From 3ead2fee52a1e43e12610fda8175cb1a74e8b1f0 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Mon, 31 Aug 2020 13:51:14 +0200
Subject: update validation in case of file:/ paths because trusted templates
 can be relative to config directory

---
 .../moa/id/util/ParamValidatorUtils.java           | 28 +++++++--
 .../moa/id/config/auth/data/DummyAuthConfig.java   | 32 ++++++++--
 .../moa/id/util/ParamValidatorUtilsTest.java       | 73 ++++++++++++++++++----
 3 files changed, 111 insertions(+), 22 deletions(-)

diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
index 065615666..0e468bb6b 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java
@@ -49,6 +49,7 @@ package at.gv.egovernment.moa.id.util;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.net.MalformedURLException;
+import java.net.URISyntaxException;
 import java.net.URL;
 import java.util.Collections;
 import java.util.HashMap;
@@ -63,6 +64,7 @@ import javax.xml.parsers.ParserConfigurationException;
 import org.xml.sax.SAXException;
 
 import at.gv.egiz.eaaf.core.impl.utils.DOMUtils;
+import at.gv.egiz.eaaf.core.impl.utils.FileUtils;
 import at.gv.egovernment.moa.id.auth.exception.WrongParametersException;
 import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants;
 import at.gv.egovernment.moa.id.commons.api.AuthConfiguration;
@@ -309,7 +311,7 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
           }                                       
         }
     	   
-      } catch (MalformedURLException | ConfigurationException e) {
+      } catch (MalformedURLException | ConfigurationException | URISyntaxException e) {
     	 Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e);
          return false;
     
@@ -529,24 +531,42 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{
 	}
 	
   private static boolean validateTemplateUrlToWhiteList(String template, List<String> oaSlTemplates) 
-      throws ConfigurationException {
+      throws ConfigurationException, MalformedURLException, URISyntaxException {
   //check against configured trustet template urls
     AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance();
     List<String> trustedTemplateURLs = authConf.getSLRequestTemplates();
     
     //get OA specific template URLs
-    if (oaSlTemplates != null && oaSlTemplates.size() > 0) {
+    if (oaSlTemplates != null && !oaSlTemplates.isEmpty()) {
       for (String el : oaSlTemplates)
         if (MiscUtil.isNotEmpty(el))
           trustedTemplateURLs.add(el);              
     }
     
-    boolean b = trustedTemplateURLs.contains(template);
+    boolean b = false;
+    if (template.startsWith("file:")) {
+      for (String el : trustedTemplateURLs) {
+        URL templateUrl = new URL(template);
+        URL trustedUrl = new URL(FileUtils.makeAbsoluteURL(el, authConf.getConfigurationRootDirectory()));
+        b = trustedUrl.equals(templateUrl);        
+        if (b) {
+          break;
+        }        
+      }
+      
+    } else {
+      b = trustedTemplateURLs.contains(template);  
+      
+    }
+    
+    
     if (b) {
       Logger.debug("Parameter Template erfolgreich ueberprueft");
       return true;
     
     } else {
+      Logger.info("Template:" + template + " DOES NOT match to allowed templates: ["
+          + org.apache.commons.lang3.StringUtils.join(trustedTemplateURLs, ",") +  "]");
       Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. "
           + "Parameter ist nicht auf Liste der vertrauenswuerdigen Template URLs "
           + "(Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)");  
diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
index 7707f3b90..b2f425a2c 100644
--- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java
@@ -2,7 +2,9 @@ package at.gv.egovernment.moa.id.config.auth.data;
 
 import java.io.IOException;
 import java.net.URI;
+import java.net.URISyntaxException;
 import java.net.URL;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -20,6 +22,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters;
 import at.gv.egovernment.moa.id.commons.api.IStorkConfig;
 import at.gv.egovernment.moa.id.commons.api.data.ProtocolAllowed;
 import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException;
+import at.gv.egovernment.moa.util.MiscUtil;
 import at.gv.util.config.EgovUtilPropertiesConfiguration;
 
 public class DummyAuthConfig implements AuthConfiguration {
@@ -28,11 +31,12 @@ public class DummyAuthConfig implements AuthConfiguration {
 	
 	private Map<String, String> basicConfig = new HashMap<>();
   private List<String> slRequestTemplates;
-	
+	private String configRootDir;
+  
 	@Override
 	public String getRootConfigFileDir() {
-		// TODO Auto-generated method stub
-		return null;
+		return configRootDir;
+		
 	}
 
 	@Override
@@ -246,7 +250,7 @@ public class DummyAuthConfig implements AuthConfiguration {
 
 	@Override
 	public List<String> getSLRequestTemplates() throws ConfigurationException {
-		return slRequestTemplates;
+		return new ArrayList<>(slRequestTemplates);
 		
