aboutsummaryrefslogtreecommitdiff
path: root/id/server/idserverlib
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2020-08-31 16:30:08 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2020-08-31 16:30:08 +0200
commitefeae1c1b91823ea4a7d4c84f3c1721f0a06e628 (patch)
tree844dbb9e64e856e2ccdd7ff8aaa4976f66d8b1a4 /id/server/idserverlib
parent0e6a03ffbc11d07ee2d00abcd573239a971f89b5 (diff)
parent7d9e2026c557cab1b8b3c4bb6a91f054c7bed5f0 (diff)
downloadmoa-id-spss-efeae1c1b91823ea4a7d4c84f3c1721f0a06e628.tar.gz
moa-id-spss-efeae1c1b91823ea4a7d4c84f3c1721f0a06e628.tar.bz2
moa-id-spss-efeae1c1b91823ea4a7d4c84f3c1721f0a06e628.zip
Merge branch 'current_development' into development_preview
Diffstat (limited to 'id/server/idserverlib')
-rw-r--r--id/server/idserverlib/pom.xml6
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java128
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java15
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java2
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java159
-rw-r--r--id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java78
-rw-r--r--id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java637
8 files changed, 905 insertions, 132 deletions
diff --git a/id/server/idserverlib/pom.xml b/id/server/idserverlib/pom.xml
index 75a2be499..b5bb84362 100644
--- a/id/server/idserverlib/pom.xml
+++ b/id/server/idserverlib/pom.xml
@@ -4,7 +4,7 @@
<parent>
<groupId>MOA.id</groupId>
<artifactId>moa-id</artifactId>
- <version>4.1.2</version>
+ <version>4.1.3</version>
</parent>
<groupId>MOA.id.server</groupId>
@@ -503,13 +503,13 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-pool2</artifactId>
- <version>2.6.2</version>
+ <version>2.8.1</version>
</dependency>
<dependency>
<groupId>redis.clients</groupId>
<artifactId>jedis</artifactId>
<!-- version>3.0.1</version -->
- <version>3.1.0</version>
+ <version>3.3.0</version>
</dependency>
<!-- <dependency>
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java
index 3dfba9cca..6864d4ec3 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/builder/MOAIDSubjectNameIdGenerator.java
@@ -1,6 +1,5 @@
package at.gv.egovernment.moa.id.auth.builder;
-import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Service;
import org.w3c.dom.Element;
@@ -18,9 +17,11 @@ import at.gv.egiz.eaaf.modules.pvp2.exception.PVP2Exception;
import at.gv.egiz.eaaf.modules.pvp2.idp.api.builder.ISubjectNameIdGenerator;
import at.gv.egiz.eaaf.modules.pvp2.idp.exception.ResponderErrorException;
import at.gv.egovernment.moa.id.data.IMOAAuthData;
+import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.MandateAttributesNotHandleAbleException;
import at.gv.egovernment.moa.id.protocols.pvp2x.exceptions.NoMandateDataAvailableException;
import at.gv.egovernment.moa.id.util.MandateBuilder;
import at.gv.egovernment.moa.logging.Logger;
+import at.gv.egovernment.moa.sig.tsl.utils.MiscUtil;
import at.gv.egovernment.moa.util.Constants;
@Service("MOASAML2SubjectNameIDGenerator")
@@ -31,8 +32,8 @@ public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator {
//build nameID and nameID Format from moasessio
if (authData instanceof IMOAAuthData &&
((IMOAAuthData)authData).isUseMandate()) {
- String bpktype = null;
- String bpk = null;
+ String identifier = null;
+ String identifierType = null;
Element mandate = ((IMOAAuthData)authData).getMandate();
if(mandate != null) {
@@ -56,59 +57,88 @@ public class MOAIDSubjectNameIdGenerator implements ISubjectNameIdGenerator {
Logger.error("Failed to generate IdentificationType");
throw new NoMandateDataAvailableException();
}
-
- bpktype = id.getType();
- bpk = id.getValue().getValue();
-
+
+ identifier = id.getValue().getValue();
+ identifierType = id.getType();
+
} else {
Logger.debug("Read mandator bPK|baseID from PVP attributes ... ");
- bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class);
- bpktype = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class);
-
- if (StringUtils.isEmpty(bpk)) {
- //no sourcePin is included --> search for bPK
- bpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class);
-
- try {
- if (bpk.contains(":"))
- bpk = bpk.split(":")[1];
-
- } catch (Exception e) {
- Logger.warn("Can not split bPK from mandator attribute!", e);
-
- }
-
- //set bPK-Type from configuration, because it MUST be equal to service-provider type
- bpktype = spConfig.getAreaSpecificTargetIdentifier();
-
- } else {
