SHIBUI-2024

Added validation for FileBackedHttpMetadataResolver url

backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/DurationMetadataResolverValidator.groovy → backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/validator/DurationIMetadataResolverValidator.groovy

@@ -1,8 +1,11 @@
-package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers
+package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator
 
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.DynamicMetadataResolverAttributes
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.ReloadableMetadataResolverAttributes
 import edu.internet2.tier.shibboleth.admin.util.DurationUtility
 
-class DurationMetadataResolverValidator implements MetadataResolverValidator {
+class DurationIMetadataResolverValidator implements IMetadataResolverValidator {
     boolean supports(MetadataResolver resolver) {
         return resolver.hasProperty('dynamicMetadataResolverAttributes') || resolver.hasProperty('reloadableMetadataResolverAttributes')
     }
@@ -27,4 +30,4 @@ class DurationMetadataResolverValidator implements MetadataResolverValidator {
         }
         return new ValidationResult()
     }
-}
+}

backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy

@@ -400,7 +400,7 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService {
                 disregardTLSCertificate: resolver.httpMetadataResolverAttributes?.disregardTLSCertificate ?: null,
                 httpClientSecurityParametersRef: resolver.httpMetadataResolverAttributes?.httpClientSecurityParametersRef,
                 proxyHost: resolver.httpMetadataResolverAttributes?.proxyHost,
-                proxyPort: resolver.httpMetadataResolverAttributes?.proxyHost,
+                proxyPort: resolver.httpMetadataResolverAttributes?.proxyPort,
                 proxyUser: resolver.httpMetadataResolverAttributes?.proxyUser,
                 proxyPassword: resolver.httpMetadataResolverAttributes?.proxyPassword,
                 httpCaching: resolver.httpMetadataResolverAttributes?.httpCaching,
@@ -471,7 +471,7 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService {
                 disregardTLSCertificate: resolver.httpMetadataResolverAttributes?.disregardTLSCertificate ?: null,
                 httpClientSecurityParametersRef: resolver.httpMetadataResolverAttributes?.httpClientSecurityParametersRef,
                 proxyHost: resolver.httpMetadataResolverAttributes?.proxyHost,
-                proxyPort: resolver.httpMetadataResolverAttributes?.proxyHost,
+                proxyPort: resolver.httpMetadataResolverAttributes?.proxyPort,
                 proxyUser: resolver.httpMetadataResolverAttributes?.proxyUser,
                 proxyPassword: resolver.httpMetadataResolverAttributes?.proxyPassword,
                 httpCaching: resolver.httpMetadataResolverAttributes?.httpCaching,
@@ -559,4 +559,4 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService {
 
     }
 
-}
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/MetadataResolverValidationConfiguration.java

@@ -1,9 +1,12 @@
 package edu.internet2.tier.shibboleth.admin.ui.configuration;
 
-import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.DurationMetadataResolverValidator;
-import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolverValidationService;
-import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolverValidator;
-import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.ResourceBackedMetadataResolverValidator;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.DurationIMetadataResolverValidator;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.MetadataResolverValidationService;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.FileBackedHttpMetadataResolverValidator;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.IMetadataResolverValidator;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.ResourceBackedIMetadataResolverValidator;
+import edu.internet2.tier.shibboleth.admin.ui.security.service.IGroupService;
+import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
@@ -12,19 +15,22 @@
 @Configuration
 public class MetadataResolverValidationConfiguration {
 
+    @Bean ResourceBackedIMetadataResolverValidator resourceBackedMetadataResolverValidator() {
+        return new ResourceBackedIMetadataResolverValidator();
+    }
+
     @Bean
-    ResourceBackedMetadataResolverValidator resourceBackedMetadataResolverValidator() {
-        return new ResourceBackedMetadataResolverValidator();
+    FileBackedHttpMetadataResolverValidator fileBackedHttpMetadataResolverValidator(IGroupService groupService, UserService userService) {
+        return new FileBackedHttpMetadataResolverValidator(groupService, userService);
     }
 
