Merge branch 'fb-DSS-3249-Regression-PDFSigner-fails-signing-if-custom-image-path-is-used' into 'main'

DSS-3249: Changed to the intended constructor of PDFSigner so the allowlist isn't treated as null.

See merge request signserver/signserver!565

Author: netmackan

signserver/modules/SignServer-Module-PDFSigner/src/main/java/org/signserver/module/pdfsigner/PDFSigner.java

@@ -425,7 +425,7 @@ public Response processData(Request signRequest,
         // retrieve and preprocess configuration parameter values
         // XXX: Note: below a new instance of configError is passed in. Actually we do not want to collect errors at this stage but will do it like this for now
         final ArrayList<String> processingErrors = new ArrayList<>();
-        final PDFSignerParameters params = new PDFSignerParameters(workerId, config, processingErrors, metadata, allowPropertyOverride);
+        final PDFSignerParameters params = new PDFSignerParameters(workerId, config, processingErrors, metadata, allowPropertyOverride, allowedImagePaths);
         if (!processingErrors.isEmpty()) {
             throw new IllegalRequestException(processingErrors.toString());
         }

signserver/modules/SignServer-Module-PDFSigner/src/main/java/org/signserver/module/pdfsigner/PDFSignerParameters.java

@@ -112,10 +112,6 @@ public class PDFSignerParameters {
 
     private final Set<String> allowPropertyOverride;
 
-    public PDFSignerParameters(int workerId, WorkerConfig config, final List<String> configErrors, Map<String, String> requestMetadata, final Set<String> allowPropertyOverride) throws IllegalRequestException, SignServerException {
-        this(workerId, config, configErrors, requestMetadata, allowPropertyOverride, null);
-    }
-
     public PDFSignerParameters(int workerId, WorkerConfig config, final List<String> configErrors, Map<String, String> requestMetadata, final Set<String> allowPropertyOverride, Set<Path> allowListedImagePaths) throws IllegalRequestException, SignServerException {
         this.workerId = workerId;
         this.config = config;

signserver/modules/SignServer-Module-PDFSigner/src/test/java/org/signserver/module/pdfsigner/PDFSignerParametersUnitTest.java

@@ -16,7 +16,7 @@
 import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.Set;
-import org.apache.commons.codec.binary.Base64;
+import java.util.Collections;
 import org.apache.log4j.Logger;
 import org.junit.Test;
 import static org.junit.Assert.*;
@@ -52,7 +52,7 @@ public void testOverrideAddVisibleSignature() throws Exception {
         final LinkedList<String> configErrors = new LinkedList<>();
 
         // when
-        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride);
+        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride, Collections.emptySet());
 
         // then
         assertTrue("ADD_VISIBLE_SIGNATURE overridden", 
@@ -77,7 +77,7 @@ public void testOverrideVisible_sig_page() throws Exception {
         final LinkedList<String> configErrors = new LinkedList<>();
 
         // when
-        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride);
+        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride, Collections.emptySet());
 
         // then
         assertEquals("VISIBLE_SIGNATURE_PAGE overridden", "4", instance.getVisible_sig_page());
@@ -101,7 +101,7 @@ public void testOverrideVisible_sig_rectangle() throws Exception {
         final LinkedList<String> configErrors = new LinkedList<>();
 
         // when
-        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride);
+        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride, Collections.emptySet());
 
         // then
         assertEquals("VISIBLE_SIGNATURE_RECTANGLE overridden", "7,8,9,10", instance.getVisible_sig_rectangle());
@@ -130,7 +130,7 @@ public void testOverrideUseTimestampTrue() throws Exception {
         final LinkedList<String> configErrors = new LinkedList<>();
 
         // when
-        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride);
+        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride, Collections.emptySet());
 
         // then
         assertFalse("USE_TIMESTAMP overridden", instance.isUseTimestamp());
@@ -155,7 +155,7 @@ public void testOverrideUseTimestampFalse() throws Exception {
         final LinkedList<String> configErrors = new LinkedList<>();
 
         // when
-        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride);
+        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride, Collections.emptySet());
 
         // then
         assertTrue("USE_TIMESTAMP overridden", instance.isUseTimestamp());
@@ -179,7 +179,7 @@ public void testOverrideEmbedCrl() throws Exception {
         final LinkedList<String> configErrors = new LinkedList<>();
 
         // when
-        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride);
+        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride, Collections.emptySet());
 
         // then
         assertTrue("EMBED_CRL overridden", instance.isEmbed_crl());
@@ -203,7 +203,7 @@ public void testOverrideEmbedOcspResponse() throws Exception {
         final LinkedList<String> configErrors = new LinkedList<>();
 
         // when
-        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride);
+        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride, Collections.emptySet());
 
         // then
         assertTrue("EMBED_OCSP_RESPONSE overridden", instance.isEmbed_ocsp_response());
@@ -226,7 +226,7 @@ public void testOverrideRemovePermissions() throws Exception {
         final LinkedList<String> configErrors = new LinkedList<>();
 
         // when
-        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride);
+        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride, Collections.emptySet());
 
         // then
         assertEquals("REMOVE_PERMISSIONS overridden", 
@@ -251,7 +251,7 @@ public void testOverrideSetPermissions() throws Exception {
         final LinkedList<String> configErrors = new LinkedList<>();
 
         // when
-        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride);
+        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride, Collections.emptySet());
 
         // then
         assertEquals("SET_PERMISSIONS overridden", 
@@ -276,7 +276,7 @@ public void testOverrideSetOwnerPassword() throws Exception {
         final LinkedList<String> configErrors = new LinkedList<>();
 
         // when
-        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride);
+        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride, Collections.emptySet());
 