- //sourcePin is include --> check sourcePinType
- if (StringUtils.isEmpty(bpktype))
- bpktype = Constants.URN_PREFIX_BASEID;
-
- }
- }
-
- if (StringUtils.isEmpty(bpk) || StringUtils.isEmpty(bpktype)) {
- throw new NoMandateDataAvailableException();
+ String natSourcePin = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_NAME, String.class);
+ String natSourcePinType = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_SOURCE_PIN_TYPE_NAME, String.class);
+ String natBpk = authData.getGenericData(PVPConstants.MANDATE_NAT_PER_BPK_NAME, String.class);
- }
-
- if (bpktype.equals(Constants.URN_PREFIX_BASEID)) {
- try {
- return new BPKBuilder().generateAreaSpecificPersonIdentifier(bpk, spConfig.getAreaSpecificTargetIdentifier());
+ String jurSourcePin = authData.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_NAME, String.class);
+ String jurSourcePinType = authData.getGenericData(PVPConstants.MANDATE_LEG_PER_SOURCE_PIN_TYPE_NAME, String.class);
+
+ if ( (MiscUtil.isNotEmpty(jurSourcePin) || MiscUtil.isNotEmpty(jurSourcePinType))
+ && (MiscUtil.isNotEmpty(natSourcePin) || MiscUtil.isNotEmpty(natBpk))) {
+ Logger.warn("Found mandate attributes for legal- AND natural-person. "
+ + "Both not allowed during on authentication. Process stops now!");
+ throw new MandateAttributesNotHandleAbleException();
+
+ }
+
+ if (MiscUtil.isNotEmpty(jurSourcePin) && MiscUtil.isNotEmpty(jurSourcePinType)) {
+ Logger.debug("Find jur. person sourcepin. Build SubjectNameId from this ... ");
+ return Pair.newInstance(jurSourcePin, jurSourcePinType);
+
+
+ } else if (MiscUtil.isNotEmpty(natSourcePin)) {
+ Logger.debug("Find nat. person sourcepin. Build SubjectNameId from this ... ");
+ identifier = natSourcePin;
+
+ if (MiscUtil.isNotEmpty(natSourcePinType)) {
+ identifierType = natSourcePinType;
+
+ } else {
+ identifierType = Constants.URN_PREFIX_BASEID;
+
+ }
+
+ } else if (MiscUtil.isNotEmpty(natBpk)) {
+ Logger.debug("Find nat. person bPK. Build SubjectNameId from this ... ");
+ try {
+ if (natBpk.contains(":")) {
+ natBpk = natBpk.split(":")[1];
+
+ }
+
+ } catch (Exception e) {
+ Logger.warn("Can not split bPK from mandator attribute!", e);
+ Logger.info("Use nat. person bPK as it is");
+
+ }
+
+ return Pair.newInstance(natBpk,
+ spConfig.getAreaSpecificTargetIdentifier());
+
+ } else {
+ throw new NoMandateDataAvailableException();
+
+ }
+ }
+
+ if (identifierType.equals(Constants.URN_PREFIX_BASEID)) {
+ try {
+ return BPKBuilder.generateAreaSpecificPersonIdentifier(
+ identifier, spConfig.getAreaSpecificTargetIdentifier());
- } catch (EAAFBuilderException e) {
- Logger.warn("Can NOT generate SubjectNameId." , e);
- throw new ResponderErrorException("pvp2.01", null);
+ } catch (EAAFBuilderException e) {
+ Logger.warn("Can NOT generate SubjectNameId." , e);
+ throw new ResponderErrorException("pvp2.01", null);
- }
+ }
- } else
- return Pair.newInstance(bpk, bpktype);
-
- } else
+ } else {
+ return Pair.newInstance(identifier, identifierType);
+
+ }
+
+ //no mandate available. Use bPK from authenticated entity
+ } else {
return Pair.newInstance(authData.getBPK(), authData.getBPKType());
+
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
index ead80b117..03fd225e0 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/parser/StartAuthentificationParameterParser.java
@@ -42,6 +42,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.data.IAuthenticationSession;
import at.gv.egovernment.moa.id.commons.api.exceptions.MOAIDException;
import at.gv.egovernment.moa.id.config.TargetToSectorNameMapper;
+import at.gv.egovernment.moa.id.config.auth.PropertyBasedAuthConfigurationProvider;
import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
import at.gv.egovernment.moa.logging.Logger;
import at.gv.egovernment.moa.util.MiscUtil;
@@ -182,14 +183,14 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
List<String> defaulTemplateURLList =
authConfig.getSLRequestTemplates();
- if ( templateURLList != null && templateURLList.size() > 0
+ if ( templateURLList != null && !templateURLList.isEmpty()
&& MiscUtil.isNotEmpty(templateURLList.get(0)) ) {
templateURL = FileUtils.makeAbsoluteURL(
oaParam.getTemplateURL().get(0),
authConfig.getRootConfigFileDir());
Logger.info("No SL-Template in request, load SL-Template from OA configuration (URL: " + templateURL + ")");
- } else if ( (defaulTemplateURLList.size() > 0) && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) {
