Fix #1840: Missing validation when updating callback configuration
romanstrobl committed Jan 28, 2025
1 parent 63959b2 commit 5f00811
Showing 1 changed file with 29 additions and 17 deletions.
Expand Up @@ -105,23 +105,7 @@ public CreateCallbackUrlResponse createCallbackUrl(CreateCallbackUrlRequest requ
throw localizationProvider.buildExceptionForCode(ServiceError.INVALID_APPLICATION);
}

if (request.getAuthentication() != null && request.getAuthentication().getCertificate() != null) {
final HttpAuthenticationPrivate.Certificate certificate = request.getAuthentication().getCertificate();
if (certificate.isUseCustomKeyStore() &&
StringUtils.hasText(certificate.getKeyStoreLocation()) &&
StringUtils.hasText(certificate.getKeyStoreContent())) {
logger.warn("Invalid keystore configuration for callback URL: {}", request.getCallbackUrl());
// Rollback is not required, error occurs before writing to database
throw localizationProvider.buildExceptionForCode(ServiceError.INVALID_REQUEST);
}
if (certificate.isUseCustomTrustStore() &&
StringUtils.hasText(certificate.getTrustStoreLocation()) &&
StringUtils.hasText(certificate.getTrustStoreContent())) {
logger.warn("Invalid truststore configuration for callback URL: {}", request.getCallbackUrl());
// Rollback is not required, error occurs before writing to database
throw localizationProvider.buildExceptionForCode(ServiceError.INVALID_REQUEST);
}
}
validateAuthenticationConfigRequest(request.getAuthentication(), request.getCallbackUrl());

final CallbackUrlEntity entity = new CallbackUrlEntity();
entity.setId(UUID.randomUUID().toString());
Expand Down Expand Up @@ -190,6 +174,8 @@ public UpdateCallbackUrlResponse updateCallbackUrl(UpdateCallbackUrlRequest requ
throw localizationProvider.buildExceptionForCode(ServiceError.INVALID_URL_FORMAT);
}

validateAuthenticationConfigRequest(request.getAuthentication(), request.getCallbackUrl());

entity.setName(request.getName());
entity.setCallbackUrl(request.getCallbackUrl());
entity.setAttributes(request.getAttributes());
Expand Down Expand Up @@ -525,4 +511,30 @@ private boolean isMaxAttemptsPositive(final CallbackUrlEntity callbackUrlEntity)
return callbackUrlEventService.obtainMaxAttempts(callbackUrlEntity) > 0;
}

/**
* Validate request so that the authentication configuration is valid.
* @param authentication Authentication.
* @param callbackUrl Callback URL.
* @throws GenericServiceException Thrown when request validation fails.
*/
private void validateAuthenticationConfigRequest(HttpAuthenticationPrivate authentication, String callbackUrl) throws GenericServiceException {
if (authentication != null && authentication.getCertificate() != null) {
HttpAuthenticationPrivate.Certificate certificate = authentication.getCertificate();

if (certificate.isUseCustomKeyStore() &&
StringUtils.hasText(certificate.getKeyStoreLocation()) &&
StringUtils.hasText(certificate.getKeyStoreContent())) {
logger.warn("Invalid keystore configuration for callback URL: {}", callbackUrl);
throw localizationProvider.buildExceptionForCode(ServiceError.INVALID_REQUEST);
}

if (certificate.isUseCustomTrustStore() &&
StringUtils.hasText(certificate.getTrustStoreLocation()) &&
StringUtils.hasText(certificate.getTrustStoreContent())) {
logger.warn("Invalid truststore configuration for callback URL: {}", callbackUrl);
throw localizationProvider.buildExceptionForCode(ServiceError.INVALID_REQUEST);
}
}
}

}
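Review bot: validateAuthenticationConfigRequest rejects only the case where both a location and inline content are given for the keystore or truststore; a request with `isUseCustomKeyStore()` true and neither `getKeyStoreLocation()` nor `getKeyStoreContent()` set still passes, and the same holds for the truststore branch. Unless a later layer checks this (not visible in these hunks), a callback could be stored with certificate authentication enabled but no usable key or trust material, so consider requiring exactly one source by rejecting when `StringUtils.hasText(certificate.getKeyStoreLocation()) == StringUtils.hasText(certificate.getKeyStoreContent())`. The warn messages would also be easier to act on if they named the reason, for example `"Keystore location and content are mutually exclusive, callback URL: {}"`. The extracted helper dropped the comment noting that the exception is thrown before anything is written; a line in the Javadoc such as `Must be called before the entity is modified or saved.` would keep that ordering requirement visible for both callers.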
