| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2020-08-31 13:51:14 +0200 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2020-08-31 13:51:14 +0200 | 
| commit | 3ead2fee52a1e43e12610fda8175cb1a74e8b1f0 (patch) | |
| tree | 8b3f52b6366b9d326704a125ebc9e4dc9b30b4d3 /id/server/idserverlib | |
| parent | 8322112004a0334a5d73795760880e635813793b (diff) | |
update validation in case of file:/ paths because trusted templates can be relative to config directory
Diffstat (limited to 'id/server/idserverlib')
3 files changed, 111 insertions, 22 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
index 065615666..0e468bb6b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
@@ -49,6 +49,7 @@ package at.gv.egovernment.moa.id.util;
 import java.io.ByteArrayInputStream;
  import java.io.IOException;
  import java.net.MalformedURLException;
 +import java.net.URISyntaxException;
  import java.net.URL;
  import java.util.Collections;
  import java.util.HashMap;
 @@ -63,6 +64,7 @@ import javax.xml.parsers.ParserConfigurationException;
 import org.xml.sax.SAXException;
  import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
 +import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
  import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
  import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
  import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
 @@ -309,7 +311,7 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
           }                                       
          }
 -      } catch (MalformedURLException | ConfigurationException e) {
 +      } catch (MalformedURLException | ConfigurationException | URISyntaxException e) {
      	 Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e);
           return false;
 @@ -529,24 +531,42 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
 	}
    private static boolean validateTemplateUrlToWhiteList(String template, List<String> oaSlTemplates) 
 -      throws ConfigurationException {
 +      throws ConfigurationException, MalformedURLException, URISyntaxException {
    //check against configured trustet template urls
      AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();
      List<String> trustedTemplateURLs = authConf.getSLRequestTemplates();
      //get OA specific template URLs
 -    if (oaSlTemplates != null && oaSlTemplates.size() > 0) {
 +    if (oaSlTemplates != null && !oaSlTemplates.isEmpty()) {
        for (String el : oaSlTemplates)
          if (MiscUtil.isNotEmpty(el))
            trustedTemplateURLs.add(el);              
      }
 -    boolean b = trustedTemplateURLs.contains(template);
 +    boolean b = false;
 +    if (template.startsWith("file:")) {
 +      for (String el : trustedTemplateURLs) {
 +        URL templateUrl = new URL(template);
 +        URL trustedUrl = new URL(FileUtils.makeAbsoluteURL(el, authConf.getConfigurationRootDirectory()));
 +        b = trustedUrl.equals(templateUrl);        
 +        if (b) {
 +          break;
 +        }        
 +      }
 +      
 +    } else {
 +      b = trustedTemplateURLs.contains(template);  
 +      
 +    }
 +    
 +    
      if (b) {
        Logger.debug("Parameter Template erfolgreich ueberprueft");
        return true;
      } else {
 +      Logger.info("Template:" + template + " DOES NOT match to allowed templates: ["
 +          + org.apache.commons.lang3.StringUtils.join(trustedTemplateURLs, ",") +  "]");
        Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. "
            + "Parameter ist nicht auf Liste der vertrauenswuerdigen Template URLs "
            + "(Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)");  
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
index 7707f3b90..b2f425a2c 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
@@ -2,7 +2,9 @@ package at.gv.egovernment.moa.id.config.auth.data;
 import java.io.IOException;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -20,6 +22,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IStorkConfig;
 import at.gv.egovernment.moa.id.commons.api.data.ProtocolAllowed;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.util.config.EgovUtilPropertiesConfiguration;
 public class DummyAuthConfig implements AuthConfiguration {
@@ -28,11 +31,12 @@ public class DummyAuthConfig implements AuthConfiguration {
 	private Map<String, String> basicConfig = new HashMap<>();
   private List<String> slRequestTemplates;
-	 
+	private String configRootDir;
+  
 	@Override
 	public String getRootConfigFileDir() {
-		// TODO Auto-generated method stub
-		return null;
+		return configRootDir;
+		
 	}
 	@Override
@@ -246,7 +250,7 @@ public class DummyAuthConfig implements AuthConfiguration {
 	@Override
 	public List<String> getSLRequestTemplates() throws ConfigurationException {
-		return slRequestTemplates;
+		return new ArrayList<>(slRequestTemplates);
 	}
@@ -451,8 +455,18 @@ public class DummyAuthConfig implements AuthConfiguration {
 	@Override
 	public URI getConfigurationRootDirectory() {
-		// TODO Auto-generated method stub
-		return null;
+		try {
+		  if (MiscUtil.isNotEmpty(configRootDir)) {
+		    return new URI(configRootDir);
+		    
+		  }      
+    } catch (URISyntaxException e) {
+      e.printStackTrace();
+      
+    }
+		
+    return null;
+		 
 	}
 	@Override
@@ -501,5 +515,11 @@ public class DummyAuthConfig implements AuthConfiguration {
 	  slRequestTemplates = templates;
 	}
+
+  public void setConfigRootDir(String configRootDir) {
+    this.configRootDir = configRootDir;
+  }
+	
+	
 }
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
index ad9e2c90e..7afad55aa 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
@@ -46,6 +46,7 @@ public class ParamValidatorUtilsTest {
     config = new DummyAuthConfig();
     AuthConfigurationProviderFactory.setAuthConfig(config);
     config.setSlRequestTemplateUrls(new ArrayList<String>());    
+    config.setConfigRootDir("file://junit.com/");
   }
@@ -68,11 +69,11 @@ public class ParamValidatorUtilsTest {
   public void templateStrictWhitelistSecond() {
     HttpServletRequest req = getDummyHttpRequest("junit.com");
-    String template = "file://aaaa.com/ccc";
+    String template = "file:/aaaa.com/ccc";
     List<String> oaSlTemplates = Arrays.asList(
         "http://aaaa.com/bbbb", 
         "https://aaaa.com/bbbb", 
-        "file://aaaa.com/bbbb");
+        "file:/aaaa.com/bbbb");
     Assert.assertFalse("Template should NOT be valid", 
         ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true));
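Review bot: In the new `getConfigurationRootDirectory()` body the `catch (URISyntaxException e) { e.printStackTrace(); }` swallows a malformed `configRootDir` and lets the stub fall through to `return null`, so a test that sets a bad root directory fails somewhere downstream instead of at the cause. For a test stub, rethrowing is clearer: `throw new IllegalStateException("invalid configRootDir: " + configRootDir, e);`. This hunk and the `-28,11` hunk above also add several whitespace-only lines that a formatter would drop.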
@@ -95,14 +96,14 @@ public class ParamValidatorUtilsTest {
   }
   @Test
-  public void templateLaczWhitelistSecond() {
+  public void templateLazyWhitelistSecond() {
     HttpServletRequest req = getDummyHttpRequest("junit.com");
-    String template = "file://aaaa.com/ccc";
+    String template = "file:/aaaa.com/ccc";
     List<String> oaSlTemplates = Arrays.asList(
         "http://aaaa.com/bbbb", 
         "https://aaaa.com/bbbb", 
-        "file://aaaa.com/bbbb");
+        "file:/aaaa.com/bbbb");
     Assert.assertFalse("Template should NOT be valid", 
         ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
@@ -110,7 +111,7 @@ public class ParamValidatorUtilsTest {
   }
   @Test
-  public void templateLaczWhitelistThird() {
+  public void templateLazyWhitelistThird() {
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "https://aaaa.com/ccc";
@@ -125,7 +126,7 @@ public class ParamValidatorUtilsTest {
   }
   @Test
-  public void templateLaczWhitelistFour() {
+  public void templateLazyWhitelistFour() {
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "http://aaaa.com/ccc";
@@ -140,7 +141,7 @@ public class ParamValidatorUtilsTest {
   }
   @Test
-  public void templateLaczWhitelistFife() {
+  public void templateLazyWhitelistFife() {
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "http://junit.com/ccc";
@@ -155,7 +156,7 @@ public class ParamValidatorUtilsTest {
   }
   @Test
-  public void templateLaczWhitelistSix() {
+  public void templateLazyWhitelistSix() {
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "https://junit.com/ccc";
@@ -170,20 +171,68 @@ public class ParamValidatorUtilsTest {
   }
   @Test
-  public void templateLaczWhitelistSeven() {
+  public void templateLazyWhitelistSeven() {
     HttpServletRequest req = getDummyHttpRequest("junit.com");
-    String template = "file://junit.com/ccc";
+    String template = "file:/junit.com/ccc";
     List<String> oaSlTemplates = Arrays.asList(
         "http://aaaa.com/bbbb", 
         "https://aaaa.com/bbbb", 
-        "file://aaaa.com/bbbb");
+        "file:/aaaa.com/bbbb");
     Assert.assertFalse("Template should Not be valid", 
         ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
   }
+  @Test
+  public void templateLazyWhitelistEight() {
+    
+    HttpServletRequest req = getDummyHttpRequest("junit.com");
+    String template = "file:/junit.com/ccc";
+    List<String> oaSlTemplates = Arrays.asList(
+        "http://aaaa.com/bbbb", 
+        "https://aaaa.com/bbbb", 
+        "file://aaaa.com/ccc",
+        "ccc");
+    
+    Assert.assertTrue("Template should be valid", 
+        ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+    
+  }
+  
+  @Test
+  public void templateLazyWhitelistNine() {
+    
+    HttpServletRequest req = getDummyHttpRequest("junit.com");
+    String template = "file:\\junit.com\\ccc";
+    List<String> oaSlTemplates = Arrays.asList(
+        "http://aaaa.com/bbbb", 
+        "https://aaaa.com/bbbb", 
+        "file://aaaa.com/ccc",
+        "ccc");
+    
+    Assert.assertTrue("Template should be valid", 
+        ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+    
+  }
+  
+  @Test
+  public void templateLazyWhitelistTen() {
+    
+    HttpServletRequest req = getDummyHttpRequest("junit.com");
+    String template = "file:\\junit.com/ccc";
+    List<String> oaSlTemplates = Arrays.asList(
+        "http://aaaa.com/bbbb", 
+        "https://aaaa.com/bbbb", 
+        "file://aaaa.com/ccc",
+        "ccc");
+    
+    Assert.assertTrue("Template should be valid", 
+        ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+    
+  }
+  
   private HttpServletRequest getDummyHttpRequest(final String serverName) {
     return new HttpServletRequest() {
