diff options
10 files changed, 334 insertions, 4 deletions
| diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/AbstractAuthenticationManager.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/AbstractAuthenticationManager.java index 78653cf8..c93f872a 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/AbstractAuthenticationManager.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/AbstractAuthenticationManager.java @@ -50,6 +50,8 @@ import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;  import at.gv.egiz.eaaf.core.impl.idp.auth.modules.ModuleRegistration;  import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;  import at.gv.egiz.eaaf.core.impl.idp.process.ExecutionContextImpl; +import at.gv.egiz.eaaf.core.impl.idp.validation.IHttpRequestValidator; +import at.gv.egiz.eaaf.core.impl.idp.validation.NothingHttpRequestValidatior;  import at.gv.egiz.eaaf.core.impl.utils.TransactionIdUtils;  import jakarta.annotation.PostConstruct;  import jakarta.servlet.ServletException; @@ -80,6 +82,8 @@ public abstract class AbstractAuthenticationManager implements IAuthenticationMa    protected IRevisionLogger revisionsLogger;    @Autowired(required = false)    protected ISsoManager ssoManager; +  @Autowired(required = false) +  protected IHttpRequestValidator httpRequestValidator = new NothingHttpRequestValidatior();    ModuleRegistration moduleRegistration; @@ -146,6 +150,9 @@ public abstract class AbstractAuthenticationManager implements IAuthenticationMa        throw new NoPassivAuthenticationException();      } +    // inject additional security information +    httpRequestValidator.setValidationInfos(httpResp, pendingReq); +      // check Single Sign-On functionality if SSOManager is available      boolean isValidSsoSession = false;      if (ssoManager != null) { diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/AbstractController.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/AbstractController.java index 41d15743..49aa2b35 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/AbstractController.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/AbstractController.java @@ -40,11 +40,14 @@ import at.gv.egiz.eaaf.core.api.logging.IRevisionLogger;  import at.gv.egiz.eaaf.core.api.storage.ITransactionStorage;  import at.gv.egiz.eaaf.core.api.utils.IPendingRequestIdGenerationStrategy;  import at.gv.egiz.eaaf.core.exceptions.EaafException; +import at.gv.egiz.eaaf.core.exceptions.EaafSecurityException;  import at.gv.egiz.eaaf.core.exceptions.PendingReqIdValidationException;  import at.gv.egiz.eaaf.core.exceptions.ProcessExecutionException;  import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;  import at.gv.egiz.eaaf.core.impl.data.ExceptionContainer;  import at.gv.egiz.eaaf.core.impl.data.Pair; +import at.gv.egiz.eaaf.core.impl.idp.validation.IHttpRequestValidator; +import at.gv.egiz.eaaf.core.impl.idp.validation.NothingHttpRequestValidatior;  import jakarta.servlet.http.HttpServletRequest;  import jakarta.servlet.http.HttpServletResponse; @@ -75,6 +78,9 @@ public abstract class AbstractController {    @Autowired    protected IPendingRequestIdGenerationStrategy reqIdGenerationStrategy; +  @Autowired(required = false) +  protected IHttpRequestValidator httpRequestValidator = new NothingHttpRequestValidatior(); +    /**     * EAAF framework exception handler.     * @@ -145,6 +151,19 @@ public abstract class AbstractController {    } +  /** +   * Extension point to implement additional request validation. +   *  +   * @param httpReq    Current HTTP request +   * @param pendingReq Current pending-request selected by pendingRequestId +   * @throws EaafSecurityException In case of a validation error +   */ +  protected void extendedRequestValidation(@Nonnull final HttpServletRequest httpReq, +      @Nonnull final IRequest pendingReq) throws EaafSecurityException { +    httpRequestValidator.validate(httpReq, pendingReq); + +  } +    protected void handleError(final String errorMessage, final Throwable exceptionThrown,        final HttpServletRequest req, final HttpServletResponse resp, IRequest pendingReq)        throws IOException, EaafException { diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/AbstractProcessEngineSignalController.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/AbstractProcessEngineSignalController.java index 46de6167..17d240cb 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/AbstractProcessEngineSignalController.