Skip to content

Riina Antikainen / Moya

Go to a project
Commit 91223aea by Tuomas Riihimäki
Options

Add some checks to stuff broken by domain migration from thread-store to username

1 parent 1acfee20
Inline Side-by-side
Showing with 213 additions and 199 deletions
code/moya-beans/ejbModule/fi/codecrew/moya/beans/CardTemplateBean.java
......@@ -168,7 +168,7 @@ public class CardTemplateBean implements CardTemplateBeanLocal {
public PrintedCard checkPrintedCard(EventUser user) {
logger.info("Checking printed card");
user = eventUserFacade.find(user.getId());
user = eventUserFacade.reload(user);
LanEvent currEvent = eventBean.getCurrentEvent();
List<PrintedCard> myCards = printedcardfacade.getCards(user);
......
code/moya-utils/src/main/java/fi/codecrew/moya/utilities/UserLoginUtils.java
......@@ -32,6 +32,12 @@ public class UserLoginUtils {
}
public static String getUsernameFromJaasString(String username) {
return username.split("@[^@]+$")[0];
String[] splitted = username.split("@[^@]+$");
String ret = null;
if (splitted.length > 0) {
ret = splitted[0];
}
return ret;
}
}
code/moya-web/src/main/java/fi/codecrew/moya/HostnameFilter.java
......@@ -246,7 +246,7 @@ public class HostnameFilter implements Filter {
restAuthStr = httpRequest.getHeader("Authorization");
// }
if (restAuthStr == null) {
if (restAuthStr == null && httpRequest.getParameter("appkey") != null) {
StringBuilder hashBuilder = new StringBuilder();
hashBuilder.append(JaasBeanLocal.REST_PREFIX);
......@@ -257,9 +257,15 @@ public class HostnameFilter implements Filter {
hashBuilder.append(httpRequest.getPathInfo());
restAuthStr = hashBuilder.toString();
}
boolean ret = true;
try {
httpRequest.login('@' + parseHostname(httpRequest), restAuthStr);
if (restAuthStr == null) {
throw new ServletException("No auth data");
}
final String username = "@" + parseHostname(httpRequest);
logger.info("Logging in with username {} and password {}", username, restAuthStr);
httpRequest.login(username, restAuthStr);
} catch (ServletException loginEx) {
ret = false;
logger.info("Rest api authentication failed for path " + httpRequest.getPathInfo() + " "
......@@ -296,10 +302,11 @@ public class HostnameFilter implements Filter {
logbean.sendMessage(MoyaEventType.USER_PERMISSION_VIOLATION,
"Hostname mismatch privilege escalation! User '", httpRequest.getUserPrincipal(), "' tried to change hostname from '",
userDomain, "' to '", hostname, ",");
throw new RuntimeException("Hostname mismatch!");
throw new RuntimeException("Hostname mismatch! Expected: " + hostname + " but logged in as " + userDomain);
}
}
BortalLocalContextHolder.setInDevelopmentMode(developmentMode);
return hostname;
......
code/moya-web/src/main/java/fi/codecrew/moya/rest/UserRestView.java
/*
* Copyright Codecrew Ry
*
*
* All rights reserved.
*
* This license applies to any software containing a notice placed by the
* copyright holder. Such software is herein referred to as the Software.
* This license covers modification, distribution and use of the Software.
*
* Any distribution and use in source and binary forms, with or without
* modification is not permitted without explicit written permission from the
* copyright owner.
*
* A non-exclusive royalty-free right is granted to the copyright owner of the
* Software to use, modify and distribute all modifications to the Software in
* future versions of the Software.
*
*
* This license applies to any software containing a notice placed by the
* copyright holder. Such software is herein referred to as the Software.
* This license covers modification, distribution and use of the Software.
*
* Any distribution and use in source and binary forms, with or without
* modification is not permitted without explicit written permission from the
* copyright owner.
*
* A non-exclusive royalty-free right is granted to the copyright owner of the
* Software to use, modify and distribute all modifications to the Software in
* future versions of the Software.
