From a5daa20e3e8ef284c6f5a87e1cfdf0c4d5d21fc6 Mon Sep 17 00:00:00 2001 From: "Dr. Christoph \"Schorsch\" Jung" Date: Mon, 27 May 2024 12:29:01 +0200 Subject: [PATCH] fix: introduce url & header checking from the config. --- .../tractusx/agents/edc/AgentConfig.java | 38 ++++++++++++++++--- .../edc/http/DelegationServiceImpl.java | 11 +++--- 2 files changed, 38 insertions(+), 11 deletions(-) diff --git a/agent-plane/agent-plane-protocol/src/main/java/org/eclipse/tractusx/agents/edc/AgentConfig.java b/agent-plane/agent-plane-protocol/src/main/java/org/eclipse/tractusx/agents/edc/AgentConfig.java index 7842a4e..ce7cfaf 100644 --- a/agent-plane/agent-plane-protocol/src/main/java/org/eclipse/tractusx/agents/edc/AgentConfig.java +++ b/agent-plane/agent-plane-protocol/src/main/java/org/eclipse/tractusx/agents/edc/AgentConfig.java @@ -89,6 +89,10 @@ public class AgentConfig { public static final String SERVICE_DENY_ASSET_PROPERTY = "cx.agent.service.asset.deny"; public static final String DEFAULT_SERVICE_DENY_ASSET_PATTERN = "^$"; + public static final String SERVICE_ALLOW_CONNECTOR_PROPERTY = "cx.agent.service.connector.allow"; + public static final String DEFAULT_SERVICE_ALLOW_CONNECTOR_PATTERN = "https://.*"; + public static final String SERVICE_DENY_CONNECTOR_PROPERTY = "cx.agent.service.connector.deny"; + public static final String DEFAULT_SERVICE_DENY_CONNECTOR_PATTERN = "^$"; public static final String MATCHMAKING_URL = "cx.agent.matchmaking"; @@ -100,6 +104,11 @@ public class AgentConfig { protected final Pattern serviceAssetAllowPattern; protected final Pattern serviceAssetDenyPattern; protected static final Pattern ASSET_REFERENCE_PATTERN = Pattern.compile("((?[^#]+)#)?(?.+)"); + protected final Pattern connectorAllowPattern; + protected final Pattern connectorDenyPattern; + + public static final Pattern PARAMETER_KEY_ALLOW = Pattern.compile("^(?(?!asset$)[^&?=]+)$"); + public static final Pattern PARAMETER_VALUE_ALLOW = Pattern.compile("^(?[^&]+)$"); /** * references to EDC services @@ -120,6 +129,8 @@ public AgentConfig(Monitor monitor, Config config) { serviceDenyPattern = Pattern.compile(config.getString(SERVICE_DENY_PROPERTY, DEFAULT_SERVICE_DENY_PATTERN)); serviceAssetAllowPattern = Pattern.compile(config.getString(SERVICE_ALLOW_ASSET_PROPERTY, DEFAULT_SERVICE_ALLOW_ASSET_PATTERN)); serviceAssetDenyPattern = Pattern.compile(config.getString(SERVICE_DENY_ASSET_PROPERTY, DEFAULT_SERVICE_DENY_ASSET_PATTERN)); + connectorAllowPattern = Pattern.compile(config.getString(SERVICE_ALLOW_CONNECTOR_PROPERTY, DEFAULT_SERVICE_ALLOW_CONNECTOR_PATTERN)); + connectorDenyPattern = Pattern.compile(config.getString(SERVICE_DENY_CONNECTOR_PROPERTY, DEFAULT_SERVICE_DENY_CONNECTOR_PATTERN)); } /** @@ -172,7 +183,11 @@ public String getAccessPoint() { * @return uri of the control plane management endpoint (without concrete api) */ public String getControlPlaneManagementUrl() { - return config.getString(CONTROL_PLANE_MANAGEMENT, null); + String url = config.getString(CONTROL_PLANE_MANAGEMENT, null); + if (url != null && connectorAllowPattern.matcher(url).matches() && !connectorDenyPattern.matcher(url).matches()) { + return url; + } + return null; } /** @@ -181,7 +196,11 @@ public String getControlPlaneManagementUrl() { * @return uri of the control plane management endpoint (without concrete api) */ public String getControlPlaneManagementProviderUrl() { - return config.getString(CONTROL_PLANE_MANAGEMENT_PROVIDER, config.getString(CONTROL_PLANE_MANAGEMENT, null)); + String url = config.getString(CONTROL_PLANE_MANAGEMENT_PROVIDER, config.getString(CONTROL_PLANE_MANAGEMENT, null)); + if (url != null && connectorAllowPattern.matcher(url).matches() && !connectorDenyPattern.matcher(url).matches()) { + return