From 8e746a3db99b52af262f67ecfc8a154b6c45c145 Mon Sep 17 00:00:00 2001 From: "luca.malatini" Date: Thu, 7 Sep 2023 10:53:33 +0200 Subject: [PATCH 01/14] added eidas toggle and logic --- .../views/MetadataSpCheck/MetadataSpCheck.js | 7 +- .../client/src/views/MetadataSpCheck/view.js | 313 ++++++++++++------ .../src/views/RequestCheck/RequestCheck.js | 7 +- .../client/src/views/RequestCheck/view.js | 285 ++++++++++------ spid-validator/config/api.json | 2 +- spid-validator/config/server.json | 2 +- spid-validator/server/api/metadata-sp.js | 3 +- spid-validator/server/lib/saml-utils.js | 2 +- spid-validator/server/lib/utils.js | 4 +- spid-validator/server/package.json | 2 +- 10 files changed, 412 insertions(+), 215 deletions(-) diff --git a/spid-validator/client/src/views/MetadataSpCheck/MetadataSpCheck.js b/spid-validator/client/src/views/MetadataSpCheck/MetadataSpCheck.js index e04918d..3687866 100644 --- a/spid-validator/client/src/views/MetadataSpCheck/MetadataSpCheck.js +++ b/spid-validator/client/src/views/MetadataSpCheck/MetadataSpCheck.js @@ -20,7 +20,8 @@ class MetadataSpCheck extends Component { detailview: false, deprecable: false, deprecated: false, - production: false + production: false, + eidas: true }; } @@ -135,6 +136,10 @@ class MetadataSpCheck extends Component { }); } + setEidas() { + this.setState({ eidas: !this.state.eidas }); + } + print() { Utility.print("metadata-" + this.state.test); } diff --git a/spid-validator/client/src/views/MetadataSpCheck/view.js b/spid-validator/client/src/views/MetadataSpCheck/view.js index a03f125..0b5d13a 100644 --- a/spid-validator/client/src/views/MetadataSpCheck/view.js +++ b/spid-validator/client/src/views/MetadataSpCheck/view.js @@ -3,124 +3,219 @@ import { UncontrolledTooltip } from 'reactstrap'; import BlockUi from 'react-block-ui'; import AceEditor from '../../components/AceEditor/'; import './switches.css'; -import "./style.css"; +import './style.css'; -function view(me) { - return ( -
-

Metadata Service Provider Report

-

Data Validazione: {me.state.report_datetime}

-
+function view(me) { + return ( +
+

Metadata Service Provider Report

+

+ Data Validazione: {me.state.report_datetime} +

+
+ {!me.state.detailview && ( +
+ {me.state.report != null && ( +
+
+

+ Check{' '} + + {me.state.test} + +

+ {me.state.report_profile != null && ( +

+ Profilo {me.state.report_profile} +

+ )} - {!me.state.detailview && -
- {me.state.report!=null && -
-
-

Check {me.state.test}

- {me.state.report_profile!=null &&

Profilo {me.state.report_profile}

} - - {me.state.report.map((t, i)=> { - return( - {i} - - ); - })} - -
-
- } -
- } - - {me.state.detailview && -
- {me.state.report!=null && -
-
-

Check {me.state.test}

- {me.state.report_profile!=null &&

Profilo {me.state.report_profile}

} - - - - - - - - {me.state.report.map((t, i)=> { - return( - - - - - - ); - })} -
#TestTest Result
{i}{t.test} - {t.result + (t.value? " - value: " + t.value : "")} -
-
-
+ {me.state.report.map((t, i) => { + return ( + - } - + title={t.test + (t.value ? ': ' + t.value : '')} + > + {' '} + {i} + + ); + })} +
+
+ )} +
+ )} -
-
-
- - Visualizzazione dettaglio -
+ {me.state.detailview && ( +
+ {me.state.report != null && ( +
+
+

+ Check{' '} + + {me.state.test} + +

+ {me.state.report_profile != null && ( +

+ Profilo {me.state.report_profile} +

+ )} - {me.state.deprecable && -
- - Metadata deprecato (pre Avviso n.29) -
-
+ + + + + + + {me.state.report.map((t, i) => { + return ( + + + + + + ); + })} +
#TestTest Result
+ {i} + {t.test} + {t.result + (t.value ? ' - value: ' + t.value : '')} +
+
+
+ )} +
+ )} + +
+
+
+ + Visualizzazione dettaglio +
-
- - Check per Produzione -
-
+ {me.state.deprecable && ( +
+ + Metadata deprecato (pre Avviso n.29) +
+
+ )} - - -
-
+
+
+ +
+ +
-
+
+ +
+ + Check per Produzione +
+
+ + + +
+
- ); +
+
+ ); } -export default view; +export default view; diff --git a/spid-validator/client/src/views/RequestCheck/RequestCheck.js b/spid-validator/client/src/views/RequestCheck/RequestCheck.js index 64ea135..2308826 100644 --- a/spid-validator/client/src/views/RequestCheck/RequestCheck.js +++ b/spid-validator/client/src/views/RequestCheck/RequestCheck.js @@ -18,7 +18,8 @@ class RequestCheck extends Component { report_datetime: null, report_profile: null, detailview: false, - production: false + production: false, + eidas: true }; } @@ -114,6 +115,10 @@ class RequestCheck extends Component { }); } + setEidas() { + this.setState({ eidas: !this.state.eidas }); + } + print() { Utility.print("request-" + this.state.test); } diff --git a/spid-validator/client/src/views/RequestCheck/view.js b/spid-validator/client/src/views/RequestCheck/view.js index dac41b9..a98086a 100644 --- a/spid-validator/client/src/views/RequestCheck/view.js +++ b/spid-validator/client/src/views/RequestCheck/view.js @@ -2,114 +2,203 @@ import React from 'react'; import { UncontrolledTooltip } from 'reactstrap'; import BlockUi from 'react-block-ui'; import AceEditor from '../../components/AceEditor/'; -import "./style.css"; +import './style.css'; -function view(me) { - return ( -
-

