Informationen zur Konfiguration des Antragsrouting ergänzt

Draft: Wird noch von @Florian_Kaufmann durch Screenshots aus planning#175 (closed) ergänzt

MR für Doku zu planning#175 (closed)

docs/getting-started/sending/get-destination.mdx

@@ -204,62 +204,73 @@ Dann kann man mit diesem und einer entsprechenden Bibliothek eine Signaturprüfu
 Im folgenden Beispiel wird die Bibliothek [nimbus-jose-jwt](https://connect2id.com/products/nimbus-jose-jwt) für die Prüfung genutzt.
 
 ```java
-SignedJWT signedJWT = SignedJWT.parse(destinationSignature);
-UUID keyId = UUID.fromString(signedJWT.getHeader().getKeyID());
+    SignedJWT signedJWT = SignedJWT.parse(destinationSignature);
+    String keyId = signedJWT.getHeader().getKeyID();
+    String requestedServiceIdentifier = "urn:de:fim:leika:leistung:100";
+    String requestedRegion = "urn:de:bund:destatis:bevoelkerungsstatistik:schluessel:rs:11111";
 
-validateTokenStructure(signedJWT);
+    Boolean validToken = validateToken(signedJWT, requestedServiceIdentifier, requestedRegion);
+    Boolean validTokenSignature = verifySSPSignature(signedJWT, keyId);
 
-verifySSPSignature(signedJWT, keyId)
+    Boolean validJWT = validToken && validTokenSignature;
 ```
 
 ```java
-boolean validateTokenStructure(SignedJWT signedJWT) {
-  try {
-    validateHeader(signedJWT.getHeader());
-    validatePayload(signedJWT.getJWTClaimsSet());
-  } catch (ParseException e) {
-    throw new RuntimeException("The payload of the SET could not get parsed properly.");
-  }
-}
+    static boolean validateToken(SignedJWT signedJWT, String requestedServiceIdentifier, String requestedRegion) {
+        try {
+            validateHeader(signedJWT.getHeader());
+            validatePayload(signedJWT.getJWTClaimsSet(), requestedServiceIdentifier, requestedRegion);
+            return true;
+        } catch (ParseException e) {
+            throw new RuntimeException("The payload of the SET could not get parsed properly.");
+        }
+    }
 
-private void validateHeader(JWSHeader header) {
-  validateTrueOrElseThrow(header.getAlgorithm() == JWSAlgorithm.PS512, "The provided alg in the SET header is not allowed.");
-  validateTrueOrElseThrow(header.getType().toString().equals("jwt"), "The provided typ in the SET header is not jwt");
-  validateTrueOrElseThrow(header.getKeyID() != null, "The kid the SET was signed with is not set.");
-}
+    static private void validateHeader(JWSHeader header) {
+        validateTrueOrElseThrow(header.getAlgorithm() == JWSAlgorithm.PS512, "The provided alg in the SET header is not allowed.");
+        validateTrueOrElseThrow(header.getType().toString().equals("jwt"), "The provided typ in the SET header is not jwt");
+        validateTrueOrElseThrow(header.getKeyID() != null, "The kid the SET was signed with is not set.");
+    }
 
-private void validatePayload(JWTClaimsSet payload) throws ParseException {
-  validateTrueOrElseThrow(payload.getClaim("iss") != null, "The claim iss is missing in the payload of the JWT.");
-  validateTrueOrElseThrow(payload.getClaim("iat") != null, "The claim iat is missing in the payload of the JWT.");
-  validateTrueOrElseThrow(payload.getClaim("jti") != null, "The claim jti is missing in the payload of the JWT.");
-  validateTrueOrElseThrow(payload.getClaim("destinationId") != null, "The claim destinationId is missing in the payload of the JWT.");
-  validateTrueOrElseThrow(payload.getClaim("submissionHost") != null, "The claim submissionHost is missing in the payload of the JWT.");
-  validateTrueOrElseThrow(payload.getClaim("services") != null, "The claim services is missing in the payload of the JWT.");
-  validateTrueOrElseThrow(payload.getJSONObjectClaim("services").keySet().size() >= 1, "At least one service is needed.");
-}
+    static private void validatePayload(JWTClaimsSet payload, String requestedServiceIdentifier, String requestedRegion) throws ParseException {
+        validateTrueOrElseThrow(payload.getClaim("iss") != null, "The claim iss is missing in the payload of the JWT.");
+        validateTrueOrElseThrow(payload.getClaim("iat") != null, "The claim iat is missing in the payload of the JWT.");
+        validateTrueOrElseThrow(payload.getClaim("jti") != null, "The claim jti is missing in the payload of the JWT.");
+        validateTrueOrElseThrow(payload.getClaim("destinationId") != null, "The claim destinationId is missing in the payload of the JWT.");
+        validateTrueOrElseThrow(payload.getClaim("submissionHost") != null, "The claim submissionHost is missing in the payload of the JWT.");
+        validateTrueOrElseThrow(payload.getClaim("services") != null, "The claim services is missing in the payload of the JWT.");
+        validateTrueOrElseThrow(!((JSONArray) payload.getClaim("services")).isEmpty(), "At least one service is needed.");
+        validateTrueOrElseThrow(
+                ((JSONArray) payload.getClaim("services")).stream().anyMatch(service -> (
+                        ((JSONArray) ((JSONObject) service).get("gebietIDs")).contains(requestedRegion) &&
+                                ((JSONArray) ((JSONObject) service).get("leistungIDs")).contains(requestedServiceIdentifier)
+                        )
+                ),
+                String.format("Requested region '%s' or requested serviceIdentifier '%s' not found", requestedRegion, requestedServiceIdentifier));
+    }
 
-private void validateTrueOrElseThrow(boolean expression, String msg) {
-  if (!expression) {
-    throw new RuntimeException(msg);
-  }
-}
+    static private void validateTrueOrElseThrow(boolean expression, String msg) {
+        if (!expression) {
+            throw new RuntimeException(msg);
+        }
+    }
 ```
 
 ```java
-static final SSP_BASE_URL = "https://portal.auth-testing.fit-connect.fitko.dev";
+    static final String SSP_BASE_URL = "https://portal.auth-dev.fit-connect.fitko.dev";
 
-boolean verifySSPSignature(SignedJWT signedJWT, String keyId) {
+    static boolean verifySSPSignature(SignedJWT signedJWT, String keyId) throws IOException, ParseException, JOSEException {
 
-  JWKSet jwks = JWKSet.load(SSP_BASE_URL + "/.well-known/jwks.json");
-  JWK publicKey = jwks.getKeyByKeyId(keyId)
+        JWKSet jwks = JWKSet.load(new URL(SSP_BASE_URL + "/.well-known/jwks.json"));
+        JWK publicKey = jwks.getKeyByKeyId(keyId);
 
-  if (publicKey.getAlgorithm() != JWSAlgorithm.PS512) {
-    throw new RuntimeException("The key specified for signature verification doesn't use/specify PS512 as algorithm.")
-  }
+        if (publicKey.getAlgorithm() != JWSAlgorithm.PS512) {
+            throw new RuntimeException("The key specified for signature verification doesn't use/specify PS512 as algorithm.");
+        }
 
-  JWSVerifier jwsVerifier = new RSASSAVerifier(publicKey.toRSAKey());
-  return signedJWT.verify(jwsVerifier);
-}
+        JWSVerifier jwsVerifier = new RSASSAVerifier(publicKey.toRSAKey());
+        return signedJWT.verify(jwsVerifier);
+    }
 ```
 
 </TabItem>