author | Andreas Fitzek <andreas.fitzek@iaik.tugraz.at> | 2015-03-26 10:04:08 +0100 |
committer | Andreas Fitzek <andreas.fitzek@iaik.tugraz.at> | 2015-03-26 10:04:08 +0100 |
commit | dfde473ef88f8be7873385b1ff3357c1f79afe73 (patch) | |
tree | 5e6873399f8519944a1a20c6ed1ba2d2795f429e /pdf-as-web/src/main | |
parent | f179c8db3574d03bb1b6b5be1bd86c9ea04073ad (diff) | |
added Whitelist for external configuration overwrites
Diffstat (limited to 'pdf-as-web/src/main')
4 files changed, 90 insertions, 29 deletions
diff --git a/pdf-as-web/src/main/configuration/pdf-as-web.properties b/pdf-as-web/src/main/configuration/pdf-as-web.properties
index 4f6b0661..71bcf386 100644
--- a/pdf-as-web/src/main/configuration/pdf-as-web.properties
+++ b/pdf-as-web/src/main/configuration/pdf-as-web.properties
@@ -10,7 +10,12 @@ bku.local.url=http://127.0.0.1:3495/http-security-layer-request
 bku.mobile.url=https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx
 # Allow full configuration overwrite from external sources
-allow.ext.overwrite=true
+# use with care!
+allow.ext.overwrite=false
+
+# White list entries for properties, that can be overwriten,
+# by external components
+ext.overwrite.wl.1=^$
 ks.enabled=false
 ks.file=test.p12
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java
index 5860b740..ca4f2c50 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/config/WebConfiguration.java
@@ -50,6 +50,8 @@ public class WebConfiguration implements IConfigurationConstants {
 public static final String STATISTIC_BACKEND_LIST = "statistic.backends";
 public static final String ALLOW_EXT_OVERWRITE = "allow.ext.overwrite";
+ public static final String ALLOW_EXT_WHITELIST_VALUE_PRE = "ext.overwrite.wl.";
+
 public static final String MOA_SS_ENABLED = "moa.enabled";
 public static final String SOAP_SIGN_ENABLED = "soap.sign.enabled";
 public static final String SOAP_VERIFY_ENABLED = "soap.verify.enabled";
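Review bot: The new comment above `ext.overwrite.wl.1=^$` does not say how the entries are interpreted, which an operator needs before enabling `allow.ext.overwrite`; from `isOverwriteAllowed` in WebConfiguration.java the values are Java regular expressions applied with `String.matches`, so the whole property key must match and `^$` matches no key at all. Suggest replacing the two comment lines with `# Each ext.overwrite.wl.N value is a Java regex that must match the WHOLE property key (String.matches); ^$ whitelists nothing. Keep entries as narrow as possible.` and fixing the typo `overwriten` while at it.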
@@ -94,11 +96,13 @@ public class WebConfiguration implements IConfigurationConstants {
 .getLogger(WebConfiguration.class);
 private static List<String> whiteListregEx = new ArrayList<String>();
-
+ private static List<String> overwritewhiteListregEx = new ArrayList<String>();
+
 public static void configure(String config) {
 properties.clear();
 whiteListregEx.clear();
+ overwritewhiteListregEx.clear();
 try {
 properties.load(new FileInputStream(config));
@@ -123,6 +127,23 @@ public class WebConfiguration implements IConfigurationConstants {
 }
 }
 }
+
+ if (isAllowExtOverwrite()) {
+ Iterator<Object> keyIt = properties.keySet().iterator();
+ while (keyIt.hasNext()) {
+ Object keyObj = keyIt.next();
+ if (keyObj != null) {
+ String key = keyObj.toString();
+ if (key.startsWith(ALLOW_EXT_WHITELIST_VALUE_PRE)) {
+ String whitelist_expr = properties.getProperty(key);
+ if (whitelist_expr != null) {
+ overwritewhiteListregEx.add(whitelist_expr);
+ logger.debug("Overwrite Whitelist: " + whitelist_expr);
+ }
+ }
+ }
+ }
+ }
 Iterator<Object> keyIt = properties.keySet().iterator();
 while (keyIt.hasNext()) {
@@ -249,6 +270,26 @@ public class WebConfiguration implements IConfigurationConstants {
 return false;
 }
+ public static synchronized boolean isOverwriteAllowed(String key) {
+ if (isAllowExtOverwrite()) {
+
+ Iterator<String> patterns = whiteListregEx.iterator();
+ while (patterns.hasNext()) {
+ String pattern = patterns.next();
+ try {
+ if (key.matches(pattern)) {
+ return true;
+ }
+ } catch (Throwable e) {
+ logger.warn("Error in matching regex: " + pattern, e);
+ }
+ }
+
+ return false;
+ }
+ return false;
+ }
+
 public static boolean isMoaEnabled(String keyIdentifier) {
 String value = properties.getProperty(MOA_LIST + "." + keyIdentifier + ".enabled");
 if (value != null) {
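Review bot: `isOverwriteAllowed` in the `@@ -249` hunk iterates `whiteListregEx`, not the `overwritewhiteListregEx` list that the `@@ -123` hunk fills from the `ext.overwrite.wl.*` properties, so the new whitelist is never consulted and the decision is made against the other, unrelated pattern list; the line should read `Iterator<String> patterns = overwritewhiteListregEx.iterator();`. Two smaller points in the same method: `key.matches(pattern)` recompiles every regex on every request, so compiling the entries into `Pattern` objects once in `configure` and using `matcher(key).matches()` would be cheaper and would surface a malformed whitelist entry at startup rather than per request, and `catch (Throwable e)` should be narrowed to `PatternSyntaxException` (a null `key` currently shows up as an "Error in matching regex" warning and is then denied). The inner `return false` and the outer one are equivalent; the `if (isAllowExtOverwrite())` block can simply fall through to the final `return false`.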
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/ConfigurationOverwrite.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/ConfigurationOverwrite.java
new file mode 100644
index 00000000..3bf20bf4
--- /dev/null
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/ConfigurationOverwrite.java
@@ -0,0 +1,35 @@
+package at.gv.egiz.pdfas.web.helper;
+
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Map.Entry;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import at.gv.egiz.pdfas.lib.api.Configuration;
+import at.gv.egiz.pdfas.web.config.WebConfiguration;
+
+public class ConfigurationOverwrite {
+
+ private static final Logger logger = LoggerFactory
+ .getLogger(ConfigurationOverwrite.class);
+
+ public static void overwriteConfiguration(Map<String, String> overwrite,
+ Configuration config) {
+ if (WebConfiguration.isAllowExtOverwrite() && overwrite != null && config != null) {
+ Iterator<Entry<String, String>> entryIt = overwrite.entrySet()
+ .iterator();
+ while (entryIt.hasNext()) {
+ Entry<String, String> entry = entryIt.next();
+ if (WebConfiguration.isOverwriteAllowed(entry.getKey())) {
+ config.setValue(entry.getKey(), entry.getValue());
+ } else {
+ logger.warn(
+ "External component tried to overwrite cfg {}. This is not in the whitelist!",
+ entry.getKey());
+ }
+ }
+ }
+ }
+}
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
index 53cf5783..52eb8468 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
@@ -36,7 +36,6 @@ import java.security.cert.CertificateException;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
-import java.util.Map.Entry;
 import javax.imageio.ImageIO;
 import javax.servlet.RequestDispatcher;
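Review bot: `overwriteConfiguration` is the single choke point through which request-supplied settings reach the `Configuration`, yet it has no Javadoc stating that contract; callers in PdfAsHelper now rely on it to do the `allow.ext.overwrite` and whitelist checks. Suggest a Javadoc along the lines of `/** Applies externally supplied key/value pairs to {@code config}. Nothing is applied unless {@code allow.ext.overwrite} is enabled, and each key must be accepted by {@link WebConfiguration#isOverwriteAllowed}; rejected keys are logged and skipped. Null arguments are ignored. */`. As a matter of style the explicit `Iterator` loop can be an enhanced `for (Entry<String, String> entry : overwrite.entrySet())`, which also drops the `java.util.Iterator` import from this new file.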
@@ -362,16 +361,9 @@ public class PdfAsHelper {
 Configuration config = pdfAs.getConfiguration();
- if (WebConfiguration.isAllowExtOverwrite()) {
- Map<String,String> configOverwrite = PdfAsParameterExtractor.getOverwriteMap(request);
- if(configOverwrite != null) {
- Iterator<Entry<String, String>> entryIt = configOverwrite.entrySet().iterator();
- while (entryIt.hasNext()) {
- Entry<String, String> entry = entryIt.next();
- config.setValue(entry.getKey(), entry.getValue());
- }
- }
- }
+
+ Map<String,String> configOverwrite = PdfAsParameterExtractor.getOverwriteMap(request);
+ ConfigurationOverwrite.overwriteConfiguration(configOverwrite, config);
 ByteArrayOutputStream baos = new ByteArrayOutputStream();
@@ -502,6 +494,7 @@ public class PdfAsHelper {
 // set Signature Position
 signParameter.setSignaturePosition(buildPosString(request, response));
+ @SuppressWarnings("unused")
 SignResult result = pdfAs.sign(signParameter);
 return baos.toByteArray();
@@ -523,15 +516,8 @@ public class PdfAsHelper {
 PDFASSignParameters params) throws Exception {
 Configuration config = pdfAs.getConfiguration();
- if (WebConfiguration.isAllowExtOverwrite()) {
- if (params.getOverrides() != null) {
- Iterator<Entry<String, String>> entryIt = params.getOverrides()
- .getMap().entrySet().iterator();
- while (entryIt.hasNext()) {
- Entry<String, String> entry = entryIt.next();
- config.setValue(entry.getKey(), entry.getValue());
- }
- }
+ if (WebConfiguration.isAllowExtOverwrite() && params.getOverrides() != null) {
+ ConfigurationOverwrite.overwriteConfiguration(params.getOverrides().getMap(), config);
 }
 ByteArrayOutputStream baos = new ByteArrayOutputStream();
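Review bot: In the `@@ -362` hunk the overwrite map is now always extracted from the request with `PdfAsParameterExtractor.getOverwriteMap(request)` before the helper decides whether overwrites are enabled at all; that is harmless, but the old code only touched the request parameters when `allow.ext.overwrite` was on, so the extraction cost and any parsing side effects now occur on every call. If `getOverwriteMap` is cheap this is fine; otherwise keep the `if (WebConfiguration.isAllowExtOverwrite())` guard around the two new lines. The enclosing method starts and ends outside the hunk.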
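Review bot: The `@@ -502` hunk silences an unused-variable warning with `@SuppressWarnings("unused")` instead of removing the dead assignment; `SignResult result` is never read, so the cleaner line is `pdfAs.sign(signParameter);` with no annotation. Separately, the `@@ -523` hunk keeps an outer `WebConfiguration.isAllowExtOverwrite()` check that `ConfigurationOverwrite.overwriteConfiguration` already performs together with its own null checks, so the condition can be reduced to `if (params.getOverrides() != null)` to keep a single place where the policy is enforced, matching the `@@ -362` and `@@ -702` call sites.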
@@ -702,13 +688,7 @@ public class PdfAsHelper {
 Configuration config = pdfAs.getConfiguration();
 session.setAttribute(PDF_CONFIG, config);
- if (WebConfiguration.isAllowExtOverwrite() && overwrite != null) {
- Iterator<Entry<String, String>> entryIt = overwrite.entrySet().iterator();
- while (entryIt.hasNext()) {
- Entry<String, String> entry = entryIt.next();
- config.setValue(entry.getKey(), entry.getValue());
- }
- }
+ ConfigurationOverwrite.overwriteConfiguration(overwrite, config);
 ByteArrayOutputStream baos = new ByteArrayOutputStream();
 session.setAttribute(PDF_OUTPUT, baos);