*
*/
package fi.codecrew.moya.rest;
......@@ -43,6 +43,7 @@ import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.ResponseBuilder;
import javax.ws.rs.core.Response.Status;
import fi.codecrew.moya.model.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
......@@ -59,12 +60,6 @@ import fi.codecrew.moya.beans.TicketBeanLocal;
import fi.codecrew.moya.beans.UserBeanLocal;
import fi.codecrew.moya.entitysearch.UserSearchQuery;
import fi.codecrew.moya.enums.apps.UserPermission;
import fi.codecrew.moya.model.EventUser;
import fi.codecrew.moya.model.GroupMembership;
import fi.codecrew.moya.model.Place;
import fi.codecrew.moya.model.ReaderEvent;
import fi.codecrew.moya.model.User;
import fi.codecrew.moya.model.UserImage;
import fi.codecrew.moya.rest.pojo.userinfo.v1.EventUserRestPojo;
import fi.codecrew.moya.rest.pojo.userinfo.v1.PrintedCardRestPojo;
import fi.codecrew.moya.rest.pojo.userinfo.v1.SimpleEventuserRoot;
......@@ -75,8 +70,8 @@ import fi.codecrew.moya.utilities.SearchResult;
@RequestScoped
@Path("/user")
@Consumes({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
@Produces({ MediaType.APPLICATION_JSON + "; charset=UTF-8" })
@Consumes({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
@Produces({MediaType.APPLICATION_JSON + "; charset=UTF-8"})
@Api(value = "/user", description = "Administer users")
public class UserRestView {
......@@ -108,10 +103,10 @@ public class UserRestView {
@POST
@Path("/giveplace/{placeId}")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@ApiOperation(value = "Set place status to give/ungive", response = UserReservationPlacePojo.class)
@ApiOperation(value = "Set place status to give/ungive", response = UserReservationPlacePojo.class)
public Response setPlacesGivenStatus(
@PathParam("placeId") Integer id,
@FormParam("action") String status) {
@PathParam("placeId") Integer id,
@FormParam("action") String status) {
Place place = placebean.find(id);
if (place == null) {
......@@ -129,17 +124,17 @@ public class UserRestView {
ResponseBuilder resp = Response.ok();
switch (status) {
case "give":
gm = placegroupbean.markGroupMembershipEntered(gm);
break;
case "ungive":
gm = placegroupbean.markGroupMembershipNotEntered(gm);
break;
default:
resp = Response.status(Status.BAD_REQUEST);
resp.status(Status.BAD_REQUEST);
resp.entity("Unknown status" + status + " possible values: 'give' and 'ungive'");
return resp.build();
case "give":
gm = placegroupbean.markGroupMembershipEntered(gm);
break;
case "ungive":
gm = placegroupbean.markGroupMembershipNotEntered(gm);
break;
default:
resp = Response.status(Status.BAD_REQUEST);
resp.status(Status.BAD_REQUEST);
resp.entity("Unknown status" + status + " possible values: 'give' and 'ungive'");
return resp.build();
}
......@@ -150,38 +145,38 @@ public class UserRestView {
@GET
@Path("/reservationswithcode/{code}")
@ApiOperation(value = "Get places with code", response = UserReservationRoot.class)
@ApiOperation(value = "Get places with code", response = UserReservationRoot.class)
public Response getPlacesWithCode(@PathParam("code") String code) {
try {
try {
EventUser curruser = permbean.getCurrentUser();
ReaderEvent revent = readerbean.checkCode("restapi: " + curruser.getLogin(), code);
EventUser curruser = permbean.getCurrentUser();
ReaderEvent revent = readerbean.checkCode("restapi: " + curruser.getLogin(), code);
if (revent != null && revent.getUser() != null) {
EventUser eu = revent.getUser();
List<GroupMembership> gms = ticketbean.findMembershipPrintlistForUser(eu);
if (revent != null && revent.getUser() != null) {
EventUser eu = revent.getUser();
List<GroupMembership> gms = ticketbean.findMembershipPrintlistForUser(eu);
