update validation in case of file:/ paths because trusted templates can be relative to config directory

3 files changed, 111 insertions, 22 deletions

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
index 065615666..0e468bb6b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
@@ -49,6 +49,7 @@ package at.gv.egovernment.moa.id.util;
 import java.io.ByteArrayInputStream;

 import java.io.IOException;

 import java.net.MalformedURLException;

+import java.net.URISyntaxException;

 import java.net.URL;

 import java.util.Collections;

 import java.util.HashMap;

@@ -63,6 +64,7 @@ import javax.xml.parsers.ParserConfigurationException;
 import org.xml.sax.SAXException;

 

 import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;

+import at.gv.egiz.eaaf.core.impl.utils.FileUtils;

 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;

 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;

 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;

@@ -309,7 +311,7 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
           }                                       

         }

     	   

-      } catch (MalformedURLException | ConfigurationException e) {

+      } catch (MalformedURLException | ConfigurationException | URISyntaxException e) {

     	 Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e);

          return false;

     

@@ -529,24 +531,42 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
 	}

 	

   private static boolean validateTemplateUrlToWhiteList(String template, List<String> oaSlTemplates) 

-      throws ConfigurationException {

+      throws ConfigurationException, MalformedURLException, URISyntaxException {

   //check against configured trustet template urls

     AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();

     List<String> trustedTemplateURLs = authConf.getSLRequestTemplates();

     

     //get OA specific template URLs

-    if (oaSlTemplates != null && oaSlTemplates.size() > 0) {

+    if (oaSlTemplates != null && !oaSlTemplates.isEmpty()) {

       for (String el : oaSlTemplates)

         if (MiscUtil.isNotEmpty(el))

           trustedTemplateURLs.add(el);              

     }

     

-    boolean b = trustedTemplateURLs.contains(template);

+    boolean b = false;

+    if (template.startsWith("file:")) {

+      for (String el : trustedTemplateURLs) {

+        URL templateUrl = new URL(template);

+        URL trustedUrl = new URL(FileUtils.makeAbsoluteURL(el, authConf.getConfigurationRootDirectory()));

+        b = trustedUrl.equals(templateUrl);        

+        if (b) {

+          break;

+        }        

+      }

+      

+    } else {

+      b = trustedTemplateURLs.contains(template);  

+      

+    }

+    

+    

     if (b) {

       Logger.debug("Parameter Template erfolgreich ueberprueft");

       return true;

     

     } else {

+      Logger.info("Template:" + template + " DOES NOT match to allowed templates: ["

+          + org.apache.commons.lang3.StringUtils.join(trustedTemplateURLs, ",") +  "]");

       Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. "

           + "Parameter ist nicht auf Liste der vertrauenswuerdigen Template URLs "

           + "(Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)");  

diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
index 7707f3b90..b2f425a2c 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
@@ -2,7 +2,9 @@ package at.gv.egovernment.moa.id.config.auth.data;
 
 import java.io.IOException;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -20,6 +22,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IStorkConfig;
 import at.gv.egovernment.moa.id.commons.api.data.ProtocolAllowed;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.util.config.EgovUtilPropertiesConfiguration;
 
 public class DummyAuthConfig implements AuthConfiguration {
@@ -28,11 +31,12 @@ public class DummyAuthConfig implements AuthConfiguration {
 	
 	private Map<String, String> basicConfig = new HashMap<>();
   private List<String> slRequestTemplates;
-	
+	private String configRootDir;
+  
 	@Override
 	public String getRootConfigFileDir() {
-		// TODO Auto-generated method stub
-		return null;
+		return configRootDir;
+		
 	}
 
 	@Override
@@ -246,7 +250,7 @@ public class DummyAuthConfig implements AuthConfiguration {
 
 	@Override
 	public List<String> getSLRequestTemplates() throws ConfigurationException {
-		return slRequestTemplates;
+		return new ArrayList<>(slRequestTemplates);
 		
 	}
 
@@ -451,8 +455,18 @@ public class DummyAuthConfig implements AuthConfiguration {
 
 	@Override
 	public URI getConfigurationRootDirectory() {
-		// TODO Auto-generated method stub
-		return null;
+		try {
+		  if (MiscUtil.isNotEmpty(configRootDir)) {
+		    return new URI(configRootDir);
+		    
+		  }      
+    } catch (URISyntaxException e) {
+      e.printStackTrace();
+      
+    }
+		
+    return null;
+		
 	}
 
