Exemplo n.º 1
0
 /**
  * Get the expected name for the manifest cookie.
  *
  * @return the name (null if none)
  */
 private static String getManifestCookieName() {
   AuraContext context = Aura.getContextService().getCurrentContext();
   if (context.getApplicationDescriptor() != null) {
     StringBuilder sb = new StringBuilder();
     if (context.getMode() != Mode.PROD) {
       sb.append(context.getMode());
       sb.append("_");
     }
     sb.append(context.getApplicationDescriptor().getNamespace());
     sb.append("_");
     sb.append(context.getApplicationDescriptor().getName());
     sb.append(MANIFEST_COOKIE_TAIL);
     return sb.toString();
   }
   return null;
 }
Exemplo n.º 2
0
  @Override
  public void assertAccess(DefDescriptor<?> desc) throws QuickFixException {

    if (!accessCache.contains(desc)) {
      Aura.getLoggingService().incrementNum("SecurityProviderCheck");
      DefType defType = desc.getDefType();
      String ns = desc.getNamespace();
      AuraContext context = Aura.getContextService().getCurrentContext();
      Mode mode = context.getMode();
      String prefix = desc.getPrefix();
      //
      // This breaks encapsulation! -gordon
      //
      boolean isTopLevel = desc.equals(context.getApplicationDescriptor());

      if (isTopLevel) {
        //
        // If we are trying to access the top level component, we need to ensure
        // that it is _not_ abstract.
        //
        BaseComponentDef def = getDef(context.getApplicationDescriptor());
        if (def != null && def.isAbstract() && def.getProviderDescriptor() == null) {
          throw new NoAccessException(
              String.format("Access to %s disallowed. Abstract definition.", desc));
        }
      }
      //
      // If this is _not_ the top level, we allow circumventing the security provider.
      // This means that certain things will short-circuit, hopefully making checks faster...
      // Not sure if this is premature optimization or not.
      //
      if (!isTopLevel || desc.getDefType().equals(DefType.COMPONENT)) {
        if (!securedDefTypes.contains(defType)
            || unsecuredPrefixes.contains(prefix)
            || unsecuredNamespaces.contains(ns)
            || (mode != Mode.PROD
                && (!Aura.getConfigAdapter().isProduction())
                && unsecuredNonProductionNamespaces.contains(ns))) {
          accessCache.add(desc);
          return;
        }

        if (ns != null && DefDescriptor.JAVA_PREFIX.equals(prefix)) {
          // handle java packages that have namespaces like aura.impl.blah
          for (String okNs : unsecuredNamespaces) {
            if (ns.startsWith(okNs)) {
              accessCache.add(desc);
              return;
            }
          }
        }
      }

      SecurityProviderDef securityProviderDef = getSecurityProvider();
      if (securityProviderDef == null) {
        if (mode != Mode.PROD && !Aura.getConfigAdapter().isProduction()) {
          accessCache.add(desc);
          return;
        } else {
          throw new NoAccessException(
              String.format("Access to %s disallowed.  No Security Provider found.", desc));
        }
      } else {
        if (!securityProviderDef.isAllowed(desc)) {
          throw new NoAccessException(
              String.format(
                  "Access to %s disallowed by %s",
                  desc, securityProviderDef.getDescriptor().getName()));
        }
      }
      accessCache.add(desc);
    }
  }
Exemplo n.º 3
0
  /**
   * Handle an exception in the servlet.
   *
   * <p>This routine should be called whenever an exception has surfaced to the top level of the
   * servlet. It should not be overridden unless Aura is entirely subsumed. Most special cases can
   * be handled by the Aura user by implementing {@link ExceptionAdapter ExceptionAdapter}.
   *
   * @param t the throwable to write out.
   * @param quickfix is this exception a valid quick-fix
   * @param context the aura context.
   * @param request the request.
   * @param response the response.
   * @param written true if we have started writing to the output stream.
   * @throws IOException if the output stream does.
   * @throws ServletException if send404 does (should not generally happen).
   */
  @Override
  public void handleServletException(
      Throwable t,
      boolean quickfix,
      AuraContext context,
      HttpServletRequest request,
      HttpServletResponse response,
      boolean written)
      throws IOException {
    try {
      Throwable mappedEx = t;
      boolean map = !quickfix;
      Format format = context.getFormat();