UserReservationRoot ret = new UserReservationRoot();
ret.setUser(PojoUtils.initEventUserRestPojo(eu));
UserReservationRoot ret = new UserReservationRoot();
ret.setUser(PojoUtils.initEventUserRestPojo(eu));
for (GroupMembership g : gms) {
for (GroupMembership g : gms) {
ret.getReservations().add(PojoUtils.initUserReservationPlace(g));
}
return Response.ok(ret).build();
}
return Response.status(Status.NOT_FOUND).build();
ret.getReservations().add(PojoUtils.initUserReservationPlace(g));
}
return Response.ok(ret).build();
}
return Response.status(Status.NOT_FOUND).build();
} catch (Exception e) {
logger.error("Getting places failed", e);
return Response.serverError().build();
}
} catch (Exception e) {
logger.error("Getting places failed", e);
return Response.serverError().build();
}
}
@GET
@Path("/{userid}/reservations")
@ApiOperation(value = "Get user's reservations", response = UserReservationRoot.class)
@ApiOperation(value = "Get user's reservations", response = UserReservationRoot.class)
public Response usersPlaces(@PathParam("userid") Integer userid) {
EventUser eu = userbean.findByUserId(userid, false);
if (eu != null) {
......@@ -200,12 +195,12 @@ public class UserRestView {
@POST
@Path("/auth")
@Produces({ MediaType.APPLICATION_JSON })
@Produces({MediaType.APPLICATION_JSON})
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@ApiOperation(value = "Authenticate", response = EventUserRestPojo.class)
@ApiOperation(value = "Authenticate", response = EventUserRestPojo.class)
public Response auth(
@FormParam("username") String username,
@FormParam("password") String password) {
@FormParam("username") String username,
@FormParam("password") String password) {
logger.info("Tried to login with rest {} , {}", username, password);
boolean success = true;
try {
......@@ -243,30 +238,35 @@ public class UserRestView {
@Path("/eventusers")
@ApiOperation(value = "Get EventUsers", response = SimpleEventuserRoot.class)
public SimpleEventuserRoot getEventUsers(
@DefaultValue("0") @QueryParam("pagesize") Integer pagesize,
@DefaultValue("0") @QueryParam("page") Integer page,
@QueryParam("search") String search
) {
@DefaultValue("0") @QueryParam("pagesize") Integer pagesize,
@DefaultValue("0") @QueryParam("page") Integer page,
@QueryParam("search") String search
) {
try {
try {
UserSearchQuery q = new UserSearchQuery(page, pagesize, null, search, QuerySortOrder.UNSORTED);
SearchResult<EventUser> users = userbean.getThisEventsUsers(q);
return PojoUtils.parseEventusers(users.getResults());
UserSearchQuery q = new UserSearchQuery(page, pagesize, null, search, QuerySortOrder.UNSORTED);
SearchResult<EventUser> users = userbean.getThisEventsUsers(q);
return PojoUtils.parseEventusers(users.getResults());
} catch (Exception e) {
logger.error("Getting EventUsers failed", e);
throw e;
}
} catch (Exception e) {
logger.error("Getting EventUsers failed", e);
throw e;
}
}
@GET
@Path("/card/{eventuserId}")
@ApiOperation(value = "Get PrintedCard for EventUser", response = PrintedCardRestPojo.class)
public PrintedCardRestPojo getUsersCard(
@ApiParam("EventUser entity ID") @PathParam("eventuserId") Integer eventuserid) {
@ApiParam("EventUser entity ID") @PathParam("eventuserId") Integer eventuserid) {
EventUser user = userbean.findByEventUserId(eventuserid);
return PojoUtils.initPrintedCardRestPojo(cardbean.checkPrintedCard(user));
logger.warn("users card for user: {}", user);
PrintedCard card = cardbean.checkPrintedCard(user);
if (card == null) {
return null;
}
return PojoUtils.initPrintedCardRestPojo(card);
}
......@@ -274,7 +274,7 @@ public class UserRestView {
