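// NOTE(review): the package declaration and several import lines were lost in
// extraction ("package;", "import;"). Restore the package name and the imports for
// CPEPS, GeneralStorkConfig, StorkAttribute, ValidationHelper, LanguageHelper and
// MOAIDConstants from the project before compiling.
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;

import org.apache.log4j.Logger;

import at.gv.egovernment.moa.util.MiscUtil;

/**
 * Validates the general STORK/eIDAS configuration form submitted by an administrator:
 * the configured C-PEPS entries (country code, URL, uniqueness), the default eIDAS
 * level of assurance, and the list of requested attributes.
 *
 * Validation errors are collected as localized messages obtained from
 * {@code LanguageHelper.getErrorString}; the caller decides how to present them.
 * Instances hold no state and may be shared between threads.
 */
public class StorkConfigValidator {

    private static final Logger log = Logger.getLogger(StorkConfigValidator.class);

    /**
     * Accepted country code shape after lower-casing: two letters, optionally followed
     * by "-" and a letter suffix (matched as a whole string).
     */
    private static final Pattern COUNTRY_CODE =
            Pattern.compile("(^[a-z][a-z]$)|(^[a-z][a-z]-[a-z]*)");

    /**
     * Accepted attribute name shape after the eIDAS prefix is stripped and the name is
     * lower-cased. Note that this also accepts an empty remainder.
     */
    private static final Pattern ATTRIBUTE_NAME = Pattern.compile("^[A-Za-z]*$");

    /**
     * Validates the general STORK configuration form.
     *
     * @param form    the submitted configuration form
     * @param request the current request, used to resolve localized error messages
     * @return the collected error messages (raw {@code List} kept for caller compatibility);
     *         empty when no problem was found
     */
    public List validate(GeneralStorkConfig form, HttpServletRequest request) {
        List<Object> errors = new ArrayList<Object>();
        log.debug("Validate general STORK configuration");

        validateCpepsEntries(form, request, errors);
        validateQaa(form, request, errors);
        validateAttributes(form, request, errors);

        return errors;
    }

    /** Validates every C-PEPS entry and, afterwards, the uniqueness of their country codes. */
    private void validateCpepsEntries(GeneralStorkConfig form, HttpServletRequest request,
            List<Object> errors) {
        // The raw list may contain null slots where an existing record got deleted in the UI.
        if (form.getRawCPEPSList() != null) {
            for (CPEPS current : form.getRawCPEPSList()) {
                if (null == current) {
                    continue;
                }
                validateCpeps(current, request, errors);
            }

            // NOTE(review): the uniqueness pass uses getCpepslist() while the per-entry
            // pass uses getRawCPEPSList(); both are kept as in the original, including the
            // nesting (no uniqueness check when the raw list is null).
            if (form.getCpepslist() != null) {
                checkCountryCodeUniqueness(form, request, errors);
            }
        }
    }

    /** Validates the country code and URL of a single C-PEPS entry. */
    private void validateCpeps(CPEPS current, HttpServletRequest request, List<Object> errors) {
        String countryCode = current.getCountryCode();
        if (!MiscUtil.isNotEmpty(countryCode)) {
            log.warn("CPEPS config countrycode is empty : " + countryCode);
            // NOTE(review): an empty country code is only logged (the
            // "validation.stork.cpeps.empty" error was commented out in the original) and
            // the entry's URL is then not validated at all. Confirm this is intended; such an
            // entry currently passes validation silently.
            return;
        }

        if (ValidationHelper.containsPotentialCSSCharacter(countryCode, false)) {
            log.warn("CPEPS config countrycode contains potentail XSS characters: " + countryCode);
            // TODO(review): the message key "" was lost in extraction; restore the project's key.
            errors.add(LanguageHelper.getErrorString("",
                    new Object[] {ValidationHelper.getPotentialCSSCharacter(false)}, request));
        }

        // Locale.ROOT: lower-casing with the default locale (e.g. Turkish) can yield
        // characters outside [a-z] and reject a valid code.
        if (!COUNTRY_CODE.matcher(countryCode.toLowerCase(Locale.ROOT)).matches()) {
            log.warn("CPEPS config countrycode does not comply to ISO 3166-2 : " + countryCode);
            // TODO(review): the message key "" was lost in extraction; restore the project's key.
            errors.add(LanguageHelper.getErrorString("", new Object[] {countryCode}, request));
        }

        String url = current.getURL();
        if (MiscUtil.isNotEmpty(url)) {
            if (!ValidationHelper.validateURL(url)) {
                // "log.warn(" was lost in extraction here; reconstructed to match the other branches.
                log.warn("CPEPS config URL is invalid : " + url);
                errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.url", request));
            }
        } else {
            log.warn("CPEPS config url is empty : " + url);
            errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.empty",
                    new Object[] {url}, request));
        }
    }

    /**
     * Ensures uniqueness of the configured country codes.
     *
     * A single pass over a set replaces the quadratic pair comparison; the (argument-less)
     * duplicate error is reported once instead of once per colliding entry, since repeated
     * identical messages carried no extra information.
     */
    private void checkCountryCodeUniqueness(GeneralStorkConfig form, HttpServletRequest request,
            List<Object> errors) {
        Set<String> seen = new HashSet<String>();
        for (CPEPS one : form.getCpepslist()) {
            if (one == null || one.getCountryCode() == null) {
                continue;
            }
            if (!seen.add(one.getCountryCode())) {
                errors.add(LanguageHelper.getErrorString("validation.stork.cpeps.duplicate", request));
                return;
            }
        }
    }

    /** Checks that the default eIDAS level of assurance is one of the allowed values. */
    private void validateQaa(GeneralStorkConfig form, HttpServletRequest request,
            List<Object> errors) {
        String qaa = form.getDefaultQaa();
        if (!MOAIDConstants.ALLOWED_eIDAS_LOA.contains(qaa)) {
            log.warn("eIDAS LoA is not allowed : " + qaa);
            errors.add(LanguageHelper.getErrorString("validation.stork.qaa.outofrange",
                    new Object[] {qaa}, request));
        }
    }

    /** Validates the names of the requested STORK/eIDAS attributes. */
    private void validateAttributes(GeneralStorkConfig form, HttpServletRequest request,
            List<Object> errors) {
        if (MiscUtil.isNotEmpty(form.getAttributes())) {
            for (StorkAttribute attribute : form.getAttributes()) {
                if (attribute == null || !MiscUtil.isNotEmpty(attribute.getName())) {
                    continue;
                }
                // since eIDaS attributes come with a "/", we need to exclude them from
                // validation. TODO Or should we require the admin to escape them in the UI?
                String name = attribute.getName().replace("eidas/attributes/", "");

                if (ValidationHelper.containsPotentialCSSCharacter(name, true)) {
                    // NOTE(review): the attribute object (not its name) is logged and passed as
                    // message argument, as in the original; its toString() decides what is shown.
                    log.warn("default attributes contains potentail XSS characters: " + attribute);
                    errors.add(LanguageHelper.getErrorString("validation.stork.requestedattributes",
                            new Object[] {ValidationHelper.getPotentialCSSCharacter(true)}, request));
                }
                if (!ATTRIBUTE_NAME.matcher(name.toLowerCase(Locale.ROOT)).matches()) {
                    log.warn("default attributes do not match the requested format : " + attribute);
                    errors.add(LanguageHelper.getErrorString("validation.stork.requestedattributes",
                            new Object[] {attribute}, request));
                }
            }
        }
        // TODO: STORK attributes check if no attribute is set
        // (the original carried a commented-out "validation.stork.attributes.empty" error here)
    }
}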