Merge pull request #2 from curityio/signicat-java-lib

Implementation using the Signicat Java Connector

Author: travisspencer

README.md

@@ -0,0 +1,98 @@
+Signicat Authenticator Plug-in
+==============================
+ 
+.. image:: https://travis-ci.org/curityio/signicat-authenticator.svg?branch=master
+    :target: https://travis-ci.org/curityio/signicat-authenticator
+
+An authenticator that uses the Signicat signing service to do authentication
+This project provides an opens source Signicat Authenticator plug-in for the Curity Identity Server. This allows an administrator to add functionality to Curity which will then enable end users to login using their Signicat credentials -- or more exactly -- the credentials of some E-ID provider, like BankID or NemID. The app that integrates with Curity will be provided with all of the attributes released by the user at Signicat, including the user's personal number and other biographical information.
+
+System Requirements
+~~~~~~~~~~~~~~~~~~~
+
+Curity Identity Server 2.4.0 and `its system requirements <https://developer.curity.io/docs/latest/system-admin-guide/system-requirements.html>`_
+
+Requirements for Building from Source
+"""""""""""""""""""""""""""""""""""""
+
+The source code is written entirely in `Kotlin <http://kotlinlang.org/>`_. It can be compiled using Maven 3. For this to succeed, however, the `Signicat Connector for Java <https://support.signicat.com/display/S2/Signicat+Connector+for+Java>`_ needs to be installed into a Maven repository which is accessible during compilation. The `POM <pom.xml>`_ may need to be updated depending on the Maven Coordinates (Group, Artifact, Version) used during installation. Refer to the `Maven guide for information about installing third-party JARs <https://maven.apache.org/guides/mini/guide-3rd-party-jars-local.html>`_. Once the Signicat Connector's JAR and its associated OpenSAML version are installed, the project can be compiled from a shell by issuing a command like this: ``mvn package``.
+
+Installation
+~~~~~~~~~~~~
+
+To install this plug-in, either download a binary version available from the `releases section of this project's GitHub repository <https://github.com/curityio/signicat-authenticator/releases>`_ or compile it from source (as described above). If you compiled the plug-in from source, the package will be placed in the ``target`` subdirectory. The resulting JAR file or the one downloaded from GitHub needs to placed in the directory ``${IDSVR_HOME}/usr/share/plugins/signicat``. (The name of the last directory, ``signicat``, which is the plug-in group, is arbitrary and can be anything.) All of the dependent JAR files must be placed in this directory as well. These include:
+
+* signicat-client-lib-4.0.1.jar
+* signicat-opensaml-1.1-PATCH-6.jar
+* commons-codec-1.10.jar
+* xmlsec-1.5.8.jar
+
+All of these JAR files can be obtained by downloading the `Signicat Connector for Java <https://support.signicat.com/display/S2/Signicat+Connector+for+Java>`_. Apache Commons Codec and Apache Santuario can be downloaded from Maven central or their respective project web sites.
+
+.. note::
+
+    The Signicat Connector ZIP file contains other JAR files as well (e.g., SLF4J, Apache Commons Logging, etc.). These are not required by this plug-in, but installing them should not adversely effect the plug-in either.
+
+Once the plug-in and its dependencies are placed into the plug-in group directory, it will become available as soon as each node is restarted.
+
+For a more detailed explanation of installing plug-ins, refer to the `Curity developer guide <https://developer.curity.io/docs/latest/developer-guide/plugins/index.html#plugin-installation>`_.
+
+Installing from Source
+""""""""""""""""""""""
+
+During development of the plug-in, it is very easy to copy the plug-in JAR and its dependencies with the following one-liner:
+
+.. code:: bash
+
+    mvn install dependency:copy-dependencies \
+        -DincludeScope=runtime \
+        -DoutputDirectory=$IDSVR_HOME/lib/plugins/signicat && \
+        cp target/identityserver.plugins.authenticators.signicat-*.jar $IDSVR_HOME/lib/plugins/signicat
+
+Because the server must be restarted after this, it can be quite tedious and time consuming. For that reason, it is better to use `Intellij's HotSwap capability <https://www.jetbrains.com/help/idea/reloading-classes.html>`_ to reload the classes after compilation. This will allow a developer to HotSwap changes without requiring a restart. If it fails to HotSwap some change, however, the above technique can be used.
+
+Creating a Signicat Authenticator in Curity
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The easiest way to configure a new Signicat authenticator is using the Curity admin UI. The configuration for this can be downloaded as XML or CLI commands later, so only the steps to do this in the GUI will be described.
+
+1. Go to the ``Authenticators`` page of the authentication profile wherein the authenticator instance should be created.
+2. Click the ``New Authenticator`` button.
+3. Enter a name (e.g., ``signicat1``). For production, this name needs to match the URI component in the callback URL whitelisted by Signicat.
+4. For the type, pick the ``Signicat`` option.
+5. On the next page, you can define all of the standard authenticator configuration options like any previous authenticator that should run, the resulting ACR, transformers that should executed, etc. At the bottom of the configuration page, the Signicat-specific options can be found.
+
+    .. figure:: docs/images/signicat-authenticator-type-in-curity.png
+        :align: center
+        :width: 600px
+
+    Using these inputs, certain required and optional configuration settings may be provided.
+
+    .. note::
+
+        The Signicat-specific configuration is generated dynamically based on the `configuration model defined in the Kotlin interface <https://github.com/curityio/signicat-authenticator/blob/master/src/main/kotlin/io/curity/identityserver/plugin/signicat/config/SignicatAuthenticatorPluginConfig.kt>`_.
+
+6. From the ``Country`` dropdown box, pick the country's kind of E-ID that should be used. For example, pick ``sweden`` to use Swedish BankID or ``denmark`` to use NemID.
+7. Enter the ``Service Name`` that you have registered with Signicat or use the default of ``demo`` for testing.
+8. From the ``Environment`` dropdown box, select either ``standard-environment`` or ``custom-environment``. The former should be used if you are not using a custom domain (e.g., ``signicat.example.com``). If not, then select ``standard-environment`` and pick either ``production`` or ``pre-production``. ``pre-production`` will cause certain test certificates to be used and warnings to be logged in the server log.
+9. Optionally, enter the name of a `graphics profile <https://support.signicat.com/display/S2/Graphical+profiles%2C+fonts+and+styling>`_ in the ``Graphics Profile`` text field.
+
+Once all of these changes are made, they will be staged, but not committed (i.e., not running). To make them active, click the ``Commit`` menu option in the ``Changes`` menu. Optionally enter a comment in the ``Deploy Changes`` dialogue and click ``OK``.
+
+Once the configuration is committed and running, the authenticator can be used like any other.
+
+.. note::
+
+    When using the authenticator with the Curity Security Token Service (i.e., the "OAuth server"), if the client application sends the OpenID-Connect-defined ``ui_locales`` request parameter, that will be passed to Signicat as the preferred language. Also, if a request has been made by some other client (in the same browser) using the ``ui_locales``, this preferred language will be propagated to Signicat even if the application does not explicitly provide it in the request.
+
+License
+~~~~~~~
+
+This plugin and its associated documentation is listed under the `Apache 2 license <LICENSE>`_.
+
+More Information
+~~~~~~~~~~~~~~~~
+
+Please visit `curity.io <https://curity.io/>`_ for more information about the Curity Identity Server.
+
+Copyright (C) 2018 Curity AB.