@Path("/eventuser/{cardauthcode}")
@ApiOperation(value = "Get EventUser by cardAuthCode", response = EventUserRestPojo.class)
public EventUserRestPojo getEventUser(
@ApiParam("Card authentication code") @PathParam("cardauthcode") String code) {
@ApiParam("Card authentication code") @PathParam("cardauthcode") String code) {
EventUser user = userbean.getUserByAuthcode(code);
if (user != null)
......@@ -283,123 +283,124 @@ public class UserRestView {
return new EventUserRestPojo();
}
@GET
@Path("/")
@Produces({ MediaType.APPLICATION_JSON })
@ApiOperation(value = "Find event user", response = EventUserRestPojo.class)
public Response getEventUser(@QueryParam("email") @ApiParam("Email address") String email,
@QueryParam("login") @ApiParam("Username") String userName) {
try {
if (permbean.hasPermission(UserPermission.VIEW_ALL) == false) {
return Response.status(Status.FORBIDDEN).build();
}
EventUser eventUser;
User user = null;
// If username not given, try to find username by email
if (userName == null || userName.isEmpty()) {
user = userbean.findUserByEmailUsername(email);
}
if(user != null) {
eventUser = userbean.getEventUser(user, true);
} else {
// Get the user
eventUser = userbean.findEventuserByLogin(userName);
}
if (eventUser == null) {
return Response.status(Status.NOT_FOUND).build();
}
// Return the EventUser
return Response.ok(PojoUtils.initEventUserRestPojo(eventUser)).build();
} catch (Exception e) {
logger.error("Finding event user failed", e);
return Response.serverError().build();
}
}
@POST
@Path("/{userid}/check-password")
@Produces({ MediaType.APPLICATION_JSON })
@ApiOperation(value = "Check user password", response = EventUserRestPojo.class)
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response checkPassword(@PathParam("userid") @ApiParam("User ID") Integer userId,
@FormParam("password") @ApiParam("Password") String password) {
try {
if (permbean.hasPermission(UserPermission.VIEW_ALL) == false) {
return Response.status(Status.FORBIDDEN).build();
}
EventUser user = userbean.findByUserId(userId, true);
if (user == null) {
return Response.status(Status.NOT_FOUND).build();
}
//boolean passwordOk = user.checkPassword(password);
boolean passwordOk = userbean.checkPassword(user, password);
if (passwordOk) {
return Response.ok(PojoUtils.initEventUserRestPojo(user), MediaType.APPLICATION_JSON_TYPE).build();
}
return Response.status(Status.UNAUTHORIZED).entity(PojoUtils.initErrorPojo("Wrong password")).build();
} catch (Exception e) {
logger.error("Checking user authentication failed", e);
return Response.serverError().entity(PojoUtils.initErrorPojo("Checking password failed")).build();
}
}
@POST
@Path("/{userid}/reset-password")
@Produces({ MediaType.APPLICATION_JSON })
@ApiOperation(value = "Reset user password", response = EventUserRestPojo.class)
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response resetPassword(@PathParam("userid") @ApiParam("User ID") Integer userId,
@FormParam("password") @ApiParam("New password") String password) {
try {
if (permbean.hasPermission(UserPermission.MODIFY) == false || permbean.hasPermission(UserPermission.VIEW_ALL)) {
return Response.status(Status.FORBIDDEN).build();
}
EventUser eventUser = userbean.findByUserId(userId, true);
User user = eventUser.getUser();
userbean.resetPassword(user, password);
return Response.ok(PojoUtils.initEventUserRestPojo(eventUser)).build();
} catch (Exception e) {
logger.error("Checking user authentication failed", e);
return Response.serverError().entity(PojoUtils.initErrorPojo("Resetting user password failed")).build();
}
}
/**
* Post forma parameter "image" with the image data in it.