+ } else if ( !defaulTemplateURLList.isEmpty() && MiscUtil.isNotEmpty(defaulTemplateURLList.get(0))) {
templateURL = FileUtils.makeAbsoluteURL(
defaulTemplateURLList.get(0),
authConfig.getRootConfigFileDir());
@@ -203,8 +204,13 @@ public class StartAuthentificationParameterParser extends MOAIDAuthConstants{
}
- if (!ParamValidatorUtils.isValidTemplate(req, templateURL, oaParam.getTemplateURL()))
+ if (!ParamValidatorUtils.isValidTemplate(req, templateURL, oaParam.getTemplateURL(),
+ authConfig.getBasicConfigurationBoolean(
+ PropertyBasedAuthConfigurationProvider.PROP_STRICT_SAML1_PARAM_VALIDATION,
+ false))) {
throw new WrongParametersException("StartAuthentication", PARAM_TEMPLATE, "auth.12");
+
+ }
protocolReq.setRawDataToTransaction(
MOAIDAuthConstants.AUTHPROCESS_DATA_SECURITYLAYERTEMPLATE,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java
index 94bcae672..cf3e0efd7 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/AuthConfigurationProviderFactory.java
@@ -57,4 +57,19 @@ public class AuthConfigurationProviderFactory {
return instance;
}
+
+ /**
+ * Set AuthConfig programmatically
+ *
+ * @param authConfig
+ */
+ public static void setAuthConfig(AuthConfiguration authConfig) {
+ if (instance != null) {
+ throw new RuntimeException("AuthConfig can ONLY set once!");
+
+ }
+
+ instance = authConfig;
+
+ }
}
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
index f299e0e94..1ffdaa524 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/config/auth/PropertyBasedAuthConfigurationProvider.java
@@ -52,6 +52,8 @@ public class PropertyBasedAuthConfigurationProvider extends ConfigurationProvide
public static final String PROP_MOAID_MODE = "general.moaidmode.active";
+ public static final String PROP_STRICT_SAML1_PARAM_VALIDATION =
+ "configuration.validate.saml1.parameter.strict";
private static final boolean TRUST_MANAGER_REVOCATION_CHECKING_DEFAULT = true;
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
index a44d8c1b6..0e468bb6b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
@@ -49,6 +49,7 @@ package at.gv.egovernment.moa.id.util;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.MalformedURLException;
+import java.net.URISyntaxException;
import java.net.URL;
import java.util.Collections;
import java.util.HashMap;
@@ -63,6 +64,7 @@ import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;
import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
+import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
@@ -220,11 +222,11 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
}
// check if template is a valid URL
- try {
+ try {
+ URL bkuUrl = new URL(bkuURI);
// check if bku url starts with http or https
- if (bkuURI.startsWith("http") || bkuURI.startsWith("https")) {
- new URL(bkuURI);
-
+ if (bkuUrl.getProtocol().equals("http") || bkuUrl.getProtocol().equals("https")) {
+
// check if bkuURI is a local BKU
if (bkuURI.compareToIgnoreCase("https://localhost:3496/https-security-layer-request") == 0 ||
bkuURI.compareToIgnoreCase("http://localhost:3495/http-security-layer-request") == 0 ||
@@ -232,8 +234,8 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
bkuURI.compareToIgnoreCase("https://127.0.0.1:3496/https-security-layer-request") == 0) {
Logger.debug("Parameter bkuURI erfolgreich ueberprueft");
return true;
- }
- else {
+
+ } else {
Logger.debug("Parameter bkuURI ist keine lokale BKU. Ueberpruefe Liste der vertrauenswuerdigen BKUs.");
boolean b = allowedBKUs.contains(bkuURI);
if (b) {
@@ -246,17 +248,17 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
return false;
}
}
- }
- else if (MOAIDAuthConstants.REQ_BKU_TYPES.contains(bkuURI)) {
+
+ } else if (MOAIDAuthConstants.REQ_BKU_TYPES.contains(bkuURI)) {
Logger.debug("Parameter bkuURI from configuration is used.");
return true;
} else {
Logger.error("Fehler Ueberpruefung Parameter bkuURI. bkuURI beginnt nicht mit http or https");
return false;
+
}
-
} catch (MalformedURLException e) {
Logger.error("Fehler Ueberpruefung Parameter bkuURI", e);
return false;
@@ -268,9 +270,12 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
* Checks if the given template is valid
* @param req
* @param template
+ * @param oaSlTemplates
+ * @param useStrictValidation Enables strict validation with URLs from configuration, otherwise always allow templates from same host.
* @return
*/
