Exemplo n.º 1
0
  @Override
  protected int beforeHandle(Request request, Response response) {
    if (Method.OPTIONS.equals(request.getMethod())) {
      Series<Header> requestHeaders =
          (Series<Header>) request.getAttributes().get(HeaderConstants.ATTRIBUTE_HEADERS);
      String origin = requestHeaders.getFirstValue("Origin", false, "*");
      String rh = requestHeaders.getFirstValue("Access-Control-Request-Headers", false, "*");
      Series<Header> responseHeaders =
          (Series<Header>) response.getAttributes().get(HeaderConstants.ATTRIBUTE_HEADERS);
      if (responseHeaders == null) {
        responseHeaders = new Series<Header>(Header.class);
      }
      responseHeaders.add("Access-Control-Allow-Origin", origin);
      responseHeaders.set("Access-Control-Expose-Headers", "Authorization, Link");
      responseHeaders.add("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");
      responseHeaders.add("Access-Control-Allow-Headers", rh);
      responseHeaders.add("Access-Control-Allow-Credentials", "true");
      responseHeaders.add("Access-Control-Max-Age", "60");
      response.getAttributes().put(HeaderConstants.ATTRIBUTE_HEADERS, responseHeaders);
      response.setEntity(new EmptyRepresentation());
      return SKIP;
    }

    return super.beforeHandle(request, response);
  }
  // TODO The secret should be a char[].
  private Representation doNoneFlow(
      String clientId, String clientSecret, Series<Parameter> params) {
    Client client = validate(clientId, clientSecret);

    // null check on failed
    if (client == null) {
      setStatus(Status.CLIENT_ERROR_FORBIDDEN);
      return sendError(OAuthError.invalid_client, "Client id verification failed.", null);
    }

    if (!client.containsUser(AUTONOMOUS_USER)) {
      client.createUser(AUTONOMOUS_USER);
    }

    AuthenticatedUser user = client.findUser(AUTONOMOUS_USER);

    // Adding all scopes since super-user
    // String[] scopes = parseScope(params.getFirstValue(SCOPE));
    List<Role> roles = Scopes.toRoles(params.getFirstValue(SCOPE));
    for (Role r : roles) {
      getLogger().fine("Requested scopes none flow = " + roles);
      user.addRole(r, "");
      getLogger().fine("Adding scope = " + r.getName() + " to auto user");
    }

    Token token = this.generator.generateToken(user, this.tokenTimeSec);
    JSONObject body = createJsonToken(token, null); // Scopes N/A

    // Sets the no-store Cache-Control header
    getResponse().setCacheDirectives(noStore);
    return new JsonStringRepresentation(body);
  }
Exemplo n.º 3
0
  @Override
  public synchronized void start() throws Exception {
    // restlet servlet engine will pass parameters from web.xml via the context parameters
    Series<Parameter> parameters = getContext().getParameters();
    dataSource = PSCPDataSource.createDataSource(parameters);
    daoFactory = PGDaoFactory.createPGDaoFactory(dataSource);
    lookupCache = new LookupCache(daoFactory);
    secretResolver = new SecretResolver();
    adminPage = parameters.getFirstValue("pscp.web.admin");
    urls = new URLS(adminPage);
    // links out to website
    urls.putStatic(
        new Template(getSlashedURL(parameters, "pscp.web.products")), URLS.Name.PRODUCT_LOCATION);
    urls.putStatic(
        new Template(getSlashedURL(parameters, "pscp.web.root")), URLS.Name.STATIC_MEDIA);

    // @todo how to deal with this?
    baseURIs = new ArrayList<String>(Arrays.asList("localhost:8080"));

    Map<String, Object> contextAttributes = getContext().getAttributes();
    contextAttributes.put(BaseResource.CONTEXT_ATTRIBUTE_DAO_FACTORY, daoFactory);
    contextAttributes.put(BaseResource.CONTEXT_ATTRIBUTE_URL_MAPPER, urls);
    contextAttributes.put(BaseResource.CONTEXT_ATTRIBUTE_LOOKUP_CACHE, lookupCache);
    contextAttributes.put(
        BaseResource.CONTEXT_ATTRIBUTE_PRODUCT_ROOT,
        getRootDir(BaseResource.CONTEXT_ATTRIBUTE_PRODUCT_ROOT, "pscp-products"));
    contextAttributes.put(
        BaseResource.CONTEXT_ATTRIBUTE_UPLOAD_ROOT,
        getRootDir(BaseResource.CONTEXT_ATTRIBUTE_UPLOAD_ROOT, "pscp-uploads"));

