#1 add result params to refresh action, back to ssl in edge router

79e21961 · Tobias Assmann · 6e07a2b5 · 79e21961 · 79e21961 · 79e21961
Commit 79e21961 authored Oct 21, 2019 by Tobias Assmann
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
 version: "3.4"

 services:
-  # facade:
-  #   image: "traefik:v2.0"
-  #   container_name: "reqesidta_facade"
-  #   labels:
-  #     - "traefik.enable=true"
-  #     # catchall and the middleware used for global http to http redirect
-  #     - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
-  #     - "traefik.http.routers.http-catchall.entrypoints=web"
-  #     - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
-  #     - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
-  #   command: --providers.docker=true
-  #     --providers.docker.exposedbydefault=false
-  #     --entryPoints.web.address=:80
-  #     --entryPoints.web-secure.address=:443
-  #     --entryPoints.traefik.address=:8080
-  #     --api.insecure=true
-  #     --log.level=debug
-  #   ports:
-  #     - "80:80"
-  #     - "443:443"
-  #     # The Web UI (enabled by --api.insecure=true)
-  #     - "8080:8080"
-  #   networks:
-  #     - reqesidta_net
-  #   volumes:
-  #     # So that Traefik can listen to the Docker events
-  #     - /var/run/docker.sock:/var/run/docker.sock
+  facade:
+    image: "traefik:v2.0"
+    container_name: "reqesidta_facade"
+    labels:
+      - "traefik.enable=true"
+      # catchall and the middleware used for global http to http redirect
+      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
+      - "traefik.http.routers.http-catchall.entrypoints=web"
+      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https@docker"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+    command: --providers.docker=true
+      --providers.docker.exposedbydefault=false
+      --entryPoints.web.address=:80
+      --entryPoints.web-secure.address=:443
+      --entryPoints.traefik.address=:8080
+      --api.insecure=true
+      --log.level=debug
+    ports:
+      - "80:80"
+      - "443:443"
+      # The Web UI (enabled by --api.insecure=true)
+      # see http://localhost:8080/dashboard/
+      - "8080:8080"
+    networks:
+      - reqesidta_net
+    volumes:
+      # So that Traefik can listen to the Docker events
+      - /var/run/docker.sock:/var/run/docker.sock

  poseidas:
    image: "reqesidta/poseidas"
    container_name: "reqesidta_poseidas"
-    # labels:
-    #   - "traefik.enable=true"
-    #   - "traefik.http.services.poseidas.loadbalancer.server.port=8443"
-    #   - "traefik.http.routers.poseidas.rule=PathPrefix(`/POSeIDAS/eidas-middleware/paosreciever`)"
-    #   - "traefik.http.routers.poseidas.entrypoints=web-secure"
-    #   - "traefik.http.routers.poseidas.tls=true"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.poseidas.loadbalancer.server.port=8443"
+      - "traefik.http.routers.poseidas.rule=PathPrefix(`/POSeIDAS/eidas-middleware/paosreciever`)"
+      - "traefik.http.routers.poseidas.entrypoints=web-secure"
+      - "traefik.http.routers.poseidas.tls=true"
    build:
      context: ./poseidas
      args:
@@ -45,7 +46,7 @@ services:
    environment:
      - JAVA_OPTS=-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005
    ports:
-      - "127.0.0.1:8443:8443"
+      #- "127.0.0.1:8443:8443"
      - "127.0.0.1:5005:5005" # Java Debug Port
    networks:
      reqesidta_net:
@@ -68,8 +69,8 @@ services:
    depends_on:
      - postgres
    # DEPRECATED
-    links:
-     - postgres
+    # links:
+    #  - postgres
    environment:
      # Format: jdbc:postgresql://hostname:port/database
      DATABASE_JDBC_URL: jdbc:postgresql://postgres:5432/ejbca
@@ -97,12 +98,12 @@ services:
  ssa:
    image: "reqesidta/ssa"
    container_name: "reqesidta_ssa"
-    # labels:
-    #   - "traefik.enable=true"
-    #   - "traefik.http.services.ssa.loadbalancer.server.port=8080"
-    #   - "traefik.http.routers.ssa.rule=PathPrefix(`/ssa-server`)"
-    #   - "traefik.http.routers.ssa.entrypoints=web-secure"
-    #   - "traefik.http.routers.ssa.tls=true"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.services.ssa.loadbalancer.server.port=8080"
+      - "traefik.http.routers.ssa.rule=PathPrefix(`/ssa-server`)"
+      - "traefik.http.routers.ssa.entrypoints=web-secure"
+      - "traefik.http.routers.ssa.tls=true"
    build:
      context: ./ssa
    depends_on:
@@ -110,7 +111,7 @@ services:
      - ejbca
    command: /opt/jboss/wildfly/bin/standalone.sh -b 0.0.0.0 -bmanagement 0.0.0.0 --debug 0.0.0.0:9797
    ports:
-      - "127.0.0.1:28080:8080"
+      # - "127.0.0.1:28080:8080"
      #- "127.0.0.1:29990:9990"
      - "127.0.0.1:9797:9797" # Java Debug Port
    volumes:

