Add "deep validation"

Author: cstamas

src/main/java/org/codehaus/plexus/components/secdispatcher/Dispatcher.java

@@ -68,4 +68,9 @@ EncryptPayload encrypt(String str, Map<String, String> attributes, Map<String, S
      */
     String decrypt(String str, Map<String, String> attributes, Map<String, String> config)
             throws SecDispatcherException;
+
+    /**
+     * Validates dispatcher configuration.
+     */
+    SecDispatcher.ValidationResponse validateConfiguration(Map<String, String> config);
 }

src/main/java/org/codehaus/plexus/components/secdispatcher/DispatcherMeta.java

@@ -10,7 +10,7 @@
  * Meta description of dispatcher.
  */
 public interface DispatcherMeta {
-    class Field {
+    final class Field {
         private final String key;
         private final boolean optional;
         private final String defaultValue;
@@ -67,7 +67,7 @@ public static Builder builder(String key) {
             return new Builder(key);
         }
 
-        public static class Builder {
+        public static final class Builder {
             private final String key;
             private boolean optional;
             private String defaultValue;

src/main/java/org/codehaus/plexus/components/secdispatcher/MasterSource.java

@@ -30,4 +30,13 @@ public interface MasterSource {
      * @throws SecDispatcherException If implementation does handle this masterSource, but cannot obtain master password
      */
     String handle(String config) throws SecDispatcherException;
+
+    /**
+     * Validates master source configuration.
+     * <ul>
+     *     <li>if the config cannot be handled by given source, return {@code null}</li>
+     *     <li>otherwise, implementation performs validation and returns non-{@code null} validation response</li>
+     * </ul>
+     */
+    SecDispatcher.ValidationResponse validateConfiguration(String config);
 }

src/main/java/org/codehaus/plexus/components/secdispatcher/SecDispatcher.java

@@ -14,6 +14,7 @@
 package org.codehaus.plexus.components.secdispatcher;
 
 import java.io.IOException;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 
@@ -82,4 +83,50 @@ public interface SecDispatcher {
      * @throws IOException In case of IO problem
      */
     void writeConfiguration(SettingsSecurity configuration) throws IOException;
+
+    /**
+     * The validation response.
+     */
+    final class ValidationResponse {
+        public enum Level {
+            INFO,
+            WARNING,
+            ERROR
+        };
+
+        private final String source;
+        private final boolean valid;
+        private final Map<Level, List<String>> report;
+        private final List<ValidationResponse> subsystems;
+
+        public ValidationResponse(
+                String source, boolean valid, Map<Level, List<String>> report, List<ValidationResponse> subsystems) {
+            this.source = source;
+            this.valid = valid;
+            this.report = report;
+            this.subsystems = subsystems;
+        }
+
+        public String getSource() {
+            return source;
+        }
+
+        public boolean isValid() {
+            return valid;
+        }
+
+        public Map<Level, List<String>> getReport() {
+            return report;
+        }
+
+        public List<ValidationResponse> getSubsystems() {
+            return subsystems;
+        }
+    }
+
+    /**
+     * Performs a "deep validation" and reports the status. If return instance {@link ValidationResponse#isValid()}
+     * is {@code true}, configuration is usable.
+     */
+    ValidationResponse validateConfiguration();
 }

src/main/java/org/codehaus/plexus/components/secdispatcher/internal/DefaultSecDispatcher.java

@@ -16,6 +16,7 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
@@ -140,10 +141,12 @@ public String decrypt(String str) throws SecDispatcherException, IOException {
         try {
             String bare = cipher.unDecorate(str);
             Map<String, String> attr = requireNonNull(stripAttributes(bare));
-            if (attr.get(DISPATCHER_NAME_ATTR) == null) {
-                // TODO: log?
+            if (isLegacyPassword(str)) {
                 attr.put(DISPATCHER_NAME_ATTR, LegacyDispatcher.NAME);
             }
+            if (attr.get(DISPATCHER_NAME_ATTR) == null) {
+                throw new SecDispatcherException("Invalid encrypted string; mandatory attributes missing");
+            }
             String name = attr.get(DISPATCHER_NAME_ATTR);
             Dispatcher dispatcher = dispatchers.get(name);
             if (dispatcher == null) throw new SecDispatcherException("no dispatcher for name " + name);
@@ -175,9 +178,55 @@ public void writeConfiguration(SettingsSecurity configuration) throws IOExceptio
         SecUtil.write(configurationFile, configuration, true);
     }
 