* @param request
* @param userId
* @return
* @throws IOException
*/
@PUT
@Path("/{userid}/image")
@ApiOperation(value = "Upload image", response = EventUserRestPojo.class)
@Consumes(MediaType.MULTIPART_FORM_DATA)
public Response updateUserImage(@Context HttpServletRequest request,
@PathParam("userid") @ApiParam("User ID") Integer userId) throws IOException {
try {
if (permbean.hasPermission(UserPermission.MODIFY) == false || permbean.hasPermission(UserPermission.VIEW_ALL)) {
return Response.status(Status.FORBIDDEN).build();
}
Part imagePart = request.getPart("image");
EventUser eventUser = userbean.findByUserId(userId, true);
UserImage userImage = userbean.uploadImage(eventUser, imagePart.getContentType(),
imagePart.getInputStream(), imagePart.getSubmittedFileName(), null);
return Response.ok(PojoUtils.initEventUserRestPojo(eventUser)).build();
} catch (ServletException e) {
logger.error("Updating user image failed", e);
return Response.serverError().entity(PojoUtils.initErrorPojo("Updating user image failed")).build();
}
}
@GET
@Path("/")
@Produces({MediaType.APPLICATION_JSON})
@ApiOperation(value = "Find event user", response = EventUserRestPojo.class)
public Response getEventUser(@QueryParam("email") @ApiParam("Email address") String email,
@QueryParam("login") @ApiParam("Username") String userName) {
try {
if (permbean.hasPermission(UserPermission.VIEW_ALL) == false) {
return Response.status(Status.FORBIDDEN).build();
}
EventUser eventUser;
User user = null;
// If username not given, try to find username by email
if (userName == null || userName.isEmpty()) {
user = userbean.findUserByEmailUsername(email);
}
if (user != null) {
eventUser = userbean.getEventUser(user, true);
} else {
// Get the user
eventUser = userbean.findEventuserByLogin(userName);
}
if (eventUser == null) {
return Response.status(Status.NOT_FOUND).build();
}
// Return the EventUser
return Response.ok(PojoUtils.initEventUserRestPojo(eventUser)).build();
} catch (Exception e) {
logger.error("Finding event user failed", e);
return Response.serverError().build();
}
}
@POST
@Path("/{userid}/check-password")
@Produces({MediaType.APPLICATION_JSON})
@ApiOperation(value = "Check user password", response = EventUserRestPojo.class)
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response checkPassword(@PathParam("userid") @ApiParam("User ID") Integer userId,
@FormParam("password") @ApiParam("Password") String password) {
try {
if (permbean.hasPermission(UserPermission.VIEW_ALL) == false) {
return Response.status(Status.FORBIDDEN).build();
}
EventUser user = userbean.findByUserId(userId, true);
if (user == null) {
return Response.status(Status.NOT_FOUND).build();
}
//boolean passwordOk = user.checkPassword(password);
boolean passwordOk = userbean.checkPassword(user, password);
if (passwordOk) {
return Response.ok(PojoUtils.initEventUserRestPojo(user), MediaType.APPLICATION_JSON_TYPE).build();
}
return Response.status(Status.UNAUTHORIZED).entity(PojoUtils.initErrorPojo("Wrong password")).build();
} catch (Exception e) {
logger.error("Checking user authentication failed", e);
return Response.serverError().entity(PojoUtils.initErrorPojo("Checking password failed")).build();
}
}
@POST
@Path("/{userid}/reset-password")
@Produces({MediaType.APPLICATION_JSON})
@ApiOperation(value = "Reset user password", response = EventUserRestPojo.class)
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response resetPassword(@PathParam("userid") @ApiParam("User ID") Integer userId,
@FormParam("password") @ApiParam("New password") String password) {
try {
if (permbean.hasPermission(UserPermission.MODIFY) == false || permbean.hasPermission(UserPermission.VIEW_ALL)) {
return Response.status(Status.FORBIDDEN).build();
}
EventUser eventUser = userbean.findByUserId(userId, true);
User user = eventUser.getUser();
userbean.resetPassword(user, password);
return Response.ok(PojoUtils.initEventUserRestPojo(eventUser)).build();
} catch (Exception e) {
logger.error("Checking user authentication failed", e);
return Response.serverError().entity(PojoUtils.initErrorPojo("Resetting user password failed")).build();
}
}
/**
* Post forma parameter "image" with the image data in it.
*
* @param request
* @param userId
* @return
* @throws IOException
*/
@PUT
@Path("/{userid}/image")
@ApiOperation(value = "Upload image", response = EventUserRestPojo.class)
@Consumes(MediaType.MULTIPART_FORM_DATA)
public Response updateUserImage(@Context HttpServletRequest request,
@PathParam("userid") @ApiParam("User ID") Integer userId) throws IOException {
try {
if (permbean.hasPermission(UserPermission.MODIFY) == false || permbean.hasPermission(UserPermission.VIEW_ALL)) {
return Response.status(Status.FORBIDDEN).build();
}
Part imagePart = request.getPart("image");
EventUser eventUser = userbean.findByUserId(userId, true);
UserImage userImage = userbean.uploadImage(eventUser, imagePart.getContentType(),
imagePart.getInputStream(), imagePart.getSubmittedFileName(), null);
return Response.ok(PojoUtils.initEventUserRestPojo(eventUser)).build();
} catch (ServletException e) {
logger.error("Updating user image failed", e);
return Response.serverError().entity(PojoUtils.initErrorPojo("Updating user image failed")).build();
}
}
}
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!