Even more strict validation on issuerDn

iam-login-service/src/main/java/it/infn/mw/iam/api/requests/model/CertLinkRequestDTO.java

@@ -22,7 +22,6 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 
-import it.infn.mw.iam.api.validators.KnownCertificationAuthority;
 import it.infn.mw.iam.api.validators.RFC2253Formatted;
 import it.infn.mw.iam.api.validators.ValidCertificateDTO;
 import it.infn.mw.iam.api.validators.PemContent;
@@ -40,7 +39,6 @@ public class CertLinkRequestDTO extends IamRequestDTO implements CertificateDTO
   private String subjectDn;
 
   @RFC2253Formatted(message = "Invalid issuer DN format")
-  @KnownCertificationAuthority(message = "Certification authority not recognized")
   private String issuerDn;
 
   public CertLinkRequestDTO() {

iam-login-service/src/main/java/it/infn/mw/iam/api/scim/model/ScimX509Certificate.java

@@ -26,7 +26,6 @@
 
 import it.infn.mw.iam.api.requests.model.CertificateDTO;
 import it.infn.mw.iam.api.scim.controller.utils.JsonDateSerializer;
-import it.infn.mw.iam.api.validators.KnownCertificationAuthority;
 import it.infn.mw.iam.api.validators.PemContent;
 import it.infn.mw.iam.api.validators.RFC2253Formatted;
 import it.infn.mw.iam.api.validators.ValidCertificateDTO;
@@ -46,7 +45,6 @@ public class ScimX509Certificate implements CertificateDTO {
 
   @Length(max = 256)
   @RFC2253Formatted(message = "Invalid issuer DN format")
-  @KnownCertificationAuthority(message = "Certification authority not recognized")
   private final String issuerDn;
 
   @PemContent(message = "Invalid PEM encoded certificate")

iam-login-service/src/main/java/it/infn/mw/iam/api/validators/ValidCertificateDTO.java

@@ -26,10 +26,10 @@
 import javax.validation.Payload;
 
 @Retention(RUNTIME)
-@Target({ TYPE, ANNOTATION_TYPE })
+@Target({TYPE, ANNOTATION_TYPE})
 @Constraint(validatedBy = ValidCertificateDTOValidator.class)
 public @interface ValidCertificateDTO {
-  String message() default "Invalid certificate linking request: either subject and issuer DN or the PEM content is required! When both are provided, the PEM must be coherent with the DNs";
+  String message() default "Invalid certificate linking request: either subject and issuer DN or the PEM content is required! When both are provided, the PEM must be coherent with the DNs. The issuer DN must be a known certification authority.";
 
   Class<?>[] groups() default {};
 

iam-login-service/src/main/java/it/infn/mw/iam/api/validators/ValidCertificateDTOValidator.java

@@ -15,16 +15,20 @@
  */
 package it.infn.mw.iam.api.validators;
 
+import java.util.List;
+
 import javax.validation.ConstraintValidator;
 import javax.validation.ConstraintValidatorContext;
 
 import org.springframework.beans.factory.annotation.Autowired;
 
 import com.google.common.base.Strings;
+import static eu.emi.security.authn.x509.impl.X500NameUtils.equal;
 
 import eu.emi.security.authn.x509.impl.X500NameUtils;
 import it.infn.mw.iam.api.requests.model.CertificateDTO;
 import it.infn.mw.iam.api.scim.converter.X509CertificateParser;
+import it.infn.mw.iam.api.trust.sevice.IamTrustService;
 import it.infn.mw.iam.persistence.model.IamX509Certificate;
 
 public class ValidCertificateDTOValidator
@@ -33,6 +37,9 @@ public class ValidCertificateDTOValidator
     @Autowired
     private X509CertificateParser parser;
 
+    @Autowired
+    IamTrustService trustService;
+
     public ValidCertificateDTOValidator() {
         // empty
     }
@@ -60,6 +67,14 @@ private boolean inconsistentIssuer(CertificateDTO value, IamX509Certificate cert
                         X500NameUtils.getComparableForm(cert.getIssuerDn())));
     }
 
+    private boolean unknownCertificationAuthority(CertificateDTO value) throws Exception {
+        String issuerDn = value.getIssuerDn();
+        if (Strings.isNullOrEmpty(issuerDn)) {
+            issuerDn = parser.parseCertificateFromString(value.getPemEncodedCertificate()).getIssuerDn();
+        }
+        return !trustService.getTrusts().getResources().contains(issuerDn);
+    }
+
     @Override
     public boolean isValid(CertificateDTO value, ConstraintValidatorContext context) {
 
@@ -77,6 +92,9 @@ public boolean isValid(CertificateDTO value, ConstraintValidatorContext context)
                     return false;
                 }
             }
+            if (unknownCertificationAuthority(value)) {
+                return false;
+            }
             return true;
         } catch (
 

iam-login-service/src/test/java/it/infn/mw/iam/test/scim/user/ScimUserCreationTests.java

@@ -78,7 +78,8 @@
 @IamMockMvcIntegrationTest
 @SpringBootTest(
     classes = {IamLoginService.class, CoreControllerTestSupport.class, ScimRestUtilsMvc.class},
-    webEnvironment = WebEnvironment.MOCK)
+    webEnvironment = WebEnvironment.MOCK,
+    properties = {"x509.trustAnchorsDir=src/test/resources/test-ca"})
 @TestPropertySource(properties = {"scim.include_authorities=true"})
 public class ScimUserCreationTests extends ScimUserTestSupport {