/**
* Get the expected name for the manifest cookie.
*
* @return the name (null if none)
*/
private static String getManifestCookieName() {
AuraContext context = Aura.getContextService().getCurrentContext();
if (context.getApplicationDescriptor() != null) {
StringBuilder sb = new StringBuilder();
if (context.getMode() != Mode.PROD) {
sb.append(context.getMode());
sb.append("_");
}
sb.append(context.getApplicationDescriptor().getNamespace());
sb.append("_");
sb.append(context.getApplicationDescriptor().getName());
sb.append(MANIFEST_COOKIE_TAIL);
return sb.toString();
}
return null;
}
@Override
public void assertAccess(DefDescriptor<?> desc) throws QuickFixException {
if (!accessCache.contains(desc)) {
Aura.getLoggingService().incrementNum("SecurityProviderCheck");
DefType defType = desc.getDefType();
String ns = desc.getNamespace();
AuraContext context = Aura.getContextService().getCurrentContext();
Mode mode = context.getMode();
String prefix = desc.getPrefix();
//
// This breaks encapsulation! -gordon
//
boolean isTopLevel = desc.equals(context.getApplicationDescriptor());
if (isTopLevel) {
//
// If we are trying to access the top level component, we need to ensure
// that it is _not_ abstract.
//
BaseComponentDef def = getDef(context.getApplicationDescriptor());
if (def != null && def.isAbstract() && def.getProviderDescriptor() == null) {
throw new NoAccessException(
String.format("Access to %s disallowed. Abstract definition.", desc));
}
}
//
// If this is _not_ the top level, we allow circumventing the security provider.
// This means that certain things will short-circuit, hopefully making checks faster...
// Not sure if this is premature optimization or not.
//
if (!isTopLevel || desc.getDefType().equals(DefType.COMPONENT)) {
if (!securedDefTypes.contains(defType)
|| unsecuredPrefixes.contains(prefix)
|| unsecuredNamespaces.contains(ns)
|| (mode != Mode.PROD
&& (!Aura.getConfigAdapter().isProduction())
&& unsecuredNonProductionNamespaces.contains(ns))) {
accessCache.add(desc);
return;
}
if (ns != null && DefDescriptor.JAVA_PREFIX.equals(prefix)) {
// handle java packages that have namespaces like aura.impl.blah
for (String okNs : unsecuredNamespaces) {
if (ns.startsWith(okNs)) {
accessCache.add(desc);
return;
}
}
}
}
SecurityProviderDef securityProviderDef = getSecurityProvider();
if (securityProviderDef == null) {
if (mode != Mode.PROD && !Aura.getConfigAdapter().isProduction()) {
accessCache.add(desc);
return;
} else {
throw new NoAccessException(
String.format("Access to %s disallowed. No Security Provider found.", desc));
}
} else {
if (!securityProviderDef.isAllowed(desc)) {
throw new NoAccessException(
String.format(
"Access to %s disallowed by %s",
desc, securityProviderDef.getDescriptor().getName()));
}
}
accessCache.add(desc);
}
}
/**
* Handle an exception in the servlet.
*
* <p>This routine should be called whenever an exception has surfaced to the top level of the
* servlet. It should not be overridden unless Aura is entirely subsumed. Most special cases can
* be handled by the Aura user by implementing {@link ExceptionAdapter ExceptionAdapter}.
*
* @param t the throwable to write out.
* @param quickfix is this exception a valid quick-fix
* @param context the aura context.
* @param request the request.
* @param response the response.
* @param written true if we have started writing to the output stream.
* @throws IOException if the output stream does.
* @throws ServletException if send404 does (should not generally happen).
*/
@Override
public void handleServletException(
Throwable t,
boolean quickfix,
AuraContext context,
HttpServletRequest request,
HttpServletResponse response,
boolean written)
throws IOException {
try {
Throwable mappedEx = t;
boolean map = !quickfix;
Format format = context.getFormat();
//
// This seems to fail, though the documentation implies that you can do
// it.
//
// if (written && !response.isCommitted()) {
// response.resetBuffer();
// written = false;
// }
if (!written) {
// Should we only delete for JSON?
setNoCache(response);
}
if (mappedEx instanceof IOException) {
//
// Just re-throw IOExceptions.