     @Bean
     @SuppressWarnings("Unchecked")
-    MetadataResolverValidationService metadataResolverValidationService(List<MetadataResolverValidator> metadataResolverValidators) {
-        return new MetadataResolverValidationService(metadataResolverValidators);
+    MetadataResolverValidationService metadataResolverValidationService(List<IMetadataResolverValidator> IMetadataResolverValidators) {
+        return new MetadataResolverValidationService(IMetadataResolverValidators);
     }
 
-    @Bean
-    DurationMetadataResolverValidator durationMetadataResolverValidator() {
-        return new DurationMetadataResolverValidator();
+    @Bean DurationIMetadataResolverValidator durationMetadataResolverValidator() {
+        return new DurationIMetadataResolverValidator();
     }
-}
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolversController.java

@@ -3,7 +3,7 @@
 import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
 import edu.internet2.tier.shibboleth.admin.ui.domain.exceptions.MetadataFileNotFoundException;
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver;
-import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolverValidationService;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.MetadataResolverValidationService;
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.opensaml.OpenSamlChainingMetadataResolver;
 import edu.internet2.tier.shibboleth.admin.ui.domain.versioning.Version;
 import edu.internet2.tier.shibboleth.admin.ui.repository.MetadataResolverRepository;
@@ -43,7 +43,7 @@
 import java.net.URI;
 import java.util.List;
 
-import static edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolverValidator.ValidationResult;
+import static edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.IMetadataResolverValidator.ValidationResult;
 
 @RestController
 @RequestMapping("/api")
@@ -212,4 +212,4 @@ private void doResolverInitialization(MetadataResolver persistedResolver) throws
             OpenSamlChainingMetadataResolverUtil.updateChainingMetadataResolver((OpenSamlChainingMetadataResolver) chainingMetadataResolver, openSamlRepresentation);
         }
     }
-}
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/validator/FileBackedHttpMetadataResolverValidator.java

@@ -0,0 +1,32 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator;
+
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.FileBackedHttpMetadataResolver;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.ResourceBackedMetadataResolver;
+import edu.internet2.tier.shibboleth.admin.ui.security.service.IGroupService;
+import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService;
+import org.springframework.beans.factory.annotation.Autowired;
+
+public class FileBackedHttpMetadataResolverValidator implements IMetadataResolverValidator {
+    @Autowired
+    IGroupService groupService;
+
+    @Autowired
+    UserService userService;
+
+    public FileBackedHttpMetadataResolverValidator(IGroupService groupService, UserService userService) {
+        this.groupService = groupService;
+        this.userService = userService;
+    }
+
+    @Override public boolean supports(MetadataResolver resolver) { return resolver instanceof FileBackedHttpMetadataResolver; }
+
+    @Override public ValidationResult validate(MetadataResolver resolver) {
+        FileBackedHttpMetadataResolver fbhmResolver = (FileBackedHttpMetadataResolver) resolver;
+        String url = fbhmResolver.getMetadataURL();
+        if (!groupService.doesUrlMatchGroupPattern(userService.getCurrentUser().getGroupId(), url)) {
+            return new ValidationResult("Metadata URL not acceptable for user's group");
+        }
+        return new ValidationResult();
+    }
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/MetadataResolverValidator.java → backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/validator/IMetadataResolverValidator.java

@@ -1,4 +1,6 @@
-package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers;
+package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator;
+
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -12,7 +14,7 @@
  *
  * @author Dmitriy Kopylenko
  */
-public interface MetadataResolverValidator<T extends MetadataResolver> {
+public interface IMetadataResolverValidator<T extends MetadataResolver> {
 
     boolean supports(MetadataResolver resolver);
 
@@ -38,4 +40,4 @@ public boolean isValid() {
             return this.errorMessages == null || this.errorMessages.isEmpty();
         }
     }
-}
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/MetadataResolverValidationService.java → backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/validator/MetadataResolverValidationService.java

@@ -1,23 +1,25 @@
-package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers;
+package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator;
 
