aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib/src/test/java
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2020-08-31 10:22:11 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2020-08-31 10:22:11 +0200
commite10256fe93208ef786d2e38a68a98e2548d501ee (patch)
treea5c1c97936cdd635db7a24164f796be6be5413ee /id/server/idserverlib/src/test/java
parentc4633dffe99d4cc41e25fe165b6b8b5013ea34bd (diff)
downloadmoa-id-spss-e10256fe93208ef786d2e38a68a98e2548d501ee.tar.gz
moa-id-spss-e10256fe93208ef786d2e38a68a98e2548d501ee.tar.bz2
moa-id-spss-e10256fe93208ef786d2e38a68a98e2548d501ee.zip
fix SSRF bug in SAML1 parameter validator
Diffstat (limited to 'id/server/idserverlib/src/test/java')
-rw-r--r--id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java50
-rw-r--r--id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java588
2 files changed, 631 insertions, 7 deletions
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
index 1ab54471c..7707f3b90 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
@@ -26,6 +26,9 @@ public class DummyAuthConfig implements AuthConfiguration {
private Boolean isIDLEscapingEnabled = null;
+ private Map<String, String> basicConfig = new HashMap<>();
+ private List<String> slRequestTemplates;
+
@Override
public String getRootConfigFileDir() {
// TODO Auto-generated method stub
@@ -100,7 +103,10 @@ public class DummyAuthConfig implements AuthConfiguration {
} else if (UserRestrictionTask.CONFIG_PROPS_CSV_USER_SECTOR.equals(key)) {
return "urn:publicid:gv.at:cdid+ZP-MH";
- }
+ } else if (basicConfig.containsKey(key)) {
+ return basicConfig.get(key);
+
+ }
return null;
@@ -108,8 +114,13 @@ public class DummyAuthConfig implements AuthConfiguration {
@Override
public String getBasicConfiguration(String key, String defaultValue) {
- // TODO Auto-generated method stub
- return null;
+ if (basicConfig.containsKey(key)) {
+ return basicConfig.get(key);
+
+ } else {
+ return defaultValue;
+
+ }
}
@Override
@@ -235,8 +246,8 @@ public class DummyAuthConfig implements AuthConfiguration {
@Override
public List<String> getSLRequestTemplates() throws ConfigurationException {
- // TODO Auto-generated method stub
- return null;
+ return slRequestTemplates;
+
}
@Override
@@ -428,8 +439,14 @@ public class DummyAuthConfig implements AuthConfiguration {
}
+ if (basicConfig.containsKey(key)) {
+ return Boolean.parseBoolean(basicConfig.get(key));
+
+ } else {
+ return defaultValue;
+
+ }
- return false;
}
@Override
@@ -462,8 +479,27 @@ public class DummyAuthConfig implements AuthConfiguration {
@Override
public Boolean getBasicConfigurationBoolean(String key) {
- // TODO Auto-generated method stub
+ if (basicConfig.containsKey(key)) {
+ return Boolean.parseBoolean(basicConfig.get(key));
+
+ }
+
return null;
}
+ public void putIntoBasicConfig(String key, String value) {
+ basicConfig.put(key, value);
+
+ }
+
+ public void removeFromBasicConfig(String key) {
+ basicConfig.remove(key);
+
+ }
+
+ public void setSlRequestTemplateUrls(List<String> templates) {
+ slRequestTemplates = templates;
+
+ }
+
}
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
new file mode 100644
index 000000000..ad9e2c90e
--- /dev/null
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
@@ -0,0 +1,588 @@
+package test.at.gv.egovernment.moa.id.util;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+import javax.servlet.AsyncContext;
+import javax.servlet.DispatcherType;
+import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletInputStream;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import javax.servlet.http.Part;
+
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.BlockJUnit4ClassRunner;
+
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.data.DummyAuthConfig;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+
+@RunWith(BlockJUnit4ClassRunner.class)
+public class ParamValidatorUtilsTest {
+
+ private static DummyAuthConfig config;
+
+ @BeforeClass
+ public static void classInitializer() {
+ config = new DummyAuthConfig();
+ AuthConfigurationProviderFactory.setAuthConfig(config);
+ config.setSlRequestTemplateUrls(new ArrayList<String>());
+
+ }
+
+ @Test
+ public void templateStrictWhitelistFirst() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://aaaa.com/bbbb";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true));
+
+ }
+
+ @Test
+ public void templateStrictWhitelistSecond() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file://aaaa.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistFirst() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://aaaa.com/bbbb";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistSecond() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file://aaaa.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistThird() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://aaaa.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistFour() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "http://aaaa.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistFife() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "http://junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistSix() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLaczWhitelistSeven() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file://junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should Not be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ private HttpServletRequest getDummyHttpRequest(final String serverName) {
+ return new HttpServletRequest() {
+
+ @Override
+ public AsyncContext startAsync(ServletRequest servletRequest, ServletResponse servletResponse)
+ throws IllegalStateException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public AsyncContext startAsync() throws IllegalStateException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public void setCharacterEncoding(String env) throws UnsupportedEncodingException {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void setAttribute(String name, Object o) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void removeAttribute(String name) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public boolean isSecure() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isAsyncSupported() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isAsyncStarted() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public ServletContext getServletContext() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getServerPort() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getServerName() {
+ return serverName;
+
+ }
+
+ @Override
+ public String getScheme() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public RequestDispatcher getRequestDispatcher(String path) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getRemotePort() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getRemoteHost() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRemoteAddr() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRealPath(String path) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public BufferedReader getReader() throws IOException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getProtocol() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String[] getParameterValues(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration<String> getParameterNames() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Map<String, String[]> getParameterMap() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getParameter(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration<Locale> getLocales() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Locale getLocale() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getLocalPort() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getLocalName() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getLocalAddr() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public ServletInputStream getInputStream() throws IOException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public DispatcherType getDispatcherType() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getContentType() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getContentLength() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getCharacterEncoding() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration<String> getAttributeNames() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Object getAttribute(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public AsyncContext getAsyncContext() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public void logout() throws ServletException {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void login(String username, String password) throws ServletException {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public boolean isUserInRole(String role) {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdValid() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdFromUrl() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdFromURL() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdFromCookie() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public Principal getUserPrincipal() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public HttpSession getSession(boolean create) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public HttpSession getSession() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getServletPath() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRequestedSessionId() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public StringBuffer getRequestURL() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRequestURI() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRemoteUser() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getQueryString() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getPathTranslated() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getPathInfo() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Collection<Part> getParts() throws IOException, ServletException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Part getPart(String name) throws IOException, ServletException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getMethod() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getIntHeader(String name) {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public Enumeration<String> getHeaders(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration<String> getHeaderNames() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getHeader(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public long getDateHeader(String name) {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public Cookie[] getCookies() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getContextPath() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getAuthType() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public boolean authenticate(HttpServletResponse response) throws IOException, ServletException {
+ // TODO Auto-generated method stub
+ return false;
+ }
+ };
+ }
+}