private AuthToken getAuthTokenForApp(
HttpServletRequest req, HttpServletResponse resp, boolean doNotSendHttpError)
throws IOException, ServiceException {
Config config = Provisioning.getInstance().getConfig();
int adminPort = config.getIntAttr(Provisioning.A_zimbraAdminPort, 0);
if (adminPort == req.getLocalPort()) {
return getAdminAuthTokenFromCookie(req, resp, doNotSendHttpError);
}
return getAuthTokenFromCookie(req, resp, doNotSendHttpError);
}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
if (!isHttpReq(request, response)) {
return;
}
HttpServletRequest req = (HttpServletRequest) request;
HttpServletResponse resp = (HttpServletResponse) response;
AuthToken authToken;
try {
authToken = getAuthTokenForApp(req, resp, false);
} catch (ServiceException se) {
ZimbraLog.zimlet.info("can't get authToken: " + se.getMessage());
resp.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
if (authToken == null) {
// error was already sent out
return;
}
boolean isAdminAuth = false;
// ZimbraLog.zimlet.info(">>> isAdminAuth: "+isAdminAuth);
// get list of allowed zimlets
Provisioning prov = Provisioning.getInstance();
List<Zimlet> allowedZimlets = new LinkedList<Zimlet>();
List<Zimlet> allZimlets = new LinkedList<Zimlet>();
try {
isAdminAuth =
AdminAccessControl.getAdminAccessControl(authToken)
.isSufficientAdminForZimletFilterServlet();
// add all available zimlets
if (!isAdminAuth) {
// zimlets for this account's COS
Account account = prov.get(AccountBy.id, authToken.getAccountId(), authToken);
for (String zimletName : ZimletUtil.getAvailableZimlets(account).getZimletNamesAsArray()) {
Zimlet zimlet = prov.getZimlet(zimletName);
if (zimlet == null) continue;
if (zimlet.isEnabled()) {
allowedZimlets.add(zimlet);
}
allZimlets.add(zimlet);
}
}
// add the admin zimlets
else {
allZimlets = prov.listAllZimlets();
Iterator<Zimlet> iter = allZimlets.iterator();
while (iter.hasNext()) {
Zimlet zimlet = iter.next();
if (zimlet.isExtension()) {
if (zimlet.isEnabled()) {
allowedZimlets.add(zimlet);
}
}
}
}
} catch (ServiceException e) {
ZimbraLog.zimlet.info("unable to get list of zimlets");
resp.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
// order by priority
List<Zimlet> zimletList = ZimletUtil.orderZimletsByPriority(allowedZimlets);
Set<String> allowedZimletNames = getZimletNames(zimletList);
Set<String> allZimletNames = getZimletNames(allZimlets);
// get list of zimlets for request
Set<String> zimletNames = new LinkedHashSet<String>();
String uri = req.getRequestURI();
boolean isZimletRes = uri.startsWith(ZIMLET_RES_URL_PREFIX);
if (isZimletRes) {
zimletNames.addAll(allowedZimletNames);
} else {
Matcher matcher = mPattern.matcher(uri);
if (!matcher.matches()) {
ZimbraLog.zimlet.info("no zimlet specified in request");
resp.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
zimletNames.add(matcher.group(1));
}
// check access
File basedir = new File(LC.zimlet_directory.value());
File devdir = new File(basedir, ZimletUtil.ZIMLET_DEV_DIR);
Iterator<String> iter = zimletNames.iterator();
while (iter.hasNext()) {
String zimletName = iter.next();
try {
File devfile = new File(devdir, zimletName);
if (devfile.exists()) {
continue;
}
Zimlet zimlet = prov.getZimlet(zimletName);
if (zimlet == null) {
ZimbraLog.zimlet.info("no such zimlet: " + zimletName);
iter.remove();
allZimlets.remove(zimlet);
continue;
}
if (!allowedZimletNames.contains(zimletName)) {
ZimbraLog.zimlet.info(
"unauthorized request to zimlet "
+ zimletName
+ " from user "
+ authToken.getAccountId());
iter.remove();
allZimlets.remove(zimlet);
continue;
}
if (zimlet.isExtension() && !isAdminAuth) {
// ZimbraLog.zimlet.info("!!!!! removing extension zimlet: "+zimletName);
iter.remove();
allZimlets.remove(zimlet);
}
} catch (ServiceException se) {
ZimbraLog.zimlet.info(
"service exception to zimlet "
+ zimletName
+ " from user "
+ authToken.getAccountId()
+ ": "
+ se.getMessage());
iter.remove();
}
}
if (!isZimletRes) {
Matcher matcher = mPattern.matcher(uri);
if (matcher.matches()) {
String zimletName = matcher.group(1);
if (!zimletNames.contains(zimletName)) {
resp.sendError(HttpServletResponse.SC_FORBIDDEN);
return;
}
}
}
// force compilation of template
if (uri.endsWith(".template.js")) {
Matcher matcher = mPattern.matcher(uri);
if (matcher.matches()) {
String zimletName = matcher.group(1);
String opath = matcher.group(3);
String ipath = opath.replaceAll(".js$", "");
boolean isDevZimlet = uri.indexOf("_dev") != -1;
File zimletDir = new File(isDevZimlet ? devdir : basedir, zimletName);
File ifile = new File(zimletDir, ipath);
File ofile = new File(zimletDir, opath);
if (!ofile.exists() || (ifile.exists() && ifile.lastModified() > ofile.lastModified())) {
String prefix = zimletName + ".";
try {
TemplateCompiler.compile(
zimletDir, zimletDir, prefix, new String[] {ipath}, true, true);
} catch (IOException e) {
// ignore, let fail
}
}
}
}
// process request
req.setAttribute(ZimletFilter.ALLOWED_ZIMLETS, zimletNames);
req.setAttribute(ZimletFilter.ALL_ZIMLETS, allZimletNames);
chain.doFilter(req, resp);
}