- public static boolean isValidTemplate(HttpServletRequest req, String template, List<String> oaSlTemplates) {
+ public static boolean isValidTemplate(HttpServletRequest req, String template,
+ List<String> oaSlTemplates, boolean useStrictValidation) {
Logger.debug("Ueberpruefe Parameter Template bzw. bkuSelectionTemplateURL");
@@ -282,65 +287,38 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
// check if template is a valid URL
try {
-
- // check if template url starts with http or https
- if (template.startsWith("http") || template.startsWith("https")) {
-
- // check if template url is from same server
- String name = req.getServerName();
- String httpName = "http://" + name;
- String httpsName = "https://" + name;
-
- if (template.startsWith(httpName) || template.startsWith(httpsName)) {
- new URL(template);
- Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich ueberprueft");
- return true;
- }
- else {
- //check against configured trustet template urls
- AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();
- List<String> trustedTemplateURLs = authConf.getSLRequestTemplates();
-
- //get OA specific template URLs
- if (oaSlTemplates != null && oaSlTemplates.size() > 0) {
- for (String el : oaSlTemplates)
- if (MiscUtil.isNotEmpty(el))
- trustedTemplateURLs.add(el);
- }
-
- boolean b = trustedTemplateURLs.contains(template);
- if (b) {
- Logger.debug("Parameter Template erfolgreich ueberprueft");
- return true;
- }
- else {
- Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. Parameter liegt nicht am gleichen Server wie die MOA-Instanz (" + req.getServerName() + ") bzw. ist nicht auf Liste der vertrauenswuerdigen Template URLs (Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)");
- return false;
- }
-
- }
-
- } else if (template.startsWith("file")){
- new URL(template);
- Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich ueberprueft");
- Logger.debug("Load SL-Layer Template from local filesystem " + template);
- return true;
-
- } else {
- Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. Paramter beginnt nicht mit http oder https.");
- return false;
- }
+ if (useStrictValidation) {
+ Logger.trace("Use strict validation of Template bzw. bkuSelectionTemplateURL");
+ return validateTemplateUrlToWhiteList(template, oaSlTemplates);
+
+ } else {
+ Logger.trace("Use lazy validation of Template bzw. bkuSelectionTemplateURL");
+ URL templateUrl = new URL(template);
+ String serverName = req.getServerName();
+
+ // check if template url starts with http or https
+ if (((templateUrl.getProtocol().startsWith("http")
+ || templateUrl.getProtocol().startsWith("https")))
+ && templateUrl.getHost().equals(serverName)) {
+ Logger.debug("Parameter Template bzw. bkuSelectionTemplateURL erfolgreich ueberprueft"
+ + " Lazy check is activ and template is on same host as MOA-ID");
+ return true;
+
+
+ } else {
+ return validateTemplateUrlToWhiteList(template, oaSlTemplates);
+
+ }
+ }
- } catch (MalformedURLException e) {
+ } catch (MalformedURLException | ConfigurationException | URISyntaxException e) {
Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e);
return false;
- } catch (ConfigurationException e) {
- Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e);
- return false;
- }
+
+ }
}
- /**
+ /**
* Checks if the given sessionID is valid
* @param target HTTP parameter from request
* @return
@@ -540,13 +518,62 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
} catch (WrongParametersException e) {
return false;
+
}
- if (StringUtils.isEmpty(bkuURL) && StringUtils.isEmpty(useeIDAS))
+ if (StringUtils.isEmpty(bkuURL) && StringUtils.isEmpty(useeIDAS)) {
return false;
- else
+
+ } else {
return true;
+
+ }
}
+
+ private static boolean validateTemplateUrlToWhiteList(String template, List<String> oaSlTemplates)
+ throws ConfigurationException, MalformedURLException, URISyntaxException {
+ //check against configured trustet template urls
+ AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();
+ List<String> trustedTemplateURLs = authConf.getSLRequestTemplates();
+
+ //get OA specific template URLs
+ if (oaSlTemplates != null && !oaSlTemplates.isEmpty()) {
+ for (String el : oaSlTemplates)
+ if (MiscUtil.isNotEmpty(el))
+ trustedTemplateURLs.add(el);
+ }
+
+ boolean b = false;
+ if (template.startsWith("file:")) {
+ for (String el : trustedTemplateURLs) {
+ URL templateUrl = new URL(template);