README.rst

@@ -31,7 +31,7 @@
 
     <groupId>io.curity.identityserver.plugin</groupId>
     <artifactId>identityserver.plugins.authenticators.signicat</artifactId>
-    <version>1.0.0</version>
+    <version>0.9-SNAPSHOT</version>
     <packaging>jar</packaging>
     <name>Signicat Authenticator</name>
 
@@ -92,16 +92,19 @@
             <groupId>se.curity.identityserver</groupId>
             <artifactId>identityserver.sdk</artifactId>
             <version>2.4.0</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
             <version>1.7.22</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.hibernate</groupId>
             <artifactId>hibernate-validator</artifactId>
             <version>5.1.3.Final</version>
+            <scope>provided</scope>
         </dependency>
         <dependency>
             <groupId>org.jetbrains.kotlin</groupId>
@@ -110,10 +113,24 @@
             <scope>provided</scope>
         </dependency>
         <dependency>
-            <groupId>org.jetbrains.kotlin</groupId>
-            <artifactId>kotlin-test</artifactId>
-            <version>${kotlin.version}</version>
-            <scope>test</scope>
+            <groupId>com.signicat</groupId>
+            <artifactId>java-connector</artifactId>
+            <version>4.0.1</version>
+        </dependency>
+        <dependency>
+            <groupId>com.signicat</groupId>
+            <artifactId>opensaml</artifactId>
+            <version>1.1-PATCH-6</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-codec</groupId>
+            <artifactId>commons-codec</artifactId>
+            <version>1.10</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.santuario</groupId>
+            <artifactId>xmlsec</artifactId>
+            <version>1.5.8</version>
         </dependency>
     </dependencies>
 </project>

docs/images/signicat-authenticator-type-in-curity.png

@@ -16,51 +16,102 @@
 
 package io.curity.identityserver.plugin.signicat.authentication
 
+import io.curity.identityserver.plugin.signicat.config.Country
+import io.curity.identityserver.plugin.signicat.config.PredefinedEnvironment
 import io.curity.identityserver.plugin.signicat.config.SignicatAuthenticatorPluginConfig
+import io.curity.identityserver.plugin.signicat.descriptor.SignicatAuthenticatorPluginDescriptor
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
 import se.curity.identityserver.sdk.authentication.AuthenticationResult
 import se.curity.identityserver.sdk.authentication.AuthenticatorRequestHandler
-import se.curity.identityserver.sdk.http.HttpStatus
+import se.curity.identityserver.sdk.errors.ErrorCode
+import se.curity.identityserver.sdk.http.RedirectStatusCode
 import se.curity.identityserver.sdk.web.Request
 import se.curity.identityserver.sdk.web.Response
-import se.curity.identityserver.sdk.web.Response.ResponseModelScope.NOT_FAILURE
-import se.curity.identityserver.sdk.web.ResponseModel.templateResponseModel
+import java.net.URL
+import java.util.IllformedLocaleException
+import java.util.Locale
 import java.util.Optional
-import java.util.Collections.emptyMap
-import java.util.Collections.singletonMap
 