Request Report

-

Data Validazione: {me.state.report_datetime}

-
+function view(me) { + return ( +
+

Request Report

+

+ Data Validazione: {me.state.report_datetime} +

+
+ {!me.state.detailview && ( +
+ {me.state.report != null && ( +
+
+

+ Check{' '} + + {me.state.test} + +

+ {me.state.report_profile != null && ( +

+ Profilo {me.state.report_profile} +

+ )} - {!me.state.detailview && -
- {me.state.report!=null && -
-
-

Check {me.state.test}

- {me.state.report_profile!=null &&

Profilo {me.state.report_profile}

} - - {me.state.report.map((t, i)=> { - return( - {i} - - ); - })} - -
-
- } -
- } - - {me.state.detailview && -
- {me.state.report!=null && -
-
-

Check {me.state.test}

- {me.state.report_profile!=null &&

Profilo {me.state.report_profile}

} - - - - - - - - {me.state.report.map((t, i)=> { - return( - - - - - - ); - })} -
#TestTest Result
{i}{t.test} - {t.result + (t.value? " - value: " + t.value : "")} -
-
-
+ {me.state.report.map((t, i) => { + return ( + - } - + title={t.test + (t.value ? ': ' + t.value : '')} + > + {' '} + {i} + + ); + })} +
+
+ )} +
+ )} -
-
-
+ {me.state.detailview && ( +
+ {me.state.report != null && ( +
+
+

