securing edit delete

Katerina Iatropoulou 2020-11-19 11:36:54 +00:00
parent ccb0ca193e
commit 46af960f38
5 changed files with 121 additions and 51 deletions


@ -1,6 +1,7 @@
package eu.dnetlib.openaire.usermanagement; package eu.dnetlib.openaire.usermanagement;
import org.mitre.openid.connect.model.OIDCAuthenticationToken; import org.mitre.openid.connect.model.OIDCAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import javax.servlet.ServletException; import javax.servlet.ServletException;
@ -19,6 +20,7 @@ public class OverviewServlet extends HttpServlet {
if (isAuthenticated) { if (isAuthenticated) {
OIDCAuthenticationToken authentication = (OIDCAuthenticationToken) SecurityContextHolder.getContext().getAuthentication(); OIDCAuthenticationToken authentication = (OIDCAuthenticationToken) SecurityContextHolder.getContext().getAuthentication();
StringBuilder name = new StringBuilder().append(authentication.getUserInfo().getGivenName().charAt(0)); StringBuilder name = new StringBuilder().append(authentication.getUserInfo().getGivenName().charAt(0));
name.append(authentication.getUserInfo().getFamilyName().charAt(0)); name.append(authentication.getUserInfo().getFamilyName().charAt(0));
request.getSession().setAttribute("authenticated", isAuthenticated); request.getSession().setAttribute("authenticated", isAuthenticated);


@ -195,7 +195,9 @@ public class RegisterServiceServlet extends HttpServlet {
if (mode.equals("create")) { if (mode.equals("create")) {
//Careful! Redirects in method //Careful! Redirects in method
checkNumberOfRegisteredServices(request, response, authentication); if (!checkNumberOfRegisteredServices(request, response, authentication)) {
return;
}
String serverRequestJSON = null; String serverRequestJSON = null;
if(keyType == null) { if(keyType == null) {
serverRequestJSON = createServiceJson(null, name, email); serverRequestJSON = createServiceJson(null, name, email);
@ -223,7 +225,7 @@ public class RegisterServiceServlet extends HttpServlet {
if(registeredService.getKeyType() != null) { if(registeredService.getKeyType() != null) {
request.getSession().setAttribute("success", request.getSession().setAttribute("success",
"Your service has been successfully registered!<br>" + "Your service has been successfully registered!<br>" +
"<b>Client ID<b>: " + serviceResponse.getClientId()); "<b>Client ID</b>: " + serviceResponse.getClientId());
} else { } else {
request.getSession().setAttribute("success", request.getSession().setAttribute("success",
"Your service has been successfully registered!<br>" + "Your service has been successfully registered!<br>" +
@ -256,61 +258,63 @@ public class RegisterServiceServlet extends HttpServlet {
if (!registeredServicesUtils.isAuthorized(authentication.getSub(), serviceIdInt)) { if (!registeredServicesUtils.isAuthorized(authentication.getSub(), serviceIdInt)) {
request.getSession().setAttribute("message", "You have no permission to edit the service."); request.getSession().setAttribute("message", "You have no permission to edit the service.");
response.sendRedirect("./registeredServices"); response.sendRedirect("./registeredServices");
}
RegisteredService registeredService = registeredServicesUtils.getRegisteredServiceDao().fetchRegisteredServiceById(serviceIdInt); } else {
if (registeredService != null && registeredService.getClientId() != null) {
String serverRequestJSON = null;
if (keyType == null) {
serverRequestJSON = createServiceJson(registeredService.getClientId(), name, email);
} else if (keyType.equals("uri")) {
serverRequestJSON = createServiceJson(registeredService.getClientId(), name, email, jwksUri);
} else if (keyType.equals("value")) {
serverRequestJSON = createServiceJson(registeredService.getClientId(), name, email, jwks);
}
if (serverRequestJSON != null) {
System.out.println("SERVER JSON " + serverRequestJSON);
HttpResponse resp = tokenUtils.updateService(registeredService.getClientId(), serverRequestJSON, registeredService.getRegistrationAccessToken());
if (resp.getStatusLine().getStatusCode() == 200) {
System.out.println("NAME >>>>" + name);
registeredService.setName(name);
System.out.println("Client Id " + registeredService.getClientId()); RegisteredService registeredService = registeredServicesUtils.getRegisteredServiceDao().fetchRegisteredServiceById(serviceIdInt);
try { if (registeredService != null && registeredService.getClientId() != null) {
registeredServicesUtils.getRegisteredServiceDao().update(registeredService); String serverRequestJSON = null;
} catch (SQLException sqle) { if (keyType == null) {
logger.error("Unable to contact db.", sqle); serverRequestJSON = createServiceJson(registeredService.getClientId(), name, email);
request.getSession().setAttribute("message", "Fail to delete the service. Please try again later."); } else if (keyType.equals("uri")) {
response.setContentType("text/html"); serverRequestJSON = createServiceJson(registeredService.getClientId(), name, email, jwksUri);
request.getRequestDispatcher("./registeredServices.jsp").include(request, response); } else if (keyType.equals("value")) {
return; serverRequestJSON = createServiceJson(registeredService.getClientId(), name, email, jwks);
}
request.getSession().setAttribute("success",
"Your service has been successfully updated!<br>" +
"<b>Client ID</b>: " + registeredService.getClientId());
} }
if (serverRequestJSON != null) {
System.out.println("SERVER JSON " + serverRequestJSON);
HttpResponse resp = tokenUtils.updateService(registeredService.getClientId(), serverRequestJSON, registeredService.getRegistrationAccessToken());
if (resp.getStatusLine().getStatusCode() == 200) {
System.out.println("NAME >>>>" + name);
registeredService.setName(name);
System.out.println("Client Id " + registeredService.getClientId());
try {
registeredServicesUtils.getRegisteredServiceDao().update(registeredService);
} catch (SQLException sqle) {
logger.error("Unable to contact db.", sqle);
request.getSession().setAttribute("message", "Fail to delete the service. Please try again later.");
response.setContentType("text/html");
request.getRequestDispatcher("./registeredServices.jsp").include(request, response);
return;
}
request.getSession().setAttribute("success",
"Your service has been successfully updated!<br>" +
"<b>Client ID</b>: " + registeredService.getClientId());
}
} else {
request.getSession().setAttribute("message", "Service with id " + serviceId + " does not exist.");
response.sendRedirect("./registeredServices");
return;
}
} else { } else {
request.getSession().setAttribute("message", "Service with id " + serviceId + " does not exist."); logger.error("Service request JSON is null");
request.getSession().setAttribute("message", "There was an error registering your service. Please try again later.");
response.sendRedirect("./registeredServices"); response.sendRedirect("./registeredServices");
return; return;
} }
} else {
logger.error("Service request JSON is null");
request.getSession().setAttribute("message", "There was an error registering your service. Please try again later.");
response.sendRedirect("./registeredServices");
return;
} }
} catch(SQLException sqle){ } catch(SQLException sqle){
logger.error("Unable to access service with id " + serviceId, sqle); logger.error("Unable to access service with id " + serviceId, sqle);
request.getSession().setAttribute("message", "There was an error accessing your service."); request.getSession().setAttribute("message", "There was an error accessing your service.");
response.sendRedirect("./registeredServices"); response.sendRedirect("./registeredServices");
} catch(NumberFormatException nfe){ } catch(NumberFormatException nfe){
logger.error("Unable to access service with id " + serviceId, nfe); logger.error("Unable to access service with id " + serviceId, nfe);
request.getSession().setAttribute("message", "Service with id " + serviceId + " does not exist."); request.getSession().setAttribute("message", "Service with id " + serviceId + " does not exist.");
response.sendRedirect("./registeredServices"); response.sendRedirect("./registeredServices");
} }
} }
} }
@ -358,21 +362,24 @@ public class RegisterServiceServlet extends HttpServlet {
return name != null && !name.isEmpty(); return name != null && !name.isEmpty();
} }
private void checkNumberOfRegisteredServices(HttpServletRequest request, HttpServletResponse response, OIDCAuthenticationToken authentication) throws IOException { private boolean checkNumberOfRegisteredServices(HttpServletRequest request, HttpServletResponse response, OIDCAuthenticationToken authentication) throws IOException {
try { try {
long numberOfRegisteredServices = long numberOfRegisteredServices =
registeredServicesUtils.getRegisteredServiceDao().countRegisteredServices(authentication.getSub()); registeredServicesUtils.getRegisteredServiceDao().countRegisteredServices(authentication.getSub());
if (numberOfRegisteredServices >= 5) { if (numberOfRegisteredServices >= 5) {
response.sendRedirect("./registeredServices"); // The message there already exists. response.sendRedirect("./registeredServices"); // The message there already exists.
return false;
} }
} catch (SQLException sqle) { } catch (SQLException sqle) {
logger.error("Unable to count registered services.", sqle); logger.error("Unable to count registered services.", sqle);
request.getSession().setAttribute("message", "Unable to contact DB. Please try again later."); request.getSession().setAttribute("message", "Unable to contact DB. Please try again later.");
response.sendRedirect("./registeredServices"); response.sendRedirect("./registeredServices");
return; return false;
} }
return true;
} }
private static String createServiceJson(String clientId, String name, String email) { private static String createServiceJson(String clientId, String name, String email) {
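Review bot: In the edit branch of this section the two `else` arms look attached to the wrong conditions: as rendered, the `else` of `if (serverRequestJSON != null)` sets "Service with id ... does not exist.", while the `else` of `if (registeredService != null && registeredService.getClientId() != null)` logs `Service request JSON is null`. The commit re-nests the block under the authorization check but keeps that pairing, so a missing service is logged as a JSON failure and an unrecognised `keyType` is reported as a missing service, which makes the log trail for edit attempts misleading; swapping the two bodies fixes it. A non-200 reply from `tokenUtils.updateService` also passes without any log or message, and the retained `System.out.println("SERVER JSON " + serverRequestJSON);` would be better routed through the class's `logger` at debug level. The enclosing method starts and ends outside the hunk.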


@ -155,6 +155,6 @@ public class RegisteredServicesServlet extends HttpServlet {
} }
private boolean reachedMaximumNumberOfServices(List<RegisteredService> registeredServices) { private boolean reachedMaximumNumberOfServices(List<RegisteredService> registeredServices) {
return registeredServices.size() == 5; return registeredServices.size() >= 5;
} }
} }
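Review bot: The per-user limit is written as the literal `5` here and again in `checkNumberOfRegisteredServices` in `RegisterServiceServlet` (`numberOfRegisteredServices >= 5`), so the page logic and the enforcement check can drift apart. A shared constant, for example `static final int MAX_REGISTERED_SERVICES = 5;`, referenced from both places would keep them in step. The enforcement is a count followed later by an insert; if the two do not run in one transaction, parallel create requests could still exceed the limit, and a database-side constraint would be needed to rule that out. The insert is not visible in this diff, so that part is to be confirmed.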


@ -1,6 +1,7 @@
package eu.dnetlib.openaire.usermanagement.utils; package eu.dnetlib.openaire.usermanagement.utils;
import com.google.gson.JsonParser; import com.google.gson.JsonParser;
import eu.dnetlib.openaire.usermanagement.api.Test3Service;
import org.apache.commons.io.IOUtils; import org.apache.commons.io.IOUtils;
import org.apache.http.HttpResponse; import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair; import org.apache.http.NameValuePair;
@ -9,7 +10,9 @@ import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients; import org.apache.http.impl.client.HttpClients;
import org.apache.http.message.BasicNameValuePair; import org.apache.http.message.BasicNameValuePair;
import org.apache.log4j.Logger;
import org.mitre.openid.connect.model.OIDCAuthenticationToken; import org.mitre.openid.connect.model.OIDCAuthenticationToken;
import org.springframework.beans.factory.annotation.Value;
import javax.ws.rs.core.MediaType; import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response; import javax.ws.rs.core.Response;
@ -24,6 +27,18 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
public class AuthenticationUtils { public class AuthenticationUtils {
@Value("${oidc.issuer}")
private String issuer;
@Value("${oidc.secret}")
private String secret;
@Value("${oidc.id}")
private String id;
private Logger logger = Logger.getLogger(AuthenticationUtils.class);
public static boolean isAuthenticated(OIDCAuthenticationToken authenticationToken) { public static boolean isAuthenticated(OIDCAuthenticationToken authenticationToken) {
if (authenticationToken != null) { if (authenticationToken != null) {
return true; return true;
@ -38,4 +53,50 @@ public class AuthenticationUtils {
long exp = new JsonParser().parse(new String(Base64.getDecoder().decode(matcher.group(2)))).getAsJsonObject().get("exp").getAsLong(); long exp = new JsonParser().parse(new String(Base64.getDecoder().decode(matcher.group(2)))).getAsJsonObject().get("exp").getAsLong();
return (exp - (new Date().getTime()/1000)<=0); return (exp - (new Date().getTime()/1000)<=0);
} }
/*
public void refreshAccessToken(String refreshToken) {
//TODO fix this
if (refreshToken == null || refreshToken.isEmpty()) {
return;
}
CloseableHttpClient httpclient = HttpClients.createDefault();
HttpPost httppost = new HttpPost(issuer+"/token");
// Request parameters and other properties.
List<NameValuePair> params = new ArrayList<NameValuePair>();
params.add(new BasicNameValuePair("client_id", id));
params.add(new BasicNameValuePair("client_secret", secret));
params.add(new BasicNameValuePair("grant_type", "refresh_token"));
params.add(new BasicNameValuePair("refresh_token", refreshToken));
params.add(new BasicNameValuePair("scope", "openid"));
HttpResponse response = null;
try {
httppost.setEntity(new UrlEncodedFormEntity(params, "UTF-8"));
//Execute and get the response.
response = httpclient.execute(httppost);
org.apache.http.HttpEntity entity = response.getEntity();
//TODO fix this
if (response.getStatusLine().getStatusCode() == 401) {
return;
}
String serverMessage = IOUtils.toString(entity.getContent(), StandardCharsets.UTF_8.name());
} catch (UnsupportedEncodingException uee) {
logger.error(uee);
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(String.format(, 500, "Fail to get access token.", uee.getMessage()))
.type(MediaType.APPLICATION_JSON).build();
} catch (IOException ioe) {
logger.error(ioe);
return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity(String.format(, 500, "Fail to get access token.", ioe.getMessage()))
.type(MediaType.APPLICATION_JSON).build();
}
}*/
} }
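Review bot: The new `issuer`, `secret` and `id` fields are read only by the commented-out `refreshAccessToken` draft, so this change brings the OIDC client secret into `AuthenticationUtils` without any live code that needs it. I would leave the three `@Value` fields, the `logger` and the commented block out until the method is implemented; as drafted it also would not compile (`String.format(, 500, ...)`, and `return Response...` from a `void` method) and its error responses echo exception messages to the caller. The only live method shown is `static`, so if the class is not a Spring-managed bean the `@Value` fields will stay `null`, which is worth confirming. The added `import eu.dnetlib.openaire.usermanagement.api.Test3Service;` is not used in any visible line.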


@ -166,7 +166,7 @@
<button id="create" type="submit" class="uk-button uk-button-primary" onclick="return validate();"> <button id="create" type="submit" class="uk-button uk-button-primary" onclick="return validate();">
<c:choose> <c:choose>
<c:when test="${not empty param.id}"> <c:when test="${not empty param.id}">
Edit service Update service
</c:when> </c:when>
<c:otherwise> <c:otherwise>
Add new service Add new service