authorThomas Lenz <tlenz@iaik.tugraz.at>2020-08-31 13:51:14 +0200
committerThomas Lenz <tlenz@iaik.tugraz.at>2020-08-31 13:51:14 +0200
commit3ead2fee52a1e43e12610fda8175cb1a74e8b1f0 (patch)
tree8b3f52b6366b9d326704a125ebc9e4dc9b30b4d3 /id/server
parent8322112004a0334a5d73795760880e635813793b (diff)
Update validation for file:/ paths, because trusted templates can be relative to the config directory
Diffstat (limited to 'id/server')
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java28
-rw-r--r--id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java32
-rw-r--r--id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java73
3 files changed, 111 insertions, 22 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
index 065615666..0e468bb6b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
@@ -49,6 +49,7 @@ package at.gv.egovernment.moa.id.util;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.MalformedURLException;
+import java.net.URISyntaxException;
import java.net.URL;
import java.util.Collections;
import java.util.HashMap;
@@ -63,6 +64,7 @@ import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;
import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
+import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
@@ -309,7 +311,7 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
}
}
- } catch (MalformedURLException | ConfigurationException e) {
+ } catch (MalformedURLException | ConfigurationException | URISyntaxException e) {
Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e);
return false;
@@ -529,24 +531,42 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
}
private static boolean validateTemplateUrlToWhiteList(String template, List<String> oaSlTemplates)
- throws ConfigurationException {
+ throws ConfigurationException, MalformedURLException, URISyntaxException {
//check against configured trustet template urls
AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();
List<String> trustedTemplateURLs = authConf.getSLRequestTemplates();
//get OA specific template URLs
- if (oaSlTemplates != null && oaSlTemplates.size() > 0) {
+ if (oaSlTemplates != null && !oaSlTemplates.isEmpty()) {
for (String el : oaSlTemplates)
if (MiscUtil.isNotEmpty(el))
trustedTemplateURLs.add(el);
}
- boolean b = trustedTemplateURLs.contains(template);
+ boolean b = false;
+ if (template.startsWith("file:")) {
+ for (String el : trustedTemplateURLs) {
+ URL templateUrl = new URL(template);
+ URL trustedUrl = new URL(FileUtils.makeAbsoluteURL(el, authConf.getConfigurationRootDirectory()));
+ b = trustedUrl.equals(templateUrl);
+ if (b) {
+ break;
+ }
+ }
+
+ } else {
+ b = trustedTemplateURLs.contains(template);
+
+ }
+
+
if (b) {
Logger.debug("Parameter Template erfolgreich ueberprueft");
return true;
} else {
+ Logger.info("Template:" + template + " DOES NOT match to allowed templates: ["
+ + org.apache.commons.lang3.StringUtils.join(trustedTemplateURLs, ",") + "]");
Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. "
+ "Parameter ist nicht auf Liste der vertrauenswuerdigen Template URLs "
+ "(Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)");
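Review bot: The new `file:` branch decides the match with `trustedUrl.equals(templateUrl)`, and `java.net.URL.equals()` resolves both host names through DNS and treats URLs whose hosts resolve to the same address as equal, so a request-supplied template with a host part causes a blocking lookup per trusted entry and the check is no longer a pure whitelist comparison. Compare the textual form instead and hoist the template parse out of the loop: `URL templateUrl = new URL(template);` before the `for`, and `b = trustedUrl.toExternalForm().equals(templateUrl.toExternalForm());` in place of the equals call (assuming `FileUtils.makeAbsoluteURL` produces the same string form the current tests rely on). Separately, `trustedTemplateURLs.add(el)` still appends OA-specific entries to the list returned by `authConf.getSLRequestTemplates()`; the test double had to be changed to return a copy, which suggests the production configuration may hand out its live list, so `List<String> trustedTemplateURLs = new ArrayList<>(authConf.getSLRequestTemplates());` (with the `java.util.ArrayList` import if it is not already present) would keep one OA's templates from becoming trusted for every later request. The added `Logger.info` also writes the unvalidated `template` value verbatim into the log; strip line breaks from it before logging so a crafted value cannot forge log lines. The body of validateTemplateUrlToWhiteList continues past the hunk.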
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
index 7707f3b90..b2f425a2c 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
@@ -2,7 +2,9 @@ package at.gv.egovernment.moa.id.config.auth.data;
import java.io.IOException;
import java.net.URI;
+import java.net.URISyntaxException;
import java.net.URL;
+import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -20,6 +22,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
import at.gv.egovernment.moa.id.commons.api.IStorkConfig;
import at.gv.egovernment.moa.id.commons.api.data.ProtocolAllowed;
import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.util.MiscUtil;
import at.gv.util.config.EgovUtilPropertiesConfiguration;
public class DummyAuthConfig implements AuthConfiguration {
@@ -28,11 +31,12 @@ public class DummyAuthConfig implements AuthConfiguration {
private Map<String, String> basicConfig = new HashMap<>();
private List<String> slRequestTemplates;
-
+ private String configRootDir;
+
@Override
public String getRootConfigFileDir() {
- // TODO Auto-generated method stub
- return null;
+ return configRootDir;
+
}
@Override
@@ -246,7 +250,7 @@ public class DummyAuthConfig implements AuthConfiguration {
@Override
public List<String> getSLRequestTemplates() throws ConfigurationException {
- return slRequestTemplates;
+ return new ArrayList<>(slRequestTemplates);
}
@@ -451,8 +455,18 @@ public class DummyAuthConfig implements AuthConfiguration {
@Override
public URI getConfigurationRootDirectory() {
- // TODO Auto-generated method stub
- return null;
+ try {
+ if (MiscUtil.isNotEmpty(configRootDir)) {
+ return new URI(configRootDir);
+
+ }
+ } catch (URISyntaxException e) {
+ e.printStackTrace();
+
+ }
+
+ return null;
+
}
@Override
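Review bot: `getConfigurationRootDirectory()` now turns a malformed `configRootDir` into `e.printStackTrace()` plus a `null` return, so a typo in a test fixture shows up as an unexplained whitelist miss rather than a failing test; in a test double prefer `throw new IllegalStateException("invalid configRootDir: " + configRootDir, e);` in the catch. With that, the trailing `return null` is reached only for an empty root, which is the documented fallback. The enclosing class continues outside the hunk.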
@@ -501,5 +515,11 @@ public class DummyAuthConfig implements AuthConfiguration {
slRequestTemplates = templates;
}
+
+ public void setConfigRootDir(String configRootDir) {
+ this.configRootDir = configRootDir;
+ }
+
+
}
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
index ad9e2c90e..7afad55aa 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
@@ -46,6 +46,7 @@ public class ParamValidatorUtilsTest {
config = new DummyAuthConfig();
AuthConfigurationProviderFactory.setAuthConfig(config);
config.setSlRequestTemplateUrls(new ArrayList<String>());
+ config.setConfigRootDir("file://junit.com/");
}
@@ -68,11 +69,11 @@ public class ParamValidatorUtilsTest {
public void templateStrictWhitelistSecond() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
- String template = "file://aaaa.com/ccc";
+ String template = "file:/aaaa.com/ccc";
List<String> oaSlTemplates = Arrays.asList(
"http://aaaa.com/bbbb",
"https://aaaa.com/bbbb",
- "file://aaaa.com/bbbb");
+ "file:/aaaa.com/bbbb");
Assert.assertFalse("Template should NOT be valid",
ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true));
@@ -95,14 +96,14 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistSecond() {
+ public void templateLazyWhitelistSecond() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
- String template = "file://aaaa.com/ccc";
+ String template = "file:/aaaa.com/ccc";
List<String> oaSlTemplates = Arrays.asList(
"http://aaaa.com/bbbb",
"https://aaaa.com/bbbb",
- "file://aaaa.com/bbbb");
+ "file:/aaaa.com/bbbb");
Assert.assertFalse("Template should NOT be valid",
ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
@@ -110,7 +111,7 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistThird() {
+ public void templateLazyWhitelistThird() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
String template = "https://aaaa.com/ccc";
@@ -125,7 +126,7 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistFour() {
+ public void templateLazyWhitelistFour() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
String template = "http://aaaa.com/ccc";
@@ -140,7 +141,7 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistFife() {
+ public void templateLazyWhitelistFife() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
String template = "http://junit.com/ccc";
@@ -155,7 +156,7 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistSix() {
+ public void templateLazyWhitelistSix() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
String template = "https://junit.com/ccc";
@@ -170,20 +171,68 @@ public class ParamValidatorUtilsTest {
}
@Test
- public void templateLaczWhitelistSeven() {
+ public void templateLazyWhitelistSeven() {
HttpServletRequest req = getDummyHttpRequest("junit.com");
- String template = "file://junit.com/ccc";
+ String template = "file:/junit.com/ccc";
List<String> oaSlTemplates = Arrays.asList(
"http://aaaa.com/bbbb",
"https://aaaa.com/bbbb",
- "file://aaaa.com/bbbb");
+ "file:/aaaa.com/bbbb");
Assert.assertFalse("Template should Not be valid",
ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
}
+ @Test
+ public void templateLazyWhitelistEight() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:/junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/ccc",
+ "ccc");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistNine() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:\\junit.com\\ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/ccc",
+ "ccc");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
+ @Test
+ public void templateLazyWhitelistTen() {
+
+ HttpServletRequest req = getDummyHttpRequest("junit.com");
+ String template = "file:\\junit.com/ccc";
+ List<String> oaSlTemplates = Arrays.asList(
+ "http://aaaa.com/bbbb",
+ "https://aaaa.com/bbbb",
+ "file://aaaa.com/ccc",
+ "ccc");
+
+ Assert.assertTrue("Template should be valid",
+ ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+
+ }
+
private HttpServletRequest getDummyHttpRequest(final String serverName) {
return new HttpServletRequest() {
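Review bot: templateLazyWhitelistNine and templateLazyWhitelistTen pass `file:\\junit.com\\ccc` and `file:\\junit.com/ccc` and expect a match, but the JDK file URL handler only maps backslashes to slashes where the platform separator is a backslash, so on a Unix build the parsed path keeps its literal backslashes and these assertions presumably depend on the host OS (or on normalization inside `FileUtils.makeAbsoluteURL`, which is not visible here). If backslash variants are meant to be accepted everywhere, the normalization belongs in `validateTemplateUrlToWhiteList` and the tests should say so with a comment such as `// backslash separators must be normalized before whitelist matching`; otherwise guard these two tests with an `Assume` on the OS. getDummyHttpRequest continues past the end of the hunk.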