 	}
 
@@ -451,8 +455,18 @@ public class DummyAuthConfig implements AuthConfiguration {
 
 	@Override
 	public URI getConfigurationRootDirectory() {
-		// TODO Auto-generated method stub
-		return null;
+		try {
+		  if (MiscUtil.isNotEmpty(configRootDir)) {
+		    return new URI(configRootDir);
+		    
+		  }      
+    } catch (URISyntaxException e) {
+      e.printStackTrace();
+      
+    }
+		
+    return null;
+		
 	}
 
 	@Override
@@ -501,5 +515,11 @@ public class DummyAuthConfig implements AuthConfiguration {
 	  slRequestTemplates = templates;
 	  
 	}
+
+  public void setConfigRootDir(String configRootDir) {
+    this.configRootDir = configRootDir;
+  }
+	
+	
 	
 }
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
index ad9e2c90e..7afad55aa 100644
--- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
+++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java
@@ -46,6 +46,7 @@ public class ParamValidatorUtilsTest {
     config = new DummyAuthConfig();
     AuthConfigurationProviderFactory.setAuthConfig(config);
     config.setSlRequestTemplateUrls(new ArrayList<String>());    
+    config.setConfigRootDir("file://junit.com/");
     
   }
   
@@ -68,11 +69,11 @@ public class ParamValidatorUtilsTest {
   public void templateStrictWhitelistSecond() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
-    String template = "file://aaaa.com/ccc";
+    String template = "file:/aaaa.com/ccc";
     List<String> oaSlTemplates = Arrays.asList(
         "http://aaaa.com/bbbb", 
         "https://aaaa.com/bbbb", 
-        "file://aaaa.com/bbbb");
+        "file:/aaaa.com/bbbb");
     
     Assert.assertFalse("Template should NOT be valid", 
         ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true));
@@ -95,14 +96,14 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistSecond() {
+  public void templateLazyWhitelistSecond() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
-    String template = "file://aaaa.com/ccc";
+    String template = "file:/aaaa.com/ccc";
     List<String> oaSlTemplates = Arrays.asList(
         "http://aaaa.com/bbbb", 
         "https://aaaa.com/bbbb", 
-        "file://aaaa.com/bbbb");
+        "file:/aaaa.com/bbbb");
     
     Assert.assertFalse("Template should NOT be valid", 
         ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
@@ -110,7 +111,7 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistThird() {
+  public void templateLazyWhitelistThird() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "https://aaaa.com/ccc";
@@ -125,7 +126,7 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistFour() {
+  public void templateLazyWhitelistFour() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "http://aaaa.com/ccc";
@@ -140,7 +141,7 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistFife() {
+  public void templateLazyWhitelistFife() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "http://junit.com/ccc";
@@ -155,7 +156,7 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistSix() {
+  public void templateLazyWhitelistSix() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
     String template = "https://junit.com/ccc";
@@ -170,20 +171,68 @@ public class ParamValidatorUtilsTest {
   }
   
   @Test
-  public void templateLaczWhitelistSeven() {
+  public void templateLazyWhitelistSeven() {
     
     HttpServletRequest req = getDummyHttpRequest("junit.com");
-    String template = "file://junit.com/ccc";
+    String template = "file:/junit.com/ccc";
     List<String> oaSlTemplates = Arrays.asList(
         "http://aaaa.com/bbbb", 
         "https://aaaa.com/bbbb", 
-        "file://aaaa.com/bbbb");
+        "file:/aaaa.com/bbbb");
     
     Assert.assertFalse("Template should Not be valid", 
         ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
     
   }
   
+  @Test
+  public void templateLazyWhitelistEight() {
+    
+    HttpServletRequest req = getDummyHttpRequest("junit.com");
+    String template = "file:/junit.com/ccc";
+    List<String> oaSlTemplates = Arrays.asList(
+        "http://aaaa.com/bbbb", 
+        "https://aaaa.com/bbbb", 
+        "file://aaaa.com/ccc",
+        "ccc");
+    
+    Assert.assertTrue("Template should be valid", 
+        ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+    
+  }
+  
+  @Test
+  public void templateLazyWhitelistNine() {
+    
+    HttpServletRequest req = getDummyHttpRequest("junit.com");
+    String template = "file:\\junit.com\\ccc";
+    List<String> oaSlTemplates = Arrays.asList(
+        "http://aaaa.com/bbbb", 
+        "https://aaaa.com/bbbb", 
+        "file://aaaa.com/ccc",
+        "ccc");
+    
+    Assert.assertTrue("Template should be valid", 
+        ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+    
+  }
+  
+  @Test
+  public void templateLazyWhitelistTen() {
+    
+    HttpServletRequest req = getDummyHttpRequest("junit.com");
+    String template = "file:\\junit.com/ccc";
+    List<String> oaSlTemplates = Arrays.asList(
+        "http://aaaa.com/bbbb", 
+        "https://aaaa.com/bbbb", 
+        "file://aaaa.com/ccc",
+        "ccc");
+    
+    Assert.assertTrue("Template should be valid", 
+        ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false));
+    
+  }
+  
   private HttpServletRequest getDummyHttpRequest(final String serverName) {
     return new HttpServletRequest() {
       
-- 
cgit v1.2.3