From 34af3c202a7f1161c755639576f5ef4d92167b84 Mon Sep 17 00:00:00 2001
From: Brian Caruso
Date: Tue, 20 Aug 2013 11:40:23 -0400
Subject: [PATCH] Adding email password method to PolicyHelper. Adding getClientAddr to VitroRequest
---
 .../webapp/auth/policy/PolicyHelper.java | 50 ++++++++++++++++++-
 .../vitro/webapp/controller/VitroRequest.java | 12 +++++
 .../freemarker/FreemarkerHttpServlet.java | 8 +--
 .../controller/SearchServiceController.java | 33 +++---------
 .../SparqlUpdateTestDataGetter.java | 2 +-
 5 files changed, 73 insertions(+), 32 deletions(-)
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
index ec9611df3..b27a8de8a 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/PolicyHelper.java
@@ -17,8 +17,10 @@ import com.hp.hpl.jena.rdf.model.Resource;
 import com.hp.hpl.jena.rdf.model.Statement;
 import com.hp.hpl.jena.rdf.model.StmtIterator;
+import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
 import edu.cornell.mannlib.vitro.webapp.auth.identifier.RequestIdentifiers;
+import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
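Review bot: The new `SimplePermission` import in PolicyHelper is not referenced by any line this patch adds to that file; the new isAuthorizedForActions overload takes its `Actions` from the caller, so the import looks unused. Drop it unless the rest of the file (not visible here) uses it; the sibling `ActiveIdentifierBundleFactories` import is used by the new method, so only this one is suspect.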
@@ -26,6 +28,9 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPro
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropertyStatement;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropertyStatement;
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+import edu.cornell.mannlib.vitro.webapp.controller.authenticate.Authenticator;
+import edu.cornell.mannlib.vitro.webapp.controller.authenticate.BasicAuthenticator;
 /**
  * A collection of static methods to help determine whether requested actions
@@ -53,7 +58,7 @@ public class PolicyHelper {
         IdentifierBundle ids = RequestIdentifiers.getIdBundleForRequest(req);
         return isAuthorizedForActions(ids, policy, actions);
     }
-
+
     /**
      * Are these actions authorized for these identifiers by these policies?
      */
@@ -62,6 +67,48 @@ public class PolicyHelper {
         return Actions.notNull(actions).isAuthorized(policy, ids);
     }
+    /**
+     * Is the email/password authorized for these actions?
+     * This should be used when a controller or something needs allow
+     * actions if the user passes in their email and password.
+     *
+     * It may be better to check this as part of a servlet Filter and
+     * add an identifier bundle.
+     */
+    public static boolean isAuthorizedForActions( HttpServletRequest req,
+            String email, String password,
+            Actions actions){
+
+        if( password == null || email == null ||
+            password.isEmpty() || email.isEmpty()){
+            return false;
+        }
+
+        try{
+            Authenticator basicAuth = new BasicAuthenticator(req);
+            UserAccount user = basicAuth.getAccountForInternalAuth( email );
+            log.debug("userAccount is " + user==null?"null":user.getUri() );
+
+            if( ! basicAuth.isCurrentPassword( user, password ) ){
+                log.debug(String.format("UNAUTHORIZED, password not accepted for %s, account URI: %s",
+                        user.getEmailAddress(), user.getUri()));
+                return false;
+            }else{
+                log.debug(String.format("password accepted for %s, account URI: %s",
+                        user.getEmailAddress(), user.getUri() ));
+                // figure out if that account can do the actions
+                IdentifierBundle ids =
+                    ActiveIdentifierBundleFactories.getUserIdentifierBundle(req,user);
+                PolicyIface policy = ServletPolicyList.getPolicies(req);
+                return PolicyHelper.isAuthorizedForActions( ids, policy, actions );
+            }
+
+        }catch(Exception ex){
+            log.error("Error while attempting to authorize actions " + actions.toString(), ex);
+            return false;
+        }
+    }
+
     /**
      * Do the current policies authorize the current user to add this statement
      * to this model?
@@ -260,6 +307,7 @@ public class PolicyHelper {
                 + stmt.getObject() + ">";
     }
+
     /**
      * No need to instantiate this helper class - all methods are static.
      */
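Review bot: `log.debug("userAccount is " + user==null?"null":user.getUri() );` is parsed as `("userAccount is " + user) == null ? ... : user.getUri()`, and the concatenation is never null, so the line always calls `user.getUri()` and throws NullPointerException whenever getAccountForInternalAuth returns null for an unknown email. The surrounding catch(Exception) turns that into a log.error with a stack trace on every bad-email attempt, so unauthenticated callers can fill the error log, and even with the precedence fixed the `user.getEmailAddress()` calls in the UNAUTHORIZED branch dereference `user` before anything has checked it. Add an explicit guard after the lookup, `if (user == null) { log.debug("no account for " + email); return false; }`, and parenthesize the debug line as `log.debug("userAccount is " + (user == null ? "null" : user.getUri()));`. Separately, this helper re-verifies a password on every call with no failed-attempt counting or lockout visible here; if BasicAuthenticator's normal login flow provides that, this path bypasses it, so the javadoc should warn that callers passing per-request credentials are exposed to online guessing until such a check exists — confirm against Authenticator.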
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroRequest.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroRequest.java
index 854c09ac7..a882e124d 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroRequest.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/VitroRequest.java
@@ -171,6 +171,18 @@ public class VitroRequest extends HttpServletRequestWrapper {
         return getWebappDaoFactory().getApplicationDao().getApplicationBean();
     }
+    /**
+     * Gets the the ip of the client.
+     * This will be X-forwarded-for header or, if that header is not
+     * set, getRemoteAddr(). This still may not be the client's address
+     * as they may be using a proxy.
+     *
+     */
+    public String getClientAddr(){
+        String xff = getHeader("x-forwarded-for");
+        return ( xff == null || xff.trim().isEmpty() ) ? getRemoteAddr() : xff;
+    }
+
     @SuppressWarnings("unchecked")
     @Override
     public Map getParameterMap() {
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
index 135cf29b2..71eeaf006 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/controller/freemarker/FreemarkerHttpServlet.java
@@ -2,7 +2,7 @@ package edu.cornell.mannlib.vitro.webapp.controller.freemarker;
-import static javax.mail.Message.RecipientType.TO;
+import static javax.mail.Message.RecipientType.*;
 import java.io.IOException;
 import java.io.PrintWriter;
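Review bot: `getClientAddr()` returns the `x-forwarded-for` header verbatim whenever it is non-blank, and that header is set by whoever sends the request, so any caller can choose the address this method reports; it is also commonly a comma-separated chain of addresses rather than a single one. Since this same patch uses the value in SearchServiceController's failed-login log lines, an attacker can forge the address recorded against their own attempts. Either consult the header only when `getRemoteAddr()` is a configured trusted proxy (taking the appropriate element of the list), or document that the value is untrusted and for logging only, e.g. add to the javadoc `* NOTE: X-Forwarded-For is client-supplied and may be forged or hold a comma-separated chain; never use this value for authorization or lockout decisions.` The javadoc's "Gets the the ip" also has a doubled word.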
@@ -23,6 +23,7 @@ import org.apache.commons.logging.LogFactory;
 import edu.cornell.mannlib.vitro.webapp.auth.permissions.SimplePermission;
 import edu.cornell.mannlib.vitro.webapp.auth.policy.PolicyHelper;
 import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.Actions;
+import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequiresActions;
 import edu.cornell.mannlib.vitro.webapp.beans.ApplicationBean;
 import edu.cornell.mannlib.vitro.webapp.beans.DisplayMessage;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
@@ -48,7 +49,7 @@ import freemarker.template.TemplateModel;
 import freemarker.template.TemplateModelException;
 import freemarker.template.utility.DeepUnwrap;
-public class FreemarkerHttpServlet extends VitroHttpServlet {
+public class FreemarkerHttpServlet extends VitroHttpServlet {
     private static final long serialVersionUID = 1L;
     private static final Log log = LogFactory.getLog(FreemarkerHttpServlet.class);
@@ -203,7 +204,8 @@ public class FreemarkerHttpServlet extends VitroHttpServlet {
      * NB This method can't be static, because then the superclass method gets called rather than
      * the subclass method. For the same reason, it can't refer to a static or instance field
      * REQUIRED_ACTIONS which is overridden in the subclass.
-     */
+     *
+     */
     protected Actions requiredActions(VitroRequest vreq) {
         return Actions.AUTHORIZED;
     }
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/SearchServiceController.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/SearchServiceController.java
index 1d82546a6..b2dd876ab 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/SearchServiceController.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/search/controller/SearchServiceController.java
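Review bot: The added `RequiresActions` import is not used by any line this patch touches in FreemarkerHttpServlet — the class-declaration hunk changes only whitespace and `requiredActions` itself is unchanged — so as far as this diff shows it is an unused import. If it anticipates declaring `implements RequiresActions` (which would also explain SearchServiceController widening `requiredActions` to public in this same patch), make that change here, otherwise leave the import out until it is needed.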
@@ -43,7 +43,7 @@ public class SearchServiceController extends FreemarkerHttpServlet {
      * userAccount associated with the email.
      */
     @Override
-    protected Actions requiredActions(VitroRequest vreq) {
+    public Actions requiredActions(VitroRequest vreq) {
         try{
             // Works by side effect: parse the multi-part request and stash FileItems in request
             FileUploadServletRequest.parseRequest(vreq, 0);
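Review bot: `requiredActions` is widened from `protected` to `public` here while the superclass method in FreemarkerHttpServlet stays `protected` in this same patch, and nothing visible needs the wider visibility. Widening an authorization hook without a stated reason invites calls from outside the servlet lifecycle later; if this is groundwork for a RequiresActions interface, say so in a comment or land it with that interface, otherwise keep `protected Actions requiredActions(VitroRequest vreq) {`. The method body continues past this hunk.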
@@ -52,42 +52,21 @@ public class SearchServiceController extends FreemarkerHttpServlet {
             String pw = vreq.getParameter("password");
             String email = vreq.getParameter("email");
-            log.debug(String.format("email: '%s' password: '%s' ",email,pw));
-
             if( pw == null || email == null || pw.isEmpty() || email.isEmpty()){
                 return SimplePermission.MANAGE_SEARCH_INDEX.ACTIONS;
             }
-            Authenticator basicAuth = new BasicAuthenticator(vreq);
-            UserAccount user = basicAuth.getAccountForInternalAuth( email );
-            log.debug("userAccount is " + user==null?"null":user.getUri() );
-
-            if( ! basicAuth.isCurrentPassword( user, pw ) ){
-                log.debug(String.format("UNAUTHORIZED, password not accepted for %s, account URI: %s",
-                        user.getEmailAddress(), user.getUri()));
-                return Actions.UNAUTHORIZED;
-            }else{
-                log.debug(String.format("password accepted for %s, account URI: %s",
-                        user.getEmailAddress(), user.getUri() ));
-            }
-
-            //then figure out if that account can manage the search index.
-            IdentifierBundle ids =
-                ActiveIdentifierBundleFactories.getUserIdentifierBundle(vreq,user);
-            PolicyIface policy = ServletPolicyList.getPolicies(vreq);
-            boolean canManageSearchIndex =
-                PolicyHelper.isAuthorizedForActions( ids, policy,
-                        SimplePermission.MANAGE_SEARCH_INDEX.ACTIONS );
-            if( canManageSearchIndex ){
+            if( PolicyHelper.isAuthorizedForActions(vreq, email, pw,
+                    SimplePermission.MANAGE_SEARCH_INDEX.ACTIONS ) ){
                 return Actions.AUTHORIZED;
             }else{
-                log.debug(String.format("userAccount is unauthorized to" +
-                        " manage the search index.",user.getUri()));
+                log.debug(email + " is unauthorized to manage the search index. " +
+                        "client IP "+vreq.getClientAddr());
                 return Actions.UNAUTHORIZED;
             }
         }catch(Exception ex){
-            log.error("Error while attempting to log in " +
+            log.error("Error while client IP "+ vreq.getClientAddr() + " attempting to log in " +
                     "to SearchServiceController: " + ex.getMessage());
             return Actions.UNAUTHORIZED;
         }
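Review bot: The "client IP" written by the new log.debug and log.error lines comes from `vreq.getClientAddr()`, which per the VitroRequest hunk in this patch prefers the client-supplied X-Forwarded-For header, so the caller whose login just failed controls the address recorded against it. Log `vreq.getRemoteAddr()` as well (or instead, unless the app is known to sit behind a proxy that overwrites the header), e.g. `"client IP " + vreq.getRemoteAddr() + " x-forwarded-for " + vreq.getClientAddr()`. The `email` parameter is likewise echoed into the log unmodified; stripping line breaks first (`email.replaceAll("[\\r\\n]", "_")`) keeps a crafted value from forging additional log entries. The catch block still logs only `ex.getMessage()`; pass `ex` as the second argument to log.error so the stack trace is kept. Finally, `getParameter("password")` also reads query-string values, so unless this servlet is restricted to POST elsewhere (not visible here) credentials can arrive on a GET URL and land in access logs — consider rejecting credentials on non-POST requests.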
diff --git a/webapp/src/edu/cornell/mannlib/vitro/webapp/utils/dataGetter/SparqlUpdateTestDataGetter.java b/webapp/src/edu/cornell/mannlib/vitro/webapp/utils/dataGetter/SparqlUpdateTestDataGetter.java
index 4a6a054f2..0d0ac41aa 100644
--- a/webapp/src/edu/cornell/mannlib/vitro/webapp/utils/dataGetter/SparqlUpdateTestDataGetter.java
+++ b/webapp/src/edu/cornell/mannlib/vitro/webapp/utils/dataGetter/SparqlUpdateTestDataGetter.java
@@ -21,7 +21,7 @@ import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
 import edu.cornell.mannlib.vitro.webapp.dao.jena.RDFServiceDataset;
 /**
- * Test to experement with Jena ARQ SPARQL update and the RDFServiceDataset.
+ * Test to experiment with Jena ARQ SPARQL update and the RDFServiceDataset.
  */
 public class SparqlUpdateTestDataGetter implements DataGetter{
     private static final Log log = LogFactory.getLog(SparqlUpdateTestDataGetter.class);