectionTimeout());
+        clientConfig.property(ClientProperties.READ_TIMEOUT, configurationProvider.getReadTimeout());
+        clientConfig.register(new MidLoggingFilter());
+        return clientConfig;
+    }
+}