-    protected Map<String, String> prepareDispatcherConfig(String type) throws IOException {
+    @Override
+    public ValidationResponse validateConfiguration() {
+        HashMap<ValidationResponse.Level, List<String>> report = new HashMap<>();
+        ArrayList<ValidationResponse> subsystems = new ArrayList<>();
+        boolean valid = false;
+        try {
+            SettingsSecurity config = readConfiguration(false);
+            if (config == null) {
+                report.computeIfAbsent(ValidationResponse.Level.ERROR, k -> new ArrayList<>())
+                        .add("No configuration file found on path " + configurationFile);
+            } else {
+                report.computeIfAbsent(ValidationResponse.Level.INFO, k -> new ArrayList<>())
+                        .add("Configuration file present on path " + configurationFile);
+                String defaultDispatcher = config.getDefaultDispatcher();
+                if (defaultDispatcher == null) {
+                    report.computeIfAbsent(ValidationResponse.Level.ERROR, k -> new ArrayList<>())
+                            .add("No default dispatcher set in configuration");
+                } else {
+                    report.computeIfAbsent(ValidationResponse.Level.INFO, k -> new ArrayList<>())
+                            .add("Default dispatcher set to " + defaultDispatcher);
+                    Dispatcher dispatcher = dispatchers.get(defaultDispatcher);
+                    if (dispatcher == null) {
+                        report.computeIfAbsent(ValidationResponse.Level.ERROR, k -> new ArrayList<>())
+                                .add("Default dispatcher " + defaultDispatcher + " not present in system");
+                    } else {
+                        ValidationResponse dispatcherResponse =
+                                dispatcher.validateConfiguration(prepareDispatcherConfig(defaultDispatcher));
+                        subsystems.add(dispatcherResponse);
+                        if (!dispatcherResponse.isValid()) {
+                            report.computeIfAbsent(ValidationResponse.Level.ERROR, k -> new ArrayList<>())
+                                    .add("Default dispatcher " + defaultDispatcher + " configuration is invalid");
+                        } else {
+                            valid = true;
+                            report.computeIfAbsent(ValidationResponse.Level.INFO, k -> new ArrayList<>())
+                                    .add("Default dispatcher " + defaultDispatcher + " configuration is valid");
+                        }
+                    }
+                }
+            }
+        } catch (IOException e) {
+            report.computeIfAbsent(ValidationResponse.Level.ERROR, k -> new ArrayList<>())
+                    .add(e.getMessage());
+        }
+        return new ValidationResponse(getClass().getSimpleName(), valid, report, subsystems);
+    }
+
+    protected Map<String, String> prepareDispatcherConfig(String name) throws IOException {
         HashMap<String, String> dispatcherConf = new HashMap<>();
-        Map<String, String> conf = SecUtil.getConfig(SecUtil.read(configurationFile), type);
+        Map<String, String> conf = SecUtil.getConfig(SecUtil.read(configurationFile), name);
         if (conf != null) {
             dispatcherConf.putAll(conf);
         }

src/main/java/org/codehaus/plexus/components/secdispatcher/internal/dispatchers/LegacyDispatcher.java

@@ -40,6 +40,7 @@
 import org.codehaus.plexus.components.cipher.PlexusCipherException;
 import org.codehaus.plexus.components.secdispatcher.Dispatcher;
 import org.codehaus.plexus.components.secdispatcher.DispatcherMeta;
+import org.codehaus.plexus.components.secdispatcher.SecDispatcher;
 import org.codehaus.plexus.components.secdispatcher.SecDispatcherException;
 import org.xml.sax.InputSource;
 
@@ -99,6 +100,17 @@ public String decrypt(String str, Map<String, String> attributes, Map<String, St
         }
     }
 