//
throw (IOException) mappedEx;
} else if (mappedEx instanceof NoAccessException) {
Throwable cause = mappedEx.getCause();
String denyMessage = mappedEx.getMessage();
map = false;
if (cause != null) {
//
// Note that the exception handler can remap the cause here.
//
cause = exceptionAdapter.handleException(cause);
denyMessage += ": cause = " + cause.getMessage();
}
//
// Is this correct?!?!?!
//
if (format != Format.JSON) {
this.send404(request.getServletContext(), request, response);
if (!isProductionMode(context.getMode())) {
// Preserve new lines and tabs in the stacktrace since this is directly being written on
// to the
// page
denyMessage = "<pre>" + AuraTextUtil.escapeForHTML(denyMessage) + "</pre>";
response.getWriter().println(denyMessage);
}
return;
}
} else if (mappedEx instanceof QuickFixException) {
if (isProductionMode(context.getMode())) {
//
// In production environments, we want wrap the quick-fix. But be a little careful here.
// We should never mark the top level as a quick-fix, because that means that we gack
// on every mis-spelled app. In this case we simply send a 404 and bolt.
//
if (mappedEx instanceof DefinitionNotFoundException) {
DefinitionNotFoundException dnfe = (DefinitionNotFoundException) mappedEx;
if (dnfe.getDescriptor() != null
&& dnfe.getDescriptor().equals(context.getApplicationDescriptor())) {
// We're in production and tried to hit an aura app that doesn't exist.
// just show the standard 404 page.
this.send404(request.getServletContext(), request, response);
return;
}
}
map = true;
mappedEx = new AuraUnhandledException("404 Not Found (Application Error)", mappedEx);
}
}
if (map) {
mappedEx = exceptionAdapter.handleException(mappedEx);
}
PrintWriter out = response.getWriter();
//
// If we have written out data, We are kinda toast in this case.
// We really want to roll it all back, but we can't, so we opt
// for the best we can do. For HTML we can do nothing at all.
//
if (format == Format.JSON) {
if (!written) {
out.write(CSRF_PROTECT);
}
//
// If an exception happened while we were emitting JSON, we want the
// client to ignore the now-corrupt data structure. 404s and 500s
// cause the client to prepend /*, so we can effectively erase the
// bad data by appending a */ here and then serializing the exception
// info.
//
out.write("*/");
//
// Unfortunately we can't do the following now. It might be possible
// in some cases, but we don't want to go there unless we have to.
//
}
if (format == Format.JS || format == Format.CSS) {
// Make sure js and css doesn't get cached in browser, appcache, etc
response.setStatus(HttpStatus.SC_INTERNAL_SERVER_ERROR);
}
if (format == Format.JSON
|| format == Format.HTML
|| format == Format.JS
|| format == Format.CSS) {
//
// We only write out exceptions for HTML or JSON.
// Seems bogus, but here it is.
//
// Start out by cleaning out some settings to ensure we don't
// check too many things, leading to a circular failure. Note
// that this is still a bit dangerous, as we seem to have a lot
// of magic in the serializer.
//
// Clear the InstanceStack before trying to serialize the exception since the Throwable has
// likely
// rendered the stack inaccurate, and may falsely trigger NoAccessExceptions.
InstanceStack stack = this.contextService.getCurrentContext().getInstanceStack();
List<String> list = stack.getStackInfo();
for (int count = list.size(); count > 0; count--) {
stack.popInstance(stack.peek());
}
serializationService.write(mappedEx, null, out);
if (format == Format.JSON) {
out.write("/*ERROR*/");
}
}
} catch (IOException ioe) {
throw ioe;
} catch (Throwable death) {
//
// Catch any other exception and log it. This is actually kinda bad, because something has
// gone horribly wrong. We should write out some sort of generic page other than a 404,
// but at this point, it is unclear what we can do, as stuff is breaking right and left.