-import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolverValidator.ValidationResult;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.IMetadataResolverValidator;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.IMetadataResolverValidator.ValidationResult;
 
 import java.util.ArrayList;
 import java.util.List;
 
 /**
- * A facade that aggregates {@link MetadataResolverValidator}s available to call just one of them supporting the type of a given resolver.
- * If no {@link MetadataResolverValidator}s are configured, considers provided MetadataResolver as valid.
+ * A facade that aggregates {@link IMetadataResolverValidator}s available to call just one of them supporting the type of a given resolver.
+ * If no {@link IMetadataResolverValidator}s are configured, considers provided MetadataResolver as valid.
  * <p>
  * Uses chain-of-responsibility design pattern
  *
  * @author Dmitriy Kopylenko
  */
 public class MetadataResolverValidationService<T extends MetadataResolver> {
 
-    private List<MetadataResolverValidator<T>> validators;
+    List<IMetadataResolverValidator<T>> validators;
 
-    public MetadataResolverValidationService(List<MetadataResolverValidator<T>> validators) {
+    public MetadataResolverValidationService(List<IMetadataResolverValidator<T>> validators) {
         this.validators = validators != null ? validators : new ArrayList<>();
     }
 
@@ -36,4 +38,4 @@ public ValidationResult validateIfNecessary(T metadataResolver) {
     boolean noValidatorsConfigured() {
         return this.validators.size() == 0;
     }
-}
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/ResourceBackedMetadataResolverValidator.java → backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/validator/ResourceBackedIMetadataResolverValidator.java

@@ -1,6 +1,9 @@
-package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers;
+package edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator;
 
-public class ResourceBackedMetadataResolverValidator implements MetadataResolverValidator<ResourceBackedMetadataResolver> {
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver;
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.ResourceBackedMetadataResolver;
+
+public class ResourceBackedIMetadataResolverValidator implements IMetadataResolverValidator<ResourceBackedMetadataResolver> {
 
     @Override
     public boolean supports(MetadataResolver resolver) {
@@ -17,4 +20,4 @@ public ValidationResult validate(ResourceBackedMetadataResolver resolver) {
         }
         return new ValidationResult();
     }
-}
+}

backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/TestMetadataResolverValidationConfiguration.groovy

@@ -1,19 +1,29 @@
 package edu.internet2.tier.shibboleth.admin.ui.configuration
 
-import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolverValidationService
-import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolverValidator
-import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.ResourceBackedMetadataResolverValidator
-
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.MetadataResolverValidationService
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.FileBackedHttpMetadataResolverValidator
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.IMetadataResolverValidator
+import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.validator.ResourceBackedIMetadataResolverValidator
+import edu.internet2.tier.shibboleth.admin.ui.security.service.IGroupService
+import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService
+import org.springframework.beans.factory.annotation.Qualifier
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.Profile
 
 
 @Configuration
 class TestMetadataResolverValidationConfiguration {
 
     @Bean
-    ResourceBackedMetadataResolverValidator resourceBackedMetadataResolverValidator() {
-        new ResourceBackedMetadataResolverValidator()
+    @Profile("fbh-test")
+    FileBackedHttpMetadataResolverValidator fileBackedHttpMetadataResolverValidator(IGroupService groupService, UserService userService) {
+        new FileBackedHttpMetadataResolverValidator(groupService, userService)
+    }
+
+    @Bean
+    ResourceBackedIMetadataResolverValidator resourceBackedMetadataResolverValidator() {
+        new ResourceBackedIMetadataResolverValidator()
     }
 
     @Bean
@@ -22,8 +32,8 @@ class TestMetadataResolverValidationConfiguration {
     }
 
     @Bean
-    MetadataResolverValidationService metadataResolverValidationServiceOneValidator(List<MetadataResolverValidator> metadataResolverValidators) {
+    MetadataResolverValidationService metadataResolverValidationService(List<IMetadataResolverValidator> metadataResolverValidators) {
         new MetadataResolverValidationService(metadataResolverValidators)
     }
 
-}
+}