url; + } + return null; } /** @@ -190,7 +209,11 @@ public String getControlPlaneManagementProviderUrl() { * @return uri of the control plane ids endpoint (without concrete api) */ public String getControlPlaneIdsUrl() { - return config.getString(CONTROL_PLANE_IDS, null); + String url = config.getString(CONTROL_PLANE_IDS, null); + if (url != null && connectorAllowPattern.matcher(url).matches() && !connectorDenyPattern.matcher(url).matches()) { + return url; + } + return null; } /** @@ -201,7 +224,7 @@ public String getControlPlaneIdsUrl() { public Map getControlPlaneManagementHeaders() { String key = config.getString(CONTROL_PLANE_AUTH_HEADER, "X-Api-Key"); String value = config.getString(CONTROL_PLANE_AUTH_VALUE, null); - if (key != null && value != null) { + if (key != null && PARAMETER_KEY_ALLOW.matcher(key).matches() && value != null && PARAMETER_VALUE_ALLOW.matcher(value).matches()) { return Map.of(key, value); } return Map.of(); @@ -397,7 +420,12 @@ public static Pattern getAssetReferencePattern() { * @return URL for Matchmaking Agent REST call */ public String getMatchmakingAgentUrl() { - return config.getString(MATCHMAKING_URL, null); + String url = config.getString(MATCHMAKING_URL, null); + if (url != null && connectorAllowPattern.matcher(url).matches() && !connectorDenyPattern.matcher(url).matches()) { + return url; + } + return null; + } } diff --git a/agent-plane/agent-plane-protocol/src/main/java/org/eclipse/tractusx/agents/edc/http/DelegationServiceImpl.java b/agent-plane/agent-plane-protocol/src/main/java/org/eclipse/tractusx/agents/edc/http/DelegationServiceImpl.java index 65bc927..a7dec39 100644 --- a/agent-plane/agent-plane-protocol/src/main/java/org/eclipse/tractusx/agents/edc/http/DelegationServiceImpl.java +++ b/agent-plane/agent-plane-protocol/src/main/java/org/eclipse/tractusx/agents/edc/http/DelegationServiceImpl.java @@ -180,12 +180,11 @@ public DelegationResponse sendPostRequest(EndpointDataReference dataReference, S requestBuilder.post(okhttp3.RequestBody.create(request.getInputStream().readAllBytes(), parsedContentType)); var newRequest = requestBuilder.build(); - + return new DelegationResponse(sendRequest(newRequest, response), Response.status(response.getStatus()).build()); } - protected static final Pattern PARAMETER_KEY_ALLOW = Pattern.compile("^(?(?!asset$)[^&?=]+)$"); - protected static final Pattern PARAMETER_VALUE_ALLOW = Pattern.compile("^(?[^&]+)$"); + /** * computes the url to target the given data plane @@ -210,11 +209,11 @@ protected HttpUrl getUrl(String connectorUrl, String subUrl, HttpHeaders headers HttpUrl.Builder httpBuilder = Objects.requireNonNull(okhttp3.HttpUrl.parse(url)).newBuilder(); for (Map.Entry> param : uri.getQueryParameters().entrySet()) { String key = param.getKey(); - Matcher keyMatcher = PARAMETER_KEY_ALLOW.matcher(key); + Matcher keyMatcher = AgentConfig.PARAMETER_KEY_ALLOW.matcher(key); if (keyMatcher.matches()) { String recodeKey = HttpUtils.urlEncodeParameter(keyMatcher.group("param")); for (String value : param.getValue()) { - Matcher valueMatcher = PARAMETER_VALUE_ALLOW.matcher(value); + Matcher valueMatcher = AgentConfig.PARAMETER_VALUE_ALLOW.matcher(value); if (valueMatcher.matches()) { String recodeValue = HttpUtils.urlEncodeParameter(valueMatcher.group("value")); httpBuilder = httpBuilder.addQueryParameter(recodeKey, recodeValue); @@ -248,7 +247,7 @@ protected String sendRequest(okhttp3.Request request, HttpServletResponse respon if (!myResponse.isSuccessful()) { monitor.warning(String.format("Data plane call was not successful: %s", myResponse.code())); } - + Optional> warnings = Optional.empty(); var body = myResponse.body();