From 57bcf96c65d2cbc18076a305a4cc61774a03d4a3 Mon Sep 17 00:00:00 2001
From: Thomas <>
Date: Wed, 20 Dec 2023 11:35:34 +0100
Subject: chore(core): add publicURLPrefix validation into some more modules
---
 .../services/ProtocolAuthenticationService.java | 35 +++++++++++-------
 .../impl/idp/auth/services/TicketErrorService.java | 12 ++++---
 .../gv/egiz/eaaf/core/impl/utils/ServletUtils.java | 41 ----------------------
 3 files changed, 29 insertions(+), 59 deletions(-)
 delete mode 100644 eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/ServletUtils.java
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
index bf449d44..84753408 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/ProtocolAuthenticationService.java
@@ -27,8 +27,6 @@ import org.apache.commons.lang3.ArrayUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.text.StringEscapeUtils;
 import org.owasp.encoder.Encode;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
 import org.springframework.lang.NonNull;
@@ -47,6 +45,7 @@ import at.gv.egiz.eaaf.core.api.gui.ModifyableGuiBuilderConfiguration;
 import at.gv.egiz.eaaf.core.api.idp.IAction;
 import at.gv.egiz.eaaf.core.api.idp.IAuthData;
 import at.gv.egiz.eaaf.core.api.idp.IAuthenticationDataBuilder;
+import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP;
 import at.gv.egiz.eaaf.core.api.idp.IModulInfo;
 import at.gv.egiz.eaaf.core.api.idp.ISpConfiguration;
 import at.gv.egiz.eaaf.core.api.idp.auth.IAuthenticationManager;
@@ -74,14 +73,17 @@ import at.gv.egiz.eaaf.core.impl.idp.auth.services.IErrorService.IHandleData;
 import at.gv.egiz.eaaf.core.impl.idp.auth.services.IErrorService.LogLevel;
 import at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController;
 import at.gv.egiz.eaaf.core.impl.idp.controller.protocols.RequestImpl;
-import at.gv.egiz.eaaf.core.impl.utils.ServletUtils;
 import jakarta.annotation.PostConstruct;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+@Slf4j
 @Service
 public class ProtocolAuthenticationService implements IProtocolAuthenticationService {
- private static final Logger log = LoggerFactory.getLogger(ProtocolAuthenticationService.class);
+
+ @Autowired(required = true)
+ protected IConfigurationWithSP authConfig;
 @Autowired(required = true)
 private ApplicationContext applicationContext;
@@ -363,12 +365,19 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 guiBuilder.build(req, resp, parentHopGuiConfig, "iFrame-to-parent");
 } else {
- // build up redirect URL
- final String redirectUrl = generateErrorRedirectUrl(req, errorKey);
- resp.setContentType("text/html");
- resp.setStatus(302);
- resp.addHeader("Location", redirectUrl);
- log.debug("REDIRECT TO: {}", redirectUrl);
+ try {
+ // build up redirect URL
+ final String redirectUrl = generateErrorRedirectUrl(req, errorKey);
+ resp.setContentType("text/html");
+ resp.setStatus(302);
+ resp.addHeader("Location", redirectUrl);
+ log.debug("REDIRECT TO: {}", redirectUrl);
+
+ } catch (EaafException e) {
+ log.error("Can not forward to error page", e);
+ throw new GuiBuildException("Redirect URL generation error", e);
+
+ }
 }
 }
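Review bot: The new catch block in the else branch turns a rejected IdP URL into a GuiBuildException from inside the error-page path itself, and that rejection is presumably triggerable by any client sending a spoofed Host header, so the caller of this method (outside the hunk) must answer with a plain HTTP error rather than re-enter error handling. For the same reason `log.error("Can not forward to error page", e)` with a full stack trace lets an unauthenticated client fill the error log at will; `log.warn("Can not forward to error page: {}", e.getMessage());` with the trace only at debug level is enough here. Catching only `EaafException` while generateErrorRedirectUrl also declares `EaafAuthenticationException` suggests the latter is a subtype (or the enclosing method already declares it), in which case the second throws clause is redundant. The enclosing method starts and ends outside the hunk.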
@@ -592,9 +601,9 @@ public class ProtocolAuthenticationService implements IProtocolAuthenticationSer
 return null;
 }
- private String generateErrorRedirectUrl(final HttpServletRequest req, String errorKey) {
- String redirectUrl = null;
- redirectUrl = ServletUtils.getBaseUrl(req);
+ private String generateErrorRedirectUrl(final HttpServletRequest req, String errorKey)
+ throws EaafAuthenticationException, EaafException {
+ String redirectUrl = authConfig.validateIdpUrl(HttpUtils.extractAuthUrlFromRequest(req));
 redirectUrl += ProtocolFinalizationController.ENDPOINT_ERRORHANDLING + "?" + EaafConstants.PARAM_HTTP_ERROR_CODE + "=" + errorKey;
 return redirectUrl;
diff --git a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/TicketErrorService.java b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/TicketErrorService.java
index 2f3abdfb..e8d6cb9a 100644
--- a/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/TicketErrorService.java
+++ b/eaaf_core/src/main/java/at/gv/egiz/eaaf/core/impl/idp/auth/services/TicketErrorService.java
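Review bot: errorKey is still appended raw to the Location query string in generateErrorRedirectUrl (`"=" + errorKey`), so a value containing `&`, `#` or a space yields a malformed or parameter-injecting redirect URL even though the host part is now validated. If errorKey can be anything other than a fixed set of internal keys, the class already imports `org.owasp.encoder.Encode`, so `+ "=" + Encode.forUriComponent(errorKey);` closes that gap with no new dependency. A short Javadoc on the method saying that the base URL is derived from the request and checked against the configured publicURLPrefix would also help, since the removed ServletUtils.getBaseUrl trusted the Host header without such a check and a future reader may be tempted to reintroduce that shortcut.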
@@ -28,16 +28,17 @@ import at.gv.egiz.eaaf.core.api.IRequest;
 import at.gv.egiz.eaaf.core.api.IStatusMessenger;
 import at.gv.egiz.eaaf.core.api.data.EaafConstants;
 import at.gv.egiz.eaaf.core.api.gui.ModifyableGuiBuilderConfiguration;
-import at.gv.egiz.eaaf.core.api.idp.IConfiguration;
+import at.gv.egiz.eaaf.core.api.idp.IConfigurationWithSP;
 import at.gv.egiz.eaaf.core.api.utils.IPendingRequestIdGenerationStrategy;
+import at.gv.egiz.eaaf.core.exceptions.EaafAuthenticationException;
 import at.gv.egiz.eaaf.core.exceptions.EaafException;
 import at.gv.egiz.eaaf.core.exceptions.TaskExecutionException;
 import at.gv.egiz.eaaf.core.impl.data.ErrorConfig;
 import at.gv.egiz.eaaf.core.impl.gui.AbstractGuiFormBuilderConfiguration;
+import at.gv.egiz.eaaf.core.impl.http.HttpUtils;
 import at.gv.egiz.eaaf.core.impl.idp.controller.ProtocolFinalizationController;
 import at.gv.egiz.eaaf.core.impl.utils.DefaultYamlMapper;
 import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
-import at.gv.egiz.eaaf.core.impl.utils.ServletUtils;
 import jakarta.annotation.PostConstruct;
 import jakarta.servlet.http.HttpServletRequest;
 import lombok.Builder;
@@ -54,7 +55,7 @@ public abstract class TicketErrorService implements IErrorService {
 @Autowired
- IConfiguration basicConfig;
+ IConfigurationWithSP basicConfig;
 @Autowired
 ResourceLoader resourceLoader;
@@ -181,8 +182,9 @@ public abstract class TicketErrorService implements IErrorService {
 }
 }
- private String generateRedirect(HttpServletRequest httpReq, String errorTokenId) {
- String redirectUrl = ServletUtils.getBaseUrl(httpReq);
+ private String generateRedirect(HttpServletRequest httpReq, String errorTokenId)
+ throws EaafAuthenticationException, EaafException {
+ String redirectUrl = basicConfig.validateIdpUrl(HttpUtils.extractAuthUrlFromRequest(httpReq));
 redirectUrl += ProtocolFinalizationController.ENDPOINT_ERROR_REDIRECT + "?" + EaafConstants.PARAM_HTTP_ERROR_CODE + "=" + StringEscapeUtils .escapeHtml4(errorTokenId);
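Review bot: generateRedirect still encodes the Location query value with `StringEscapeUtils.escapeHtml4(errorTokenId)`, which is an HTML encoder and does not protect a URL query string: `#`, `?` and spaces pass through unchanged and `&` becomes `&amp;`, which still contains a bare `&`, so the parameter is under-encoded for the URL and garbled whenever the token holds HTML-special characters. URL-encode it instead, e.g. `URLEncoder.encode(errorTokenId, StandardCharsets.UTF_8)` (java.net and java.nio.charset imports) or the OWASP `Encode.forUriComponent` the sibling ProtocolAuthenticationService already imports; if the token id is generated from a safe alphabet the encoder is harmless either way. Narrowing the injected field from IConfiguration to IConfigurationWithSP also means a deployment whose configuration bean does not implement IConfigurationWithSP now fails at startup, which deserves a sentence in the commit message or a Javadoc on the field. The statement that builds redirectUrl continues past the end of the hunk.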
diff --git a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/ServletUtils.java b/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/ServletUtils.java
deleted file mode 100644
index cf044d43..00000000
--- a/eaaf_core_utils/src/main/java/at/gv/egiz/eaaf/core/impl/utils/ServletUtils.java
+++ /dev/null
@@ -1,41 +0,0 @@
-/*
- * Copyright 2017 Graz University of Technology EAAF-Core Components has been developed in a
- * cooperation between EGIZ, A-SIT Plus, A-SIT, and Graz University of Technology.
- *
- * Licensed under the EUPL, Version 1.2 or - as soon they will be approved by the European
- * Commission - subsequent versions of the EUPL (the "Licence"); You may not use this work except in
- * compliance with the Licence. You may obtain a copy of the Licence at:
- * https://joinup.ec.europa.eu/news/understanding-eupl-v12
- *
- * Unless required by applicable law or agreed to in writing, software distributed under the Licence
- * is distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express
- * or implied. See the Licence for the specific language governing permissions and limitations under
- * the Licence.
- *
- * This product combines work with different licenses. See the "NOTICE" text file for details on the
- * various modules and licenses. The "NOTICE" text file is part of the distribution. Any derivative
- * works that you distribute must include a readable copy of the "NOTICE" text file.
- */
-
-package at.gv.egiz.eaaf.core.impl.utils;
-
-import jakarta.servlet.http.HttpServletRequest;
-
-public class ServletUtils {
-
- /**
- * Get Context URL from http request.
- *
- * @param request http Request
- * @return Context URL
- */
- public static String getBaseUrl(final HttpServletRequest request) {
- if (request.getServerPort() == 80 || request.getServerPort() == 443) {
- return request.getScheme() + "://" + request.getServerName() + request.getContextPath();
- } else {
- return request.getScheme() + "://" + request.getServerName() + ":" + request.getServerPort() + request.getContextPath();
- }
- }
-
-}
--
cgit v1.2.3