+ URL trustedUrl = new URL(FileUtils.makeAbsoluteURL(el, authConf.getConfigurationRootDirectory()));
+ b = trustedUrl.equals(templateUrl);
+ if (b) {
+ break;
+ }
+ }
+
+ } else {
+ b = trustedTemplateURLs.contains(template);
+
+ }
+
+
+ if (b) {
+ Logger.debug("Parameter Template erfolgreich ueberprueft");
+ return true;
+
+ } else {
+ Logger.info("Template:" + template + " DOES NOT match to allowed templates: ["
+ + org.apache.commons.lang3.StringUtils.join(trustedTemplateURLs, ",") + "]");
+ Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. "
+ + "Parameter ist nicht auf Liste der vertrauenswuerdigen Template URLs "
+ + "(Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)");
+ return false;
+
+ }
+ }
}
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
index 1ab54471c..b2f425a2c 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
@@ -2,7 +2,9 @@ package at.gv.egovernment.moa.id.config.auth.data;
import java.io.IOException;
import java.net.URI;
+import java.net.URISyntaxException;
import java.net.URL;
+import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -20,16 +22,21 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IStorkConfig;
import at.gv.egovernment.moa.id.commons.api.data.ProtocolAllowed;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.util.config.EgovUtilPropertiesConfiguration;
public class DummyAuthConfig implements AuthConfiguration {
private Boolean isIDLEscapingEnabled = null;
+ private Map<String, String> basicConfig = new HashMap<>();
+ private List<String> slRequestTemplates;
+ private String configRootDir;
+
@Override
public String getRootConfigFileDir() {
- // TODO Auto-generated method stub
- return null;
+ return configRootDir;
+
}
@Override
@@ -100,7 +107,10 @@ public class DummyAuthConfig implements AuthConfiguration {
} else if (UserRestrictionTask.CONFIG_PROPS_CSV_USER_SECTOR.equals(key)) {
return "urn:publicid:gv.at:cdid+ZP-MH";
- }
+ } else if (basicConfig.containsKey(key)) {
+ return basicConfig.get(key);
+
+ }
return null;
@@ -108,8 +118,13 @@ public class DummyAuthConfig implements AuthConfiguration {
@Override
public String getBasicConfiguration(String key, String defaultValue) {
- // TODO Auto-generated method stub
- return null;
+ if (basicConfig.containsKey(key)) {
+ return basicConfig.get(key);
+
+ } else {
+ return defaultValue;
+
+ }
}
@Override
@@ -235,8 +250,8 @@ public class DummyAuthConfig implements AuthConfiguration {
@Override
public List<String> getSLRequestTemplates() throws ConfigurationException {
- // TODO Auto-generated method stub
- return null;
+ return new ArrayList<>(slRequestTemplates);
+
}
@Override
@@ -428,14 +443,30 @@ public class DummyAuthConfig implements AuthConfiguration {
}
+ if (basicConfig.containsKey(key)) {
+ return Boolean.parseBoolean(basicConfig.get(key));
+
+ } else {
+ return defaultValue;
+
+ }
- return false;
}
@Override
public URI getConfigurationRootDirectory() {
- // TODO Auto-generated method stub
- return null;
+ try {
+ if (MiscUtil.isNotEmpty(configRootDir)) {
+ return new URI(configRootDir);
+
+ }
+ } catch (URISyntaxException e) {
+ e.printStackTrace();
+
+ }
+
+ return null;
+
}
@Override
@@ -462,8 +493,33 @@ public class DummyAuthConfig implements AuthConfiguration {
@Override
public Boolean getBasicConfigurationBoolean(String key) {
- // TODO Auto-generated method stub
+ if (basicConfig.containsKey(key)) {
+ return Boolean.parseBoolean(basicConfig.get(key));
+
+ }
+
return null;
}
+ public void putIntoBasicConfig(String key, String value) {
+ basicConfig.put(key, value);
+
+ }
+
+ public void removeFromBasicConfig(String key) {
+ basicConfig.remove(key);
+
+ }
+
+ public void setSlRequestTemplateUrls(List<String> templates) {
+ slRequestTemplates = templates;
+
+ }
+
+ public void setConfigRootDir(String configRootDir) {
+ this.configRootDir = configRootDir;
+ }
+
+
+
}
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
new file mode 100644
index 000000000..7afad55aa
--- /dev/null
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
@@ -0,0 +1,637 @@
+package test.at.gv.egovernment.moa.id.util;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Enumeration;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+import javax.servlet.AsyncContext;
+import javax.servlet.DispatcherType;
+import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletContext;
+import javax.servlet.ServletException;