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/AbstractProcessEngineSignalController.java @@ -22,8 +22,6 @@ package at.gv.egiz.eaaf.core.impl.idp.controller;  import java.io.IOException;  import org.apache.commons.text.StringEscapeUtils; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory;  import org.springframework.beans.factory.annotation.Autowired;  import at.gv.egiz.eaaf.core.api.IRequest; @@ -37,16 +35,17 @@ import at.gv.egiz.eaaf.core.exceptions.PendingReqIdValidationException;  import at.gv.egiz.eaaf.core.impl.utils.TransactionIdUtils;  import jakarta.servlet.http.HttpServletRequest;  import jakarta.servlet.http.HttpServletResponse; +import lombok.extern.slf4j.Slf4j;  /**   * Servlet that resumes a suspended process (in case of asynchronous tasks).   *   * @author tknall + * @author tlenz   *   */ +@Slf4j  public abstract class AbstractProcessEngineSignalController extends AbstractController { -  private static final Logger log = -      LoggerFactory.getLogger(AbstractProcessEngineSignalController.class);    @Autowired(required = true)    protected ProcessEngine processEngine; @@ -75,6 +74,9 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont        // change pending-request ID        requestStorage.changePendingRequestID(pendingReq); +      // extended validation of in-comming HTTP requests +      extendedRequestValidation(req, pendingReq); +              // process instance is mandatory        if (pendingReq.getProcessInstanceId() == null) {          throw new EaafIllegalStateException( @@ -99,6 +101,8 @@ public abstract class AbstractProcessEngineSignalController extends AbstractCont    } + +    /**     * Retrieves the current pending-request id from the HttpServletRequest     * parameter diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/ProtocolFinalizationController.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/ProtocolFinalizationController.java index a52d2fda..6f8790b2 100644 --- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/ProtocolFinalizationController.java +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/controller/ProtocolFinalizationController.java @@ -237,6 +237,9 @@ public class ProtocolFinalizationController extends AbstractController {        //set MDC variables        TransactionIdUtils.setAllLoggingVariables(pendingReq); +      // extended validation of in-comming HTTP requests +      extendedRequestValidation(req, pendingReq); +        //perform protocol finalization steps        protAuthService.finalizeAuthentication(req, resp, pendingReq); diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java new file mode 100644 index 00000000..98da0c46 --- /dev/null +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/CookieBasedRequestValidator.java @@ -0,0 +1,77 @@ +package at.gv.egiz.eaaf.core.impl.idp.validation; + +import java.net.MalformedURLException; +import java.net.URL; +import java.util.UUID; + +import org.apache.commons.lang3.StringUtils; +import org.springframework.web.util.WebUtils; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.exceptions.EaafSecurityException; +import at.gv.egiz.eaaf.core.exceptions.EaafStorageException; +import jakarta.annotation.Nonnull; +import jakarta.servlet.http.Cookie; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import lombok.extern.slf4j.Slf4j; + +/** + * Validate incoming requests based in HTTP cookies. + */ +@Slf4j +public class CookieBasedRequestValidator implements IHttpRequestValidator { + +  public static final String HTTP_COOKIE_SEC = "eaafSession"; + +  @Override +  public void setValidationInfos(@Nonnull final HttpServletResponse httpResponse, +      @Nonnull final IRequest pendingReq) throws EaafSecurityException { +    try { +      log.debug("Injecting authentication-process HTTP cookie ... "); +      String authProcessIdentifier = UUID.randomUUID().toString(); +      httpResponse.addCookie(generatePendingRequestIdCookie(authProcessIdentifier, pendingReq)); +      pendingReq.setRawDataToTransaction(HTTP_COOKIE_SEC, authProcessIdentifier); + +    } catch (MalformedURLException | EaafStorageException e) { +      throw new EaafSecurityException("process.81", e); +    } + +  } + +  @Override +  public void validate(@Nonnull final HttpServletRequest httpReq, +      @Nonnull final IRequest pendingReq) throws EaafSecurityException { +    String storedAuthProcessIdentifier = pendingReq.getRawData(HTTP_COOKIE_SEC, String.class); +     +    if (StringUtils.isNotEmpty(storedAuthProcessIdentifier)) { +      Cookie authProcessIdentifier = WebUtils.getCookie(httpReq, HTTP_COOKIE_SEC); +      if (storedAuthProcessIdentifier.equals(authProcessIdentifier.getValue())) { +        log.trace("Stored authentication-process HTTP cookie matches. Resume process ... "); +         +      } else { +        log.info("Stored authentication-process-Id:{} does not match to Id from HTTP cookie:{}", +            storedAuthProcessIdentifier, authProcessIdentifier); +        throw new EaafSecurityException("process.80"); +         +      } +       +    } else { +      log.debug("No stored authentication-process HTTP cookie. Skipping validation ... "); +       +    } +  } + +  private Cookie generatePendingRequestIdCookie(final String authProcessIdentifier, final IRequest pendingReq) +      throws MalformedURLException { +    Cookie cookie = new Cookie( +        HTTP_COOKIE_SEC, authProcessIdentifier); +    cookie.setHttpOnly(true); +    cookie.setSecure(true); +    URL url = new URL(pendingReq.getAuthUrlWithOutSlash()); +    cookie.setPath(url.getPath()); +    return cookie; + +  } + +} diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/IHttpRequestValidator.