 	@Override
@@ -501,5 +515,11 @@ public class DummyAuthConfig implements AuthConfiguration {
 	  slRequestTemplates = templates;
 	  
 	}
+
+  public void setConfigRootDir(String configRootDir) {
+    this.configRootDir = configRootDir;
+  }
+	
+	
 	
 }
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
index ad9e2c90e..7afad55aa 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
@@ -46,6 +46,7 @@ public class ParamValidatorUtilsTest {
     config = new DummyAuthConfig();
     AuthConfigurationProviderFactory.setAuthConfig(config);
     config.setSlRequestTemplateUrls(new ArrayList<String>());    
+    config.setConfigRootDir("file://junit.com/");
     
   }
   
@@ -68,11 +69,11 @@ public class ParamValidatorUtilsTest {
   public void templateStrictWhitelistSecond() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
-    String template = "file://aaaa.com/ccc";
+    String template = "file:/aaaa.com/ccc";
     List<String> oaSlTemplates = Arrays.asList(
         "http://aaaa.com/bbbb", 
         "https://aaaa.com/bbbb", 
-        "file://aaaa.com/bbbb");
+        "file:/aaaa.com/bbbb");
     
     Assert.assertFalse("Template should NOT be valid", 
         ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true));
@@ -95,14 +96,14 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistSecond() {
+  public void templateLazyWhitelistSecond() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
-    String template = "file://aaaa.com/ccc";
+    String template = "file:/aaaa.com/ccc";
     List<String> oaSlTemplates = Arrays.asList(
         "http://aaaa.com/bbbb", 
         "https://aaaa.com/bbbb", 
-        "file://aaaa.com/bbbb");
+        "file:/aaaa.com/bbbb");
     
     Assert.assertFalse("Template should NOT be valid", 
         ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
@@ -110,7 +111,7 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistThird() {
+  public void templateLazyWhitelistThird() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "https://aaaa.com/ccc";
@@ -125,7 +126,7 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistFour() {
+  public void templateLazyWhitelistFour() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "http://aaaa.com/ccc";
@@ -140,7 +141,7 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistFife() {
+  public void templateLazyWhitelistFife() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "http://junit.com/ccc";
@@ -155,7 +156,7 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistSix() {
+  public void templateLazyWhitelistSix() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "https://junit.com/ccc";
@@ -170,20 +171,68 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistSeven() {
+  public void templateLazyWhitelistSeven() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
-    String template = "file://junit.com/ccc";
+    String template = "file:/junit.com/ccc";
     List<String> oaSlTemplates = Arrays.asList(
         "http://aaaa.com/bbbb", 
         "https://aaaa.com/bbbb", 
-        "file://aaaa.com/bbbb");
+        "file:/aaaa.com/bbbb");
     
     Assert.assertFalse("Template should Not be valid", 
         ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
     
   }
   
+  @Test
+  public void templateLazyWhitelistEight() {
+    
+    HttpServletRequest req = getDummyHttpRequest("junit.com");
+    String template = "file:/junit.com/ccc";
+    List<String> oaSlTemplates = Arrays.asList(
+        "http://aaaa.com/bbbb", 
+        "https://aaaa.com/bbbb", 
+        "file://aaaa.com/ccc",
+        "ccc");
+    
+    Assert.assertTrue("Template should be valid", 
+        ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+    
+  }
+  
+  @Test
+  public void templateLazyWhitelistNine() {
+    
+    HttpServletRequest req = getDummyHttpRequest("junit.com");
+    String template = "file:\\junit.com\\ccc";
+    List<String> oaSlTemplates = Arrays.asList(
+        "http://aaaa.com/bbbb", 
+        "https://aaaa.com/bbbb", 
+        "file://aaaa.com/ccc",
+        "ccc");
+    
+    Assert.assertTrue("Template should be valid", 
+        ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+    
+  }
+  
+  @Test
+  public void templateLazyWhitelistTen() {
+    
+    HttpServletRequest req = getDummyHttpRequest("junit.com");
+    String template = "file:\\junit.com/ccc";
+    List<String> oaSlTemplates = Arrays.asList(
+        "http://aaaa.com/bbbb", 
+        "https://aaaa.com/bbbb", 
+        "file://aaaa.com/ccc",
+        "ccc");
+    
+    Assert.assertTrue("Template should be valid", 
+        ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+    
+  }
+  
   private HttpServletRequest getDummyHttpRequest(final String serverName) {
     return new HttpServletRequest() {