    super.start();
  }
Exemplo n.º 4
0
 private String getSlashedURL(Series<Parameter> params, String key) {
   String url = params.getFirstValue(key);
   if (url.indexOf('?') < 0 && !url.endsWith("/")) {
     url = url + "/";
   }
   return url;
 }
  // TODO The secret should be a char[].
  private Representation doAuthCodeFlow(
      String clientId, String clientSecret, Series<Parameter> params)
      throws IllegalArgumentException {
    String redirUri = params.getFirstValue(REDIR_URI);

    if ((redirUri == null) || (redirUri.length() == 0)) {
      setStatus(Status.CLIENT_ERROR_BAD_REQUEST);
      return sendError(
          OAuthError.invalid_request, "Mandatory parameter redirect_uri is missing", null);
    }

    String code = params.getFirstValue(CODE);
    if ((code == null) || (code.length() == 0)) {
      setStatus(Status.CLIENT_ERROR_BAD_REQUEST);
      return sendError(OAuthError.invalid_request, "Mandatory parameter code is missing", null);
    }

    Client client = validate(clientId, clientSecret);
    // null check on failed
    if (client == null) {
      setStatus(Status.CLIENT_ERROR_FORBIDDEN);
      return sendError(OAuthError.invalid_request, "Client id verification failed.", null);
    }

    // check the client secret
    if (!clientSecret.equals(client.getClientSecret())) {
      setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
      return sendError(OAuthError.invalid_request, "Client secret did not match", null);
    }

    // TODO could add a cookie match on the owner but could fail if code is
    // sent to other entity
    // unauthorized_client, right now this is only performed if
    // ScopedResource getOwner returns the user

    // 5 min timeout on tokens, 0 for unlimited
    Token token = generator.exchangeForToken(code, tokenTimeSec);

    // TODO send back scopes if limited

    JSONObject body = createJsonToken(token, null);

    // Sets the no-store Cache-Control header
    getResponse().setCacheDirectives(noStore);
    return new JsonStringRepresentation(body);
  }
  @Override
  public void formatResponse(
      ChallengeWriter cw,
      ChallengeResponse challenge,
      Request request,
      Series<Header> httpHeaders) {

    // Setup the Date header
    String date = "";

    if (httpHeaders.getFirstValue("x-ms-date", true) == null) {
      // X-ms-Date header didn't override the standard Date header
      date = httpHeaders.getFirstValue(HeaderConstants.HEADER_DATE, true);

      if (date == null) {
        // Add a fresh Date header
        date = DateUtils.format(new Date(), DateUtils.FORMAT_RFC_1123.get(0));
        httpHeaders.add(HeaderConstants.HEADER_DATE, date);
      }
    } else {
      date = httpHeaders.getFirstValue("x-ms-date", true);
    }

    // Setup the canonicalized path
    String canonicalizedResource = getCanonicalizedResourceName(request.getResourceRef());

    // Setup the message part
    StringBuilder rest = new StringBuilder();
    rest.append(date)
        .append('\n')
        .append('/')
        .append(challenge.getIdentifier())
        .append(canonicalizedResource);

    // Append the SharedKey credentials
    cw.append(challenge.getIdentifier())
        .append(':')
        .append(
            Base64.encode(
                DigestUtils.toHMacSha256(rest.toString(), Base64.decode(challenge.getSecret())),
                true));
  }
  // TODO The secret should be a char[].
  private Representation doPasswordFlow(
      String clientId, String clientSecret, Series<Parameter> params) {
    Client client = validate(clientId, clientSecret);

    // null check on failed
    if (client == null) {
      setStatus(Status.CLIENT_ERROR_FORBIDDEN);
      return sendError(OAuthError.invalid_client, "Client id verification failed.", null);
    }

    String username = params.getFirstValue(USERNAME);
    AuthenticatedUser user = null;

    if ((username == null) || ((user = client.findUser(username)) == null)) {
      setStatus(Status.CLIENT_ERROR_BAD_REQUEST);
      return sendError(OAuthError.invalid_request, "Mandatory parameter username missing.", null);
    }

    String password = params.getFirstValue(PASSWORD);

    if (password == null) {
      setStatus(Status.CLIENT_ERROR_BAD_REQUEST);
      return sendError(OAuthError.invalid_request, "Mandatory parameter password missing.", null);
    }

    if (!password.equals(user.getPassword())) {
      setStatus(Status.CLIENT_ERROR_FORBIDDEN);
      return sendError(OAuthError.invalid_grant, "Password not correct.", null);
    }