      //
      // This seems to fail, though the documentation implies that you can do
      // it.
      //
      // if (written && !response.isCommitted()) {
      // response.resetBuffer();
      // written = false;
      // }
      if (!written) {
        // Should we only delete for JSON?
        setNoCache(response);
      }
      if (mappedEx instanceof IOException) {
        //
        // Just re-throw IOExceptions.
        //
        throw (IOException) mappedEx;
      } else if (mappedEx instanceof NoAccessException) {
        Throwable cause = mappedEx.getCause();
        String denyMessage = mappedEx.getMessage();

        map = false;
        if (cause != null) {
          //
          // Note that the exception handler can remap the cause here.
          //
          cause = exceptionAdapter.handleException(cause);
          denyMessage += ": cause = " + cause.getMessage();
        }
        //
        // Is this correct?!?!?!
        //
        if (format != Format.JSON) {
          this.send404(request.getServletContext(), request, response);
          if (!isProductionMode(context.getMode())) {
            // Preserve new lines and tabs in the stacktrace since this is directly being written on
            // to the
            // page
            denyMessage = "<pre>" + AuraTextUtil.escapeForHTML(denyMessage) + "</pre>";
            response.getWriter().println(denyMessage);
          }
          return;
        }
      } else if (mappedEx instanceof QuickFixException) {
        if (isProductionMode(context.getMode())) {
          //
          // In production environments, we want wrap the quick-fix. But be a little careful here.
          // We should never mark the top level as a quick-fix, because that means that we gack
          // on every mis-spelled app. In this case we simply send a 404 and bolt.
          //
          if (mappedEx instanceof DefinitionNotFoundException) {
            DefinitionNotFoundException dnfe = (DefinitionNotFoundException) mappedEx;

            if (dnfe.getDescriptor() != null
                && dnfe.getDescriptor().equals(context.getApplicationDescriptor())) {
              // We're in production and tried to hit an aura app that doesn't exist.
              // just show the standard 404 page.
              this.send404(request.getServletContext(), request, response);
              return;
            }
          }
          map = true;
          mappedEx = new AuraUnhandledException("404 Not Found (Application Error)", mappedEx);
        }
      }
      if (map) {
        mappedEx = exceptionAdapter.handleException(mappedEx);
      }

      PrintWriter out = response.getWriter();

      //
      // If we have written out data, We are kinda toast in this case.
      // We really want to roll it all back, but we can't, so we opt
      // for the best we can do. For HTML we can do nothing at all.
      //
      if (format == Format.JSON) {
        if (!written) {
          out.write(CSRF_PROTECT);
        }
        //
        // If an exception happened while we were emitting JSON, we want the
        // client to ignore the now-corrupt data structure. 404s and 500s
        // cause the client to prepend /*, so we can effectively erase the
        // bad data by appending a */ here and then serializing the exception
        // info.
        //
        out.write("*/");
        //
        // Unfortunately we can't do the following now. It might be possible
        // in some cases, but we don't want to go there unless we have to.
        //
      }
      if (format == Format.JS || format == Format.CSS) {
        // Make sure js and css doesn't get cached in browser, appcache, etc
        response.setStatus(HttpStatus.SC_INTERNAL_SERVER_ERROR);
      }
      if (format == Format.JSON
          || format == Format.HTML
          || format == Format.JS
          || format == Format.CSS) {
        //
        // We only write out exceptions for HTML or JSON.
        // Seems bogus, but here it is.
        //
        // Start out by cleaning out some settings to ensure we don't
        // check too many things, leading to a circular failure. Note
        // that this is still a bit dangerous, as we seem to have a lot
        // of magic in the serializer.
        //
        // Clear the InstanceStack before trying to serialize the exception since the Throwable has
        // likely
        // rendered the stack inaccurate, and may falsely trigger NoAccessExceptions.
        InstanceStack stack = this.contextService.getCurrentContext().getInstanceStack();
        List<String> list = stack.getStackInfo();
        for (int count = list.size(); count > 0; count--) {
          stack.popInstance(stack.peek());
        }

        serializationService.write(mappedEx, null, out);
        if (format == Format.JSON) {
          out.write("/*ERROR*/");
        }
      }
    } catch (IOException ioe) {
      throw ioe;
    } catch (Throwable death) {
      //
      // Catch any other exception and log it. This is actually kinda bad, because something has
      // gone horribly wrong. We should write out some sort of generic page other than a 404,
      // but at this point, it is unclear what we can do, as stuff is breaking right and left.
      //
      try {
        response.setStatus(HttpStatus.SC_INTERNAL_SERVER_ERROR);
        exceptionAdapter.handleException(death);
        if (!isProductionMode(context.getMode())) {
          response.getWriter().println(death.getMessage());
        }
      } catch (IOException ioe) {
        throw ioe;
      } catch (Throwable doubleDeath) {
        // we are totally hosed.
        if (!isProductionMode(context.getMode())) {
          response.getWriter().println(doubleDeath.getMessage());
        }
      }
    } finally {
      this.contextService.endContext();
    }
  }
  @Override
  public void write(T value, Map<String, Object> componentAttributes, Appendable out)
      throws IOException {
    try {