+import javax.servlet.ServletInputStream;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.Cookie;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
+import javax.servlet.http.Part;
+
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.BlockJUnit4ClassRunner;
+
+import at.gv.egovernment.moa.id.config.auth.AuthConfigurationProviderFactory;
+import at.gv.egovernment.moa.id.config.auth.data.DummyAuthConfig;
+import at.gv.egovernment.moa.id.util.ParamValidatorUtils;
+
+@RunWith(BlockJUnit4ClassRunner.class)
+public class ParamValidatorUtilsTest {
+
+ private static DummyAuthConfig config;
+
+ @BeforeClass
+ public static void classInitializer() {
+ config = new DummyAuthConfig();
+ AuthConfigurationProviderFactory.setAuthConfig(config);
+ config.setSlRequestTemplateUrls(new ArrayList<String>());
+ config.setConfigRootDir("file://junit.com/");
+
+ }
+
+ @Test
+ public void templateStrictWhitelistFirst() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://aaaa.com/bbbb";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true));
+
+ }
+
+ @Test
+ public void templateStrictWhitelistSecond() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:/aaaa.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file:/aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistFirst() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://aaaa.com/bbbb";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistSecond() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:/aaaa.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file:/aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistThird() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://aaaa.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistFour() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "http://aaaa.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should NOT be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistFife() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "http://junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistSix() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "https://junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/bbbb");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistSeven() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:/junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file:/aaaa.com/bbbb");
+
+ Assert.assertFalse("Template should Not be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistEight() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:/junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/ccc",
+ "ccc");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistNine() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:\\junit.com\\ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/ccc",
+ "ccc");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistTen() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:\\junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/ccc",
+ "ccc");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ private HttpServletRequest getDummyHttpRequest(final String serverName) {
+ return new HttpServletRequest() {
+
+ @Override
+ public AsyncContext startAsync(ServletRequest servletRequest, ServletResponse servletResponse)
+ throws IllegalStateException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public AsyncContext startAsync() throws IllegalStateException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public void setCharacterEncoding(String env) throws UnsupportedEncodingException {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void setAttribute(String name, Object o) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void removeAttribute(String name) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public boolean isSecure() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isAsyncSupported() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isAsyncStarted() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public ServletContext getServletContext() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getServerPort() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getServerName() {
+ return serverName;
+
+ }
+
+ @Override