 class RequestModel(request: Request)
 
 class SignicatAuthenticatorRequestHandler(config : SignicatAuthenticatorPluginConfig)
     : AuthenticatorRequestHandler<RequestModel>
 {
-    val userPreferenceManager = config.userPreferenceManager
+    private val logger: Logger = LoggerFactory.getLogger(SignicatAuthenticatorRequestHandler::class.java)
+    private val exceptionFactory = config.exceptionFactory
+    private val environment = config.environment
+    private val service = config.serviceName
+    private val profile = config.graphicsProfile
+    private val country = config.country
+    private val authenticationInformationProvider = config.authenticationInformationProvider
+    private val preferredLanguage = config.userPreferencesManager.locales
 
-    private object ViewDataKeys
-    {
-        internal val USERNAME = "_username"
-    }
-    
-    override fun preProcess(request: Request, response: Response): RequestModel
-    {
-        // set the template and model for responses on the NOT_FAILURE scope
-        response.setResponseModel(templateResponseModel(
-                singletonMap<String, Any>(ViewDataKeys.USERNAME, userPreferenceManager.username),
-                "authenticate/get"), NOT_FAILURE)
-    
-        // on request validation failure, we should use the same template as for NOT_FAILURE
-        response.setResponseModel(templateResponseModel(emptyMap(), "authenticate/get"), HttpStatus.BAD_REQUEST)
-    
-        return RequestModel(request)
-    }
+    override fun preProcess(request: Request, response: Response): RequestModel = RequestModel(request)
 
     override fun get(requestModel: RequestModel, response: Response): Optional<AuthenticationResult>
     {
-        return Optional.empty()
+        return handle(requestModel, response)
     }
     override fun post(requestModel: RequestModel, response: Response): Optional<AuthenticationResult>
     {
-        // TODO: Start signing process or return
+        // Strange but fine if the client wants to do a post to start the flow
+        
+        return handle(requestModel, response)
+    }
+    
+    private fun handle(requestModel: RequestModel, response: Response): Optional<AuthenticationResult>
+    {
+        val authUrl = authenticationInformationProvider.fullyQualifiedAuthenticationUri
+        val target = URL(authUrl.toURL(), "${authUrl.path}/${SignicatAuthenticatorPluginDescriptor.CALLBACK}")
+        
+        logger.debug("Redirecting to Signicat with the callback URL of {}", target)
+        
+        val method = when (country) {
+            Country.SWEDEN -> "sbid"
+            Country.DENMARK -> "nemid"
+            Country.ESTONIA -> "esteid"
+            Country.FINLAND -> "tupas"
+            Country.NORWAY -> "nbid"
+        }
+        val env = environment.customEnvironment.orElseGet {
+            environment.standardEnvironment.map { it ->
+                when (it)
+                {
+                    PredefinedEnvironment.PRE_PRODUCTION -> "preprod"
+                    PredefinedEnvironment.PRODUCTION     -> "id"
+                    // This and the other exceptional case below are guaranteed by the data model to never happen, but
+                    // this fact isn't know in the type system. So, these cases are handled to avoid bogus warnings,
+                    // but they will not occur.
+                    null -> throw exceptionFactory.internalServerException(ErrorCode.CONFIGURATION_ERROR)
+                }
+            }.orElseThrow { throw exceptionFactory.internalServerException(ErrorCode.CONFIGURATION_ERROR) }
+        }
+        var id = "$method:"
+        
+        profile.ifPresent { id += it }
+        
+        if (preferredLanguage != null)
+        {
+            val bcp47languageTag = preferredLanguage.split(' ', limit = 1)[0] // Use only first
+            
+            try
+            {
+                val lang = Locale.forLanguageTag(bcp47languageTag).language.toLowerCase()
+                
+                id += ":$lang"
+            }
+            catch (_ : IllformedLocaleException)
+            {
+                logger.debug("The prefered language '$preferredLanguage' could not be parsed, so it will not be " +
+                        "sent to Signicat")
+            }
+        }
+        
+        val location = "https://$env.signicat.com/std/method/$service?id=$id&target=$target"
 
-        return Optional.empty()
+        // Use a 303 in case this a POST request, so that the user agent is guaranteed (by compliance with HTTP) to
+        // strip the body posted here before following the redirect.
+        throw exceptionFactory.redirectException(location, RedirectStatusCode.SEE_OTHER)
     }
 }