      AuraContext context = Aura.getContextService().getCurrentContext();
      InstanceService instanceService = Aura.getInstanceService();
      RenderingService renderingService = Aura.getRenderingService();
      BaseComponentDef def = value.getDescriptor().getDef();

      ComponentDef templateDef = def.getTemplateDef();
      Map<String, Object> attributes = Maps.newHashMap();

      StringBuilder sb = new StringBuilder();
      writeHtmlStyles(new ArrayList<>(Arrays.asList(Aura.getConfigAdapter().getResetCssURL())), sb);
      attributes.put("auraResetCss", sb.toString());
      sb.setLength(0);
      writeHtmlStyles(AuraServlet.getStyles(), sb);
      attributes.put("auraStyleTags", sb.toString());
      sb.setLength(0);
      writeHtmlScripts(AuraServlet.getScripts(), sb);
      DefDescriptor<StyleDef> styleDefDesc = templateDef.getStyleDescriptor();
      if (styleDefDesc != null) {
        attributes.put("auraInlineStyle", styleDefDesc.getDef().getCode());
      }

      String contextPath = context.getContextPath();
      Mode mode = context.getMode();

      if (mode.allowLocalRendering() && def.isLocallyRenderable()) {
        BaseComponent<?, ?> cmp =
            (BaseComponent<?, ?>) instanceService.getInstance(def, componentAttributes);

        attributes.put("body", Lists.<BaseComponent<?, ?>>newArrayList(cmp));
        attributes.put("bodyClass", "");
        attributes.put("autoInitialize", "false");

        Component template = instanceService.getInstance(templateDef.getDescriptor(), attributes);

        renderingService.render(template, out);
      } else {

        attributes.put("auraScriptTags", sb.toString());
        Map<String, Object> auraInit = Maps.newHashMap();
        if (componentAttributes != null && !componentAttributes.isEmpty()) {
          auraInit.put("attributes", componentAttributes);
        }
        auraInit.put("descriptor", def.getDescriptor());
        auraInit.put("deftype", def.getDescriptor().getDefType());
        auraInit.put("host", contextPath);

        attributes.put("autoInitialize", "false");
        attributes.put("autoInitializeSync", "true");

        auraInit.put("instance", value);
        auraInit.put("token", AuraBaseServlet.getToken());

        StringBuilder contextWriter = new StringBuilder();
        Aura.getSerializationService()
            .write(context, null, AuraContext.class, contextWriter, "JSON");
        auraInit.put("context", new Literal(contextWriter.toString()));

        attributes.put("auraInitSync", JsonEncoder.serialize(auraInit));

        Component template = instanceService.getInstance(templateDef.getDescriptor(), attributes);
        renderingService.render(template, out);
      }
    } catch (QuickFixException e) {
      throw new AuraRuntimeException(e);
    }
  }
Exemplo n.º 5
0
    @Override
    public void serialize(Json json, AuraContext ctx) throws IOException {
      json.writeMapBegin();
      json.writeMapEntry("mode", ctx.getMode());

      DefDescriptor<? extends BaseComponentDef> appDesc = ctx.getApplicationDescriptor();
      if (appDesc != null) {
        if (appDesc.getDefType().equals(DefType.APPLICATION)) {
          json.writeMapEntry(
              "app", String.format("%s:%s", appDesc.getNamespace(), appDesc.getName()));
        } else {
          json.writeMapEntry(
              "cmp", String.format("%s:%s", appDesc.getNamespace(), appDesc.getName()));
        }
      }

      if (ctx.getSerializeThemes()) {
        ThemeList themes = ctx.getThemeList();
        if (!themes.isEmpty()) {
          List<String> stringed = Lists.newArrayList();
          for (DefDescriptor<ThemeDef> theme : themes) {
            stringed.add(theme.getQualifiedName());
          }
          json.writeMapEntry("themes", stringed);
        }

