From 3ead2fee52a1e43e12610fda8175cb1a74e8b1f0 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Mon, 31 Aug 2020 13:51:14 +0200 Subject: update validation in case of file:/ paths because trusted templates can be relative to config directory --- .../moa/id/util/ParamValidatorUtils.java | 28 +++++++-- .../moa/id/config/auth/data/DummyAuthConfig.java | 32 ++++++++-- .../moa/id/util/ParamValidatorUtilsTest.java | 73 ++++++++++++++++++---- 3 files changed, 111 insertions(+), 22 deletions(-) diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java index 065615666..0e468bb6b 100644 --- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java +++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/util/ParamValidatorUtils.java @@ -49,6 +49,7 @@ package at.gv.egovernment.moa.id.util; import java.io.ByteArrayInputStream; import java.io.IOException; import java.net.MalformedURLException; +import java.net.URISyntaxException; import java.net.URL; import java.util.Collections; import java.util.HashMap; @@ -63,6 +64,7 @@ import javax.xml.parsers.ParserConfigurationException; import org.xml.sax.SAXException; import at.gv.egiz.eaaf.core.impl.utils.DOMUtils; +import at.gv.egiz.eaaf.core.impl.utils.FileUtils; import at.gv.egovernment.moa.id.auth.exception.WrongParametersException; import at.gv.egovernment.moa.id.commons.MOAIDAuthConstants; import at.gv.egovernment.moa.id.commons.api.AuthConfiguration; @@ -309,7 +311,7 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ } } - } catch (MalformedURLException | ConfigurationException e) { + } catch (MalformedURLException | ConfigurationException | URISyntaxException e) { Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL.", e); return false; 
@@ -529,24 +531,42 @@ public class ParamValidatorUtils extends MOAIDAuthConstants{ } private static boolean validateTemplateUrlToWhiteList(String template, List oaSlTemplates) - throws ConfigurationException { + throws ConfigurationException, MalformedURLException, URISyntaxException { //check against configured trustet template urls AuthConfiguration authConf = AuthConfigurationProviderFactory.getInstance(); List trustedTemplateURLs = authConf.getSLRequestTemplates(); //get OA specific template URLs - if (oaSlTemplates != null && oaSlTemplates.size() > 0) { + if (oaSlTemplates != null && !oaSlTemplates.isEmpty()) { for (String el : oaSlTemplates) if (MiscUtil.isNotEmpty(el)) trustedTemplateURLs.add(el); } - boolean b = trustedTemplateURLs.contains(template); + boolean b = false; + if (template.startsWith("file:")) { + for (String el : trustedTemplateURLs) { + URL templateUrl = new URL(template); + URL trustedUrl = new URL(FileUtils.makeAbsoluteURL(el, authConf.getConfigurationRootDirectory())); + b = trustedUrl.equals(templateUrl); + if (b) { + break; + } + } + + } else { + b = trustedTemplateURLs.contains(template); + + } + + if (b) { Logger.debug("Parameter Template erfolgreich ueberprueft"); return true; } else { + Logger.info("Template:" + template + " DOES NOT match to allowed templates: [" + + org.apache.commons.lang3.StringUtils.join(trustedTemplateURLs, ",") + "]"); Logger.error("Fehler Ueberpruefung Parameter Template bzw. bkuSelectionTemplateURL. " + "Parameter ist nicht auf Liste der vertrauenswuerdigen Template URLs " + "(Konfigurationselement: MOA-IDConfiguration/TrustedTemplateURLs)"); diff --git a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java index 7707f3b90..b2f425a2c 100644 --- a/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java 
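Review bot: `b = trustedUrl.equals(templateUrl)` in the new `file:` branch relies on `java.net.URL.equals`, whose Javadoc states that host comparison requires name resolution and is a blocking operation, so a `template` value carrying a host such as `file://attacker.example/x` (the value appears to be the request parameter that `isValidTemplate(req, template, …)` validates) can make the validator perform a DNS lookup of an attacker-chosen name once per trusted entry. The new signature already declares `URISyntaxException` but nothing in the hunk constructs a `URI`; I would parse once before the loop with `URI templateUri = new URI(template).normalize();` and compare `b = new URI(FileUtils.makeAbsoluteURL(el, authConf.getConfigurationRootDirectory())).normalize().equals(templateUri);` inside it, which is a purely syntactic comparison and also makes both sides canonical instead of comparing spellings. The unchanged context line `trustedTemplateURLs.add(el)` still appends OA-specific entries to whatever `getSLRequestTemplates()` returns; the test double in this same commit now returns a copy, so it is worth confirming the production implementation does too, otherwise per-OA templates would accumulate in the shared allowlist across requests. The new `Logger.info` writes the raw `template` parameter to the log; strip CR/LF from it or log it at debug only. The method continues past the end of the hunk.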
+++ b/id/server/idserverlib/src/test/java/at/gv/egovernment/moa/id/config/auth/data/DummyAuthConfig.java @@ -2,7 +2,9 @@ package at.gv.egovernment.moa.id.config.auth.data; import java.io.IOException; import java.net.URI; +import java.net.URISyntaxException; import java.net.URL; +import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -20,6 +22,7 @@ import at.gv.egovernment.moa.id.commons.api.IOAAuthParameters; import at.gv.egovernment.moa.id.commons.api.IStorkConfig; import at.gv.egovernment.moa.id.commons.api.data.ProtocolAllowed; import at.gv.egovernment.moa.id.commons.api.exceptions.ConfigurationException; +import at.gv.egovernment.moa.util.MiscUtil; import at.gv.util.config.EgovUtilPropertiesConfiguration; public class DummyAuthConfig implements AuthConfiguration { @@ -28,11 +31,12 @@ public class DummyAuthConfig implements AuthConfiguration { private Map basicConfig = new HashMap<>(); private List slRequestTemplates; - + private String configRootDir; + @Override public String getRootConfigFileDir() { - // TODO Auto-generated method stub - return null; + return configRootDir; + } @Override @@ -246,7 +250,7 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public List getSLRequestTemplates() throws ConfigurationException { - return slRequestTemplates; + return new ArrayList<>(slRequestTemplates); } @@ -451,8 +455,18 @@ public class DummyAuthConfig implements AuthConfiguration { @Override public URI getConfigurationRootDirectory() { - // TODO Auto-generated method stub - return null; + try { + if (MiscUtil.isNotEmpty(configRootDir)) { + return new URI(configRootDir); + + } + } catch (URISyntaxException e) { + e.printStackTrace(); + + } + + return null; + } @Override @@ -501,5 +515,11 @@ public class DummyAuthConfig implements AuthConfiguration { slRequestTemplates = templates; } + + public void setConfigRootDir(String configRootDir) { + this.configRootDir = configRootDir; + } + + } 
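Review bot: `getConfigurationRootDirectory()` catches the `URISyntaxException` with `e.printStackTrace()` and falls through to `return null`, so a malformed value passed to `setConfigRootDir` presumably only surfaces later as a `NullPointerException` inside whatever consumes the root URI rather than at the misconfiguration itself. For a test double it is better to fail loudly: replace the catch body with `throw new IllegalStateException("invalid configRootDir: " + configRootDir, e);`. The class continues outside this hunk.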
diff --git a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java index ad9e2c90e..7afad55aa 100644 --- a/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java +++ b/id/server/idserverlib/src/test/java/test/at/gv/egovernment/moa/id/util/ParamValidatorUtilsTest.java @@ -46,6 +46,7 @@ public class ParamValidatorUtilsTest { config = new DummyAuthConfig(); AuthConfigurationProviderFactory.setAuthConfig(config); config.setSlRequestTemplateUrls(new ArrayList()); + config.setConfigRootDir("file://junit.com/"); } @@ -68,11 +69,11 @@ public class ParamValidatorUtilsTest { public void templateStrictWhitelistSecond() { HttpServletRequest req = getDummyHttpRequest("junit.com"); - String template = "file://aaaa.com/ccc"; + String template = "file:/aaaa.com/ccc"; List oaSlTemplates = Arrays.asList( "http://aaaa.com/bbbb", "https://aaaa.com/bbbb", - "file://aaaa.com/bbbb"); + "file:/aaaa.com/bbbb"); Assert.assertFalse("Template should NOT be valid", ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, true)); @@ -95,14 +96,14 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistSecond() { + public void templateLazyWhitelistSecond() { HttpServletRequest req = getDummyHttpRequest("junit.com"); - String template = "file://aaaa.com/ccc"; + String template = "file:/aaaa.com/ccc"; List oaSlTemplates = Arrays.asList( "http://aaaa.com/bbbb", "https://aaaa.com/bbbb", - "file://aaaa.com/bbbb"); + "file:/aaaa.com/bbbb"); Assert.assertFalse("Template should NOT be valid", ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); 
@@ -110,7 +111,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistThird() { + public void templateLazyWhitelistThird() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "https://aaaa.com/ccc"; @@ -125,7 +126,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistFour() { + public void templateLazyWhitelistFour() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "http://aaaa.com/ccc"; @@ -140,7 +141,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistFife() { + public void templateLazyWhitelistFife() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "http://junit.com/ccc"; @@ -155,7 +156,7 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistSix() { + public void templateLazyWhitelistSix() { HttpServletRequest req = getDummyHttpRequest("junit.com"); String template = "https://junit.com/ccc"; 
@@ -170,20 +171,68 @@ public class ParamValidatorUtilsTest { } @Test - public void templateLaczWhitelistSeven() { + public void templateLazyWhitelistSeven() { HttpServletRequest req = getDummyHttpRequest("junit.com"); - String template = "file://junit.com/ccc"; + String template = "file:/junit.com/ccc"; List oaSlTemplates = Arrays.asList( "http://aaaa.com/bbbb", "https://aaaa.com/bbbb", - "file://aaaa.com/bbbb"); + "file:/aaaa.com/bbbb"); Assert.assertFalse("Template should Not be valid", ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); } + @Test + public void templateLazyWhitelistEight() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file:/junit.com/ccc"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/ccc", + "ccc"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLazyWhitelistNine() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file:\\junit.com\\ccc"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/ccc", + "ccc"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + + @Test + public void templateLazyWhitelistTen() { + + HttpServletRequest req = getDummyHttpRequest("junit.com"); + String template = "file:\\junit.com/ccc"; + List oaSlTemplates = Arrays.asList( + "http://aaaa.com/bbbb", + "https://aaaa.com/bbbb", + "file://aaaa.com/ccc", + "ccc"); + + Assert.assertTrue("Template should be valid", + ParamValidatorUtils.isValidTemplate(req, template, oaSlTemplates, false)); + + } + private HttpServletRequest getDummyHttpRequest(final String serverName) { return new HttpServletRequest() { -- cgit v1.2.3
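Review bot: `templateLazyWhitelistNine` and `templateLazyWhitelistTen` assert that backslash spellings such as `file:\\junit.com\\ccc` are accepted, but as far as I can tell `java.net.URL` only maps `\` to `/` when the platform file separator is a backslash (the file-protocol handler replaces `File.separatorChar`), and the match additionally depends on what `FileUtils.makeAbsoluteURL("ccc", …)` yields for the `file://junit.com/` root set in the fixture, so these expectations look platform-dependent and may fail on a Linux CI runner. I would either drop the backslash variants or guard them with an OS check, and add a negative case for the new `file:` branch, e.g. `String template = "file:/junit.com/../junit.com/ccc";` asserted with `Assert.assertFalse(...)`, so the suite documents whether non-canonical spellings of a trusted path are rejected or accepted by design. Whichever way that decision goes, it should be pinned by a test rather than left to the semantics of `URL.equals`.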