    Token token = this.generator.generateToken(user, this.tokenTimeSec);
    JSONObject body = createJsonToken(token, null); // Scopes N/A

    // Sets the no-store Cache-Control header
    getResponse().setCacheDirectives(noStore);
    return new JsonStringRepresentation(body);
  }
  @Post
  public Representation acceptItem(Representation entity) {
    logger.info("Attempting to delete a device");

    Series<Cookie> cookies = this.getRequest().getCookies();
    String parent_username = cookies.getFirstValue(COOKIE_USER);
    String auth_Token = cookies.getFirstValue(COOKIE_AUTH);

    if ((parent_username == null) || (auth_Token == null)) return null;

    User thisUser = new User(parent_username);

    // Is this a valid cookie?
    if (!thisUser.validateCookie(auth_Token)) return null;

    // Cookie is valid
    Form form = new Form(entity);
    String device_id = form.getFirstValue("deviceID");

    Device thisDevice = new Device(device_id);
    thisDevice.deleteDevice();

    return null;
  }
  /**
   * Creates a content type.
   *
   * @param mediaType The media type name.
   * @param parameters The parameters parsed.
   * @return The content type.
   */
  private ContentType createContentType(StringBuilder mediaType, Series<Parameter> parameters) {
    // Attempt to extract the character set
    CharacterSet characterSet = null;

    if (parameters != null) {
      String charSet = parameters.getFirstValue("charset");

      if (charSet != null) {
        parameters.removeAll("charset");
        characterSet = new CharacterSet(charSet);
      }

      return new ContentType(new MediaType(mediaType.toString(), parameters), characterSet);
    }

    return new ContentType(new MediaType(mediaType.toString()), null);
  }
  // TODO The secret should be a char[].
  private Representation doRefreshFlow(
      String clientId, String clientSecret, Series<Parameter> params) {
    String rToken = params.getFirstValue(REFRESH_TOKEN);

    if ((rToken == null) || (rToken.length() == 0)) {
      setStatus(Status.CLIENT_ERROR_BAD_REQUEST);
      return sendError(
          OAuthError.invalid_request, "Mandatory parameter refresh_token is missing", null);
    }

    Client client = validate(clientId, clientSecret);

    // null check on failed
    if (client == null) {
      setStatus(Status.CLIENT_ERROR_FORBIDDEN);
      return sendError(OAuthError.invalid_client, "Client id verification failed.", null);
    }

    Token token = generator.findToken(rToken);

    if ((token != null) && (token instanceof ExpireToken)) {
      AuthenticatedUser user = token.getUser();

      // Make sure that the user owning the token is owned by this client
      if (client.containsUser(user.getId())) {
        // refresh the token
        generator.refreshToken((ExpireToken) token);

        JSONObject body = createJsonToken(token, null); // Scopes N/A

        // Sets the no-store Cache-Control header
        getResponse().setCacheDirectives(noStore);
        return new JsonStringRepresentation(body);
      } else { // error not owner
        setStatus(Status.CLIENT_ERROR_FORBIDDEN);
        return sendError(OAuthError.unauthorized_client, "User does not match.", null);
      }
    } else { // error no such token.
      setStatus(Status.CLIENT_ERROR_UNAUTHORIZED);
      return sendError(OAuthError.invalid_grant, "Refresh token.", null);
    }
  }
Exemplo n.º 11
0
  @Override
  protected int doHandle(final Request request, final Response response) {
    int result = super.doHandle(request, response);

    Map<String, Object> requestAttributes = request.getAttributes();
    Map<String, Object> responseAttributes = response.getAttributes();
    Series<Header> requestHeaders =
        (Series<Header>)
            requestAttributes.computeIfAbsent(
                "org.restlet.http.headers", key -> new Series<Header>(Header.class));
    Series<Header> responseHeaders =
        (Series<Header>)
            responseAttributes.computeIfAbsent(
                "org.restlet.http.headers", key -> new Series<Header>(Header.class));
    // TODO fix me
    responseHeaders.add("Access-Control-Allow-Origin", requestHeaders.getFirstValue("Origin"));
    responseHeaders.add("Access-Control-Allow-Credentials", "true");
    responseHeaders.add(
        "Access-Control-Allow-Methods", "HEAD, GET, PUT, POST, DELETE, OPTIONS, TRACE");
    responseHeaders.add("Access-Control-Allow-Headers", "Content-Type, X-Requested-With");
    return result;
  }