+ Check{' '} + + {me.state.test} + +

+ {me.state.report_profile != null && ( +

+ Profilo {me.state.report_profile} +

+ )} -
- - Visualizzazione dettaglio -
-
+ + + + + + + {me.state.report.map((t, i) => { + return ( + + + + + + ); + })} +
#TestTest Result
+ {i} + {t.test} + {t.result + (t.value ? ' - value: ' + t.value : '')} +
+
+
+ )} +
+ )} -
- - Check per Produzione -
-
+
+
+
+
+ + Visualizzazione dettaglio +
+
- - -
-
+
+
+ +
+ +
+
+ +
+ + Check per Produzione +
+
+ +
+
- ); +
+
+ ); } -export default view; +export default view; diff --git a/spid-validator/config/api.json b/spid-validator/config/api.json index 1797133..4d607c2 100644 --- a/spid-validator/config/api.json +++ b/spid-validator/config/api.json @@ -1,3 +1,3 @@ { - + "df7da94d-cc42-4cf4-9fb2-9e7d542ab5cd#accenture": "c952c1b6-763d-4244-a5e7-8529e40847e9" } diff --git a/spid-validator/config/server.json b/spid-validator/config/server.json index 402ad93..1a5c2a5 100644 --- a/spid-validator/config/server.json +++ b/spid-validator/config/server.json @@ -2,7 +2,7 @@ "host": "https://localhost", "port": 8443, "useProxy": false, - "useHttps": true, + "useHttps": false, "httpsPrivateKey": "./config/spid-saml-check.key", "httpsCertificate": "./config/spid-saml-check.crt" } diff --git a/spid-validator/server/api/metadata-sp.js b/spid-validator/server/api/metadata-sp.js index 352f46b..77d3f38 100644 --- a/spid-validator/server/api/metadata-sp.js +++ b/spid-validator/server/api/metadata-sp.js @@ -244,6 +244,7 @@ module.exports = function(app, checkAuthorisation, getEntityDir, database) { let deprecated = (req.query.deprecated=='Y')? true : false; let production = (req.query.production=='Y')? true : false; + let isEidas = (req.query.eidas==true)? true : false; if(!fs.existsSync(config_dir.DATA)) return res.render('warning', { message: "Directory " + config_dir.DATA + " is not found. Please create it and reload." }); @@ -267,7 +268,7 @@ module.exports = function(app, checkAuthorisation, getEntityDir, database) { } if(file!=null) { - Utility.metadataCheck(cmd, entity_id.normalize(), profile, config_idp, production).then( + Utility.metadataCheck(cmd, entity_id.normalize(), profile, config_idp, production, isEidas).then( (out) => { try { let report = fs.readFileSync(file, "utf8"); diff --git a/spid-validator/server/lib/saml-utils.js b/spid-validator/server/lib/saml-utils.js index 99c62a1..4415da9 100644 --- a/spid-validator/server/lib/saml-utils.js +++ b/spid-validator/server/lib/saml-utils.js @@ -551,7 +551,7 @@ class RequestParser { AttributeConsumingServiceIndex() { // only for type 1 let doc = new DOMParser().parseFromString(this.request.xml); let requestAttributeConsumingServiceIndex = select("//samlp:AuthnRequest", doc)[0]; - if(requestAttributeConsumingServiceIndex!=null) requestAttributeConsumingServiceIndex = requestAttributeConsumingServiceIndex.getAttribute("AttributeConsumingServiceIndex") + if(requestAssertionConsumerServiceIndex!=null && (requestAssertionConsumerServiceIndex == 99 || requestAssertionConsumerServiceIndex == 100)) requestAssertionConsumerServiceIndex = requestAssertionConsumerServiceIndex.getAttribute("AssertionConsumerServiceIndex") else requestAttributeConsumingServiceIndex = undefined; return requestAttributeConsumingServiceIndex; } diff --git a/spid-validator/server/lib/utils.js b/spid-validator/server/lib/utils.js index c669f14..92fe06f 100644 --- a/spid-validator/server/lib/utils.js +++ b/spid-validator/server/lib/utils.js @@ -70,7 +70,7 @@ class Utils { }); } - static metadataCheck(test, dir, profile, config, prod) { + static metadataCheck(test, dir, profile, config, prod, isEidas) { return new Promise((resolve, reject) => { let cmd; let dirpath = config_dir["DATA"] + "/" + dir; @@ -80,6 +80,8 @@ class Utils { cmd += " --profile " + profile; cmd += " --debug ERROR"; if(prod) cmd += " --production"; + if(isEidas) cmd += " --profile ficep-eidas-sp "; + let reportfile = ""; switch(test) { diff --git a/spid-validator/server/package.json b/spid-validator/server/package.json index 3a8df0e..4c8bd5d 100644 --- a/spid-validator/server/package.json +++ b/spid-validator/server/package.json @@ -1,6 +1,6 @@ { "name": "spid-validator", - "version": "1.9.6", + "version": "1.9.6", "description": "Tool for validating Service Provider compliance to SPID response from Identity Provider", "main": "spid-validator", "author": "Michele D'Amico (damikael) - AgID", From a3211e749b6c27b72215000f1fe4df9294550f8b Mon Sep 17 00:00:00 2001 From: "luca.malatini" Date: Thu, 7 Sep 2023 16:45:13 +0200 Subject: [PATCH 02/14] Added check for AssertionConsumerServiceIndex --- spid-validator/client/src/services.js | 5 +++-- spid-validator/client/src/views/RequestCheck/RequestCheck.js | 1 + spid-validator/server/api/request.js | 4 ++++ spid-validator/server/lib/saml-utils.js | 2 +- 4 files changed, 9 insertions(+), 3 deletions(-) diff --git a/spid-validator/client/src/services.js b/spid-validator/client/src/services.js index e451cdf..70e05dc 100644 --- a/spid-validator/client/src/services.js +++ b/spid-validator/client/src/services.js @@ -199,10 +199,11 @@ class MainService { }); } - checkRequest(test, production, callback_response, callback_error) { + checkRequest(test, production, eidas, callback_response, callback_error) { Utility.log("GET /api/request/check/" + test); axios.get('/api/request/check/' + test + - '?production=' + (production? 'Y':'N') + + '?production=' + (production? 'Y':'N') + + '?eidas=' + (eidas? true : false) + '&apikey=' + Utility.getApikey(), {timeout: 900000}) .then(function(response) { Utility.log("checkRequest Success", response.data); diff --git a/spid-validator/client/src/views/RequestCheck/RequestCheck.js b/spid-validator/client/src/views/RequestCheck/RequestCheck.js index 2308826..6a326dd 100644 --- a/spid-validator/client/src/views/RequestCheck/RequestCheck.js +++ b/spid-validator/client/src/views/RequestCheck/RequestCheck.js @@ -72,6 +72,7 @@ class RequestCheck extends Component { service.checkRequest( this.state.test, this.state.production, + this.state.eidas, (check) => { Utility.blockUI(false); let report = null; diff --git a/spid-validator/server/api/request.js b/spid-validator/server/api/request.js index 294c98a..fec92ed 100644 --- a/spid-validator/server/api/request.js +++ b/spid-validator/server/api/request.js @@ -63,6 +63,7 @@ module.exports = function(app, checkAuthorisation, getEntityDir, database) { app.get("/api/request/check/:test", function(req, res) { // check if apikey is correct + let eidas = req.query.eidas; let authorisation = checkAuthorisation(req); if(!authorisation) { error = {code: 401, msg: "Unauthorized"}; @@ -70,6 +71,9 @@ module.exports = function(app, checkAuthorisation, getEntityDir, database) { return null; } + if(authorisation=='API' && !req.body.assertion_consumer_service_index && + eidas && (assertion_consumer_service_index == 99 || assertion_consumer_service_index == 100)) + { return res.status(400).send("Parameter assertion_consumer_service_index must be 99 or 100"); } if(authorisation=='API' && !req.body.user) { return res.status(400).send("Parameter user is missing"); } if(authorisation=='API' && !req.body.request) { return res.status(400).send("Parameter request is missing"); } if(authorisation=='API' && !req.body.issuer) { return res.status(400).send("Parameter issuer is missing"); } diff --git a/spid-validator/server/lib/saml-utils.js b/spid-validator/server/lib/saml-utils.js index 4415da9..1d8ef67 100644 --- a/spid-validator/server/lib/saml-utils.js +++ b/spid-validator/server/lib/saml-utils.js @@ -551,7 +551,7 @@ class RequestParser { AttributeConsumingServiceIndex() { // only for type 1 let doc = new DOMParser().parseFromString(this.request.xml); let requestAttributeConsumingServiceIndex = select("//samlp:AuthnRequest", doc)[0]; - if(requestAssertionConsumerServiceIndex!