--- a/docker/poseidas/config/application.properties
+++ b/docker/poseidas/config/application.properties
 # Server settings
 server.port = 8443
-#server.ssl.enabled = false
+server.ssl.enabled = false

 poseidas.admin.username = admin
 # Password: testtest

--- a/docker/ssa/dist/ssa-server.war
+++ b/docker/ssa/dist/ssa-server.war
--- a/ssa-server/server/src/main/java/reqesidta/ssa/api/EidService.java
+++ b/ssa-server/server/src/main/java/reqesidta/ssa/api/EidService.java
 package reqesidta.ssa.api;

 import java.util.Optional;
-import java.util.UUID;

 import javax.inject.Inject;
 import javax.ws.rs.GET;
@@ -9,6 +8,8 @@ import javax.ws.rs.NotFoundException;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import javax.xml.bind.JAXBElement;
@@ -16,8 +17,6 @@ import javax.xml.bind.JAXBElement;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

-import de.bund.bsi.eid.GetResultResponseType;
-import de.bund.bsi.eid.GetServerInfoResponseType;
 import de.bund.bsi.eid.UseIDResponseType;
 import reqesidta.ssa.config.SSAConfig;
 import reqesidta.ssa.eid.EID_Client;
@@ -40,19 +39,24 @@ public class EidService {
 	@Inject private SessionStore sessionStore;
 	@Inject private EID_Client eidClient;

+	/**
+	 * curl -v -k -X GET -s https://docker.reqesidta.de/ssa-server/eid/tctoken/YOUR_SESSION_ID
+	 * @param sessionId
+	 * @return
+	 */
 	@GET
 	@Produces(MediaType.TEXT_XML)
 	@Path("/tctoken/{sessionId}")
 	public JAXBElement<TCTokenType> tcToken(@PathParam("sessionId") String sessionId) {
 		log.debug("tctoken got sessionId:"+sessionId);
 		Session session = this.readSession(sessionId);
-		byte[] documentHash = (byte[])session.get(Session.KEY_DOCUMENT_HASH).get();
+		byte[] documentHash = (byte[])session.get(Session.KEY_CLIENT_DOCUMENT_HASH).get();
 		// get stuff from eID useID
 		UseIDResponseType useID_return = eidClient.useId(documentHash);
 		String eidSessionIdString = useID_return.getPSK().getID();
 		session.set(Session.KEY_EID_SERVER_SESSIONID, useID_return.getSession().getID());
 		// replace session for user with new session using sessionID from eID server
-		session = sessionStore.copySession(session, eidSessionIdString);
+		session = sessionStore.replaceSession(session, eidSessionIdString);
 		// build response
 		TCTokenType tcToken = new TCTokenType();
 		tcToken.setServerAddress(useID_return.getECardServerAddress());
@@ -70,16 +74,31 @@ public class EidService {
 		return new ObjectFactory().createTCTokenType(tcToken);
 	}

+	/**
+	 * curl -k -v -X GET -s https://docker.reqesidta.de/ssa-server/eid/refresh/YOUR_SESSION_ID?ResultMajor=ok
+	 * @param sessionId
+	 * @return
+	 */
 	@GET
 	@Path("/refresh/{sessionId}")
-	public Response refresh(@PathParam("sessionId") String sessionId) {
+	public Response refresh(
+			@PathParam("sessionId") String sessionId,
+			@QueryParam("ResultMajor") String resMajor,
+			@QueryParam("ResultMinor") String resMinor) {
 		log.debug("refresh got sessionId:"+sessionId);
 		Session session = this.readSession(sessionId);
+		if (!resMajor.equals("ok")) {
+			log.info("refresh got ResultMajor:"+resMajor);
+			log.info("refresh got ResultMinor:"+resMinor);
+			log.info("refresh removing session due to error param ... ");
+			sessionStore.removeSession(sessionId);
+			// throw an "Failed Dependency" status back
+			throw new WebApplicationException(424);
+		}
 		byte[] eidSessionId = (byte[])session.get(Session.KEY_EID_SERVER_SESSIONID).get();
-		GetResultResponseType getResponseType = eidClient.getResult(eidSessionId);
-		//TODO what to save in session?
+		eidClient.getResult(eidSessionId);
 		// replace session for user with new session ID
-		session = sessionStore.copySession(session, UUID.randomUUID().toString());
+		session = sessionStore.replaceSession(session, null);

