From 8401af5e1871908957dce23b706a4c54b34e80bf Mon Sep 17 00:00:00 2001
From: Dan Caseley
Date: Sat, 19 Oct 2024 13:12:12 +0100
Subject: [PATCH] OF-2893: Warn administrator when a wildcard pattern is loaded (but wildcards are disabled)
---
 i18n/src/main/resources/openfire_i18n.properties | 1 +
 .../main/java/org/jivesoftware/admin/AuthCheckFilter.java | 7 +++++++
 xmppserver/src/main/webapp/plugin-admin.jsp | 6 ++++++
 3 files changed, 14 insertions(+)

diff --git a/i18n/src/main/resources/openfire_i18n.properties b/i18n/src/main/resources/openfire_i18n.properties
index 8a11f18238..3c325f4348 100644
--- a/i18n/src/main/resources/openfire_i18n.properties
+++ b/i18n/src/main/resources/openfire_i18n.properties
@@ -2824,6 +2824,7 @@ plugin.admin.failed.minJavaVersion=The plugin requires Java specification versio
 plugin.admin.failed.missingParent=The plugin requires another plugin, named {0}, that currently is not installed.
 plugin.admin.failed.databaseScript=A plugin database install or update script failed. Review the logs for additional details.
 plugin.admin.failed.unknown=An exception occurred while loading plugin. Review the logs for additional details.
+plugin.admin.wildcards-exists=A plugin has loaded admin console authentication bypass patterns that includes a wildcard, but the System Property 'adminConsole.access.allow-wildcards-in-excludes' is disabled.
 
 # System Admin Console access
 system.admin.console.access.title=Admin Console Access
diff --git a/xmppserver/src/main/java/org/jivesoftware/admin/AuthCheckFilter.java b/xmppserver/src/main/java/org/jivesoftware/admin/AuthCheckFilter.java
index 4613f457e2..4cd79800ae 100644
--- a/xmppserver/src/main/java/org/jivesoftware/admin/AuthCheckFilter.java
+++ b/xmppserver/src/main/java/org/jivesoftware/admin/AuthCheckFilter.java
@@ -184,6 +184,13 @@ public static void removeExclude(String exclude) {
 excludes.remove(exclude);
 }
 
+ /**
+ * Indicates to the caller whether any of the currently loaded exclusions contains a wildcard
+ */
+ public static boolean excludesIncludeWildcards() {
+ return excludes.stream().anyMatch(e -> e.contains("*"));
+ }
+
 /**
 * Returns true if a URL passes an exclude rule.
 *
diff --git a/xmppserver/src/main/webapp/plugin-admin.jsp b/xmppserver/src/main/webapp/plugin-admin.jsp
index d3c8f1fcf7..19945d0c78 100644
--- a/xmppserver/src/main/webapp/plugin-admin.jsp
+++ b/xmppserver/src/main/webapp/plugin-admin.jsp
@@ -23,6 +23,7 @@
 org.apache.commons.fileupload.disk.DiskFileItemFactory,
 org.apache.commons.fileupload.servlet.ServletFileUpload"
 %>
+<%@ page import="org.jivesoftware.admin.AuthCheckFilter" %>
 <%@ page import="org.jivesoftware.openfire.XMPPServer" %>
 <%@ page import="org.jivesoftware.openfire.container.PluginManager" %>
 <%@ page import="org.jivesoftware.openfire.update.UpdateManager" %>
@@ -369,6 +370,11 @@ tr.lowerhalf > td:last-child { + + + + +
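Review bot: `excludesIncludeWildcards()` flags an asterisk anywhere in a pattern via `e.contains("*")`, and nothing in this hunk shows that this matches the notion of "wildcard" the exclude matcher enforces. The matcher lives outside the hunk; if it only honours a particular position such as a trailing `*`, the two should share one predicate so the admin warning cannot drift from what is actually refused. The Javadoc should also say that the result is independent of the `adminConsole.access.allow-wildcards-in-excludes` property, so callers must check that property themselves, and it should gain `@return true if at least one loaded exclude contains '*'`. Because these excludes are authentication-bypass patterns, consider also logging the offending pattern(s) at WARN when one is found, since the console message added in this commit does not tell the administrator which pattern or plugin to investigate.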