=null && (requestAssertionConsumerServiceIndex == 99 || requestAssertionConsumerServiceIndex == 100)) requestAssertionConsumerServiceIndex = requestAssertionConsumerServiceIndex.getAttribute("AssertionConsumerServiceIndex") + if(requestAssertionConsumingServiceIndex!=null) requestAssertionConsumingServiceIndex = requestAssertionConsumingServiceIndex.getAttribute("AssertionConsumingServiceIndex") else requestAttributeConsumingServiceIndex = undefined; return requestAttributeConsumingServiceIndex; } From 63780973b133aecbe353ec70002489582d64436b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 25 Oct 2023 14:00:05 +0000 Subject: [PATCH 03/14] Bump webpack-dev-server from 2.9.7 to 3.1.11 in /spid-validator/client Bumps [webpack-dev-server](https://github.com/webpack/webpack-dev-server) from 2.9.7 to 3.1.11. - [Release notes](https://github.com/webpack/webpack-dev-server/releases) - [Changelog](https://github.com/webpack/webpack-dev-server/blob/master/CHANGELOG.md) - [Commits](https://github.com/webpack/webpack-dev-server/compare/v2.9.7...v3.1.11) --- updated-dependencies: - dependency-name: webpack-dev-server dependency-type: direct:development ... Signed-off-by: dependabot[bot] --- spid-validator/client/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spid-validator/client/package.json b/spid-validator/client/package.json index 659bcc3..bb28f4d 100644 --- a/spid-validator/client/package.json +++ b/spid-validator/client/package.json @@ -27,7 +27,7 @@ "uglify-js": "3.3.7", "url-loader": "0.6.2", "webpack": "3.10.0", - "webpack-dev-server": "2.9.7" + "webpack-dev-server": "3.1.11" }, "dependencies": { "axios": "^0.19.0", From 1ccc475ec6a41a86eb1d31ad8070145db3daa89c Mon Sep 17 00:00:00 2001 From: damikael Date: Thu, 26 Oct 2023 12:39:24 +0200 Subject: [PATCH 04/14] fix: spid-sp-test unhandled exceptions --- spid-validator/server/lib/utils.js | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/spid-validator/server/lib/utils.js b/spid-validator/server/lib/utils.js index bffdf45..e5de371 100644 --- a/spid-validator/server/lib/utils.js +++ b/spid-validator/server/lib/utils.js @@ -100,11 +100,20 @@ class Utils { console.log("[STDOUT] " + stdout); console.log("[STDERR] " + stderr); + /* if(!fs.existsSync(reportfile)) { return reject(err? stderr:stdout); } return resolve(stdout); + */ + + if(err!=null && err!='' && stderr!=null && stderr!='') { + return resolve(stdout); + } else { + return reject(stderr? stderr:stdout); + } + }); } catch(e) { return reject("Si è verificato un errore durante l'esecuzione di spid-sp-test: " + e.message); From aef2bf790f4df5e0dbd0086a4a4869fae5d199b6 Mon Sep 17 00:00:00 2001 From: damikael Date: Thu, 26 Oct 2023 16:11:54 +0200 Subject: [PATCH 05/14] fix: revert spid-sp-test handling --- spid-validator/server/lib/utils.js | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/spid-validator/server/lib/utils.js b/spid-validator/server/lib/utils.js index e5de371..90024da 100644 --- a/spid-validator/server/lib/utils.js +++ b/spid-validator/server/lib/utils.js @@ -100,19 +100,20 @@ class Utils { console.log("[STDOUT] " + stdout); console.log("[STDERR] " + stderr); - /* + if(!fs.existsSync(reportfile)) { return reject(err? stderr:stdout); } return resolve(stdout); - */ - + + /* if(err!=null && err!='' && stderr!=null && stderr!='') { return resolve(stdout); } else { return reject(stderr? stderr:stdout); } + */ }); } catch(e) { From ce7291fb54f75dc94b38a45a9c008ebdc620975c Mon Sep 17 00:00:00 2001 From: Michele D'Amico Date: Sat, 11 Nov 2023 15:39:28 +0100 Subject: [PATCH 06/14] add npm-shrinkwrap.json fix #253 --- spid-validator/server/npm-shrinkwrap.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 spid-validator/server/npm-shrinkwrap.json diff --git a/spid-validator/server/npm-shrinkwrap.json b/spid-validator/server/npm-shrinkwrap.json new file mode 100644 index 0000000..00b93ec --- /dev/null +++ b/spid-validator/server/npm-shrinkwrap.json @@ -0,0 +1,7 @@ +{ + "dependencies": { + "graceful-fs": { + "version": "4.2.2" + } + } +} From a4ccd81a9fdbc6e82f8355432f0a994984f6332a Mon Sep 17 00:00:00 2001 From: Michele D'Amico Date: Sat, 11 Nov 2023 15:44:16 +0100 Subject: [PATCH 07/14] del npm-shrinkwrap.json --- spid-validator/server/npm-shrinkwrap.json | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 spid-validator/server/npm-shrinkwrap.json diff --git a/spid-validator/server/npm-shrinkwrap.json b/spid-validator/server/npm-shrinkwrap.json deleted file mode 100644 index 00b93ec..0000000 --- a/spid-validator/server/npm-shrinkwrap.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "dependencies": { - "graceful-fs": { - "version": "4.2.2" - } - } -} From fb94628ad83a789fb90ad9edec09a30a2a3ff49d Mon Sep 17 00:00:00 2001 From: damikael Date: Mon, 13 Nov 2023 10:41:36 +0000 Subject: [PATCH 08/14] fix: xss vulnerability --- spid-validator/server/app/idp_demo.js | 6 ++++++ spid-validator/server/lib/saml-utils.js | 14 ++++++++++++++ spid-validator/server/package.json | 2 +- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/spid-validator/server/app/idp_demo.js b/spid-validator/server/app/idp_demo.js index b4801c3..d372276 100644 --- a/spid-validator/server/app/idp_demo.js +++ b/spid-validator/server/app/idp_demo.js @@ -649,6 +649,12 @@ module.exports = function(app, checkAuthorisation, getEntityDir, sendLogoutRespo assertionConsumerURL = metadataParser.getAssertionConsumerServiceURL(assertionConsumerIndex); } + // if no valid AssertionConsumerURL return error + let existsAssertionConsumerServiceURL = metadataParser.existsAssertionConsumerServiceURL(assertionConsumerURL); + if(!existsAssertionConsumerServiceURL) { + return res.status(400).send("AssertionConsumerServiceURL not valid"); + } + // defaults let defaults = []; defaults = Utility.defaultParam(defaults, "Issuer", config_demo.entityID); diff --git a/spid-validator/server/lib/saml-utils.js b/spid-validator/server/lib/saml-utils.js index 99c62a1..d5936fa 100644 --- a/spid-validator/server/lib/saml-utils.js +++ b/spid-validator/server/lib/saml-utils.js @@ -169,6 +169,20 @@ class MetadataParser { return serviceProviderEntityId; } + existsAssertionConsumerServiceURL(url) { + let exists = false; + let doc = new DOMParser().parseFromString(this.metadata.xml); + let acs = select("//md:EntityDescriptor/md:SPSSODescriptor/md:AssertionConsumerService", doc); + for(let i in acs) { + let acsLocation = acs[i].getAttribute("Location"); + if(acsLocation==url) { + exists = true; + break; + } + } + return exists; + } + getAssertionConsumerServiceURL(index) { let assertionConsumerServiceURL = null; let doc = new DOMParser().parseFromString(this.metadata.xml); diff --git a/spid-validator/server/package.json b/spid-validator/server/package.json index edf2bfe..ab1f5c9 100644 --- a/spid-validator/server/package.json +++ b/spid-validator/server/package.json @@ -1,6 +1,6 @@ { "name": "spid-validator", - "version": "1.10.2", + "version": "1.10.4", "description": "Tool for validating Service Provider compliance to SPID response from Identity Provider", "main": "spid-validator", "author": "Michele D'Amico (damikael) - AgID", From 289117e493f5300af8895f5014b0ae288126c2f1 Mon Sep 17 00:00:00 2001 From: damikael Date: Mon, 13 Nov 2023 10:52:21 +0000 Subject: [PATCH 09/14] Revert "fix: xss vulnerability" This reverts commit fb94628ad83a789fb90ad9edec09a30a2a3ff49d. --- spid-validator/server/app/idp_demo.js | 6 ------ spid-validator/server/lib/saml-utils.js | 14 -------------- spid-validator/server/package.json | 2 +- 3 files changed, 1 insertion(+), 21 deletions(-) diff --git a/spid-validator/server/app/idp_demo.js b/spid-validator/server/app/idp_demo.js index d372276..b4801c3 100644 --- a/spid-validator/server/app/idp_demo.js +++ b/spid-validator/server/app/idp_demo.js @@ -649,12 +649,6 @@ module.exports = function(app, checkAuthorisation, getEntityDir, sendLogoutRespo assertionConsumerURL = metadataParser.getAssertionConsumerServiceURL(assertionConsumerIndex); } - // if