//
try {
response.setStatus(HttpStatus.SC_INTERNAL_SERVER_ERROR);
exceptionAdapter.handleException(death);
if (!isProductionMode(context.getMode())) {
response.getWriter().println(death.getMessage());
}
} catch (IOException ioe) {
throw ioe;
} catch (Throwable doubleDeath) {
// we are totally hosed.
if (!isProductionMode(context.getMode())) {
response.getWriter().println(doubleDeath.getMessage());
}
}
} finally {
this.contextService.endContext();
}
}
@Override
public void write(T value, Map<String, Object> componentAttributes, Appendable out)
throws IOException {
try {
AuraContext context = Aura.getContextService().getCurrentContext();
InstanceService instanceService = Aura.getInstanceService();
RenderingService renderingService = Aura.getRenderingService();
BaseComponentDef def = value.getDescriptor().getDef();
ComponentDef templateDef = def.getTemplateDef();
Map<String, Object> attributes = Maps.newHashMap();
StringBuilder sb = new StringBuilder();
writeHtmlStyles(new ArrayList<>(Arrays.asList(Aura.getConfigAdapter().getResetCssURL())), sb);
attributes.put("auraResetCss", sb.toString());
sb.setLength(0);
writeHtmlStyles(AuraServlet.getStyles(), sb);
attributes.put("auraStyleTags", sb.toString());
sb.setLength(0);
writeHtmlScripts(AuraServlet.getScripts(), sb);
DefDescriptor<StyleDef> styleDefDesc = templateDef.getStyleDescriptor();
if (styleDefDesc != null) {
attributes.put("auraInlineStyle", styleDefDesc.getDef().getCode());
}
String contextPath = context.getContextPath();
Mode mode = context.getMode();
if (mode.allowLocalRendering() && def.isLocallyRenderable()) {
BaseComponent<?, ?> cmp =
(BaseComponent<?, ?>) instanceService.getInstance(def, componentAttributes);
attributes.put("body", Lists.<BaseComponent<?, ?>>newArrayList(cmp));
attributes.put("bodyClass", "");
attributes.put("autoInitialize", "false");
Component template = instanceService.getInstance(templateDef.getDescriptor(), attributes);
renderingService.render(template, out);
} else {
attributes.put("auraScriptTags", sb.toString());
Map<String, Object> auraInit = Maps.newHashMap();
if (componentAttributes != null && !componentAttributes.isEmpty()) {
auraInit.put("attributes", componentAttributes);
}
auraInit.put("descriptor", def.getDescriptor());
auraInit.put("deftype", def.getDescriptor().getDefType());
auraInit.put("host", contextPath);
attributes.put("autoInitialize", "false");
attributes.put("autoInitializeSync", "true");
auraInit.put("instance", value);
auraInit.put("token", AuraBaseServlet.getToken());
StringBuilder contextWriter = new StringBuilder();
Aura.getSerializationService()
.write(context, null, AuraContext.class, contextWriter, "JSON");
auraInit.put("context", new Literal(contextWriter.toString()));
attributes.put("auraInitSync", JsonEncoder.serialize(auraInit));
Component template = instanceService.getInstance(templateDef.getDescriptor(), attributes);
renderingService.render(template, out);
}
} catch (QuickFixException e) {
throw new AuraRuntimeException(e);
}
}
@Override
public void serialize(Json json, AuraContext ctx) throws IOException {
json.writeMapBegin();
json.writeMapEntry("mode", ctx.getMode());
DefDescriptor<? extends BaseComponentDef> appDesc = ctx.getApplicationDescriptor();
if (appDesc != null) {
if (appDesc.getDefType().equals(DefType.APPLICATION)) {
json.writeMapEntry(
"app", String.format("%s:%s", appDesc.getNamespace(), appDesc.getName()));
} else {
json.writeMapEntry(
"cmp", String.format("%s:%s", appDesc.getNamespace(), appDesc.getName()));
}
}
if (ctx.getSerializeThemes()) {
ThemeList themes = ctx.getThemeList();
if (!themes.isEmpty()) {
List<String> stringed = Lists.newArrayList();
for (DefDescriptor<ThemeDef> theme : themes) {
