-rw-r--r--.gitlab-ci.yml24
-rw-r--r--build_reporting/pom.xml78
-rw-r--r--eaaf_core/checks/spotbugs-exclude.xml50
-rw-r--r--eaaf_core/pom.xml272
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java35
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java1
-rw-r--r--eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java7
-rw-r--r--eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java31
-rw-r--r--eaaf_core_utils/checks/spotbugs-exclude.xml25
-rw-r--r--eaaf_core_utils/pom.xml10
-rw-r--r--eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java5
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java52
-rw-r--r--eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java13
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml15
-rw-r--r--eaaf_modules/eaaf_module_pvp2_core/pom.xml14
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml14
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/pom.xml10
-rw-r--r--eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java40
-rw-r--r--pom.xml98
19 files changed, 557 insertions, 237 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 37ca635e..9ec05060 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,12 +13,12 @@ variables:
include:
- template: Dependency-Scanning.gitlab-ci.yml
- - template: Security/SAST.gitlab-ci.yml
- template: Secret-Detection.gitlab-ci.yml
- template: Code-Quality.gitlab-ci.yml
stages:
- assemble
+ - visualize
- test
- package
- release
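Review bot: Removing `Security/SAST.gitlab-ci.yml` from `include:` drops pipeline-level static analysis for the whole repository, while the SpotBugs plugin that appears to replace it is, per the diffstat, added only to eaaf_core, eaaf_core_utils, eaaf_module_pvp2_core and eaaf_module_pvp2_idp, so eaaf_module_auth_sl20, eaaf_module_moa-sig and eaaf_module_pvp2_sp lose static analysis unless the parent pom (changed in this commit, outside this view) binds the plugin for every module. If the replacement is intended, record it next to the include list, e.g. `# SAST template replaced by the SpotBugs check in the Maven build (checks/spotbugs-exclude.xml per module)`, and confirm the unlisted modules are covered.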
@@ -37,7 +37,27 @@ assemble:
when: always
reports:
junit: "**/target/surefire-reports/TEST-*.xml"
-
+ paths:
+ - build_reporting/target/site/jacoco-aggregate-ut/jacoco.xml
+
+coverage:
+ stage: visualize
+ image: haynes/jacoco2cobertura:1.0.4
+ script:
+ - mkdir -p target/site
+ # convert report from jacoco to cobertura
+ - 'python /opt/cover2cover.py build_reporting/target/site/jacoco-aggregate-ut/jacoco.xml eaaf_core_api/src/main/java eaaf_core_utils/src/main/java eaaf_core/src/main/java eaaf_modules/eaaf_module_auth_sl20/src/main/java eaaf_modules/eaaf_module_moa-sig/src/main/java eaaf_modules/eaaf_module_pvp2_core/src/main/java eaaf_modules/eaaf_module_pvp2_idp/src/main/java eaaf_modules/eaaf_module_pvp2_sp/src/main/java > target/site/cobertura.xml'
+ # read the <source></source> tag and prepend the path to every filename attribute
+ #- 'python /opt/source2filename.py target/site/cobertura.xml'
+ needs:
+ - job: assemble
+ dependencies:
+ - assemble
+ artifacts:
+ reports:
+ cobertura: target/site/cobertura.xml
+
+
publishToGitlab:
stage: package
except:
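Review bot: The `coverage` job pulls `haynes/jacoco2cobertura:1.0.4` by mutable tag from a third-party registry namespace and lets it process the build's artifacts with the job's variables in scope, so a retagged image silently changes what runs in this pipeline; pin it by digest, e.g. `image: haynes/jacoco2cobertura:1.0.4@sha256:<digest>`, or mirror it into the project's own registry. `needs: - job: assemble` already downloads that job's artifacts, so the `dependencies:` list is redundant. The commented-out `source2filename.py` line either documents a known gap in path handling or is dead code; say which. `artifacts:reports:cobertura` has been superseded by `coverage_report` in newer GitLab releases, so check the target instance's version before relying on it.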
diff --git a/build_reporting/pom.xml b/build_reporting/pom.xml
new file mode 100644
index 00000000..5300ff74
--- /dev/null
+++ b/build_reporting/pom.xml
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>at.gv.egiz</groupId>
+ <artifactId>eaaf</artifactId>
+ <version>1.1.11-SNAPSHOT</version>
+ </parent>
+ <artifactId>build_reporting</artifactId>
+ <packaging>pom</packaging>
+ <name>Reporting Module</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_core_api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_core_utils</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf-core</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_module_auth_sl20</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_module_moa-sig</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_module_pvp2_core</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_module_pvp2_idp</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_module_pvp2_sp</artifactId>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.jacoco</groupId>
+ <artifactId>jacoco-maven-plugin</artifactId>
+ <version>${jacoco-maven-plugin.version}</version>
+ <executions>
+ <!-- aggregated unit test coverage report -->
+ <execution>
+ <id>aggregate-reports-ut</id>
+ <phase>test</phase>
+ <goals>
+ <goal>report-aggregate</goal>
+ </goals>
+ <configuration>
+ <title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title>
+ <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate-ut</outputDirectory>
+ <dataFileExcludes>
+ <!-- exclude coverage data of integration tests -->
+ <dataFileExclude>**/target/jacoco-it.exec</dataFileExclude>
+ </dataFileExcludes>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+
+</project> \ No newline at end of file
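Review bot: The `<title>` still carries sample text, `Maven Multimodule Coverage Demo: Coverage of Unit Tests`, which will be printed on the generated report; replace it with the project's own wording, e.g. `<title>EAAF: aggregated unit-test coverage</title>`. The module's dependency list and the source-directory list in the CI conversion script enumerate the same modules by hand, so add a comment pointing from one to the other to keep them in sync when a module is added. The file also ends without a trailing newline.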
diff --git a/eaaf_core/checks/spotbugs-exclude.xml b/eaaf_core/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..aa11a955
--- /dev/null
+++ b/eaaf_core/checks/spotbugs-exclude.xml
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+ <Match>
+ <!-- bPK requires SHA1 from specification -->
+ <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.builder.BpkBuilder" />
+ <OR>
+ <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" />
+ </OR>
+ </Match>
+ <Match>
+ <!-- only redirects to internal addresses -->
+ <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.modules.AbstractAuthServletTask"/>
+ <Method name="performRedirectToItself" />
+ <Bug pattern="UNVALIDATED_REDIRECT" />
+ </Match>
+ <Match>
+ <!-- only redirects to internal addresses -->
+ <Class name="at.gv.egiz.eaaf.core.impl.idp.auth.services.ProtocolAuthenticationService"/>
+ <Method name="forwardToErrorHandler" />
+ <Bug pattern="UNVALIDATED_REDIRECT" />
+ </Match>
+ <Match>
+ <!-- the ErrorToken is only single-used as same as a CSRF token -->
+ <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+ <Method name="errorHandling" />
+ <Bug pattern="SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING" />
+ </Match>
+ <Match>
+ <!-- Only used to evaluate expressions from pre-compiled process-flows -->
+ <OR>
+ <Class name="at.gv.egiz.eaaf.core.impl.idp.process.springweb.SpringWebExpressionEvaluator"/>
+ <Class name="at.gv.egiz.eaaf.core.impl.idp.process.spring.SpringExpressionEvaluator"/>
+ </OR>
+ <Bug pattern="SPEL_INJECTION" />
+ </Match>
+ <Match>
+ <!-- URL will be only generated from configuration path-->
+ <Class name="at.gv.egiz.eaaf.core.impl.idp.conf.AbstractConfigurationImpl"/>
+ <Bug pattern="PATH_TRAVERSAL_IN" />
+ </Match>
+ <Match>
+ <!-- Logging of request parameters is allowed for this classes -->
+ <OR>
+ <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.tasks.AbstractLocaleAuthServletTask"/>
+ <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController"/>
+ <Class name="at.gv.egiz.eaaf.core.impl.idp.controller.AbstractProcessEngineSignalController"/>
+ </OR>
+ <Bug pattern="CRLF_INJECTION_LOGS" />
+ </Match>
+</FindBugsFilter>
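Review bot: The `PATH_TRAVERSAL_IN` match on `AbstractConfigurationImpl` and the `SPEL_INJECTION` match on the two expression evaluators are class-wide, unlike the other entries that scope the exclusion with `<Method name="…" />`; a class-wide match silences the same pattern in any method added to those classes later, so the justifications ("only generated from configuration path", "pre-compiled process-flows") stop being verified by the tool. Narrow each to the method that currently triggers the finding. The `<OR>` wrapping the single `WEAK_MESSAGE_DIGEST_SHA1` entry is redundant and can be flattened to a bare `<Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" />`.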
diff --git a/eaaf_core/pom.xml b/eaaf_core/pom.xml
index a1eee06e..178b53a3 100644
--- a/eaaf_core/pom.xml
+++ b/eaaf_core/pom.xml
@@ -1,108 +1,112 @@
<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
- <groupId>at.gv.egiz</groupId>
- <artifactId>eaaf</artifactId>
- <version>1.1.11-SNAPSHOT</version>
+ <groupId>at.gv.egiz</groupId>
+ <artifactId>eaaf</artifactId>
+ <version>1.1.11-SNAPSHOT</version>
</parent>
<groupId>at.gv.egiz.eaaf</groupId>
<artifactId>eaaf-core</artifactId>
<name>EAAF core components</name>
<description>Core components for identity managment implementations</description>
-
+
<dependencies>
- <dependency>
- <groupId>at.gv.egiz.eaaf</groupId>
- <artifactId>eaaf_core_api</artifactId>
- </dependency>
- <dependency>
- <groupId>at.gv.egiz.eaaf</groupId>
- <artifactId>eaaf_core_utils</artifactId>
- </dependency>
-
- <dependency>
- <groupId>at.gv.egiz.components</groupId>
- <artifactId>eventlog-api</artifactId>
- </dependency>
- <dependency>
- <groupId>at.gv.egiz.components</groupId>
- <artifactId>egiz-spring-api</artifactId>
- </dependency>
- <dependency>
- <groupId>javax.annotation</groupId>
- <artifactId>javax.annotation-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-webmvc</artifactId>
- <scope>provided</scope>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </dependency>
- <!-- dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-log4j12</artifactId>
- </dependency-->
- <dependency>
- <groupId>commons-codec</groupId>
- <artifactId>commons-codec</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-lang3</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-collections4</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.commons</groupId>
- <artifactId>commons-text</artifactId>
- </dependency>
- <dependency>
- <groupId>commons-fileupload</groupId>
- <artifactId>commons-fileupload</artifactId>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>javax.servlet-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.velocity</groupId>
- <artifactId>velocity</artifactId>
- </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_core_api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_core_utils</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>at.gv.egiz.components</groupId>
+ <artifactId>eventlog-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.components</groupId>
+ <artifactId>egiz-spring-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>javax.annotation</groupId>
+ <artifactId>javax.annotation-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-webmvc</artifactId>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </dependency>
+ <!-- dependency> <groupId>org.slf4j</groupId> <artifactId>slf4j-log4j12</artifactId>
+ </dependency -->
+ <dependency>
+ <groupId>commons-codec</groupId>
+ <artifactId>commons-codec</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-lang3</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-collections4</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-text</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>commons-fileupload</groupId>
+ <artifactId>commons-fileupload</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>javax.servlet-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.velocity</groupId>
+ <artifactId>velocity</artifactId>
+ </dependency>
<dependency>
<groupId>commons-collections</groupId>
- <artifactId>commons-collections</artifactId>
- </dependency>
- <dependency>
- <groupId>jaxen</groupId>
- <artifactId>jaxen</artifactId>
- </dependency>
- <dependency>
- <groupId>xerces</groupId>
- <artifactId>xercesImpl</artifactId>
- </dependency>
- <dependency>
- <groupId>xalan</groupId>
- <artifactId>xalan</artifactId>
- </dependency>
-
+ <artifactId>commons-collections</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>jaxen</groupId>
+ <artifactId>jaxen</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>xerces</groupId>
+ <artifactId>xercesImpl</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>xalan</groupId>
+ <artifactId>xalan</artifactId>
+ </dependency>
+
<!-- For testing -->
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-test</artifactId>
- <scope>test</scope>
- </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-test</artifactId>
+ <scope>test</scope>
+ </dependency>
<dependency>
<groupId>at.gv.egiz.eaaf</groupId>
<artifactId>eaaf_core_utils</artifactId>
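Review bot: The hunk re-indents every dependency line, so the one substantive change — the new `org.owasp.encoder:encoder` dependency — is easy to miss in review; whitespace-only reformatting is better kept in its own commit. The `slf4j-log4j12` comment block was collapsed onto one line in the process (`<!-- dependency> <groupId>org.slf4j</groupId> ...`); either delete the dead comment or restore its layout.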
@@ -110,10 +114,10 @@
<type>test-jar</type>
</dependency>
</dependencies>
-
- <build>
+
+ <build>
<finalName>eaaf_core</finalName>
-
+
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
@@ -124,44 +128,54 @@
<target>1.8</target>
</configuration>
<executions>
- <execution>
- <goals>
- <goal>compile</goal>
- <goal>testCompile</goal>
- </goals>
- </execution>
+ <execution>
+ <goals>
+ <goal>compile</goal>
+ <goal>testCompile</goal>
+ </goals>
+ </execution>
</executions>
</plugin>
<plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-jar-plugin</artifactId>
- <version>3.1.0</version>
- <executions>
- <execution>
- <goals>
- <goal>test-jar</goal>
- </goals>
- </execution>
- </executions>
- </plugin>
-
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <version>3.1.0</version>
+ <executions>
+ <execution>
+ <goals>
+ <goal>test-jar</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+
<!-- enable co-existence of testng and junit -->
- <plugin>
- <artifactId>maven-surefire-plugin</artifactId>
- <version>${surefire.version}</version>
- <configuration>
- <threadCount>1</threadCount>
- </configuration>
- <dependencies>
- <dependency>
- <groupId>org.apache.maven.surefire</groupId>
- <artifactId>surefire-junit47</artifactId>
- <version>${surefire.version}</version>
- </dependency>
- </dependencies>
- </plugin>
-
+ <plugin>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <version>${surefire.version}</version>
+ <configuration>
+ <threadCount>1</threadCount>
+ </configuration>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.maven.surefire</groupId>
+ <artifactId>surefire-junit47</artifactId>
+ <version>${surefire.version}</version>
+ </dependency>
+ </dependencies>
+ </plugin>
+
+ <plugin>
+ <groupId>com.github.spotbugs</groupId>
+ <artifactId>spotbugs-maven-plugin</artifactId>
+ <version>${spotbugs-maven-plugin.version}</version>
+ <configuration>
+ <failOnError>true</failOnError>
+ <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+ </configuration>
+ </plugin>
+
</plugins>
</build>
-
+
</project>
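Review bot: The SpotBugs plugin block sets `failOnError` but declares no `<executions>`, so unless the parent `pom.xml` (changed in this commit, outside this view) binds `spotbugs:check` to a phase in `pluginManagement`, a plain `mvn verify` never runs the analysis and the gate only exists when the goal is invoked by hand; the same block is repeated in eaaf_core_utils/pom.xml and eaaf_modules/eaaf_module_pvp2_core/pom.xml. Bind `check` to `verify` once in the parent, or add the execution below to each module.
```xml
<plugin>
  <!-- … unchanged: groupId, artifactId, version, configuration … -->
  <executions>
    <execution>
      <id>spotbugs-check</id>
      <phase>verify</phase>
      <goals>
        <goal>check</goal>
      </goals>
    </execution>
  </executions>
</plugin>
```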
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
index 50bf76db..4410267e 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
@@ -20,8 +20,6 @@
package at.gv.egiz.eaaf.core.impl.idp.auth.services;
import java.io.IOException;
-import java.io.PrintWriter;
-import java.io.StringWriter;
import java.util.HashSet;
import javax.annotation.PostConstruct;
@@ -32,6 +30,7 @@ import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.text.StringEscapeUtils;
+import org.owasp.encoder.Encode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
@@ -286,7 +285,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
// write generic message for general exceptions
final String msg =
statusMessager.getMessage(IStatusMessenger.CODES_INTERNAL_ERROR_GENERIC, null);
- writeHtmlErrorResponse(req, resp, msg, "9199", null, (Exception) throwable);
+ writeHtmlErrorResponse(req, resp, msg, "9199", null);
}
@@ -460,8 +459,7 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
private void writeHtmlErrorResponse(@NonNull final HttpServletRequest httpReq,
@NonNull final HttpServletResponse httpResp, @NonNull final String msg,
- @NonNull final String errorCode, @Nullable final Object[] params,
- @NonNull final Exception error) throws EaafException {
+ @NonNull final String errorCode, @Nullable final Object[] params) throws EaafException {
try {
final IGuiBuilderConfiguration config =
@@ -492,14 +490,6 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORCODEPARAMS,
ArrayUtils.toString(errorCodeParams));
- // add stacktrace if debug is enabled
- if (log.isTraceEnabled()) {
- ((ModifyableGuiBuilderConfiguration) config).putCustomParameter(
- AbstractGuiFormBuilderConfiguration.PARAM_GROUP_MSG, PARAM_GUI_ERRORSTACKTRACE,
- getStacktraceFromException(error));
-
- }
-
} else {
log.info(
"Can not ADD error message, because 'GUIBuilderConfiguration' is not modifieable ");
@@ -515,18 +505,11 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
}
- private String getStacktraceFromException(final Exception ex) {
- final StringWriter errors = new StringWriter();
- ex.printStackTrace(new PrintWriter(errors));
- return errors.toString();
-
- }
-
private void internalMoaidExceptionHandler(final HttpServletRequest req,
final HttpServletResponse resp, final Exception e, final boolean writeExceptionToStatisicLog)
throws IOException, EaafException {
if (e instanceof ProtocolNotActiveException) {
- resp.getWriter().write(e.getMessage());
+ resp.getWriter().write(Encode.forHtml(e.getMessage()));
resp.setContentType(EaafConstants.CONTENTTYPE_HTML_UTF8);
resp.sendError(HttpServletResponse.SC_FORBIDDEN,
StringEscapeUtils.escapeHtml4(StringEscapeUtils.escapeEcmaScript(e.getMessage())));
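Review bot: The newly encoded body write `resp.getWriter().write(Encode.forHtml(e.getMessage()))` is immediately followed by `resp.sendError(HttpServletResponse.SC_FORBIDDEN, ...)`; by the Servlet API contract `sendError` clears the buffer when the response is not yet committed and throws `IllegalStateException` when it is, so the HTML-encoded message is either discarded or the branch fails, and calling `setContentType` after the first write is likewise unreliable. Pick one path: set status and content type first and write the encoded message without `sendError`, or keep only the `sendError` call. Its message is escaped twice (`escapeHtml4(escapeEcmaScript(...))`), which yields visibly mangled text whatever the container does with the reason string; one encoder matching the sink suffices. `internalMoaidExceptionHandler` continues past the end of this hunk.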
@@ -540,27 +523,27 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
// write error message
writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
- null, e);
+ null);
} else if (e instanceof InvalidProtocolRequestException) {
// send error response
writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
- null, e);
+ null);
} else if (e instanceof ConfigurationException) {
// send HTML formated error message
writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
- null, e);
+ null);
} else if (e instanceof EaafException) {
// send HTML formated error message
writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
- ((EaafException) e).getParams(), e);
+ ((EaafException) e).getParams());
} else if (e instanceof ProcessExecutionException) {
// send HTML formated error message
writeHtmlErrorResponse(req, resp, e.getMessage(), statusMessager.getResponseErrorCode(e),
- null, e);
+ null);
}
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
index 14537d44..edca0fba 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/process/ProcessDefinitionParser.java
@@ -101,6 +101,7 @@ public class ProcessDefinitionParser {
// Standard implementation of XMLInputFactory seems not to be thread-safe
final XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+ inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
reader = inputFactory.createXMLEventReader(processDefinitionInputStream);
final List<StartElement> transitionElements = new ArrayList<>();
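Review bot: Disabling `SUPPORT_DTD` is the right call for process-definition input, but the second StAX property governing entity resolution is left at its default; add `inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);` right after it so the parser is hardened regardless of which implementation `XMLInputFactory.newInstance()` returns. A one-line why-comment, e.g. `// no DTD or external-entity processing for process-definition input`, keeps the next maintainer from re-enabling it. The enclosing method continues beyond the hunk.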
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
index e8d5c294..4b8a7a04 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/utils/DomUtils.java
@@ -33,6 +33,7 @@ import java.util.Map.Entry;
import java.util.Set;
import java.util.Vector;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -45,8 +46,6 @@ import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
-import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
-
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.xerces.parsers.DOMParser;
@@ -71,6 +70,8 @@ import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
+import at.gv.egiz.eaaf.core.api.data.XmlNamespaceConstants;
+
/**
* Various utility functions for handling XML DOM trees.
*
@@ -785,6 +786,7 @@ public class DomUtils {
throws TransformerException, IOException {
final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
final Transformer transformer = transformerFactory.newTransformer();
final ByteArrayOutputStream bos = new ByteArrayOutputStream(16384);
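Review bot: `FEATURE_SECURE_PROCESSING` on a `TransformerFactory` restricts extension functions, but whether it also blocks external DTD and stylesheet fetches depends on the implementation `TransformerFactory.newInstance()` picks (this module declares `xalan` as a dependency, so it may not be the JDK's); the JAXP 1.5 attributes `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` set to `""` make the intent explicit. The same two lines are now duplicated at both transformer sites in this file, which invites drift; move the factory setup into one private helper and call it from both places. Both enclosing methods start outside their hunks.
```java
/**
 * Creates a TransformerFactory with secure processing enabled and external
 * DTD/stylesheet access disabled where the implementation supports the attributes.
 */
private static TransformerFactory newSecureTransformerFactory() throws TransformerException {
  final TransformerFactory factory = TransformerFactory.newInstance();
  factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  try {
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
  } catch (final IllegalArgumentException e) {
    // implementation predates JAXP 1.5; FEATURE_SECURE_PROCESSING stays in force
  }
  return factory;
}

// … unchanged: at each call site the newInstance()/setFeature pair becomes …
final TransformerFactory transformerFactory = newSecureTransformerFactory();
```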
@@ -1211,6 +1213,7 @@ public class DomUtils {
// StringWriter stringWriter = new StringWriter();
final Result result = new StreamResult(out);
final TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
final Transformer transformer = factory.newTransformer();
transformer.transform(source, result);
return out.toByteArray();
diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java
index b20efe3d..3343a089 100644
--- a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java
+++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/XPathException.java
@@ -19,9 +19,6 @@
package at.gv.egiz.eaaf.core.exceptions;
-import java.io.PrintStream;
-import java.io.PrintWriter;
-
/**
* An exception occurred evaluating an XPath.
*
@@ -56,32 +53,4 @@ public class XPathException extends RuntimeException {
return wrapped;
}
- /**
- * Print error message.
- *
- * @see java.lang.Throwable#printStackTrace(java.io.PrintStream)
- */
- @Override
- public void printStackTrace(final PrintStream s) {
- super.printStackTrace(s);
- if (getWrapped() != null) {
- s.print("Caused by: ");
- getWrapped().printStackTrace(s);
- }
- }
-
- /**
- * Print error message.
- *
- * @see java.lang.Throwable#printStackTrace(java.io.PrintWriter)
- */
- @Override
- public void printStackTrace(final PrintWriter s) {
- super.printStackTrace(s);
- if (getWrapped() != null) {
- s.print("Caused by: ");
- getWrapped().printStackTrace(s);
- }
- }
-
}
diff --git a/eaaf_core_utils/checks/spotbugs-exclude.xml b/eaaf_core_utils/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..b42f34c2
--- /dev/null
+++ b/eaaf_core_utils/checks/spotbugs-exclude.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+ <Match>
+ <Class name="at.gv.egiz.eaaf.core.impl.utils.EaafSerializationUtils" />
+ <OR>
+ <Bug pattern="OBJECT_DESERIALIZATION" />
+ </OR>
+ </Match>
+ <Match>
+ <!-- Paths and URLs only loaded from configuration -->
+ <Class name="at.gv.egiz.eaaf.core.impl.utils.FileUtils" />
+ <OR>
+ <Bug pattern="URLCONNECTION_SSRF_FD" />
+ <Bug pattern="PATH_TRAVERSAL_IN" />
+ </OR>
+ </Match>
+ <Match>
+ <!-- Paths and URLs only loaded from configuration -->
+ <Class name="at.gv.egiz.eaaf.core.impl.utils.KeyStoreUtils" />
+ <OR>
+ <Bug pattern="URLCONNECTION_SSRF_FD" />
+ <Bug pattern="PATH_TRAVERSAL_IN" />
+ </OR>
+ </Match>
+</FindBugsFilter> \ No newline at end of file
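Review bot: The `OBJECT_DESERIALIZATION` exclusion for `EaafSerializationUtils` is the only match in the file without a justification comment, and it is the finding that most needs one, since whether it is acceptable depends entirely on where the serialized bytes come from. Add a comment stating the trust boundary, e.g. `<!-- only deserializes objects this application serialized into its own storage; never remote input -->`, and if that claim cannot be made, keep the finding open and restrict the accepted classes (an `ObjectInputFilter` allow-list, where the runtime provides it) rather than excluding it. The single-child `<OR>` is redundant here, and the file ends without a trailing newline.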
diff --git a/eaaf_core_utils/pom.xml b/eaaf_core_utils/pom.xml
index 947faf4b..c7cefa8d 100644
--- a/eaaf_core_utils/pom.xml
+++ b/eaaf_core_utils/pom.xml
@@ -181,6 +181,16 @@
</dependencies>
</plugin>
+ <plugin>
+ <groupId>com.github.spotbugs</groupId>
+ <artifactId>spotbugs-maven-plugin</artifactId>
+ <version>${spotbugs-maven-plugin.version}</version>
+ <configuration>
+ <failOnError>true</failOnError>
+ <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+ </configuration>
+ </plugin>
+
</plugins>
</build>
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
index 8ec5f3a8..cfb4ed88 100644
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
+++ b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/SecurePendingRequestIdGenerationStrategy.java
@@ -2,8 +2,8 @@ package at.gv.egiz.eaaf.core.impl.utils;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
+import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
-import java.util.Arrays;
import java.util.Base64;
import javax.annotation.PostConstruct;
@@ -109,7 +109,8 @@ public class SecurePendingRequestIdGenerationStrategy
log.trace("Checking HMAC from externalPendingReqId ... ");
final byte[] tokenDigest = Base64.getDecoder().decode(tokenElements[2]);
final byte[] refDigist = calculateHmac(buildInternalToken(internalPendingReqId, timeStamp));
- if (!Arrays.equals(tokenDigest, refDigist)) {
+
+ if (!MessageDigest.isEqual(refDigist,tokenDigest)) {
log.warn("Digest of Token does NOT match");
log.debug("Token: {} | Ref: {}", tokenDigest, refDigist);
throw new PendingReqIdValidationException(null, "internal.pendingreqid.04");
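Review bot: The switch to `MessageDigest.isEqual` gives a constant-time comparison, but the next line `log.debug("Token: {} | Ref: {}", tokenDigest, refDigist)` writes the expected HMAC for that internal pending-request id to the log (SLF4J expands byte arrays element-wise), so anyone with read access to debug logs learns the exact value the check protects; log only that the digest mismatched, or at most the token's length, e.g. `log.debug("Token digest length: {}", tokenDigest.length);`. Style: `isEqual(refDigist,tokenDigest)` lacks a space after the comma, and the blank line inserted before the `if` separates the comparison from the values it compares. The enclosing method continues past the hunk.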
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
index 6550b026..cfa8868e 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/AbstractJsonSecurityUtilsTest.java
@@ -150,7 +150,32 @@ public abstract class AbstractJsonSecurityUtilsTest {
final String encData = jwe.getCompactSerialization();
Assert.assertNotNull("JWE", encData);
+
+ /*
+ //decrypt it again
+ final JsonWebEncryption jweDecrypt = new JsonWebEncryption();
+ jweDecrypt.setCompactSerialization(encData);
+ jweDecrypt.setKey(JoseUtils.convertToBcKeyIfRequired(key.getFirst()));
+
+
+ // set special provider if required
+ if (rsaEncKeyStore.getSecond() != null) {
+ final ProviderContext providerCtx = new ProviderContext();
+ providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName());
+ providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+ jweDecrypt.setProviderContext(providerCtx);
+ } else {
+ final ProviderContext providerCtx = new ProviderContext();
+ providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+ jweDecrypt.setProviderContext(providerCtx);
+
+ }
+
+ String decPayload = jweDecrypt.getPayload();
+ Assert.assertNotNull("decrypted Payload", decPayload);
+ Assert.assertEquals("Decrypted message not match", payLoad, decPayload);
+ */
}
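Review bot: Twenty-odd lines of decrypt-and-verify code are committed inside a `/* … */` block with no explanation, while the same sequence is added live in the later test method of this file; a disabled copy without a stated reason rots quickly. Either enable it, or delete it and add a one-line comment stating why the round trip cannot be checked for this key type, e.g. `// decryption round trip not verified here: <reason>`. The enclosing test method starts outside the hunk.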
@@ -171,8 +196,7 @@ public abstract class AbstractJsonSecurityUtilsTest {
// set special provider if required
if (rsaEncKeyStore.getSecond() != null) {
final ProviderContext providerCtx = new ProviderContext();
- providerCtx.getSuppliedKeyProviderContext().setSignatureProvider(
- rsaEncKeyStore.getSecond().getName());
+ providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName());
providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
jwe.setProviderContext(providerCtx);
@@ -188,6 +212,30 @@ public abstract class AbstractJsonSecurityUtilsTest {
Assert.assertNotNull("JWE", encData);
+ //decrypt it again
+ final JsonWebEncryption jweDecrypt = new JsonWebEncryption();
+ jweDecrypt.setCompactSerialization(encData);
+ jweDecrypt.setKey(JoseUtils.convertToBcKeyIfRequired(key.getFirst()));
+
+
+ // set special provider if required
+ if (rsaEncKeyStore.getSecond() != null) {
+ final ProviderContext providerCtx = new ProviderContext();
+ providerCtx.getSuppliedKeyProviderContext().setGeneralProvider(rsaEncKeyStore.getSecond().getName());
+ providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+ jweDecrypt.setProviderContext(providerCtx);
+
+ } else {
+ final ProviderContext providerCtx = new ProviderContext();
+ providerCtx.getGeneralProviderContext().setGeneralProvider(BouncyCastleProvider.PROVIDER_NAME);
+ jweDecrypt.setProviderContext(providerCtx);
+
+ }
+
+ String decPayload = jweDecrypt.getPayload();
+ Assert.assertNotNull("decrypted Payload", decPayload);
+ Assert.assertEquals("Decrypted message not match", payLoad, decPayload);
+
}
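Review bot: The provider-context setup for `jweDecrypt` repeats, line for line, the block already used for `jwe` earlier in the same method; extract a small helper that returns a configured `ProviderContext` for a given key-store provider and call it from both places. `String decPayload` should be `final` to match the surrounding declarations. The enclosing method starts outside the hunk.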
diff --git a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
index 4f8b2a23..b01330d2 100644
--- a/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
+++ b/eaaf_modules/eaaf_module_auth_sl20/src/test/java/at/gv/egiz/eaaf/modules/auth/sl20/utils/JsonSecurityUtilsHsmKeyTest.java
@@ -3,21 +3,24 @@ package at.gv.egiz.eaaf.modules.auth.sl20.utils;
import java.security.KeyStore;
import java.security.Provider;
-import at.gv.egiz.eaaf.core.exceptions.EaafException;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
-import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-
import org.apache.commons.lang3.StringUtils;
import org.junit.Before;
import org.junit.runner.RunWith;
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import at.gv.egiz.eaaf.core.exceptions.EaafException;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration;
+import at.gv.egiz.eaaf.core.impl.credential.KeyStoreConfiguration.KeyStoreType;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+
@RunWith(SpringJUnit4ClassRunner.class)
@ContextConfiguration("/spring/test_eaaf_sl20_hsm.beans.xml")
public class JsonSecurityUtilsHsmKeyTest extends AbstractJsonSecurityUtilsTest {
+ /**
+ * Initialize jUnit test.
+ */
@Before
public void initialize() {
config.putConfigValue("modules.sl20.security.sigalg.rsa", "RS256");
diff --git a/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..b1d216dc
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_core/checks/spotbugs-exclude.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+ <Match>
+ <!-- allow logging of SAML2 message on trace level -->
+ <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpPostDecoder"/>
+ <Method name="getBase64DecodedMessage" />
+ <Bug pattern="CRLF_INJECTION_LOGS" />
+ </Match>
+ <Match>
+ <!-- allow logging of SAML2 relaystate on debug level -->
+ <Class name="at.gv.egiz.eaaf.modules.pvp2.impl.opensaml.EaafHttpRedirectDeflateDecoder"/>
+ <Method name="doDecode" />
+ <Bug pattern="CRLF_INJECTION_LOGS" />
+ </Match>
+</FindBugsFilter>
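Review bot: Both Match entries suppress CRLF_INJECTION_LOGS without recording whether the logged SAML message and RelayState are neutralised first; both values are attacker-controlled request parameters, so a CR/LF inside RelayState can forge log lines even at debug level. Since this commit also brings org.owasp.encoder under dependency management, the finding can be fixed instead of excluded, e.g. `log.debug("RelayState: {}", Encode.forJava(relayState));` (or `StringUtils.replaceChars(relayState, "\r\n", "")` if the extra dependency is unwanted in this module), and the second Match dropped. If the exclusions are kept, the comments should state why the value is safe to log, and the first one should note that trace level writes the full, not-yet-verified SAML payload to the log.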
diff --git a/eaaf_modules/eaaf_module_pvp2_core/pom.xml b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
index 86a66f4e..45819787 100644
--- a/eaaf_modules/eaaf_module_pvp2_core/pom.xml
+++ b/eaaf_modules/eaaf_module_pvp2_core/pom.xml
@@ -55,6 +55,10 @@
<artifactId>xmlsec</artifactId>
</dependency>
<dependency>
+ <groupId>org.cryptacular</groupId>
+ <artifactId>cryptacular</artifactId>
+ </dependency>
+ <dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15to18</artifactId>
</dependency>
@@ -168,6 +172,16 @@
</dependencies>
</plugin>
+ <plugin>
+ <groupId>com.github.spotbugs</groupId>
+ <artifactId>spotbugs-maven-plugin</artifactId>
+ <version>${spotbugs-maven-plugin.version}</version>
+ <configuration>
+ <failOnError>true</failOnError>
+ <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+ </configuration>
+ </plugin>
+
</plugins>
</build>
</project>
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml b/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml
new file mode 100644
index 00000000..855f39bd
--- /dev/null
+++ b/eaaf_modules/eaaf_module_pvp2_idp/checks/spotbugs-exclude.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<FindBugsFilter>
+ <Match>
+ <!-- allow SHA-1, because transient SubjectNameIDs should have the same pattern as bPKs -->
+ <Class name="at.gv.egiz.eaaf.modules.pvp2.idp.impl.builder.Pvp2AssertionBuilder"/>
+ <Method name="buildAssertion" />
+ <Bug pattern="WEAK_MESSAGE_DIGEST_SHA1" />
+ </Match>
+ <Match>
+ <!-- allow logging of SAML2 request parameters -->
+ <Class name="at.gv.egiz.eaaf.modules.pvp2.idp.impl.AbstractPvp2XProtocol"/>
+ <Bug pattern="CRLF_INJECTION_LOGS" />
+ </Match>
+</FindBugsFilter>
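Review bot: The second Match suppresses CRLF_INJECTION_LOGS for the whole AbstractPvp2XProtocol class with no `<Method>` element, so any future log statement in that class that echoes request data is silently excluded too; narrow it to the method(s) that log the SAML request parameters, as the pvp2_core filter does, or neutralise the values before logging. The SHA-1 exemption is method-wide as well, so an unrelated SHA-1 use added later to buildAssertion would also be hidden. The justification "same pattern as bPKs" only holds if the hashed input is a fresh random value and not a stable identifier; record that in the comment, e.g. `<!-- SHA-1 only shapes a random per-session value into a bPK-like transient NameID; not used for integrity -->`, and if the input does include a stable identifier, revisit whether SHA-256 or a keyed MAC should be used instead.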
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml
index 3840c8d9..b92d0f56 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/pom.xml
+++ b/eaaf_modules/eaaf_module_pvp2_idp/pom.xml
@@ -91,6 +91,16 @@
</dependencies>
</plugin>
+ <plugin>
+ <groupId>com.github.spotbugs</groupId>
+ <artifactId>spotbugs-maven-plugin</artifactId>
+ <version>${spotbugs-maven-plugin.version}</version>
+ <configuration>
+ <failOnError>true</failOnError>
+ <excludeFilterFile>checks/spotbugs-exclude.xml</excludeFilterFile>
+ </configuration>
+ </plugin>
+
</plugins>
</build>
</project>
diff --git a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
index b7b18f0f..d2ed2c11 100644
--- a/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
+++ b/eaaf_modules/eaaf_module_pvp2_idp/src/main/java/at/gv/egiz/eaaf/modules/pvp2/idp/impl/builder/Pvp2AssertionBuilder.java
@@ -26,26 +26,6 @@ import java.util.List;
import javax.naming.ConfigurationException;
-import at.gv.egiz.eaaf.core.api.data.EaafConstants;
-import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper;
-import at.gv.egiz.eaaf.core.api.idp.IAuthData;
-import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
-import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface;
-import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
-import at.gv.egiz.eaaf.core.impl.data.Pair;
-import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
-import at.gv.egiz.eaaf.core.impl.utils.Random;
-import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
-import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
-import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException;
-import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest;
-import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier;
-import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
-
import org.apache.commons.lang3.StringUtils;
import org.joda.time.DateTime;
import org.opensaml.saml.common.xml.SAMLConstants;
@@ -79,6 +59,26 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.util.Base64Utils;
+import at.gv.egiz.eaaf.core.api.data.EaafConstants;
+import at.gv.egiz.eaaf.core.api.data.ILoALevelMapper;
+import at.gv.egiz.eaaf.core.api.idp.IAuthData;
+import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.slo.SloInformationInterface;
+import at.gv.egiz.eaaf.core.exceptions.UnavailableAttributeException;
+import at.gv.egiz.eaaf.core.impl.data.Pair;
+import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
+import at.gv.egiz.eaaf.core.impl.utils.Random;
+import at.gv.egiz.eaaf.modules.pvp2.PvpConstants;
+import at.gv.egiz.eaaf.modules.pvp2.exception.Pvp2Exception;
+import at.gv.egiz.eaaf.modules.pvp2.exception.QaaNotSupportedException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.exception.UnprovideableAttributeException;
+import at.gv.egiz.eaaf.modules.pvp2.idp.impl.PvpSProfilePendingRequest;
+import at.gv.egiz.eaaf.modules.pvp2.impl.builder.PvpAttributeBuilder;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.QaaLevelVerifier;
+import at.gv.egiz.eaaf.modules.pvp2.impl.utils.Saml2Utils;
+
@Service("PVP2AssertionBuilder")
public class Pvp2AssertionBuilder implements PvpConstants {
diff --git a/pom.xml b/pom.xml
index c9f7309a..585310ce 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,7 +11,7 @@
<name>EGIZ EAAF components</name>
- <properties>
+ <properties>
<!-- General project properties -->
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<java.version>1.8</java.version>
@@ -50,6 +50,7 @@
<org.springframework.version>5.2.8.RELEASE</org.springframework.version>
<org.opensaml.version>3.4.5</org.opensaml.version>
<org.apache.santuario.xmlsec.version>2.2.0</org.apache.santuario.xmlsec.version>
+ <org.cryptacular.version>1.2.4</org.cryptacular.version>
<org.bouncycastle.bcprov-jdk15to18.version>1.67</org.bouncycastle.bcprov-jdk15to18.version>
<org.bouncycastle.bctls-jdk15to18.version>1.67</org.bouncycastle.bctls-jdk15to18.version>
@@ -67,6 +68,7 @@
<joda-time.version>2.10.8</joda-time.version>
<jsr305.version>3.0.2</jsr305.version>
<com.google.guava.version>30.0-jre</com.google.guava.version>
+ <org.owasp.encoder.version>1.2.3</org.owasp.encoder.version>
<httpclient.version>4.5.13</httpclient.version>
<httpcore.version>4.4.14</httpcore.version>
@@ -80,7 +82,7 @@
<!-- jUnit testing -->
<surefire.version>2.22.1</surefire.version>
- <junit.version>4.12</junit.version>
+ <junit.version>4.13.1</junit.version>
<com.squareup.okhttp3.version>4.4.1</com.squareup.okhttp3.version>
<!-- Code helper plug-ins -->
@@ -91,6 +93,7 @@
<maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version>
<maven-pmd-plugin.version>3.14.0</maven-pmd-plugin.version>
<spotbugs-maven-plugin.version>4.1.4</spotbugs-maven-plugin.version>
+ <findsecbugs-plugin.version>1.11.0</findsecbugs-plugin.version>
<dependency-check-maven.version>6.0.3</dependency-check-maven.version>
<license.outputDirectory>${project.build.directory}/thirdparty_licenses</license.outputDirectory>
@@ -106,7 +109,7 @@
<repository>
<id>gitlab-localbuild</id>
<url>https://gitlab.iaik.tugraz.at/api/v4/groups/119/-/packages/maven</url>
- </repository>
+ </repository>
<repository>
<id>egiz-commons</id>
<url>https://apps.egiz.gv.at/maven/</url>
@@ -196,7 +199,7 @@
</plugin>
</plugins>
</build>
- </profile>
+ </profile>
</profiles>
<modules>
@@ -204,6 +207,7 @@
<module>eaaf_core_utils</module>
<module>eaaf_core</module>
<module>eaaf_modules</module>
+ <module>build_reporting</module>
</modules>
<dependencyManagement>
@@ -217,7 +221,38 @@
<groupId>at.gv.egiz.eaaf</groupId>
<artifactId>eaaf_core_utils</artifactId>
<version>${egiz.eaaf.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf-core</artifactId>
+ <version>${egiz.eaaf.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_module_auth_sl20</artifactId>
+ <version>${egiz.eaaf.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_module_moa-sig</artifactId>
+ <version>${egiz.eaaf.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_module_pvp2_core</artifactId>
+ <version>${egiz.eaaf.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_module_pvp2_idp</artifactId>
+ <version>${egiz.eaaf.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>at.gv.egiz.eaaf</groupId>
+ <artifactId>eaaf_module_pvp2_sp</artifactId>
+ <version>${egiz.eaaf.version}</version>
</dependency>
+
<dependency>
<groupId>at.gv.egiz.components</groupId>
<artifactId>eventlog-api</artifactId>
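Review bot: The new managed entries mix `eaaf-core` with the underscore style of `eaaf_core_utils` and `eaaf_module_*`, plus the hybrid `eaaf_module_moa-sig`; a managed artifactId that does not match the module's real artifactId fails silently, because the managed version simply never applies. Verify each against the module pom.xml (the directory is `eaaf_core`, so `eaaf-core` in particular looks like it should be checked) and consider a comment such as `<!-- artifactIds must match the module poms exactly; a mismatch is not reported -->` above the group.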
@@ -355,7 +390,7 @@
<groupId>javax.annotation</groupId>
<artifactId>javax.annotation-api</artifactId>
<version>${javax.annotation-api}</version>
- </dependency>
+ </dependency>
<dependency>
<groupId>commons-collections</groupId>
<artifactId>commons-collections</artifactId>
@@ -432,6 +467,13 @@
<version>${org.apache.santuario.xmlsec.version}</version>
</dependency>
<dependency>
+ <!-- Set newer version, because 1.1.3 from openSAML dependency has
+ an CVE-2020-7226 -->
+ <groupId>org.cryptacular</groupId>
+ <artifactId>cryptacular</artifactId>
+ <version>${org.cryptacular.version}</version>
+ </dependency>
+ <dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15to18</artifactId>
<version>${org.bouncycastle.bcprov-jdk15to18.version}</version>
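Review bot: The comment should say what the pin does: a version in `dependencyManagement` overrides the transitive 1.1.3 that OpenSAML pulls in for every module, whereas the direct dependency added in pvp2_core is only needed if that module references cryptacular classes itself. Reword to `<!-- Managed version overrides the transitive 1.1.3 from OpenSAML, which is affected by CVE-2020-7226 (fixed in 1.2.4) -->`. Confirm with `mvn dependency:tree -Dincludes=org.cryptacular` that no module still resolves 1.1.3, for example through a dependency that declares its own version, so that dependency-check-maven stops reporting it.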
@@ -439,7 +481,7 @@
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bctls-jdk15to18</artifactId>
- <version>${org.bouncycastle.bctls-jdk15to18.version}</version>
+ <version>${org.bouncycastle.bctls-jdk15to18.version}</version>
</dependency>
<dependency>
@@ -481,6 +523,12 @@
</dependency>
<dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>${org.owasp.encoder.version}</version>
+ </dependency>
+
+ <dependency>
<groupId>joda-time</groupId>
<artifactId>joda-time</artifactId>
<version>${joda-time.version}</version>
@@ -527,7 +575,7 @@
<artifactId>okhttp-tls</artifactId>
<version>${com.squareup.okhttp3.version}</version>
<scope>test</scope>
- </dependency>
+ </dependency>
<dependency>
<groupId>at.gv.egiz.eaaf</groupId>
<artifactId>eaaf_core_utils</artifactId>
@@ -581,6 +629,8 @@
<version>${surefire.version}</version>
<configuration>
<threadCount>1</threadCount>
+ <!-- Sets the VM argument line used when unit tests are run. -->
+ <argLine>${surefireArgLine}</argLine>
</configuration>
<dependencies>
<dependency>
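Review bot: `${surefireArgLine}` is only defined when jacoco's prepare-agent execution runs; with `-Djacoco.skip=true`, or in a module or profile where that execution is not bound, Maven leaves the literal text in place and surefire starts the forked JVM with the unresolvable argument `${surefireArgLine}`, failing the whole test run. Declare a default in `<properties>`, `<surefireArgLine></surefireArgLine>`, and use late replacement, `<argLine>@{surefireArgLine}</argLine>`, so the value jacoco sets at runtime is still picked up although the property is pre-defined. The property name itself is configured in the jacoco execution outside this hunk.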
@@ -633,6 +683,9 @@
<goals>
<goal>prepare-agent</goal>
</goals>
+ <configuration>
+ <propertyName>surefireArgLine</propertyName>
+ </configuration>
</execution>
<execution>
<id>post-unit-report</id>
@@ -643,7 +696,7 @@
<configuration>
<outputDirectory>target/jacoco-report</outputDirectory>
</configuration>
- </execution>
+ </execution>
<execution>
<id>post-unit-check</id>
<phase>test</phase>
@@ -670,7 +723,7 @@
</rule>
</rules>
</configuration>
- </execution>
+ </execution>
</executions>
</plugin>
@@ -716,6 +769,13 @@
</executions>
<configuration>
<failOnError>true</failOnError>
+ <plugins>
+ <plugin>
+ <groupId>com.h3xstream.findsecbugs</groupId>
+ <artifactId>findsecbugs-plugin</artifactId>
+ <version>${findsecbugs-plugin.version}</version>
+ </plugin>
+ </plugins>
</configuration>
</plugin>
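Review bot: Enabling findsecbugs without `<effort>Max</effort>` and `<threshold>Low</threshold>` leaves spotbugs at its default effort and priority filter, which hides the security detectors' lower-confidence findings (the find-sec-bugs documentation recommends both settings); unless they are set in the part of this `<configuration>` outside the hunk, add them next to `<failOnError>`. With `failOnError` in place the per-module exclude files become the only way to silence a finding, so changes to them should be reviewed like code and each Match should carry a justification.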
@@ -724,18 +784,20 @@
</build>
<reporting>
- <plugins>
+ <plugins>
<plugin>
<groupId>org.jacoco</groupId>
- <artifactId>jacoco-maven-plugin</artifactId>
- <reportSets>
- <reportSet>
- <reports>
- <report>report</report>
- </reports>
- </reportSet>
- </reportSets>
+ <artifactId>jacoco-maven-plugin</artifactId>
+ <configuration>
+ <title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title>
+ <outputDirectory>${project.reporting.outputDirectory}/jacoco-aggregate-ut</outputDirectory>
+ <dataFileExcludes>
+ <!-- exclude coverage data of integration tests -->
+ <dataFileExclude>**/target/jacoco-it.exec</dataFileExclude>
+ </dataFileExcludes>
+ </configuration>
</plugin>
+
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-pmd-plugin</artifactId>
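Review bot: `<title>Maven Multimodule Coverage Demo: Coverage of Unit Tests</title>` is the heading from the jacoco multi-module example and will show on the published report; replace it with something like `<title>EGIZ EAAF components: unit test coverage</title>`. The old `<reportSets>` selecting `report` was removed and nothing selects a report goal now; the `jacoco-aggregate-ut` output directory and the `jacoco-it.exec` exclusion suggest an aggregate report is intended, which in the jacoco example is obtained by a reportSet naming `report-aggregate` in the aggregating module (presumably the new build_reporting module), so confirm the intended report is actually generated from this parent-level configuration.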