no valid AssertionConsumerURL return error - let existsAssertionConsumerServiceURL = metadataParser.existsAssertionConsumerServiceURL(assertionConsumerURL); - if(!existsAssertionConsumerServiceURL) { - return res.status(400).send("AssertionConsumerServiceURL not valid"); - } - // defaults let defaults = []; defaults = Utility.defaultParam(defaults, "Issuer", config_demo.entityID); diff --git a/spid-validator/server/lib/saml-utils.js b/spid-validator/server/lib/saml-utils.js index 9f9b851..1d8ef67 100644 --- a/spid-validator/server/lib/saml-utils.js +++ b/spid-validator/server/lib/saml-utils.js @@ -169,20 +169,6 @@ class MetadataParser { return serviceProviderEntityId; } - existsAssertionConsumerServiceURL(url) { - let exists = false; - let doc = new DOMParser().parseFromString(this.metadata.xml); - let acs = select("//md:EntityDescriptor/md:SPSSODescriptor/md:AssertionConsumerService", doc); - for(let i in acs) { - let acsLocation = acs[i].getAttribute("Location"); - if(acsLocation==url) { - exists = true; - break; - } - } - return exists; - } - getAssertionConsumerServiceURL(index) { let assertionConsumerServiceURL = null; let doc = new DOMParser().parseFromString(this.metadata.xml); diff --git a/spid-validator/server/package.json b/spid-validator/server/package.json index ab1f5c9..edf2bfe 100644 --- a/spid-validator/server/package.json +++ b/spid-validator/server/package.json @@ -1,6 +1,6 @@ { "name": "spid-validator", - "version": "1.10.4", + "version": "1.10.2", "description": "Tool for validating Service Provider compliance to SPID response from Identity Provider", "main": "spid-validator", "author": "Michele D'Amico (damikael) - AgID", From b191ad88c8652dc827aacc9c6edf11e3ac71fb4b Mon Sep 17 00:00:00 2001 From: damikael Date: Mon, 13 Nov 2023 10:58:51 +0000 Subject: [PATCH 10/14] Revert "Revert "fix: xss vulnerability"" This reverts commit 289117e493f5300af8895f5014b0ae288126c2f1. --- spid-validator/server/app/idp_demo.js | 6 ++++++ spid-validator/server/lib/saml-utils.js | 14 ++++++++++++++ spid-validator/server/package.json | 2 +- 3 files changed, 21 insertions(+), 1 deletion(-) diff --git a/spid-validator/server/app/idp_demo.js b/spid-validator/server/app/idp_demo.js index b4801c3..d372276 100644 --- a/spid-validator/server/app/idp_demo.js +++ b/spid-validator/server/app/idp_demo.js @@ -649,6 +649,12 @@ module.exports = function(app, checkAuthorisation, getEntityDir, sendLogoutRespo assertionConsumerURL = metadataParser.getAssertionConsumerServiceURL(assertionConsumerIndex); } + // if no valid AssertionConsumerURL return error + let existsAssertionConsumerServiceURL = metadataParser.existsAssertionConsumerServiceURL(assertionConsumerURL); + if(!existsAssertionConsumerServiceURL) { + return res.status(400).send("AssertionConsumerServiceURL not valid"); + } + // defaults let defaults = []; defaults = Utility.defaultParam(defaults, "Issuer", config_demo.entityID); diff --git a/spid-validator/server/lib/saml-utils.js b/spid-validator/server/lib/saml-utils.js index 1d8ef67..9f9b851 100644 --- a/spid-validator/server/lib/saml-utils.js +++ b/spid-validator/server/lib/saml-utils.js @@ -169,6 +169,20 @@ class MetadataParser { return serviceProviderEntityId; } + existsAssertionConsumerServiceURL(url) { + let exists = false; + let doc = new DOMParser().parseFromString(this.metadata.xml); + let acs = select("//md:EntityDescriptor/md:SPSSODescriptor/md:AssertionConsumerService", doc); + for(let i in acs) { + let acsLocation = acs[i].getAttribute("Location"); + if(acsLocation==url) { + exists = true; + break; + } + } + return exists; + } + getAssertionConsumerServiceURL(index) { let assertionConsumerServiceURL = null; let doc = new DOMParser().parseFromString(this.metadata.xml); diff --git a/spid-validator/server/package.json b/spid-validator/server/package.json index edf2bfe..ab1f5c9 100644 --- a/spid-validator/server/package.json +++ b/spid-validator/server/package.json @@ -1,6 +1,6 @@ { "name": "spid-validator", - "version": "1.10.2", + "version": "1.10.4", "description": "Tool for validating Service Provider compliance to SPID response from Identity Provider", "main": "spid-validator", "author": "Michele D'Amico (damikael) - AgID", From 03f46deb82c834a09ef6205dcf0f0f3d4c3f89f5 Mon Sep 17 00:00:00 2001 From: damikael Date: Mon, 13 Nov 2023 11:00:19 +0000 Subject: [PATCH 11/14] Revert "Merge branch 'dev' into fix-xss" This reverts commit 1c0652a0ac435ded13575f3ca552d396ba8ae6e6, reversing changes made to fb94628ad83a789fb90ad9edec09a30a2a3ff49d. --- Dockerfile | 2 +- spid-validator/client/package.json | 2 +- spid-validator/client/src/services.js | 5 +- .../views/MetadataSpCheck/MetadataSpCheck.js | 7 +- .../client/src/views/MetadataSpCheck/view.js | 313 ++++++------------ .../src/views/RequestCheck/RequestCheck.js | 8 +- .../client/src/views/RequestCheck/view.js | 285 ++++++---------- spid-validator/config/api.json | 2 +- spid-validator/config/server.json | 2 +- spid-validator/server/api/metadata-sp.js | 3 +- spid-validator/server/api/request.js | 4 - spid-validator/server/lib/saml-utils.js | 2 +- spid-validator/server/lib/utils.js | 14 +- ...wrap.json => npm-shrinkwrap.json-original} | 14 +- 14 files changed, 225 insertions(+), 438 deletions(-) rename spid-validator/server/{npm-shrinkwrap.json => npm-shrinkwrap.json-original} (92%) diff --git a/Dockerfile b/Dockerfile index 8c68883..4414501 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM node:14 +FROM node:12-bullseye-slim # Metadata params ARG BUILD_DATE diff --git a/spid-validator/client/package.json b/spid-validator/client/package.json index bb28f4d..659bcc3 100644 --- a/spid-validator/client/package.json +++ b/spid-validator/client/package.json @@ -27,7 +27,7 @@ "uglify-js": "3.3.7", "url-loader": "0.6.2", "webpack": "3.10.0", - "webpack-dev-server": "3.1.11" + "webpack-dev-server": "2.9.7" }, "dependencies": { "axios": "^0.19.0", diff --git a/spid-validator/client/src/services.js b/spid-validator/client/src/services.js index c061ed6..ecdce1a 100644 --- a/spid-validator/client/src/services.js +++ b/spid-validator/client/src/services.js @@ -232,11 +232,10 @@ class MainService { }); } - checkRequest(test, production, eidas, callback_response, callback_error) { + checkRequest(test, production, callback_response, callback_error) { Utility.log("GET /api/request/check/" + test); axios.get('/api/request/check/' + test + - '?production=' + (production? 'Y':'N') + - '?eidas=' + (eidas? true : false) + + '?production=' + (production? 'Y':'N') + '&apikey=' + Utility.getApikey(), {timeout: 900000}) .then(function(response) { Utility.log("checkRequest Success", response.data); diff --git a/spid-validator/client/src/views/MetadataSpCheck/MetadataSpCheck.js b/spid-validator/client/src/views/MetadataSpCheck/MetadataSpCheck.js index 3687866..e04918d 100644 --- a/spid-validator/client/src/views/MetadataSpCheck/MetadataSpCheck.js +++ b/spid-validator/client/src/views/MetadataSpCheck/MetadataSpCheck.js @@ -20,8 +20,7 @@ class MetadataSpCheck extends Component { detailview: false, deprecable: false, deprecated: false, - production: false, - eidas: true + production: false }; } @@ -136,10 +135,6 @@ class MetadataSpCheck extends Component { }); } - setEidas() { - this.setState({ eidas: !this.state.eidas }); - } - print() { Utility.print("metadata-" + this.state.test); } diff --git a/spid-validator/client/src/views/MetadataSpCheck/view.js b/spid-validator/client/src/views/MetadataSpCheck/view.js index 0b5d13a..a03f125 100644 --- a/spid-validator/client/src/views/MetadataSpCheck/view.js +++ b/spid-validator/client/src/views/MetadataSpCheck/view.js @@ -3,219 +3,124 @@ import { UncontrolledTooltip } from 'reactstrap'; import BlockUi from 'react-block-ui'; import AceEditor from '../../components/AceEditor/'; import './switches.css'; -import './style.css'; +import "./style.css"; -function view(me) { - return ( -
-