stringed.add(theme.getQualifiedName());
}
json.writeMapEntry("themes", stringed);
}
Optional<String> dynamicVarsUid = themes.getActiveDynamicVarsUid();
if (dynamicVarsUid.isPresent()) {
json.writeMapEntry("dynamicVarsUid", dynamicVarsUid.get());
}
}
if (ctx.getRequestedLocales() != null) {
List<String> locales = new ArrayList<>();
for (Locale locale : ctx.getRequestedLocales()) {
locales.add(locale.toString());
}
json.writeMapEntry("requestedLocales", locales);
}
Map<String, String> loadedStrings = Maps.newHashMap();
Map<DefDescriptor<?>, String> clientLoaded = Maps.newHashMap();
clientLoaded.putAll(ctx.getClientLoaded());
for (Map.Entry<DefDescriptor<?>, String> entry : ctx.getLoaded().entrySet()) {
loadedStrings.put(
String.format(
"%s@%s", entry.getKey().getDefType().toString(), entry.getKey().getQualifiedName()),
entry.getValue());
clientLoaded.remove(entry.getKey());
}
if (forClient) {
for (DefDescriptor<?> deleted : clientLoaded.keySet()) {
loadedStrings.put(
String.format("%s@%s", deleted.getDefType().toString(), deleted.getQualifiedName()),
DELETED);
}
}
if (loadedStrings.size() > 0) {
json.writeMapKey("loaded");
json.writeMap(loadedStrings);
}
if (ctx.getSerializeLastMod()) {
json.writeMapEntry("lastmod", Long.toString(AuraBaseServlet.getLastMod()));
}
TestContextAdapter testContextAdapter = Aura.get(TestContextAdapter.class);
if (testContextAdapter != null) {
TestContext testContext = testContextAdapter.getTestContext();
if (testContext != null) {
json.writeMapEntry("test", testContext.getName());
}
}
if (ctx.getFrameworkUID() != null) {
json.writeMapEntry("fwuid", ctx.getFrameworkUID());
}
if (forClient) {
// client needs value providers, urls don't
boolean started = false;
for (GlobalValueProvider valueProvider : ctx.getGlobalProviders().values()) {
if (!valueProvider.isEmpty()) {
if (!started) {
json.writeMapKey("globalValueProviders");
json.writeArrayBegin();
started = true;
}
json.writeComma();
json.writeIndent();
json.writeMapBegin();
json.writeMapEntry("type", valueProvider.getValueProviderKey().getPrefix());
json.writeMapEntry("values", valueProvider.getData());
json.writeMapEnd();
}
}
if (started) {
json.writeArrayEnd();
}
//
// Now comes the tricky part, we have to serialize all of the definitions that are
// required on the client side, and, of all types. This way, we won't have to handle
// ugly cases of actual definitions nested inside our configs, and, we ensure that
// all dependencies actually get sent to the client. Note that the 'loaded' set needs
// to be updated as well, but that needs to happen prior to this.
//
Map<DefDescriptor<? extends Definition>, Definition> defMap;
defMap = ctx.getDefRegistry().filterRegistry(ctx.getPreloadedDefinitions());
if (defMap.size() > 0) {
List<Definition> componentDefs = Lists.newArrayList();
List<Definition> eventDefs = Lists.newArrayList();
List<Definition> libraryDefs = Lists.newArrayList();
for (Map.Entry<DefDescriptor<? extends Definition>, Definition> entry :
defMap.entrySet()) {
DefDescriptor<? extends Definition> desc = entry.getKey();
DefType dt = desc.getDefType();
Definition d = entry.getValue();
//
// Ignore defs that ended up not being valid. This is arguably something
// that the MDR should have done when filtering.
//
if (d != null) {
if (DefType.COMPONENT.equals(dt) || DefType.APPLICATION.equals(dt)) {
componentDefs.add(d);
} else if (DefType.EVENT.equals(dt)) {
eventDefs.add(d);
} else if (DefType.LIBRARY.equals(dt)) {
libraryDefs.add(d);
}
}
}
writeDefs(json, "componentDefs", componentDefs);
writeDefs(json, "eventDefs", eventDefs);
writeDefs(json, "libraryDefs", libraryDefs);
}
ctx.serializeAsPart(json);
}
json.writeMapEnd();
}