        Optional<String> dynamicVarsUid = themes.getActiveDynamicVarsUid();
        if (dynamicVarsUid.isPresent()) {
          json.writeMapEntry("dynamicVarsUid", dynamicVarsUid.get());
        }
      }

      if (ctx.getRequestedLocales() != null) {
        List<String> locales = new ArrayList<>();
        for (Locale locale : ctx.getRequestedLocales()) {
          locales.add(locale.toString());
        }
        json.writeMapEntry("requestedLocales", locales);
      }
      Map<String, String> loadedStrings = Maps.newHashMap();
      Map<DefDescriptor<?>, String> clientLoaded = Maps.newHashMap();
      clientLoaded.putAll(ctx.getClientLoaded());
      for (Map.Entry<DefDescriptor<?>, String> entry : ctx.getLoaded().entrySet()) {
        loadedStrings.put(
            String.format(
                "%s@%s", entry.getKey().getDefType().toString(), entry.getKey().getQualifiedName()),
            entry.getValue());
        clientLoaded.remove(entry.getKey());
      }
      if (forClient) {
        for (DefDescriptor<?> deleted : clientLoaded.keySet()) {
          loadedStrings.put(
              String.format("%s@%s", deleted.getDefType().toString(), deleted.getQualifiedName()),
              DELETED);
        }
      }
      if (loadedStrings.size() > 0) {
        json.writeMapKey("loaded");
        json.writeMap(loadedStrings);
      }
      if (ctx.getSerializeLastMod()) {
        json.writeMapEntry("lastmod", Long.toString(AuraBaseServlet.getLastMod()));
      }

      TestContextAdapter testContextAdapter = Aura.get(TestContextAdapter.class);
      if (testContextAdapter != null) {
        TestContext testContext = testContextAdapter.getTestContext();
        if (testContext != null) {
          json.writeMapEntry("test", testContext.getName());
        }
      }

      if (ctx.getFrameworkUID() != null) {
        json.writeMapEntry("fwuid", ctx.getFrameworkUID());
      }

      if (forClient) {
        // client needs value providers, urls don't
        boolean started = false;

        for (GlobalValueProvider valueProvider : ctx.getGlobalProviders().values()) {
          if (!valueProvider.isEmpty()) {
            if (!started) {
              json.writeMapKey("globalValueProviders");
              json.writeArrayBegin();
              started = true;
            }
            json.writeComma();
            json.writeIndent();
            json.writeMapBegin();
            json.writeMapEntry("type", valueProvider.getValueProviderKey().getPrefix());
            json.writeMapEntry("values", valueProvider.getData());
            json.writeMapEnd();
          }
        }

        if (started) {
          json.writeArrayEnd();
        }

        //
        // Now comes the tricky part, we have to serialize all of the definitions that are
        // required on the client side, and, of all types. This way, we won't have to handle
        // ugly cases of actual definitions nested inside our configs, and, we ensure that
        // all dependencies actually get sent to the client. Note that the 'loaded' set needs
        // to be updated as well, but that needs to happen prior to this.
        //
        Map<DefDescriptor<? extends Definition>, Definition> defMap;

        defMap = ctx.getDefRegistry().filterRegistry(ctx.getPreloadedDefinitions());

        if (defMap.size() > 0) {
          List<Definition> componentDefs = Lists.newArrayList();
          List<Definition> eventDefs = Lists.newArrayList();
          List<Definition> libraryDefs = Lists.newArrayList();

          for (Map.Entry<DefDescriptor<? extends Definition>, Definition> entry :
              defMap.entrySet()) {
            DefDescriptor<? extends Definition> desc = entry.getKey();
            DefType dt = desc.getDefType();
            Definition d = entry.getValue();
            //
            // Ignore defs that ended up not being valid. This is arguably something
            // that the MDR should have done when filtering.
            //
            if (d != null) {
              if (DefType.COMPONENT.equals(dt) || DefType.APPLICATION.equals(dt)) {
                componentDefs.add(d);
              } else if (DefType.EVENT.equals(dt)) {
                eventDefs.add(d);
              } else if (DefType.LIBRARY.equals(dt)) {
                libraryDefs.add(d);
              }
            }
          }
          writeDefs(json, "componentDefs", componentDefs);
          writeDefs(json, "eventDefs", eventDefs);
          writeDefs(json, "libraryDefs", libraryDefs);
        }
        ctx.serializeAsPart(json);
      }
      json.writeMapEnd();
    }