/* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. 
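*/
package at.gv.egovernment.moa.id.config.webgui.validation.task.impl;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import at.gv.egiz.components.configuration.api.Configuration;
import at.gv.egiz.eaaf.core.impl.utils.KeyValueUtils;
import at.gv.egovernment.moa.id.commons.config.MOAIDConfigurationConstants;
import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationTaskValidationException;
import at.gv.egovernment.moa.id.config.webgui.exception.ValidationObjectIdentifier;
import at.gv.egovernment.moa.id.config.webgui.helper.LanguageHelper;
import at.gv.egovernment.moa.id.config.webgui.validation.task.AbstractTaskValidator;
import at.gv.egovernment.moa.id.config.webgui.validation.task.ITaskValidator;
import at.gv.egovernment.moa.util.MiscUtil;

/**
 * Validation and post-processing task for the "authentication" section of a service
 * (online-application) configuration.
 *
 * <p>{@link #taskValidate(Map)} checks BKU URLs, the KeyBoxIdentifier, legacy SecurityLayer
 * templates, mandate profiles, test-credential OIDs, external service URLs and SL2.0 endpoints
 * and collects every problem found as a {@link ValidationObjectIdentifier}.
 * {@link #postProcessing(Map, List, Configuration)} normalises the mandate-profile list and
 * schedules stale legacy template keys for deletion.
 *
 * @author tlenz
 */
public class ServicesAuthenticationInformationTask extends AbstractTaskValidator implements ITaskValidator {

    private static final Logger log = LoggerFactory.getLogger(ServicesAuthenticationInformationTask.class);

    /** Explicitly whitelisted configuration keys (currently none). */
    private static final List<String> KEYWHITELIST = Collections.emptyList();

    /** The three legacy SecurityLayer template keys, in their canonical order. */
    private static final List<String> LEGACY_TEMPLATE_KEYS = Collections.unmodifiableList(Arrays.asList(
            MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_FIRST_VALUE,
            MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_SECOND_VALUE,
            MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_THIRD_VALUE));

    /** Prefix that marks the default SL2.0 endpoint in the CSV endpoint list. */
    private static final String SL20_DEFAULT_PREFIX =
            KeyValueUtils.DEFAULT_VALUE + KeyValueUtils.KEYVVALUEDELIMITER;

    /** Label used for every SL2.0 endpoint validation error. */
    private static final String SL20_LABEL = "SL2.0 - EndPoint URLs";

    /**
     * {@inheritDoc}
     *
     * @return the empty prefix; this task does not scope its keys
     */
    @Override
    public String getKeyPrefix() {
        return "";
    }

    /** {@inheritDoc} */
    @Override
    public String getName() {
        return "Service - Authentication Configuration Task";
    }

    /**
     * Normalises values before they are persisted and marks keys that must be removed.
     *
     * <ul>
     *   <li>The CSV-encoded mandate-profile list is normalised via
     *       {@link KeyValueUtils#normalizeCSVValueString(String)}.</li>
     *   <li>If legacy SecurityLayer templates are disabled, all three template keys are
     *       scheduled for deletion. If they are enabled, only the template keys that are
     *       absent from {@code input} are deleted, so stale values do not survive.</li>
     * </ul>
     *
     * @param input        the submitted configuration key/value pairs
     * @param keysToDelete list that receives keys to be removed from the stored configuration
     * @param dbconfig     the persisted configuration (not consulted by this task)
     * @return the changed key/value pairs, or {@code null} when nothing was changed
     *         (the original contract of this method is preserved)
     */
    @Override
    public Map<String, String> postProcessing(Map<String, String> input, List<String> keysToDelete,
            Configuration dbconfig) {
        Map<String, String> newConfigValues = new HashMap<>();

        // Normalise the CSV-encoded list of mandate profiles before it is stored.
        String mandateProfiles = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_PROFILES);
        if (MiscUtil.isNotEmpty(mandateProfiles)) {
            newConfigValues.put(MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_PROFILES,
                    KeyValueUtils.normalizeCSVValueString(mandateProfiles));
        }

        // Legacy templates are only kept while legacy mode is active and the key was submitted.
        boolean legacyModeActive = isTrue(input.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_LEGACY));
        for (String templateKey : LEGACY_TEMPLATE_KEYS) {
            if (!legacyModeActive || !input.containsKey(templateKey)) {
                keysToDelete.add(templateKey);
            }
        }

        return newConfigValues.isEmpty() ? null : newConfigValues;
    }

    /**
     * Validates the authentication section of the service configuration.
     *
     * <p>All checks are executed; the errors are collected in the order of the checks and
     * thrown together at the end.
     *
     * @param input the submitted configuration key/value pairs
     * @throws ConfigurationTaskValidationException if at least one value is invalid
     */
    @Override
    protected void taskValidate(Map<String, String> input) throws ConfigurationTaskValidationException {
        List<ValidationObjectIdentifier> errors = new ArrayList<>();

        validateBkuUrls(input, errors);
        validateKeyBoxIdentifier(input, errors);
        validateLegacySlTemplates(input, errors);
        validateMandateProfiles(input, errors);
        validateTestCredentialOids(input, errors);
        validateExternalServiceUrls(input, errors);
        validateSl20Endpoints(input, errors);

        if (!errors.isEmpty()) {
            throw new ConfigurationTaskValidationException(errors);
        }
    }

    /** {@inheritDoc} */
    @Override
    public List<Pattern> getAllAllowedPatterns() {
        return generatePatternsFromKeys(KEYWHITELIST);
    }

    /** Returns {@code true} when {@code value} is non-empty and parses as boolean {@code true}. */
    private static boolean isTrue(String value) {
        return MiscUtil.isNotEmpty(value) && Boolean.parseBoolean(value);
    }

    /** Checks the Handy-, Local- and Online-BKU URLs (only when a value is present). */
    private static void validateBkuUrls(Map<String, String> input, List<ValidationObjectIdentifier> errors) {
        validateUrl(input, errors, MOAIDConfigurationConstants.SERVICE_AUTH_BKU_HANDY, "BKU - Handy",
                "validation.general.bku.handy.valid", "Not valid Handy-BKU URL", false);
        validateUrl(input, errors, MOAIDConfigurationConstants.SERVICE_AUTH_BKU_LOCAL, "BKU - Local",
                "validation.general.bku.local.valid", "Not valid Local-BKU URL", false);
        validateUrl(input, errors, MOAIDConfigurationConstants.SERVICE_AUTH_BKU_THIRD, "BKU - Online",
                "validation.general.bku.online.valid", "Not valid Online-BKU URL", false);
    }

    /**
     * Checks that the KeyBoxIdentifier is present and one of the allowed values.
     *
     * <p>Both errors are reported against the KeyBoxIdentifier key itself (the original code
     * attached them to the Online-BKU key).
     */
    private static void validateKeyBoxIdentifier(Map<String, String> input, List<ValidationObjectIdentifier> errors) {
        String keyBoxIdentifier = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_KEYBOXIDENTIFIER);
        if (MiscUtil.isEmpty(keyBoxIdentifier)) {
            log.info("Empty KeyBoxIdentifier");
            errors.add(new ValidationObjectIdentifier(
                    MOAIDConfigurationConstants.SERVICE_AUTH_BKU_KEYBOXIDENTIFIER,
                    "BKU - KeyBoxIdentifier",
                    LanguageHelper.getErrorString("validation.general.keyboxidentifier.empty")));
        } else if (!MOAIDConfigurationConstants.ALLOWED_KEYBOXIDENTIFIER.contains(keyBoxIdentifier)) {
            log.info("Not valid KeyBoxIdentifier {}", keyBoxIdentifier);
            errors.add(new ValidationObjectIdentifier(
                    MOAIDConfigurationConstants.SERVICE_AUTH_BKU_KEYBOXIDENTIFIER,
                    "BKU - KeyBoxIdentifier",
                    LanguageHelper.getErrorString("validation.general.keyboxidentifier.valid")));
        }
    }

    /**
     * In legacy mode at least one OA-specific SecurityLayer template must be given, and every
     * given template must pass {@link ValidationHelper#isNotValidIdentityLinkSigner(String)}.
     */
    private static void validateLegacySlTemplates(Map<String, String> input, List<ValidationObjectIdentifier> errors) {
        if (!isTrue(input.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_LEGACY))) {
            return;
        }

        String first = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_FIRST_VALUE);
        String second = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_SECOND_VALUE);
        String third = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_THIRD_VALUE);

        if (MiscUtil.isEmpty(first) && MiscUtil.isEmpty(second) && MiscUtil.isEmpty(third)) {
            log.info("Empty OA-specific SecurityLayer Templates");
            errors.add(new ValidationObjectIdentifier(
                    MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_LEGACY,
                    "BKU - SecurityLayer Templates",
                    LanguageHelper.getErrorString("validation.general.sltemplates.empty")));
            return;
        }

        validateSlTemplate(errors, MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_FIRST_VALUE, first,
                "First", "BKU - 1. SecurityLayer Templates", "validation.general.sltemplate1.valid");
        validateSlTemplate(errors, MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_SECOND_VALUE, second,
                "Second", "BKU - 2. SecurityLayer Templates", "validation.general.sltemplate2.valid");
        validateSlTemplate(errors, MOAIDConfigurationConstants.SERVICE_AUTH_BKU_TEMPLATE_THIRD_VALUE, third,
                "Third", "BKU - 3. SecurityLayer Templates", "validation.general.sltemplate3.valid");
    }

    /** Adds an error when a non-empty SecurityLayer template is rejected by the helper. */
    private static void validateSlTemplate(List<ValidationObjectIdentifier> errors, String key, String value,
            String ordinal, String label, String messageKey) {
        if (MiscUtil.isNotEmpty(value) && ValidationHelper.isNotValidIdentityLinkSigner(value)) {
            log.info("{} OA-specific SecurityLayer Templates is not valid", ordinal);
            errors.add(new ValidationObjectIdentifier(key, label, LanguageHelper.getErrorString(messageKey)));
        }
    }

    /**
     * When mandates are enabled, the profile list must not contain characters that the
     * {@link ValidationHelper} classifies as unsafe (the value is later rendered in the UI).
     */
    private static void validateMandateProfiles(Map<String, String> input, List<ValidationObjectIdentifier> errors) {
        if (!isTrue(input.get(MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_USE))) {
            return;
        }

        // Note: the helper is called even when the profile list is absent (null), as before.
        String profiles = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_PROFILES);
        if (ValidationHelper.containsNotValidCharacter(profiles, true)) {
            log.warn("MandateProfiles contains potentail XSS characters: {}", profiles);
            errors.add(new ValidationObjectIdentifier(
                    MOAIDConfigurationConstants.SERVICE_AUTH_MANDATES_OVS_PROFILES,
                    "Mandates - Profiles",
                    LanguageHelper.getErrorString("validation.general.mandate.profiles",
                            new Object[] {ValidationHelper.getNotValidCharacter(true)})));
        }
    }

    /**
     * When test credentials are enabled, every configured OID must start with the test-credential
     * root OID, presumably so that identities outside the test arc cannot be whitelisted.
     *
     * <p>Elements are split on {@code ","} and are not trimmed, so {@code "a, b"} yields
     * {@code " b"} and fails the prefix check. NOTE(review): a plain prefix match also accepts a
     * sibling arc that merely shares the leading digits unless
     * {@code TESTCREDENTIALROOTOID} ends with a {@code '.'} - confirm the constant's value.
     */
    private static void validateTestCredentialOids(Map<String, String> input, List<ValidationObjectIdentifier> errors) {
        String testCredentialsActive = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TESTCREDENTIALS_ENABLED);
        String oidList = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_TESTCREDENTIALS_OIDs);
        if (!isTrue(testCredentialsActive) || !MiscUtil.isNotEmpty(oidList)) {
            return;
        }

        for (String oid : oidList.split(",")) {
            if (!oid.startsWith(MOAIDConfigurationConstants.TESTCREDENTIALROOTOID)) {
                log.warn("Test credential OID does not start with test credential root OID");
                errors.add(new ValidationObjectIdentifier(
                        MOAIDConfigurationConstants.SERVICE_AUTH_TESTCREDENTIALS_OIDs,
                        "Test-Identities - allowed OIDs",
                        LanguageHelper.getErrorString("validation.general.testcredentials.oid.valid",
                                new Object[] {oid})));
            }
        }
    }

    /** Checks the MIS, ELGA mandate service and central eIDAS node / SZR-GW URLs. */
    private static void validateExternalServiceUrls(Map<String, String> input, List<ValidationObjectIdentifier> errors) {
        validateUrl(input, errors, MOAIDConfigurationConstants.SERVICE_EXTERNAL_MIS_SERVICE_URL,
                "Mandates - MIS", "validation.general.mandateservice.valid", "Not valid MIS Service URL", true);
        validateUrl(input, errors, MOAIDConfigurationConstants.SERVICE_EXTERNAL_ELGA_MANDATE_SERVICE_URL,
                "Mandates - ELGA", "validation.general.elga.mandateservice.valid", "Not valid ELGA Service URL", true);
        validateUrl(input, errors, MOAIDConfigurationConstants.SERVICE_EXTERNAL_CENTRAL_EIDASNODE_SERVICE_URL,
                "SZR-Gateway - Service URL", "validation.general.szrgw.url.valid", "Not valid SZR-GW Service URL", true);
    }

    /**
     * Adds a validation error when the value stored under {@code key} is non-empty and is
     * rejected by {@link ValidationHelper#validateURL(String)}.
     *
     * @param passValueToMessage when {@code true} the offending value is passed as message
     *                           argument; otherwise the single-argument
     *                           {@code getErrorString} overload is used, as in the original
     */
    private static void validateUrl(Map<String, String> input, List<ValidationObjectIdentifier> errors,
            String key, String label, String messageKey, String logText, boolean passValueToMessage) {
        String value = input.get(key);
        if (MiscUtil.isNotEmpty(value) && !ValidationHelper.validateURL(value)) {
            log.info(logText);
            errors.add(new ValidationObjectIdentifier(key, label, passValueToMessage
                    ? LanguageHelper.getErrorString(messageKey, new Object[] {value})
                    : LanguageHelper.getErrorString(messageKey)));
        }
    }

    /**
     * Validates the SL2.0 endpoint list when SL2.0 is enabled and a list is present.
     *
     * <p>A single entry is accepted as the implicit default; several entries must each be
     * keyed (an integer or the default marker before the delimiter) and exactly one of them
     * must carry the default marker.
     */
    private static void validateSl20Endpoints(Map<String, String> input, List<ValidationObjectIdentifier> errors) {
        if (!isTrue(input.get(MOAIDConfigurationConstants.SERVICE_AUTH_SL20_ENABLED))) {
            return;
        }
        String endpoints = input.get(MOAIDConfigurationConstants.SERVICE_AUTH_SL20_ENDPOINTS);
        if (!MiscUtil.isNotEmpty(endpoints)) {
            return;
        }

        log.debug("Validate SL2.0 configuration ... ");
        List<String> sl20Endpoints = KeyValueUtils.getListOfCSVValues(endpoints);
        if (sl20Endpoints.size() == 1) {
            validateSingleSl20Endpoint(sl20Endpoints.get(0), errors);
        } else {
            // Also covers an empty list, which is reported as "no default endpoint".
            validateMultipleSl20Endpoints(sl20Endpoints, errors);
        }
    }

    /** Single endpoint: either already the default entry, a bare URL, or a wrongly keyed entry. */
    private static void validateSingleSl20Endpoint(String value, List<ValidationObjectIdentifier> errors) {
        if (value.startsWith(SL20_DEFAULT_PREFIX)) {
            return;
        }
        if (value.contains(KeyValueUtils.KEYVVALUEDELIMITER)) {
            log.warn("SL2.0 endpoint '{}' has wrong format", value);
            errors.add(sl20Error("validation.general.sl20.endpoints.wrong", value));
        } else {
            // The original code rewrote its local copy of the list to "<default marker><value>"
            // here but never persisted it; a bare single endpoint is therefore simply accepted.
            log.info("Find one SL2.0 endpoint without 'default='. Start updateing ... ");
        }
    }

    /** Several endpoints: each must be keyed, non-default keys must be integers, one default. */
    private static void validateMultipleSl20Endpoints(List<String> sl20Endpoints,
            List<ValidationObjectIdentifier> errors) {
        boolean defaultFound = false;
        for (String el : sl20Endpoints) {
            if (!el.contains(KeyValueUtils.KEYVVALUEDELIMITER)) {
                log.warn("SL2.0 endpoint '{}' has wrong format", el);
                errors.add(sl20Error("validation.general.sl20.endpoints.wrong", el));
            } else if (el.startsWith(SL20_DEFAULT_PREFIX)) {
                log.debug("Find default endpoint.");
                defaultFound = true;
            } else {
                // The part before the first delimiter must be an integer key.
                String keyPart = el.substring(0, el.indexOf(KeyValueUtils.KEYVVALUEDELIMITER));
                try {
                    Integer.parseInt(keyPart);
                } catch (NumberFormatException e) {
                    log.warn("SL2.0 endpoint '{}' has wrong format", el, e);
                    errors.add(sl20Error("validation.general.sl20.endpoints.wrong", el));
                }
            }
        }

        if (!defaultFound) {
            log.warn("SL2.0 endpoints contains NO default endpoint");
            errors.add(sl20Error("validation.general.sl20.endpoints.default"));
        }
    }

    /** Builds an SL2.0 endpoint error for the given message key and message arguments. */
    private static ValidationObjectIdentifier sl20Error(String messageKey, Object... args) {
        return new ValidationObjectIdentifier(
                MOAIDConfigurationConstants.SERVICE_AUTH_SL20_ENDPOINTS,
                SL20_LABEL,
                LanguageHelper.getErrorString(messageKey, args));
    }
}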