         // then
         assertEquals("REMOVE_PERMISSIONS overridden", 
@@ -303,7 +303,7 @@ public void testOverrideVisibleSignatureCustomImageBase64() throws Exception {
         final LinkedList<String> configErrors = new LinkedList<>();
 
         // when
-        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride);
+        PDFSignerParameters instance = new PDFSignerParameters(101, config, configErrors, requestMetadata, allowPropertyOverride, Collections.emptySet());
 
         // then
         assertEquals("VISIBLE_SIGNATURE_CUSTOM_IMAGE_BASE64 overridden", image, instance.getVisible_sig_custom_image_base64());

signserver/modules/SignServer-Module-PDFSigner/src/test/java/org/signserver/module/pdfsigner/PDFSignerUnitTest.java

@@ -1734,7 +1734,7 @@ public void test23Illegal_Value_Gives_Configuration_Errors() {
         workerConfig.setProperty("ARCHIVETODISK", "TRUE");
         workerConfig.setProperty("ARCHIVETODISK_PATH_BASE", "/this/path/is/not/allowed");
 
-        final MockedPathingPDFSigner instance = new MockedPathingPDFSigner();
+        final MockedPathingPDFSigner instance = new MockedPathingPDFSigner(null);
 
         instance.init(WORKER1, workerConfig, null, null);
 
@@ -2374,6 +2374,35 @@ public void testAllowSigningWithoutOwnerPassword() throws Exception {
         workerSession.reloadConfiguration(WORKER1);
     }
 
+    /**
+     * Test signing with visible signature from an allowed file path.
+     * @throws Exception in case of error
+     */
+    @Test
+    public void testSignWithAllowedVisibleSignaturePath() throws Exception {
+
+        workerSession.setWorkerProperty(WORKER1, "ADD_VISIBLE_SIGNATURE", "true");
+        workerSession.setWorkerProperty(WORKER1, "VISIBLE_SIGNATURE_CUSTOM_IMAGE_PATH", ALLOWED_RELATIVE_PATH + "/primekey.png");
+        workerSession.reloadConfiguration(WORKER1);
+
+        ReadableData requestData = createRequestDataKeepingFile(sampleOk);
+        try (CloseableWritableData responseData = createResponseData(true)) {
+
+            final SignatureRequest request = new SignatureRequest(100,
+                    requestData, responseData);
+
+            final SignatureResponse response = (SignatureResponse)
+                    processSession.process(createAdminInfo(), new WorkerIdentifier(WORKER1), request, new RequestContext(true));
+            assertEquals("requestId", 100, response.getRequestID());
+
+            Certificate signercert = response.getSignerCertificate();
+            assertNotNull(signercert);
+
+            assertTrue("data processed", responseData.toReadableData().getLength() > 0);
+            assertTrue("data processed", responseData.toReadableData().getAsByteArray().length > 0);
+        }
+    }
+
     /**
      * Helper method creating a mocked token ECDSA keys.
      *
@@ -2418,9 +2447,14 @@ public ICryptoTokenV4 getCryptoToken(final IServices services) {
      * Mocked PDFSigner used to emulate allowlists for archiving and custom image paths.
      */
     private static class MockedPathingPDFSigner extends PDFSigner {
+
+        public MockedPathingPDFSigner(ICryptoTokenV4 cryptoToken) {
+            this.cryptoToken = cryptoToken;
+        }
+
         @Override
         public ICryptoTokenV4 getCryptoToken(final IServices services) {
-            return null;
+            return cryptoToken;
         }
 
         @Override
@@ -2470,7 +2504,7 @@ public ICryptoTokenV4 getCryptoToken(final IServices services) {
         final WorkerConfig config = new WorkerConfig();
         final List<String> configErrors = new LinkedList<>();
         config.setProperty("TSA_URL", "http://any-tsa.example.com");
-        final PDFSignerParameters params = new PDFSignerParameters(1234, config, configErrors, new HashMap<>(), new HashSet<>());
+        final PDFSignerParameters params = new PDFSignerParameters(1234, config, configErrors, new HashMap<>(), new HashSet<>(), Collections.emptySet());
 
         instance.setIncludeCertificateLevels(1);
 
@@ -2583,12 +2617,7 @@ private void setupWorkers()
             config.setProperty(AUTHTYPE, "NOAUTH");
 
             workerMock.setupWorker(workerId, CRYPTOTOKEN_CLASSNAME, config,
-                    new PDFSigner() {
-                @Override
-                public ICryptoTokenV4 getCryptoToken(final IServices services) {
-                    return token;
-                }
-            });
+                    new MockedPathingPDFSigner(token));
             workerSession.reloadConfiguration(workerId);
         }
 
@@ -2614,12 +2643,7 @@ public ICryptoTokenV4 getCryptoToken(final IServices services) {
             config.setProperty(AUTHTYPE, "NOAUTH");
 
             workerMock.setupWorker(workerId, CRYPTOTOKEN_CLASSNAME, config,
-                    new PDFSigner() {
-                @Override
-                public ICryptoTokenV4 getCryptoToken(final IServices services) {
-                    return tokenCRL;
-                }
-            });
+                    new MockedPathingPDFSigner(tokenCRL));
             workerSession.reloadConfiguration(workerId);
         }
     }
@@ -2731,7 +2755,7 @@ private static void assertOwnerPassword(byte[] pdfBytes, String password) throws
     private static class PDFSignerBuilder {
 
         private WorkerConfig workerConfig = new WorkerConfig();
-        private MockedPathingPDFSigner instance = new MockedPathingPDFSigner();
+        private MockedPathingPDFSigner instance = new MockedPathingPDFSigner(null);
 
         public PDFSignerBuilder() {
             workerConfig.setProperty("TYPE", "PROCESSABLE");