+    @Override
+    public SecDispatcher.ValidationResponse validateConfiguration(Map<String, String> config) {
+        return new SecDispatcher.ValidationResponse(
+                getClass().getSimpleName(),
+                false,
+                Map.of(
+                        SecDispatcher.ValidationResponse.Level.ERROR,
+                        List.of("This dispatcher cannot and must not be directly used via configuration")),
+                List.of());
+    }
+
     private String getMasterPassword() throws SecDispatcherException {
         String encryptedMasterPassword = getMasterMasterPasswordFromSettingsSecurityXml();
         return legacyCipher.decrypt64(plexusCipher.unDecorate(encryptedMasterPassword), MASTER_MASTER_PASSWORD);

src/main/java/org/codehaus/plexus/components/secdispatcher/internal/dispatchers/MasterDispatcher.java

@@ -17,6 +17,7 @@
 import javax.inject.Named;
 import javax.inject.Singleton;
 
+import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
 import java.util.List;
@@ -125,6 +126,54 @@ public String decrypt(String str, Map<String, String> attributes, Map<String, St
         }
     }
 
+    @Override
+    public SecDispatcher.ValidationResponse validateConfiguration(Map<String, String> config) {
+        HashMap<SecDispatcher.ValidationResponse.Level, List<String>> report = new HashMap<>();
+        ArrayList<SecDispatcher.ValidationResponse> subsystems = new ArrayList<>();
+        boolean valid = false;
+        String masterCipher = config.get(CONF_MASTER_CIPHER);
+        if (masterCipher == null) {
+            report.computeIfAbsent(SecDispatcher.ValidationResponse.Level.ERROR, k -> new ArrayList<>())
+                    .add("Master Cipher configuration missing");
+        } else {
+            if (!cipher.availableCiphers().contains(masterCipher)) {
+                report.computeIfAbsent(SecDispatcher.ValidationResponse.Level.ERROR, k -> new ArrayList<>())
+                        .add("Master Cipher " + masterCipher + " not supported");
+            } else {
+                report.computeIfAbsent(SecDispatcher.ValidationResponse.Level.INFO, k -> new ArrayList<>())
+                        .add("Master Cipher " + masterCipher + " supported");
+            }
+        }
+        String masterSource = config.get(CONF_MASTER_SOURCE);
+        if (masterSource == null) {
+            report.computeIfAbsent(SecDispatcher.ValidationResponse.Level.ERROR, k -> new ArrayList<>())
+                    .add("Master Source configuration missing");
+        } else {
+            SecDispatcher.ValidationResponse masterSourceResponse = null;
+            for (MasterSource masterPasswordSource : masterSources.values()) {
+                masterSourceResponse = masterPasswordSource.validateConfiguration(masterSource);
+                if (masterSourceResponse != null) {
+                    break;
+                }
+            }
+            if (masterSourceResponse == null) {
+                report.computeIfAbsent(SecDispatcher.ValidationResponse.Level.ERROR, k -> new ArrayList<>())
+                        .add("Master Source configuration `" + masterSource + "` not handled");
+            } else {
+                subsystems.add(masterSourceResponse);
+                if (!masterSourceResponse.isValid()) {
+                    report.computeIfAbsent(SecDispatcher.ValidationResponse.Level.ERROR, k -> new ArrayList<>())
+                            .add("Master Source configuration `" + masterSource + "` invalid");
+                } else {
+                    report.computeIfAbsent(SecDispatcher.ValidationResponse.Level.INFO, k -> new ArrayList<>())
+                            .add("Master Source configuration `" + masterSource + "` valid");
+                    valid = true;
+                }
+            }
+        }
+        return new SecDispatcher.ValidationResponse(getClass().getSimpleName(), valid, report, subsystems);
+    }
+
     private String getMasterPassword(Map<String, String> config) throws SecDispatcherException {
         String masterSource = config.get(CONF_MASTER_SOURCE);
         if (masterSource == null) {

src/main/java/org/codehaus/plexus/components/secdispatcher/internal/sources/EnvMasterSource.java

@@ -21,9 +21,12 @@
 import javax.inject.Named;
 import javax.inject.Singleton;
 
+import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 
 import org.codehaus.plexus.components.secdispatcher.MasterSourceMeta;
+import org.codehaus.plexus.components.secdispatcher.SecDispatcher;
 import org.codehaus.plexus.components.secdispatcher.SecDispatcherException;
 
