github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

DWN-39926 : validate scopes on manage client page

pull/1601/head
Harry Smith 2023-01-26 09:39:09 +00:00
parent 42b6aa57bd
commit 9119dddef1
1 changed files with 26 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
openid-connect-server/src/main/java/org/mitre/openid/connect/web/ClientAPI.java
View File

@ -21,6 +21,8 @@ import java.lang.reflect.Type;
import java.sql.SQLIntegrityConstraintViolationException; import java.sql.SQLIntegrityConstraintViolationException;
import java.text.ParseException; import java.text.ParseException;
import java.util.Collection; import java.util.Collection;
import java.util.Set;
import java.util.regex.Pattern;
import javax.persistence.PersistenceException; import javax.persistence.PersistenceException;
@ -33,9 +35,8 @@ import org.mitre.oauth2.model.ClientDetailsEntity.SubjectType;
import org.mitre.oauth2.model.PKCEAlgorithm; import org.mitre.oauth2.model.PKCEAlgorithm;
import org.mitre.oauth2.service.ClientDetailsEntityService; import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.oauth2.web.AuthenticationUtilities; import org.mitre.oauth2.web.AuthenticationUtilities;
import org.mitre.openid.connect.exception.ScopeException;
import org.mitre.openid.connect.exception.ValidationException; import org.mitre.openid.connect.exception.ValidationException;
import org.mitre.openid.connect.model.CachedImage;
import org.mitre.openid.connect.service.ClientLogoLoadingService;
import org.mitre.openid.connect.view.ClientEntityViewForAdmins; import org.mitre.openid.connect.view.ClientEntityViewForAdmins;
import org.mitre.openid.connect.view.ClientEntityViewForUsers; import org.mitre.openid.connect.view.ClientEntityViewForUsers;
import org.mitre.openid.connect.view.HttpCodeView; import org.mitre.openid.connect.view.HttpCodeView;
@ -45,10 +46,8 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus; import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType; import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.common.util.OAuth2Utils; import org.springframework.security.oauth2.common.util.OAuth2Utils;
@ -130,6 +129,9 @@ public class ClientAPI {
public static final String URL = RootController.API_URL + "/clients"; public static final String URL = RootController.API_URL + "/clients";
private static final String characterMatcher = "[a-zA-Z]+";
private static final Pattern pattern = Pattern.compile(characterMatcher);
@Autowired @Autowired
private ClientDetailsEntityService clientService; private ClientDetailsEntityService clientService;
@ -256,6 +258,12 @@ public class ClientAPI {
json = parser.parse(jsonString).getAsJsonObject(); json = parser.parse(jsonString).getAsJsonObject();
client = gson.fromJson(json, ClientDetailsEntity.class); client = gson.fromJson(json, ClientDetailsEntity.class);
client = validateSoftwareStatement(client); client = validateSoftwareStatement(client);
validateScopes(client.getScope());
} catch (ScopeException e) {
logger.error("apiAddClient failed due to ScopeException", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Could not save new client. The server encountered a scope exception. Contact a system administrator for assistance.");
return JsonErrorView.VIEWNAME;
} catch (JsonSyntaxException e) { } catch (JsonSyntaxException e) {
logger.error("apiAddClient failed due to JsonSyntaxException", e); logger.error("apiAddClient failed due to JsonSyntaxException", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
@ -369,6 +377,12 @@ public class ClientAPI {
json = parser.parse(jsonString).getAsJsonObject(); json = parser.parse(jsonString).getAsJsonObject();
client = gson.fromJson(json, ClientDetailsEntity.class); client = gson.fromJson(json, ClientDetailsEntity.class);
client = validateSoftwareStatement(client); client = validateSoftwareStatement(client);
validateScopes(client.getScope());
} catch (ScopeException e) {
logger.error("apiUpdateClient failed due to ScopeException", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
m.addAttribute(JsonErrorView.ERROR_MESSAGE, "Could not update client. The server encountered a scope exception. Contact a system administrator for assistance.");
return JsonErrorView.VIEWNAME;
} catch (JsonSyntaxException e) { } catch (JsonSyntaxException e) {
logger.error("apiUpdateClient failed due to JsonSyntaxException", e); logger.error("apiUpdateClient failed due to JsonSyntaxException", e);
m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST); m.addAttribute(HttpCodeView.CODE, HttpStatus.BAD_REQUEST);
@ -460,6 +474,14 @@ public class ClientAPI {
} }
} }
private void validateScopes(Set<String> scopes) throws ScopeException {
for (String s : scopes) {
if (!pattern.matcher(s).matches()) {
throw new ScopeException(s);
}
}
}
/** /**
* Delete a client * Delete a client
* @param id * @param id