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/IHttpRequestValidator.java new file mode 100644 index 00000000..5c5e0ba1 --- /dev/null +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/IHttpRequestValidator.java @@ -0,0 +1,31 @@ +package at.gv.egiz.eaaf.core.impl.idp.validation; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.exceptions.EaafSecurityException; +import jakarta.annotation.Nonnull; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; + +public interface IHttpRequestValidator { + +  /** +   * Set validation information to current process. +   *  +   * @param httpResponse Current HTTP response +   * @param pendingReq   Current pendingRequest +   * @throws EaafSecurityException In case of an internal processing error +   */ +  void setValidationInfos(@Nonnull final HttpServletResponse httpResponse, +      @Nonnull final IRequest pendingReq) throws EaafSecurityException; + +  /** +   * Validate incoming HTTP requests. +   *  +   * @param httpReq    Current HTTP request +   * @param pendingReq Current pending-request selected by pendingRequestId +   * @throws EaafSecurityException In case of a validation error +   */ +  void validate(HttpServletRequest httpReq, +      IRequest pendingReq) throws EaafSecurityException; + +}
\ No newline at end of file diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/NothingHttpRequestValidatior.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/NothingHttpRequestValidatior.java new file mode 100644 index 00000000..073dbbd0 --- /dev/null +++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/validation/NothingHttpRequestValidatior.java @@ -0,0 +1,28 @@ +package at.gv.egiz.eaaf.core.impl.idp.validation; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.exceptions.EaafSecurityException; +import jakarta.servlet.http.HttpServletRequest; +import jakarta.servlet.http.HttpServletResponse; +import lombok.extern.slf4j.Slf4j; + +/** + * Blank HTTP request validation with no validation. + */ +@Slf4j +public class NothingHttpRequestValidatior implements IHttpRequestValidator { + +  @Override +  public void validate(HttpServletRequest httpReq, IRequest pendingReq) +      throws EaafSecurityException { +    log.trace("Extended HTTP request validation is not implemented ... "); + +  } + +  @Override +  public void setValidationInfos(HttpServletResponse httpResponse, IRequest pendingReq) +      throws EaafSecurityException { + +  } + +} diff --git a/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties b/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties index c5cb1bb1..a88523f2 100644 --- a/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties +++ b/eaaf_core/src/main/resources/messages/eaaf_core_messages.properties @@ -13,6 +13,9 @@ process.02=Find no applicable authentication process for current state or user-s  process.03=Can not resume the authentication process. Reason: {0}  process.04=Can not execute authentication process. Problem with an internal state +process.80=Can not continue authentication process, because HTTP security validation failed.  +process.81=Can not continue authentication process, because can initialize security context. +  process.90=Forward to service-provider not possible, because it's not supported.   process.98=Not supported internal state. Reason: {0} diff --git a/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/test/impl/idp/validation/CookieBasedRequestValidatorTest.java b/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/test/impl/idp/validation/CookieBasedRequestValidatorTest.java new file mode 100644 index 00000000..9e02fc91 --- /dev/null +++ b/eaaf_core/src/test/java/at/gv/egiz/eaaf/core/test/impl/idp/validation/CookieBasedRequestValidatorTest.java @@ -0,0 +1,115 @@ +package at.gv.egiz.eaaf.core.test.impl.idp.validation; + +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.junit.jupiter.api.Assertions.assertThrows; + +import java.util.UUID; + +import org.junit.Before; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.test.context.ContextConfiguration; +import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; + +import at.gv.egiz.eaaf.core.api.IRequest; +import at.gv.egiz.eaaf.core.exceptions.EaafSecurityException; +import