Metadata Service Provider Report

-

- Data Validazione: {me.state.report_datetime} -

-
- {!me.state.detailview && ( -
- {me.state.report != null && ( -
-
-

- Check{' '} - - {me.state.test} - -

- {me.state.report_profile != null && ( -

- Profilo {me.state.report_profile} -

- )} +function view(me) { + return ( +
+

Metadata Service Provider Report

+

Data Validazione: {me.state.report_datetime}

+
- {me.state.report.map((t, i) => { - return ( - - {' '} - {i} - - ); - })} -
-
- )} -
- )} + {!me.state.detailview && +
+ {me.state.report!=null && +
+
+

Check {me.state.test}

+ {me.state.report_profile!=null &&

Profilo {me.state.report_profile}

} + + {me.state.report.map((t, i)=> { + return( + {i} + + ); + })} - {me.state.detailview && ( -
- {me.state.report != null && ( -
-
-

- Check{' '} - - {me.state.test} - -

- {me.state.report_profile != null && ( -

- Profilo {me.state.report_profile} -

- )} +
+
+ } +
+ } - - - - - - - {me.state.report.map((t, i) => { - return ( - - - - - - ); - })} -
#TestTest Result
- {i} - {t.test} - {t.result + (t.value ? ' - value: ' + t.value : '')} -
-
-
- )} -
- )} + {me.state.detailview && +
+ {me.state.report!=null && +
+
+