 		return Response.ok(session.getId()).build();
 	}

--- a/ssa-server/server/src/main/java/reqesidta/ssa/api/SsaService.java
+++ b/ssa-server/server/src/main/java/reqesidta/ssa/api/SsaService.java
@@ -51,6 +51,11 @@ public class SsaService {
 		this.jsonb = JsonbBuilder.create(config);
 	}

+	/**
+	 * curl -L -k -X POST -H "Content-Type: application/json" --data '{"sig-alg":"SHA256WITHDSA","doc-hash":"SGVsbG8gV29ybGQK"}' http://docker.reqesidta.de/ssa-server/ssa/start
+	 * @param reqAsJson
+	 * @return
+	 */
 	@POST
 	@Consumes(MediaType.APPLICATION_JSON)
 	@Produces(MediaType.APPLICATION_JSON)
@@ -62,8 +67,8 @@ public class SsaService {
 			throw new BadRequestException();
 		}
 		Session session = sessionStore.getNewSession();
-		session.set(Session.KEY_SIGNATURE_ALGORITHM, req.signatureAlgorithm);
-		session.set(Session.KEY_DOCUMENT_HASH, req.documentHash);
+		session.set(Session.KEY_CLIENT_SIGNATURE_ALGORITHM, req.signatureAlgorithm);
+		session.set(Session.KEY_CLIENT_DOCUMENT_HASH, req.documentHash);
 		InitResponse response = new InitResponse();
 		response.tcTokenUrl = this.config.getBaseUrl()+"/eid/tctoken/"+session.getId();
 		String respAsJson = jsonb.toJson(response);

--- a/ssa-server/server/src/main/java/reqesidta/ssa/session/Session.java
+++ b/ssa-server/server/src/main/java/reqesidta/ssa/session/Session.java
@@ -14,8 +14,8 @@ public class Session {
 	private Instant lastAccess = Instant.now();
 	private final Map<String, Object> map;

-	public final static String KEY_SIGNATURE_ALGORITHM = "sig-alg";
-	public final static String KEY_DOCUMENT_HASH = "doc-hash";
+	public final static String KEY_CLIENT_SIGNATURE_ALGORITHM = "sig-alg";
+	public final static String KEY_CLIENT_DOCUMENT_HASH = "doc-hash";
 	public final static String KEY_EID_SERVER_SESSIONID = "eid-sessionid";

 	Session(String ID) {

--- a/ssa-server/server/src/main/java/reqesidta/ssa/session/SessionStore.java
+++ b/ssa-server/server/src/main/java/reqesidta/ssa/session/SessionStore.java
@@ -49,7 +49,17 @@ public class SessionStore {
 		return s;
 	}

-	public synchronized Session copySession(Session session, String id) {
+	/**
+	 * Replace the given session in session store with a new session
+	 * with old content and new id.
+	 * @param session
+	 * @param id if null is given an id is generated
+	 * @return
+	 */
+	public synchronized Session replaceSession(Session session, String id) {
+		if (id == null) {
+			id = UUID.randomUUID().toString();
+		}
 		Session s = session.copy(id);
 		this.storage.put(id, s);
 		this.storage.remove(session.getId());

--- a/ssa-server/server/src/main/resources/reference.conf
+++ b/ssa-server/server/src/main/resources/reference.conf
 ssa-config {
 	sessionMaxAge: 60,
 	sessionCheckAgeInterval: 30,
-	baseUrl: "http://ssa.docker.reqesidta.de:28080/ssa-server"
-	eidUrl: "https://poseidas.docker.reqesidta.de:8443/POSeIDAS/service/eid/TR-03130-WSDL.wsdl"
+	baseUrl: "https://docker.reqesidta.de/ssa-server"
+	eidUrl: "http://poseidas.docker.reqesidta.de:8443/POSeIDAS/service/eid/TR-03130-WSDL.wsdl"
 	ca-config: {
 		caName: 'dummy-caName',
 		cmpAlias: 'dummy-cmp-alias',