 /**
@@ -58,4 +61,26 @@ protected String doHandle(String transformed) throws SecDispatcherException {
         }
         return value;
     }
+
+    @Override
+    protected SecDispatcher.ValidationResponse doValidateConfiguration(String transformed) {
+        String value = System.getenv(transformed);
+        if (value == null) {
+            return new SecDispatcher.ValidationResponse(
+                    getClass().getSimpleName(),
+                    true,
+                    Map.of(
+                            SecDispatcher.ValidationResponse.Level.WARNING,
+                            List.of("Configured environment variable not exist")),
+                    List.of());
+        } else {
+            return new SecDispatcher.ValidationResponse(
+                    getClass().getSimpleName(),
+                    true,
+                    Map.of(
+                            SecDispatcher.ValidationResponse.Level.INFO,
+                            List.of("Configured environment variable exist")),
+                    List.of());
+        }
+    }
 }

src/main/java/org/codehaus/plexus/components/secdispatcher/internal/sources/GpgAgentMasterSource.java

@@ -29,12 +29,17 @@
 import java.net.UnixDomainSocketAddress;
 import java.nio.channels.Channels;
 import java.nio.channels.SocketChannel;
+import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.HexFormat;
+import java.util.List;
 import java.util.Optional;
 
 import org.codehaus.plexus.components.secdispatcher.MasterSourceMeta;
+import org.codehaus.plexus.components.secdispatcher.SecDispatcher;
 import org.codehaus.plexus.components.secdispatcher.SecDispatcherException;
 
 /**
@@ -83,6 +88,39 @@ protected String doHandle(String transformed) throws SecDispatcherException {
         }
     }
 
+    @Override
+    protected SecDispatcher.ValidationResponse doValidateConfiguration(String transformed) {
+        HashMap<SecDispatcher.ValidationResponse.Level, List<String>> report = new HashMap<>();
+        boolean valid = false;
+
+        String extra = "";
+        if (transformed.contains("?")) {
+            extra = transformed.substring(transformed.indexOf("?"));
+            transformed = transformed.substring(0, transformed.indexOf("?"));
+        }
+        Path socketLocation = Paths.get(transformed);
+        if (!socketLocation.isAbsolute()) {
+            socketLocation = Paths.get(System.getProperty("user.home"))
+                    .resolve(socketLocation)
+                    .toAbsolutePath();
+        }
+        if (Files.exists(socketLocation)) {
+            report.computeIfAbsent(SecDispatcher.ValidationResponse.Level.ERROR, k -> new ArrayList<>())
+                    .add("Unix domain socket for GPG Agent does not exist. Maybe you need to start gpg-agent?");
+        } else {
+            report.computeIfAbsent(SecDispatcher.ValidationResponse.Level.INFO, k -> new ArrayList<>())
+                    .add("Unix domain socket for GPG Agent exist");
+            valid = true;
+        }
+        boolean interactive = !extra.contains("non-interactive");
+        if (!interactive) {
+            report.computeIfAbsent(SecDispatcher.ValidationResponse.Level.WARNING, k -> new ArrayList<>())
+                    .add(
+                            "Non-interactive flag found, gpg-agent will not ask for passphrase, it can use only cached ones");
+        }
+        return new SecDispatcher.ValidationResponse(getClass().getSimpleName(), valid, report, List.of());
+    }
+
     private String load(Path socketPath, boolean interactive) throws IOException {
         try (SocketChannel sock = SocketChannel.open(StandardProtocolFamily.UNIX)) {
             sock.connect(UnixDomainSocketAddress.of(socketPath));

src/main/java/org/codehaus/plexus/components/secdispatcher/internal/sources/MasterSourceSupport.java

@@ -22,6 +22,7 @@
 import java.util.function.Predicate;
 
 import org.codehaus.plexus.components.secdispatcher.MasterSource;
+import org.codehaus.plexus.components.secdispatcher.SecDispatcher;
 import org.codehaus.plexus.components.secdispatcher.SecDispatcherException;
 
 import static java.util.Objects.requireNonNull;
@@ -47,4 +48,13 @@ public String handle(String masterSource) throws SecDispatcherException {
     }
 
     protected abstract String doHandle(String transformed) throws SecDispatcherException;
+
+    public SecDispatcher.ValidationResponse validateConfiguration(String masterSource) {
+        if (matcher.test(masterSource)) {
+            return doValidateConfiguration(transformer.apply(masterSource));
+        }
+        return null;
+    }
+
+    protected abstract SecDispatcher.ValidationResponse doValidateConfiguration(String transformed);
 }