+ public String getScheme() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public RequestDispatcher getRequestDispatcher(String path) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getRemotePort() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getRemoteHost() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRemoteAddr() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRealPath(String path) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public BufferedReader getReader() throws IOException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getProtocol() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String[] getParameterValues(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration<String> getParameterNames() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Map<String, String[]> getParameterMap() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getParameter(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration<Locale> getLocales() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Locale getLocale() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getLocalPort() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getLocalName() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getLocalAddr() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public ServletInputStream getInputStream() throws IOException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public DispatcherType getDispatcherType() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getContentType() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getContentLength() {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public String getCharacterEncoding() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration<String> getAttributeNames() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Object getAttribute(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public AsyncContext getAsyncContext() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public void logout() throws ServletException {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void login(String username, String password) throws ServletException {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public boolean isUserInRole(String role) {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdValid() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdFromUrl() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdFromURL() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public boolean isRequestedSessionIdFromCookie() {
+ // TODO Auto-generated method stub
+ return false;
+ }
+
+ @Override
+ public Principal getUserPrincipal() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public HttpSession getSession(boolean create) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public HttpSession getSession() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getServletPath() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRequestedSessionId() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public StringBuffer getRequestURL() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRequestURI() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getRemoteUser() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getQueryString() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getPathTranslated() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getPathInfo() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Collection<Part> getParts() throws IOException, ServletException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Part getPart(String name) throws IOException, ServletException {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getMethod() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public int getIntHeader(String name) {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public Enumeration<String> getHeaders(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public Enumeration<String> getHeaderNames() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getHeader(String name) {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public long getDateHeader(String name) {
+ // TODO Auto-generated method stub
+ return 0;
+ }
+
+ @Override
+ public Cookie[] getCookies() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getContextPath() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public String getAuthType() {
+ // TODO Auto-generated method stub
+ return null;
+ }
+
+ @Override
+ public boolean authenticate(HttpServletResponse response) throws IOException, ServletException {
+ // TODO Auto-generated method stub
+ return false;
+ }
+ };
+ }
+}