at.gv.egiz.eaaf.core.impl.idp.auth.dummy.DummyPendingRequest; +import at.gv.egiz.eaaf.core.impl.idp.validation.CookieBasedRequestValidator; +import at.gv.egiz.eaaf.core.test.dummy.DummyAuthConfigMap; +import jakarta.servlet.http.Cookie; +import lombok.SneakyThrows; + +@RunWith(SpringJUnit4ClassRunner.class) +@ContextConfiguration("/SpringTest-context_eaaf_core.xml") +public class CookieBasedRequestValidatorTest { + +  DummyAuthConfigMap config = new DummyAuthConfigMap(); + +  CookieBasedRequestValidator toCheck = new CookieBasedRequestValidator(); +  MockHttpServletRequest httpReq; +  IRequest pendingReq; + +  /** +   * jUnit test initializer. +   */ +  @Before +  @SneakyThrows +  public void initialize() { +    pendingReq = new DummyPendingRequest(); + +    httpReq = new MockHttpServletRequest("POST", "https://localhost/authhandler"); +    ((DummyPendingRequest) pendingReq).initialize(httpReq, config); + +  } + +  @Test +  @SneakyThrows +  public void setHttpCookie() { +    MockHttpServletResponse httpResp = new MockHttpServletResponse(); +    toCheck.setValidationInfos(httpResp, pendingReq); + +    // validate state +    String storedCookie = pendingReq.getRawData(CookieBasedRequestValidator.HTTP_COOKIE_SEC, String.class); +    assertNotNull("stored http cookie", storedCookie); + +    Cookie cookie = httpResp.getCookie(CookieBasedRequestValidator.HTTP_COOKIE_SEC); +    assertNotNull("response http cookie", cookie); + +    assertEquals(storedCookie, cookie.getValue(), "cookie value not match"); + +    assertTrue("httpOnly", cookie.isHttpOnly()); +    assertTrue("secured", cookie.getSecure()); + +    assertEquals("", cookie.getPath(), "wrong Context Path"); + +  } + +  @Test +  @SneakyThrows +  public void success() { +    MockHttpServletResponse httpResp = new MockHttpServletResponse(); +    toCheck.setValidationInfos(httpResp, pendingReq); + +    // validate state +    httpReq.setCookies(httpResp.getCookies()); +    toCheck.validate(httpReq, pendingReq); + +  } + +  @Test +  @SneakyThrows +  public void notCookieInSession() { +    MockHttpServletResponse httpResp = new MockHttpServletResponse(); +    toCheck.setValidationInfos(httpResp, pendingReq); + +    // validate state +    pendingReq.removeRawDataFromTransaction(CookieBasedRequestValidator.HTTP_COOKIE_SEC); + +    httpReq.setCookies(httpResp.getCookies()); +    toCheck.validate(httpReq, pendingReq); + +  } + +  @Test +  @SneakyThrows +  public void wrongCookie() { +    MockHttpServletResponse httpResp = new MockHttpServletResponse(); +    toCheck.setValidationInfos(httpResp, pendingReq); + +    // validate state + +    Cookie cookie = httpResp.getCookie(CookieBasedRequestValidator.HTTP_COOKIE_SEC); +    cookie.setValue(UUID.randomUUID().toString()); +    httpReq.setCookies(cookie); +     +    EaafSecurityException error = assertThrows(EaafSecurityException.class,  +        () -> toCheck.validate(httpReq, pendingReq)); +    assertEquals("process.80", error.getErrorId(), "wrong ErrorCode"); + +  } + +} diff --git a/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/EaafSecurityException.java b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/EaafSecurityException.java new file mode 100644 index 00000000..1a3dd67e --- /dev/null +++ b/eaaf_core_api/src/main/java/at/gv/egiz/eaaf/core/exceptions/EaafSecurityException.java @@ -0,0 +1,43 @@ +/* + * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a + * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology. + * + * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European + * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in + * compliance with the Licence. You may obtain a copy of the Licence at: + * https://joinup.ec.europa.eu/news/understanding-eupl-v12 + * + * Unless required by applicable law or agreed to in writing, software distributed under the Licence + * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express + * or implied. See the Licence for the specific language governing permissions and limitations under + * the Licence. + * + * This product combines work with different licenses. See the "NOTICE" text file for details on the + * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative + * works that you distribute must include a readable copy of the "NOTICE" text file. +*/ + +package at.gv.egiz.eaaf.core.exceptions; + +/** + * In case of a security-validation error. + */ +public class EaafSecurityException extends EaafException { + +  private static final long serialVersionUID = 1L; + +  public EaafSecurityException(final String msg) { +    super(msg, null); + +  } + +  public EaafSecurityException(final String msg, final Object[] params) { +    super(msg, params); + +  } + +  public EaafSecurityException(String msg, Exception e) { +    super(msg, null, e); +  } + +} | 