Check {me.state.test}

+ {me.state.report_profile!=null &&

Profilo {me.state.report_profile}

} + + + + + + + + {me.state.report.map((t, i)=> { + return( + + + + + + ); + })} +
#TestTest Result
{i}{t.test} + {t.result + (t.value? " - value: " + t.value : "")} +
+
+
+ } +
+ } -
-
-
- - Visualizzazione dettaglio -
- {me.state.deprecable && ( -
- - Metadata deprecato (pre Avviso n.29) -
-
- )} +
+
+
+ + Visualizzazione dettaglio +
-
-
- -
- -
-
-
+ {me.state.deprecable && +
+ + Metadata deprecato (pre Avviso n.29) +
+
+ } -
- - Check per Produzione -
-
+
+ + Check per Produzione +
+
- - -
-
+ + +
+
+
+
-
-
- ); + ); } -export default view; +export default view; diff --git a/spid-validator/client/src/views/RequestCheck/RequestCheck.js b/spid-validator/client/src/views/RequestCheck/RequestCheck.js index 6a326dd..64ea135 100644 --- a/spid-validator/client/src/views/RequestCheck/RequestCheck.js +++ b/spid-validator/client/src/views/RequestCheck/RequestCheck.js @@ -18,8 +18,7 @@ class RequestCheck extends Component { report_datetime: null, report_profile: null, detailview: false, - production: false, - eidas: true + production: false }; } @@ -72,7 +71,6 @@ class RequestCheck extends Component { service.checkRequest( this.state.test, this.state.production, - this.state.eidas, (check) => { Utility.blockUI(false); let report = null; @@ -116,10 +114,6 @@ class RequestCheck extends Component { }); } - setEidas() { - this.setState({ eidas: !this.state.eidas }); - } - print() { Utility.print("request-" + this.state.test); } diff --git a/spid-validator/client/src/views/RequestCheck/view.js b/spid-validator/client/src/views/RequestCheck/view.js index a98086a..dac41b9 100644 --- a/spid-validator/client/src/views/RequestCheck/view.js +++ b/spid-validator/client/src/views/RequestCheck/view.js @@ -2,203 +2,114 @@ import React from 'react'; import { UncontrolledTooltip } from 'reactstrap'; import BlockUi from 'react-block-ui'; import AceEditor from '../../components/AceEditor/'; -import './style.css'; +import "./style.css"; -function view(me) { - return ( -
-

Request Report

-

- Data Validazione: {me.state.report_datetime} -

-
- {!me.state.detailview && ( -
- {me.state.report != null && ( -
-
-

- Check{' '} - - {me.state.test} - -

- {me.state.report_profile != null && ( -

- Profilo {me.state.report_profile} -

- )} +function view(me) { + return ( +
+

Request Report

+

Data Validazione: {me.state.report_datetime}

+
- {me.state.report.map((t, i) => { - return ( - + {me.state.report!=null && + } - title={t.test + (t.value ? ': ' + t.value : '')} - > - {' '} - {i} - - ); - })} -
-
- )} -
- )} +
+ } - {me.state.detailview && ( -
- {me.state.report != null && ( -
-
-

