authorThomas Lenz <tlenz@iaik.tugraz.at>2020-08-31 13:51:14 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2020-08-31 13:51:14 +0200
commit3ead2fee52a1e43e12610fda8175cb1a74e8b1f0 (patch)
tree8b3f52b6366b9d326704a125ebc9e4dc9b30b4d3 /id/server/idserverlib/src/test
parent8322112004a0334a5d73795760880e635813793b (diff)
update validation in case of file:/ paths because trusted templates can be relative to config directory
Diffstat (limited to 'id/server/idserverlib/src/test')
-rw-r--r--id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java32
-rw-r--r--id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java73
2 files changed, 87 insertions, 18 deletions
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
index 7707f3b90..b2f425a2c 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
@@ -2,7 +2,9 @@ package at.gv.egovernment.moa.id.config.auth.data;
import java.io.IOException;
import java.net.URI;
+import java.net.URISyntaxException;
import java.net.URL;
+import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -20,6 +22,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IStorkConfig;
import at.gv.egovernment.moa.id.commons.api.data.ProtocolAllowed;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.util.config.EgovUtilPropertiesConfiguration;
public class DummyAuthConfig implements AuthConfiguration {
@@ -28,11 +31,12 @@ public class DummyAuthConfig implements AuthConfiguration {
private Map<String, String> basicConfig = new HashMap<>();
private List<String> slRequestTemplates;
-
+ private String configRootDir;
+
@Override
public String getRootConfigFileDir() {
- // TODO Auto-generated method stub
- return null;
+ return configRootDir;
+
}
@Override
@@ -246,7 +250,7 @@ public class DummyAuthConfig implements AuthConfiguration {
@Override
public List<String> getSLRequestTemplates() throws ConfigurationException {
- return slRequestTemplates;
+ return new ArrayList<>(slRequestTemplates);
}
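Review bot: `new ArrayList<>(slRequestTemplates)` throws a NullPointerException when the field was never set, whereas the old code returned null. The field is declared without an initializer in the hunk above, so any test that builds a `DummyAuthConfig` and does not call `setSlRequestTemplateUrls` now fails inside the getter instead of in the code under test. Either initialise the field, `private List<String> slRequestTemplates = new ArrayList<>();`, or guard the copy, `return slRequestTemplates == null ? null : new ArrayList<>(slRequestTemplates);`.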
@@ -451,8 +455,18 @@ public class DummyAuthConfig implements AuthConfiguration {
@Override
public URI getConfigurationRootDirectory() {
- // TODO Auto-generated method stub
- return null;
+ try {
+ if (MiscUtil.isNotEmpty(configRootDir)) {
+ return new URI(configRootDir);
+
+ }
+ } catch (URISyntaxException e) {
+ e.printStackTrace();
+
+ }
+
+ return null;
+
}
@Override
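Review bot: A malformed `configRootDir` is swallowed in the `catch (URISyntaxException e)` branch: the stack trace is printed and the method returns null, exactly as if no root had been configured. The template validation tests depend on this root, so a typo in the fixture would make them run against a null root and pass or fail for the wrong reason. Failing fast is safer in a test double, for example `throw new IllegalStateException("invalid configRootDir: " + configRootDir, e);` in place of `e.printStackTrace();`.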
@@ -501,5 +515,11 @@ public class DummyAuthConfig implements AuthConfiguration {
slRequestTemplates = templates;
}
+
+ public void setConfigRootDir(String configRootDir) {
+ this.configRootDir = configRootDir;
+ }
+
+
}
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
index ad9e2c90e..7afad55aa 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
@@ -46,6 +46,7 @@ public class ParamValidatorUtilsTest {
config = new DummyAuthConfig();
AuthConfigurationProviderFactory.setAuthConfig(config);
config.setSlRequestTemplateUrls(new ArrayList<String>());
+ config.setConfigRootDir("file://junit.com/");
}
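Review bot: The root set here, `file://junit.com/`, places `junit.com` in the URI authority with path `/`, while the templates the new tests accept are written `file:/junit.com/ccc`, where `junit.com` is a path segment. Parsed as URIs these are different locations, so the positive tests may pass only through string-level normalisation in the validator; this is inferred, because the validator is not on this page. Consider `config.setConfigRootDir("file:/junit.com/");`, or add a comment stating why both forms are meant to be equivalent. The setup method starts outside the hunk.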
@@ -68,11 +69,11 @@ public class ParamValidatorUtilsTest {
public void templateStrictWhitelistSecond() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
- String template = "file://aaaa.com/ccc";
+ String template = "file:/aaaa.com/ccc";
List<String> oaSlTemplates = Arrays.asList(
"http://aaaa.com/bbbb",
"https://aaaa.com/bbbb",
- "file://aaaa.com/bbbb");
+ "file:/aaaa.com/bbbb");
Assert.assertFalse("Template should NOT be valid",
ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true));
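Review bot: Rewriting the template and the whitelist entry from `file://aaaa.com/...` to `file:/aaaa.com/...` removes the only negative coverage of the authority form of a file URL. The same replacement is made in `templateLazyWhitelistSecond` and `templateLazyWhitelistSeven` further down. After this commit no test asserts that a `file://host/path` template is rejected, so a regression that accepts it would go unnoticed. Keep the old `file://` cases as additional tests next to the new `file:/` ones. The test method starts and ends outside the hunk.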
@@ -95,14 +96,14 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistSecond() {
+ public void templateLazyWhitelistSecond() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
- String template = "file://aaaa.com/ccc";
+ String template = "file:/aaaa.com/ccc";
List<String> oaSlTemplates = Arrays.asList(
"http://aaaa.com/bbbb",
"https://aaaa.com/bbbb",
- "file://aaaa.com/bbbb");
+ "file:/aaaa.com/bbbb");
Assert.assertFalse("Template should NOT be valid",
ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
@@ -110,7 +111,7 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistThird() {
+ public void templateLazyWhitelistThird() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
String template = "https://aaaa.com/ccc";
@@ -125,7 +126,7 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistFour() {
+ public void templateLazyWhitelistFour() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
String template = "http://aaaa.com/ccc";
@@ -140,7 +141,7 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistFife() {
+ public void templateLazyWhitelistFife() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
String template = "http://junit.com/ccc";
@@ -155,7 +156,7 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistSix() {
+ public void templateLazyWhitelistSix() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
String template = "https://junit.com/ccc";
@@ -170,20 +171,68 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistSeven() {
+ public void templateLazyWhitelistSeven() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
- String template = "file://junit.com/ccc";
+ String template = "file:/junit.com/ccc";
List<String> oaSlTemplates = Arrays.asList(
"http://aaaa.com/bbbb",
"https://aaaa.com/bbbb",
- "file://aaaa.com/bbbb");
+ "file:/aaaa.com/bbbb");
Assert.assertFalse("Template should Not be valid",
ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
}
+ @Test
+ public void templateLazyWhitelistEight() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:/junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/ccc",
+ "ccc");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistNine() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:\\junit.com\\ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/ccc",
+ "ccc");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistTen() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:\\junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/ccc",
+ "ccc");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
private HttpServletRequest getDummyHttpRequest(final String serverName) {
return new HttpServletRequest() {
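Review bot: The three added tests only assert acceptance, so nothing pins that the relative whitelist entry `ccc` matches solely beneath the configured root directory. There is no negative case where the template has the same trailing name but lies elsewhere, or leaves the root through dot segments. All three positive lists also carry `file://aaaa.com/ccc`, so it is unclear which entry produced the match. The backslash variants in Nine and Ten widen the accepted input forms, which makes the negative side more important. A sketch of one such test follows; its expected result states the intended property and should be confirmed against the validator, which is not on this page.

```java
// … unchanged: templateLazyWhitelistEight / Nine / Ten …

@Test
public void templateLazyWhitelistRelativeEntryOutsideConfigRoot() {

  HttpServletRequest req = getDummyHttpRequest("junit.com");
  // constructed value: same file name as the relative entry, but not under the config root
  String template = "file:/aaaa.com/ccc";
  List<String> oaSlTemplates = Arrays.asList(
      "http://aaaa.com/bbbb",
      "https://aaaa.com/bbbb",
      "ccc");

  Assert.assertFalse("Template should NOT be valid",
      ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));

}
```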