diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2020-08-31 13:51:14 +0200 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2020-08-31 13:51:14 +0200 |
commit | 3ead2fee52a1e43e12610fda8175cb1a74e8b1f0 (patch) | |
tree | 8b3f52b6366b9d326704a125ebc9e4dc9b30b4d3 /id | |
parent | 8322112004a0334a5d73795760880e635813793b (diff) | |
download | moa-id-spss-3ead2fee52a1e43e12610fda8175cb1a74e8b1f0.tar.gz moa-id-spss-3ead2fee52a1e43e12610fda8175cb1a74e8b1f0.tar.bz2 moa-id-spss-3ead2fee52a1e43e12610fda8175cb1a74e8b1f0.zip |
update validation in case of file:/ paths because trusted templates can be relative to config directory
Diffstat (limited to 'id')
3 files changed, 111 insertions, 22 deletions
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index 065615666..0e468bb6b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -49,6 +49,7 @@ package at.gv.egovernment.moa.id.util; import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.MalformedURLException;
+import java.net.URISyntaxException;
import java.net.URL;
import java.util.Collections;
import java.util.HashMap;
@@ -63,6 +64,7 @@ import javax.xml.parsers.ParserConfigurationException; import org.xml.sax.SAXException;
import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
+import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
@@ -309,7 +311,7 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ }
}
- } catch (MalformedURLException | ConfigurationException e) {
+ } catch (MalformedURLException | ConfigurationException | URISyntaxException e) {
Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e);
return false;
@@ -529,24 +531,42 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ }
private static boolean validateTemplateUrlToWhiteList(String template, List<String> oaSlTemplates)
- throws ConfigurationException {
+ throws ConfigurationException, MalformedURLException, URISyntaxException {
//check against configured trustet template urls
AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();
List<String> trustedTemplateURLs = authConf.getSLRequestTemplates();
//get OA specific template URLs
- if (oaSlTemplates != null && oaSlTemplates.size() > 0) {
+ if (oaSlTemplates != null && !oaSlTemplates.isEmpty()) {
for (String el : oaSlTemplates)
if (MiscUtil.isNotEmpty(el))
trustedTemplateURLs.add(el);
}
- boolean b = trustedTemplateURLs.contains(template);
+ boolean b = false;
+ if (template.startsWith("file:")) {
+ for (String el : trustedTemplateURLs) {
+ URL templateUrl = new URL(template);
+ URL trustedUrl = new URL(FileUtils.makeAbsoluteURL(el, authConf.getConfigurationRootDirectory()));
+ b = trustedUrl.equals(templateUrl);
+ if (b) {
+ break;
+ }
+ }
+
+ } else {
+ b = trustedTemplateURLs.contains(template);
+
+ }
+
+
if (b) {
Logger.debug("Parameter Template erfolgreich ueberprueft");
return true;
} else {
+ Logger.info("Template:" + template + " DOES NOT match to allowed templates: ["
+ + org.apache.commons.lang3.StringUtils.join(trustedTemplateURLs, ",") + "]");
Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. "
+ "Parameter ist nicht auf Liste der vertrauenswuerdigen Template URLs "
+ "(Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)");
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java index 7707f3b90..b2f425a2c 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java +++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java @@ -2,7 +2,9 @@ package at.gv.egovernment.moa.id.config.auth.data; import java.io.IOException; import java.net.URI; +import java.net.URISyntaxException; import java.net.URL; +import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -20,6 +22,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IStorkConfig; import at.gv.egovernment.moa.id.commons.api.data.ProtocolAllowed; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.util.config.EgovUtilPropertiesConfiguration; public class DummyAuthConfig implements AuthConfiguration { @@ -28,11 +31,12 @@ public class DummyAuthConfig implements AuthConfiguration { private Map<String, String> basicConfig = new HashMap<>(); private List<String> slRequestTemplates; - + private String configRootDir; + @Override public String getRootConfigFileDir() { - // TODO Auto-generated method stub - return null; + return configRootDir; + } @Override @@ -246,7 +250,7 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public List<String> getSLRequestTemplates() throws ConfigurationException { - return slRequestTemplates; + return new ArrayList<>(slRequestTemplates); } @@ -451,8 +455,18 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public URI getConfigurationRootDirectory() { - // TODO Auto-generated method stub - return null; + try { + if (MiscUtil.isNotEmpty(configRootDir)) { + return new URI(configRootDir); + + } + } catch (URISyntaxException e) { + e.printStackTrace(); + + } + + return null; + } @Override @@ -501,5 +515,11 @@ public class DummyAuthConfig implements AuthConfiguration { slRequestTemplates = templates; } + + public void setConfigRootDir(String configRootDir) { + this.configRootDir = configRootDir; + } + + } diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java index ad9e2c90e..7afad55aa 100644 --- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java @@ -46,6 +46,7 @@ public class ParamValidatorUtilsTest { config = new DummyAuthConfig(); AuthConfigurationProviderFactory.setAuthConfig(config); config.setSlRequestTemplateUrls(new ArrayList<String>()); + config.setConfigRootDir("file://junit.com/"); } @@ -68,11 +69,11 @@ public class ParamValidatorUtilsTest { public void templateStrictWhitelistSecond() { HttpServletRequest req = getDummyHttpRequest("junit.com"); - String template = "file://aaaa.com/ccc"; + String template = "file:/aaaa.com/ccc"; List<String> oaSlTemplates = Arrays.asList( "http://aaaa.com/bbbb", "https://aaaa.com/bbbb", - "file://aaaa.com/bbbb"); + "file:/aaaa.com/bbbb"); Assert.assertFalse("Template should NOT be valid", ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true)); @@ -95,14 +96,14 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistSecond() { + public void templateLazyWhitelistSecond() { HttpServletRequest req = getDummyHttpRequest("junit.com"); - String template = "file://aaaa.com/ccc"; + String template = "file:/aaaa.com/ccc"; List<String> oaSlTemplates = Arrays.asList( "http://aaaa.com/bbbb", "https://aaaa.com/bbbb", - "file://aaaa.com/bbbb"); + "file:/aaaa.com/bbbb"); Assert.assertFalse("Template should NOT be valid", ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); @@ -110,7 +111,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistThird() { + public void templateLazyWhitelistThird() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "https://aaaa.com/ccc"; @@ -125,7 +126,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistFour() { + public void templateLazyWhitelistFour() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "http://aaaa.com/ccc"; @@ -140,7 +141,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistFife() { + public void templateLazyWhitelistFife() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "http://junit.com/ccc"; @@ -155,7 +156,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistSix() { + public void templateLazyWhitelistSix() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "https://junit.com/ccc"; @@ -170,20 +171,68 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistSeven() { + public void templateLazyWhitelistSeven() { HttpServletRequest req = getDummyHttpRequest("junit.com"); - String template = "file://junit.com/ccc"; + String template = "file:/junit.com/ccc"; List<String> oaSlTemplates = Arrays.asList( "http://aaaa.com/bbbb", "https://aaaa.com/bbbb", - "file://aaaa.com/bbbb"); + "file:/aaaa.com/bbbb"); Assert.assertFalse("Template should Not be valid", ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); } + @Test + public void templateLazyWhitelistEight() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file:/junit.com/ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/ccc", + "ccc"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLazyWhitelistNine() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file:\\junit.com\\ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/ccc", + "ccc"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLazyWhitelistTen() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file:\\junit.com/ccc"; + List<String> oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/ccc", + "ccc"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + private HttpServletRequest getDummyHttpRequest(final String serverName) { return new HttpServletRequest() { |