Commit d19f6bda authored by cdanger's avatar cdanger

### Changed

- Parent project version: 4.0.0 -> 4.1.1  
- authzforce-ce-core-pdp-api: 8.0.0 -> 8.2.0

### Fixed
- Security issues reported by Find Security Bugs plugin
parent 7935e0d3
......@@ -4,10 +4,14 @@ All notable changes to this project are documented in this file following the [K
## Unreleased
### Changed
- Parent project version: 4.0.0 -> 4.1.0 => Changed dependency versions:
- Parent project version: 4.0.0 -> 4.1.1 => Changed dependency versions:
- Spring 4.3.4 -> 4.3.5,
- Saxon-HE 9.7.0-11 -> 9.7.0-14
- authzforce-ce-core-pdp-api: 8.0.0 -> 8.1.0
- authzforce-ce-core-pdp-api dependency version: 8.0.0 -> 8.2.0
### Fixed
- Security issues reported by Find Security Bugs plugin
## 6.0.0
### Added
......
<?xml version="1.0"?>
<!--
This file contains some false positive bugs detected by Findbugs. Their
false positive nature has been analyzed individually and they have been
put here to instruct Findbugs to ignore them.
-->
<FindBugsFilter>
<Match>
<!-- CRLF injection in logs is considered fixed in the logger configuration, e.g. logback.xml.
More info: https://github.com/find-sec-bugs/find-sec-bugs/issues/240
-->
<Bug pattern="CRLF_INJECTION_LOGS" />
</Match>
</FindBugsFilter>
\ No newline at end of file
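Review bot: The `CRLF_INJECTION_LOGS` suppression is unconditional — the `<Match>` carries no `<Class>` or `<Method>` element, so it silences the finding for every class in the module — and its stated justification ("fixed in the logger configuration") is not borne out by the logback.xml change in this same commit, where the `%replace(%m){'\r?\n','<NEWLINE>'}` pattern is added only as a comment and the active `<pattern>` still writes `%m` unmodified. Either make the replace pattern the active one in logback.xml (and in the production logging configuration, if that file is a test-only config — its path is not visible here), or keep the finding unsuppressed so it stays visible until a mitigation is actually in place. The comment should also name the concrete mitigation so the next maintainer can verify it, e.g. `<!-- CRLF injection in log messages is mitigated by the %replace(%m) pattern in logback.xml; keep the two in sync. -->`.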
......@@ -3,7 +3,7 @@
<parent>
<groupId>org.ow2.authzforce</groupId>
<artifactId>authzforce-ce-parent</artifactId>
<version>4.1.0</version>
<version>4.1.1</version>
</parent>
<artifactId>authzforce-ce-core</artifactId>
<version>6.0.1-SNAPSHOT</version>
......@@ -42,7 +42,7 @@
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>${artifactId.prefix}-core-pdp-api</artifactId>
<version>8.1.0</version>
<version>8.2.0</version>
</dependency>
<!-- /Authzforce dependencies -->
......@@ -102,6 +102,9 @@
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>findbugs-maven-plugin</artifactId>
<configuration>
<excludeFilterFile>findbugs-exclude-filter.xml</excludeFilterFile>
</configuration>
<executions>
<execution>
<phase>verify</phase>
......
......@@ -19,7 +19,6 @@
package org.ow2.authzforce.core.pdp.impl;
import java.io.BufferedReader;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
......@@ -28,6 +27,9 @@ import java.io.Reader;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
......@@ -55,8 +57,7 @@ import org.xml.sax.SAXParseException;
/**
*
* XML schema handler that can load schema file(s) from location(s) supported by {@link ResourceUtils} using any OASIS
* catalog at any location supported by {@link ResourceUtils} as well.
* XML schema handler that can load schema file(s) from location(s) supported by {@link ResourceUtils} using any OASIS catalog at any location supported by {@link ResourceUtils} as well.
*
* @version $Id: $
*/
......@@ -76,8 +77,7 @@ public final class SchemaHandler
}
@Override
public LSInput resolveResource(final String type, final String namespaceURI, final String publicId,
final String systemId, final String baseURI)
public LSInput resolveResource(final String type, final String namespaceURI, final String publicId, final String systemId, final String baseURI)
{
try
{
......@@ -94,8 +94,7 @@ public final class SchemaHandler
resolvedLocation = catalogResolver.resolvePublic(publicId, systemId);
if (_LOGGER.isDebugEnabled())
{
_LOGGER.debug("resolvePublic(publicId = {}, systemId = {}) -> {}",
new Object[] { publicId, systemId, resolvedLocation });
_LOGGER.debug("resolvePublic(publicId = {}, systemId = {}) -> {}", publicId, systemId, resolvedLocation);
}
}
if (resolvedLocation != null)
......@@ -109,9 +108,8 @@ public final class SchemaHandler
}
catch (final IOException ex)
{
final String errMsg = "Unable to resolve schema-required entity with XML catalog (location='"
+ catalogLocation + "'): type=" + type + ", namespaceURI=" + namespaceURI + ", publicId='"
+ publicId + "', systemId='" + systemId + "', baseURI='" + baseURI + "'";
final String errMsg = "Unable to resolve schema-required entity with XML catalog (location='" + catalogLocation + "'): type=" + type + ", namespaceURI=" + namespaceURI
+ ", publicId='" + publicId + "', systemId='" + systemId + "', baseURI='" + baseURI + "'";
throw new RuntimeException(errMsg, ex);
}
......@@ -142,10 +140,9 @@ public final class SchemaHandler
};
/**
* This is quite similar to org.apache.cxf.catalog.OASISCatalogManager, except it is much simplified as we don't
* need as many features. We are not using CXF's OASISCatalogManager class directly because it is part of cxf-core
* which drags many classes and dependencies on CXF we don't need. It would make more sense if OASISCatalogManager
* was part of a cxf common utility package, but it is not the case as of writing (December 2014).
* This is quite similar to org.apache.cxf.catalog.OASISCatalogManager, except it is much simplified as we don't need as many features. We are not using CXF's OASISCatalogManager class directly
* because it is part of cxf-core which drags many classes and dependencies on CXF we don't need. It would make more sense if OASISCatalogManager was part of a cxf common utility package, but it
* is not the case as of writing (December 2014).
* <p>
* WARNING: this is not immutable since getCatalog() gives access to internal catalog which is mutable.
* </p>
......@@ -188,9 +185,7 @@ public final class SchemaHandler
}
catch (final IOException e)
{
_LOGGER.warn(
"Error resolving resource needed by org.apache.xml.resolver.CatalogResolver for OASIS CatalogManager with URL: {}",
e);
_LOGGER.warn("Error resolving resource needed by org.apache.xml.resolver.CatalogResolver for OASIS CatalogManager with URL: {}", e);
}
}
return s;
......@@ -228,10 +223,10 @@ public final class SchemaHandler
{
try
{
final File file = new File(catalogURL.toURI());
if (!file.exists())
final Path filePath = Paths.get(catalogURL.toURI());
if (!Files.exists(filePath))
{
throw new FileNotFoundException(file.getAbsolutePath());
throw new FileNotFoundException(filePath.toString());
}
}
catch (final URISyntaxException e)
......@@ -242,9 +237,7 @@ public final class SchemaHandler
if (catalog == null)
{
_LOGGER.warn(
"Catalog found at {} but no org.apache.xml.resolver.CatalogManager was found. Check the classpatch for an xmlresolver jar.",
catalogURL);
_LOGGER.warn("Catalog found at {} but no org.apache.xml.resolver.CatalogManager was found. Check the classpatch for an xmlresolver jar.", catalogURL);
}
else
{
......@@ -319,8 +312,7 @@ public final class SchemaHandler
public Reader getCharacterStream()
{
/*
* No character stream, only byte streams are allowed. Do not throw exception, otherwise the resolution of
* the resource fails, even if byte stream OK
* No character stream, only byte streams are allowed. Do not throw exception, otherwise the resolution of the resource fails, even if byte stream OK
*/
return null;
// throw new UnsupportedOperationException();
......@@ -370,8 +362,7 @@ public final class SchemaHandler
public String getBaseURI()
{
/*
* No base URI, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise the
* resolution of the resource fails, even for absolute URIs
* No base URI, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise the resolution of the resource fails, even for absolute URIs
*/
return null;
// throw new UnsupportedOperationException();
......@@ -387,8 +378,7 @@ public final class SchemaHandler
public String getEncoding()
{
/*
* No encoding override, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise
* the resolution of the resource fails, even if encoding specified in other way
* No encoding override, only absolute URIs are allowed. Do not throw exception if no base URI, otherwise the resolution of the resource fails, even if encoding specified in other way
*/
return null;
// throw new UnsupportedOperationException();
......@@ -461,11 +451,9 @@ public final class SchemaHandler
public static Schema createSchema(final List<String> schemaLocations, final String catalogLocation)
{
/*
* This is mostly similar to org.apache.cxf.jaxrs.utils.schemas.SchemaHandler#createSchema(), except we are
* using Spring ResourceUtils class to get Resource URLs and we don't use any Bus object. We are not using CXF's
* SchemaHandler class directly because it is part of cxf-rt-frontend-jaxrs which drags many dependencies on CXF
* we don't need, the full CXF JAX-RS framework actually. It would make more sense if SchemaHandler was part of
* some cxf common utility package, but it is not the case as of writing (December 2014).
* This is mostly similar to org.apache.cxf.jaxrs.utils.schemas.SchemaHandler#createSchema(), except we are using Spring ResourceUtils class to get Resource URLs and we don't use any Bus
* object. We are not using CXF's SchemaHandler class directly because it is part of cxf-rt-frontend-jaxrs which drags many dependencies on CXF we don't need, the full CXF JAX-RS framework
* actually. It would make more sense if SchemaHandler was part of some cxf common utility package, but it is not the case as of writing (December 2014).
*/
final SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
......
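Review bot: In the hunk at line 185, `_LOGGER.warn("Error resolving resource needed by org.apache.xml.resolver.CatalogResolver for OASIS CatalogManager with URL: {}", e);` still has a `{}` placeholder with no argument bound to it — SLF4J takes the trailing `Throwable` as the exception to print, so the message is emitted with a literal `{}` and the URL never appears; the commit only re-wraps the line. Pass the URL before the exception: `_LOGGER.warn("... with URL: {}", URL_IN_SCOPE, e)`, where URL_IN_SCOPE is a placeholder for whichever URL variable the enclosing method holds (its start is outside the hunk). Separately, in the hunk at line 223, `Paths.get(catalogURL.toURI())` differs from the replaced `new File(catalogURL.toURI())` in what it throws for a non-`file:` URI (`FileSystemNotFoundException` or `IllegalArgumentException`, where `File` threw only `IllegalArgumentException`); the catch clauses following `URISyntaxException` are outside the hunk, so check they still cover that case.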
......@@ -365,7 +365,6 @@ public final class ExpressionFactoryImpl implements ExpressionFactory
LOGGER.warn("Expression of Variable {} is constant '{}', therefore should be replaced with a equivalent AttributeValue.", variableId, constant);
}
variableExpression.getReturnType();
return new ConstantVariableReference<>(variableId, constant, variableExpression.getReturnType(), longestVarRefChainInExpression);
}
......
......@@ -80,7 +80,7 @@ public class ConformanceV3FromV2
*/
private static final Logger LOGGER = LoggerFactory.getLogger(ConformanceV3FromV2.class);
protected static void setUp(String testRootDirectoryLocation) throws Exception
protected static void setUp(final String testRootDirectoryLocation) throws Exception
{
LOGGER.debug("Launching conformance tests for features in directory: {}", testRootDirectoryLocation);
}
......@@ -103,8 +103,8 @@ public class ConformanceV3FromV2
* PDP request filter ID to be used for the tests
* @return test data
*/
protected static Collection<? extends Object[]> getTestData(String rootDirectoryPath, String testSubDirectoryName, String testFilenamePrefixBeforeNum, int startTestNum, int endTestNum,
String requestFilterId)
protected static Collection<? extends Object[]> getTestData(final String rootDirectoryPath, final String testSubDirectoryName, final String testFilenamePrefixBeforeNum, final int startTestNum,
final int endTestNum, final String requestFilterId)
{
final Collection<Object[]> testData = new ArrayList<>();
for (int testNum = startTestNum; testNum <= endTestNum; testNum++)
......@@ -113,10 +113,12 @@ public class ConformanceV3FromV2
if (testNum < 10)
{
paddedTestNumber = "00" + testNum;
} else if (testNum < 100)
}
else if (testNum < 100)
{
paddedTestNumber = "0" + testNum;
} else
}
else
{
paddedTestNumber = Integer.toString(testNum);
}
......@@ -135,7 +137,7 @@ public class ConformanceV3FromV2
private final String reqFilter;
public ConformanceV3FromV2(String filePathPrefix, boolean enableXPath, String requestFilter)
public ConformanceV3FromV2(final String filePathPrefix, final boolean enableXPath, final String requestFilter)
{
this.testFilePathPrefix = filePathPrefix;
this.enableXPath = enableXPath;
......@@ -148,29 +150,33 @@ public class ConformanceV3FromV2
{
LOGGER.debug("Starting conformance test with files '{}*.xml'", testFilePathPrefix);
NamespaceFilteringParser unmarshaller = xacmlParserFactory.getInstance();
final NamespaceFilteringParser respUnmarshaller = xacmlParserFactory.getInstance();
Response expectedResponse = null;
String expectedRespFilepath = testFilePathPrefix + EXPECTED_RESPONSE_FILENAME_SUFFIX;
final String expectedRespFilepath = testFilePathPrefix + EXPECTED_RESPONSE_FILENAME_SUFFIX;
try
{
expectedResponse = TestUtils.createResponse(expectedRespFilepath, unmarshaller);
} catch (FileNotFoundException notFoundErr)
expectedResponse = TestUtils.createResponse(expectedRespFilepath, respUnmarshaller);
}
catch (final FileNotFoundException notFoundErr)
{
// do nothing except logging -> request = null
LOGGER.debug("Response file '{}' does not exist -> Static Policy/Request syntax error check", expectedRespFilepath);
}
final NamespaceFilteringParser reqUnmarshaller = xacmlParserFactory.getInstance();
Request request = null;
// if no Request file, it is just a static policy syntax error check
String expectedReqFilepath = testFilePathPrefix + REQUEST_FILENAME_SUFFIX;
final String expectedReqFilepath = testFilePathPrefix + REQUEST_FILENAME_SUFFIX;
try
{
request = TestUtils.createRequest(expectedReqFilepath, unmarshaller);
} catch (FileNotFoundException notFoundErr)
request = TestUtils.createRequest(expectedReqFilepath, reqUnmarshaller);
}
catch (final FileNotFoundException notFoundErr)
{
// do nothing except logging -> request = null
LOGGER.debug("Request file '{}' does not exist -> Static policy syntax error check (Request/Response ignored)", expectedReqFilepath);
} catch (JAXBException e)
}
catch (final JAXBException e)
{
// we found syntax error in request
if (expectedResponse == null)
......@@ -185,11 +191,11 @@ public class ConformanceV3FromV2
throw e;
}
String rootPolicyFilepath = testFilePathPrefix + ROOT_POLICY_FILENAME_SUFFIX;
final String rootPolicyFilepath = testFilePathPrefix + ROOT_POLICY_FILENAME_SUFFIX;
// referenced policies if any
String refPoliciesDirLocation = testFilePathPrefix + REF_POLICIES_DIRNAME_SUFFIX;
final String refPoliciesDirLocation = testFilePathPrefix + REF_POLICIES_DIRNAME_SUFFIX;
String attributeProviderConfLocation = testFilePathPrefix + ATTRIBUTE_PROVIDER_FILENAME_SUFFIX;
final String attributeProviderConfLocation = testFilePathPrefix + ATTRIBUTE_PROVIDER_FILENAME_SUFFIX;
PDPImpl pdp = null;
try
......@@ -200,7 +206,8 @@ public class ConformanceV3FromV2
// this is a policy syntax error check and we didn't found the syntax error as
// expected
Assert.fail("Failed to find syntax error as expected in policy located at: " + rootPolicyFilepath);
} else if (expectedResponse == null)
}
else if (expectedResponse == null)
{
/*
* No expected response, so it is not a PDP evaluation test, but request or policy syntax error check. We got here, so request and policy OK. This is unexpected.
......@@ -208,19 +215,21 @@ public class ConformanceV3FromV2
Assert.fail("Missing response file '" + expectedRespFilepath + "' or failed to find syntax error as expected in either request located at '" + expectedReqFilepath
+ "' or policy located at '" + rootPolicyFilepath + "'");
} else
}
else
{
// this is an evaluation test with request/response (not a policy syntax check)
LOGGER.debug("Request that is sent to the PDP: {}", request);
Response response = pdp.evaluate(request, unmarshaller.getNamespacePrefixUriMap());
final Response actualResponse = pdp.evaluate(request, reqUnmarshaller.getNamespacePrefixUriMap());
if (LOGGER.isDebugEnabled())
{
LOGGER.debug("Response that is received from the PDP : {}", TestUtils.printResponse(response));
LOGGER.debug("Response that is received from the PDP : {}", TestUtils.printResponse(actualResponse));
}
TestUtils.assertNormalizedEquals(testFilePathPrefix, expectedResponse, response);
TestUtils.assertNormalizedEquals(testFilePathPrefix, expectedResponse, actualResponse);
}
} catch (IllegalArgumentException e)
}
catch (final IllegalArgumentException e)
{
// we found syntax error in policy
if (request == null)
......@@ -233,7 +242,8 @@ public class ConformanceV3FromV2
// Unexpected error
throw e;
} finally
}
finally
{
if (pdp != null)
{
......
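Review bot: The three-branch `if`/`else if`/`else` that builds `paddedTestNumber` in the hunk at line 113 is a hand-rolled zero-pad; `paddedTestNumber = String.format("%03d", testNum);` yields the same string for non-negative test numbers and removes the two branches this commit only re-braced. The enclosing `getTestData` loop starts in the previous hunk and its end is outside this one. The remaining hunks add `final`, split braces and introduce the separate `reqUnmarshaller`/`respUnmarshaller`, which look consistent with their uses.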
......@@ -39,7 +39,7 @@ import org.ow2.authzforce.core.test.utils.FunctionTest;
public class SpecialMatchFunctionsTest extends FunctionTest
{
public SpecialMatchFunctionsTest(String functionName, List<Value> inputs, Value expectedResult)
public SpecialMatchFunctionsTest(final String functionName, final List<Value> inputs, final Value expectedResult)
{
super(functionName, null, inputs, expectedResult);
}
......@@ -52,32 +52,38 @@ public class SpecialMatchFunctionsTest extends FunctionTest
{
return Arrays.asList(
// urn:oasis:names:tc:xacml:1.0:function:x500Name-match
new Object[] { NAME_X500NAME_MATCH,
Arrays.asList(new X500NameValue("O=Medico Corp,C=US"), new X500NameValue("cn=John Smith,o=Medico Corp, c=US")), BooleanValue.TRUE },
new Object[] { NAME_X500NAME_MATCH,
Arrays.asList(new X500NameValue("O=Another Corp,C=US"), new X500NameValue("cn=John Smith,o=Medico Corp, c=US")), BooleanValue.FALSE },
new Object[] { NAME_X500NAME_MATCH, Arrays.asList(new X500NameValue("O=Medico Corp,C=US"), new X500NameValue("cn=John Smith,o=Medico Corp, c=US")), BooleanValue.TRUE },
//
new Object[] { NAME_X500NAME_MATCH, Arrays.asList(new X500NameValue("O=Medico Corp,C=US"), new X500NameValue("cn=John Smith, o=Medico Corp, c=US")), BooleanValue.TRUE },
//
new Object[] { NAME_X500NAME_MATCH, Arrays.asList(new X500NameValue("O=Medico Corp,C=US"), new X500NameValue("cn=John Smith\\,O=Medico Corp, c=US")), BooleanValue.FALSE },
//
new Object[] { NAME_X500NAME_MATCH, Arrays.asList(new X500NameValue("O=Medico Corp,C=US"), new X500NameValue("cn=John Smith\\, O=Medico Corp, c=US")), BooleanValue.FALSE },
//
new Object[] { NAME_X500NAME_MATCH, Arrays.asList(new X500NameValue("O=Another Corp,C=US"), new X500NameValue("cn=John Smith,o=Medico Corp, c=US")), BooleanValue.FALSE },
// urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("Anderson@sun.com"), new RFC822NameValue("Anderson@sun.com")),
BooleanValue.TRUE },
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("Anderson@sun.com"), new RFC822NameValue("Anderson@SUN.COM")),
BooleanValue.TRUE },
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("Anderson@sun.com"), new RFC822NameValue("Anne.Anderson@sun.com")),
BooleanValue.FALSE },
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("Anderson@sun.com"), new RFC822NameValue("anderson@sun.com")),
BooleanValue.FALSE },
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("Anderson@sun.com"), new RFC822NameValue("Anderson@east.sun.com")),
BooleanValue.FALSE },
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("Anderson@sun.com"), new RFC822NameValue("Anderson@sun.com")), BooleanValue.TRUE },
//
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("Anderson@sun.com"), new RFC822NameValue("Anderson@SUN.COM")), BooleanValue.TRUE },
//
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("Anderson@sun.com"), new RFC822NameValue("Anne.Anderson@sun.com")), BooleanValue.FALSE },
//
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("Anderson@sun.com"), new RFC822NameValue("anderson@sun.com")), BooleanValue.FALSE },
//
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("Anderson@sun.com"), new RFC822NameValue("Anderson@east.sun.com")), BooleanValue.FALSE },
//
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("sun.com"), new RFC822NameValue("Anderson@sun.com")), BooleanValue.TRUE },
//
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("sun.com"), new RFC822NameValue("Baxter@SUN.COM")), BooleanValue.TRUE },
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("sun.com"), new RFC822NameValue("Anderson@east.sun.com")),
BooleanValue.FALSE },
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue(".east.sun.com"), new RFC822NameValue("Anderson@east.sun.com")),
BooleanValue.TRUE },
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue(".east.sun.com"), new RFC822NameValue("anne.anderson@ISRG.EAST.SUN.COM")),
BooleanValue.TRUE },
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue(".east.sun.com"), new RFC822NameValue("Anderson@sun.com")),
BooleanValue.FALSE });
//
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue("sun.com"), new RFC822NameValue("Anderson@east.sun.com")), BooleanValue.FALSE },
//
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue(".east.sun.com"), new RFC822NameValue("Anderson@east.sun.com")), BooleanValue.TRUE },
//
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue(".east.sun.com"), new RFC822NameValue("anne.anderson@ISRG.EAST.SUN.COM")), BooleanValue.TRUE },
//
new Object[] { NAME_RFC822NAME_MATCH, Arrays.asList(new StringValue(".east.sun.com"), new RFC822NameValue("Anderson@sun.com")), BooleanValue.FALSE });
}
}
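Review bot: The new x500Name-match cases in the hunk at line 52 that expect `BooleanValue.FALSE` for `"cn=John Smith\\,O=Medico Corp, c=US"` and `"cn=John Smith\\, O=Medico Corp, c=US"` are the valuable ones, but the bare `//` separator above each explains nothing about why an escaped comma flips the result. Replace those two separators with a comment such as `// escaped comma: "John Smith\,O=Medico Corp" is a single CN value, so there is no O=Medico Corp RDN to match` so the intent survives the next reformat. The empty `//` lines between the rfc822Name-match cases add nothing and could be dropped; the method returning this `Arrays.asList` starts outside the hunk.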
......@@ -15,8 +15,7 @@
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
<PolicySet
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:ordered-deny-overrides"
PolicySetId="urn:oasis:names:tc:xacml:2.0:conformance-test:IIIG302:InternalPolicyset"
Version="1.0"
......
......@@ -11,6 +11,8 @@
<appender name="stdout" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%-4r [%t] [%d] %5p [%C:%M] \(%F:%L\) - %m%n</pattern>
<!-- Pattern mitigating CRLF injection -->
<!-- <pattern>%-4r [%t] [%d] %5p [%C:%M] \(%F:%L\) - %replace(%m){'\r?\n','<NEWLINE>'}%n</pattern> -->
</encoder>
</appender>
......