/**
  * Get the relative URL for a given BaseComponentDef descriptor.
  *
  * @param desc the DefDescriptor of a BaseComponentDef
  * @return the relative URL for the descriptor
  */
 protected String getUrl(DefDescriptor<? extends BaseComponentDef> desc) {
   return String.format(
       "/%s/%s.%s",
       desc.getNamespace(),
       desc.getName(),
       DefType.APPLICATION.equals(desc.getDefType()) ? "app" : "cmp");
 }
  /**
   * Check if CSP Header setting is already inherited from one.app (top level context) See
   * https://www.w3.org/TR/CSP2/#which-policy-applies
   *
   * @param defDesc
   * @param req
   * @return true if CSP header setting can be skipped
   */
  private boolean canSkipCSPHeader(final DefDescriptor<?> defDesc, final HttpServletRequest req) {
    if (defDesc == null | req == null) {
      return false;
    }

    // CSP inheritance is supported starting from CSP2
    if (!isCSP2Supported(req)) {
      return false;
    }

    final String descriptorName = defDesc.getDescriptorName();
    if (!descriptorName.equals("one:one")) { // only skip while loading one.app
      return false;
    }

    final String auraFormat = req.getParameter("aura.format");
    if (auraFormat != null && auraFormat.equals("HTML")) {
      return false;
    }

    // Skip one.app requests for non HTML content with already established aura context
    final String auraContext = req.getParameter("aura.context");
    if (auraContext != null) {
      return true;
    }

    return false;
  }
Exemple #3
0
 private AttributeModel(AttributeDef def) throws QuickFixException {
   this.name = def.getName();
   this.description = def.getDescription();
   this.type = def.getTypeDef().getName().toLowerCase();
   this.required = def.isRequired();
   if (def.getDefaultValue() != null) {
     this.defaultValue = def.getDefaultValue().getValue().toString();
   } else {
     this.defaultValue = null;
   }
   DefDescriptor<?> parentDesc = def.getParentDescriptor();
   if (parentDesc == null || parentDesc.equals(ComponentDefModel.this.descriptor)) {
     this.parentName = null;
     this.parentDefType = null;
   } else {
     this.parentName = parentDesc.getNamespace() + ":" + parentDesc.getName();
     this.parentDefType = parentDesc.getDefType().name().toLowerCase();
   }
 }
  /** Sets mandatory headers, notably for anti-clickjacking. */
  @Override
  public void setCSPHeaders(DefDescriptor<?> top, HttpServletRequest req, HttpServletResponse rsp) {

    if (canSkipCSPHeader(top, req)) {
      return;
    }

    ContentSecurityPolicy csp =
        configAdapter.getContentSecurityPolicy(top == null ? null : top.getQualifiedName(), req);

    if (csp != null) {
      rsp.setHeader(CSP.Header.SECURE, csp.getCspHeaderValue());
      Collection<String> terms = csp.getFrameAncestors();
      if (terms != null) {
        // not open to the world; figure whether we can express an X-FRAME-OPTIONS header:
        if (terms.size() == 0) {
          // closed to any framing at all
          rsp.setHeader(HDR_FRAME_OPTIONS, HDR_FRAME_DENY);
        } else if (terms.size() == 1) {
          // With one ancestor term, we're either SAMEORIGIN or ALLOWFROM
          for (String site : terms) {
            if (site == null) {
              // Add same-origin headers and policy terms
              rsp.addHeader(HDR_FRAME_OPTIONS, HDR_FRAME_SAMEORIGIN);
            } else if (!site.contains("*") && !site.matches("^[a-z]+:$")) {
              // XFO can't express wildcards or protocol-only, so set only for a specific site:
              rsp.addHeader(HDR_FRAME_OPTIONS, HDR_FRAME_ALLOWFROM + site);
            } else {
              // When XFO can't express it, still set an ALLOWALL so filters don't jump in
              rsp.addHeader(HDR_FRAME_OPTIONS, HDR_FRAME_ALLOWALL);
            }
          }
        }
      }
    }
  }
Exemple #5
0
  public ComponentDefModel() throws QuickFixException {
    AuraContext context = Aura.getContextService().getCurrentContext();
    BaseComponent<?, ?> component = context.getCurrentComponent();

    String desc = (String) component.getAttributes().getValue("descriptor");

    DefType defType =
        DefType.valueOf(((String) component.getAttributes().getValue("defType")).toUpperCase());
    DefinitionService definitionService = Aura.getDefinitionService();
    descriptor = definitionService.getDefDescriptor(desc, defType.getPrimaryInterface());
    definition = descriptor.getDef();

    ReferenceTreeModel.assertAccess(definition);

    String type = null;
    if (definition instanceof RootDefinition) {
      RootDefinition rootDef = (RootDefinition) definition;
      for (AttributeDef attribute : rootDef.getAttributeDefs().values()) {
        if (ReferenceTreeModel.hasAccess(attribute)) {
          attributes.add(new AttributeModel(attribute));
        }
      }

      DocumentationDef docDef = rootDef.getDocumentationDef();
      doc = docDef != null ? new DocumentationDefModel(docDef) : null;

      if (definition instanceof BaseComponentDef) {
        BaseComponentDef cmpDef = (BaseComponentDef) definition;
        for (RegisterEventDef reg : cmpDef.getRegisterEventDefs().values()) {
          if (ReferenceTreeModel.hasAccess(reg)) {
            events.add(new AttributeModel(reg));
          }
        }

        for (EventHandlerDef handler : cmpDef.getHandlerDefs()) {
          handledEvents.add(new AttributeModel(handler));
        }

        for (DefDescriptor<InterfaceDef> intf : cmpDef.getInterfaces()) {
          if (ReferenceTreeModel.hasAccess(intf.getDef())) {
            interfaces.add(intf.getNamespace() + ":" + intf.getName());
          }
        }

        DefDescriptor<?> superDesc = cmpDef.getExtendsDescriptor();
        if (superDesc != null) {
          theSuper = superDesc.getNamespace() + ":" + superDesc.getName();
        } else {
          theSuper = null;
        }

        isAbstract = cmpDef.isAbstract();
        isExtensible = cmpDef.isExtensible();

      } else if (definition instanceof EventDef) {
        EventDef eventDef = (EventDef) definition;
        DefDescriptor<?> superDesc = eventDef.getExtendsDescriptor();
        if (superDesc != null) {
          theSuper = superDesc.getNamespace() + ":" + superDesc.getName();
        } else {
          theSuper = null;
        }

        type = eventDef.getEventType().name();
        isExtensible = true;
        isAbstract = false;
      } else {
        theSuper = null;
        isExtensible = true;
        isAbstract = false;
      }

      support = rootDef.getSupport().name();

      if (definition instanceof RootDefinition) {
        List<DefDescriptor<?>> deps = ((RootDefinition) definition).getBundle();

        for (DefDescriptor<?> dep : deps) {
          // we already surface the documentation--users don't need to see the source for it.
          if (dep.getDefType() != DefType.DOCUMENTATION) {
            Definition def = dep.getDef();
            if (ReferenceTreeModel.hasAccess(def)) {
              defs.add(new DefModel(dep));
            }
          }
        }
      }
    } else {
      support = null;
      theSuper = null;
      isExtensible = false;
      isAbstract = false;
      doc = null;
    }
    this.type = type;
  }