- Check{' '} - - {me.state.test} - -

- {me.state.report_profile != null && ( -

- Profilo {me.state.report_profile} -

- )} + {me.state.detailview && +
+ {me.state.report!=null && +
+
+

Check {me.state.test}

+ {me.state.report_profile!=null &&

Profilo {me.state.report_profile}

} + + + + + + + + {me.state.report.map((t, i)=> { + return( + + + + + + ); + })} +
#TestTest Result
{i}{t.test} + {t.result + (t.value? " - value: " + t.value : "")} +
+
+
+ } +
+ } - - - - - - - {me.state.report.map((t, i) => { - return ( - - - - - - ); - })} -
#TestTest Result
- {i} - {t.test} - {t.result + (t.value ? ' - value: ' + t.value : '')} -
-
-
- )} -
- )} -
-
-
-
- - Visualizzazione dettaglio -
-
+
+
+
-
-
- -
- -
-
-
+
+ + Visualizzazione dettaglio +
+
+ +
+ + Check per Produzione +
+
-
- - Check per Produzione -
-
+ + +
+
+
- -
-
-
-
- ); + ); } -export default view; +export default view; diff --git a/spid-validator/config/api.json b/spid-validator/config/api.json index 4d607c2..1797133 100644 --- a/spid-validator/config/api.json +++ b/spid-validator/config/api.json @@ -1,3 +1,3 @@ { - "df7da94d-cc42-4cf4-9fb2-9e7d542ab5cd#accenture": "c952c1b6-763d-4244-a5e7-8529e40847e9" + } diff --git a/spid-validator/config/server.json b/spid-validator/config/server.json index 1a5c2a5..402ad93 100644 --- a/spid-validator/config/server.json +++ b/spid-validator/config/server.json @@ -2,7 +2,7 @@ "host": "https://localhost", "port": 8443, "useProxy": false, - "useHttps": false, + "useHttps": true, "httpsPrivateKey": "./config/spid-saml-check.key", "httpsCertificate": "./config/spid-saml-check.crt" } diff --git a/spid-validator/server/api/metadata-sp.js b/spid-validator/server/api/metadata-sp.js index 35b784f..7dea3a0 100644 --- a/spid-validator/server/api/metadata-sp.js +++ b/spid-validator/server/api/metadata-sp.js @@ -432,7 +432,6 @@ module.exports = function(app, checkAuthorisation, getEntityDir, database) { let deprecated = (req.query.deprecated=='Y')? true : false; let production = (req.query.production=='Y')? true : false; - let isEidas = (req.query.eidas==true)? true : false; if(!fs.existsSync(config_dir.DATA)) return res.render('warning', { message: "Directory " + config_dir.DATA + " is not found. Please create it and reload." }); @@ -456,7 +455,7 @@ module.exports = function(app, checkAuthorisation, getEntityDir, database) { } if(file!=null) { - Utility.metadataCheck(cmd, entity_id.normalize(), profile, config_idp, production, isEidas).then( + Utility.metadataCheck(cmd, entity_id.normalize(), profile, config_idp, production).then( (out) => { try { let report = fs.readFileSync(file, "utf8"); diff --git a/spid-validator/server/api/request.js b/spid-validator/server/api/request.js index fec92ed..294c98a 100644 --- a/spid-validator/server/api/request.js +++ b/spid-validator/server/api/request.js @@ -63,7 +63,6 @@ module.exports = function(app, checkAuthorisation, getEntityDir, database) { app.get("/api/request/check/:test", function(req, res) { // check if apikey is correct - let eidas = req.query.eidas; let authorisation = checkAuthorisation(req); if(!authorisation) { error = {code: 401, msg: "Unauthorized"}; @@ -71,9 +70,6 @@ module.exports = function(app, checkAuthorisation, getEntityDir, database) { return null; } - if(authorisation=='API' && !req.body.assertion_consumer_service_index && - eidas && (assertion_consumer_service_index == 99 || assertion_consumer_service_index == 100)) - { return res.status(400).send("Parameter assertion_consumer_service_index must be 99 or 100"); } if(authorisation=='API' && !req.body.user) { return res.status(400).send("Parameter user is missing"); } if(authorisation=='API' && !req.body.request) { return res.status(400).send("Parameter request is missing"); } if(authorisation=='API' && !req.body.issuer) { return res.status(400).send("Parameter issuer is missing"); } diff --git a/spid-validator/server/lib/saml-utils.js b/spid-validator/server/lib/saml-utils.js index 9f9b851..d5936fa 100644 --- a/spid-validator/server/lib/saml-utils.js +++ b/spid-validator/server/lib/saml-utils.js @@ -565,7 +565,7 @@ class RequestParser { AttributeConsumingServiceIndex() { // only for type 1 let doc = new DOMParser().parseFromString(this.request.xml); let requestAttributeConsumingServiceIndex = select("//samlp:AuthnRequest", doc)[0]; - if(requestAssertionConsumingServiceIndex!=null) requestAssertionConsumingServiceIndex = requestAssertionConsumingServiceIndex.getAttribute("AssertionConsumingServiceIndex") + if(requestAttributeConsumingServiceIndex!=null) requestAttributeConsumingServiceIndex = requestAttributeConsumingServiceIndex.getAttribute("AttributeConsumingServiceIndex") else requestAttributeConsumingServiceIndex = undefined; return requestAttributeConsumingServiceIndex; } diff --git a/spid-validator/server/lib/utils.js b/spid-validator/server/lib/utils.js index 039cb58..bffdf45 100644 --- a/spid-validator/server/lib/utils.js +++ b/spid-validator/server/lib/utils.js @@ -70,7 +70,7 @@ class Utils { }); } - static metadataCheck(test, dir, profile, config, prod, isEidas) { + static metadataCheck(test, dir, profile, config, prod) { return new Promise((resolve, reject) => { let cmd; let dirpath = config_dir["DATA"] + "/" + dir; @@ -80,8 +80,6 @@ class Utils { cmd += " --profile " + profile; cmd += " --debug ERROR"; if(prod) cmd += " --production"; - if(isEidas) cmd += " --profile ficep-eidas-sp "; - let reportfile = ""; switch(test) { @@ -102,21 +100,11 @@ class Utils { console.log("[STDOUT] " + stdout); console.log("[STDERR] " + stderr); - if(!fs.existsSync(reportfile)) { return reject(err? stderr:stdout); } return resolve(stdout); - - /* - if(err!=null && err!='' && stderr!=null && stderr!='') { - return resolve(stdout); - } else { - return reject(stderr? stderr:stdout); - } - */ - }); } catch(e) { return reject("Si è verificato un errore durante l'esecuzione di spid-sp-test: " + e.message); diff --git a/spid-validator/server/npm-shrinkwrap.json b/spid-validator/server/npm-shrinkwrap.json-original similarity index 92% rename from spid-validator/server/npm-shrinkwrap.json rename to spid-validator/server/npm-shrinkwrap.json-original index 00b93ec..8ffd64e 100644 --- a/spid-validator/server/npm-shrinkwrap.json +++ b/spid-validator/server/npm-shrinkwrap.json-original @@ -1,7 +1,7 @@ -{ - "dependencies": { - "graceful-fs": { - "version": "4.2.2" - } - } -} +{ + "dependencies": { + "graceful-fs": { + "version": "4.2.2" + } + } +} \ No newline at end of file From 1f8ea949a4371c24932d02850b62c87e83e54deb Mon Sep 17 00:00:00 2001 From: damikael Date: Mon, 13 Nov 2023 11:24:45 +0000 Subject: [PATCH 12/14] upd Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4414501..8c68883 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM node:12-bullseye-slim +FROM node:14 # Metadata params ARG BUILD_DATE From f8464f5e20fef06ae1527766d194803a283d7894 Mon Sep 17 00:00:00 2001 From: Michele D'Amico Date: Mon, 13 Nov 2023 12:27:17 +0100 Subject: [PATCH 13/14] add npm-shrinkwrap.json --- spid-validator/server/npm-shrinkwrap.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 spid-validator/server/npm-shrinkwrap.json diff --git a/spid-validator/server/npm-shrinkwrap.json b/spid-validator/server/npm-shrinkwrap.json new file mode 100644 index 0000000..00b93ec --- /dev/null +++ b/spid-validator/server/npm-shrinkwrap.json @@ -0,0 +1,7 @@ +{ + "dependencies": { + "graceful-fs": { + "version": "4.2.2" + } + } +} From 0fc98a22048cfe04ed0bfff95201378ffe83dfa1 Mon Sep 17 00:00:00 2001 From: Michele D'Amico Date: Mon, 13 Nov 2023 12:27:36 +0100 Subject: [PATCH 14/14] del spid-validator/server/npm-shrinkwrap.json-original --- spid-validator/server/npm-shrinkwrap.json-original | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 spid-validator/server/npm-shrinkwrap.json-original diff --git a/spid-validator/server/npm-shrinkwrap.json-original b/spid-validator/server/npm-shrinkwrap.json-original deleted file mode 100644 index 8ffd64e..0000000 --- a/spid-validator/server/npm-shrinkwrap.json-original +++ /dev/null @@ -1,7 +0,0 @@ -{ - "dependencies": { - "graceful-fs": { - "version": "4.2.2" - } - } -} \ No newline at end of file