@Override
public void assertAccess(DefDescriptor<?> desc) throws QuickFixException {
if (!accessCache.contains(desc)) {
Aura.getLoggingService().incrementNum("SecurityProviderCheck");
DefType defType = desc.getDefType();
String ns = desc.getNamespace();
AuraContext context = Aura.getContextService().getCurrentContext();
Mode mode = context.getMode();
String prefix = desc.getPrefix();
//
// This breaks encapsulation! -gordon
//
boolean isTopLevel = desc.equals(context.getApplicationDescriptor());
if (isTopLevel) {
//
// If we are trying to access the top level component, we need to ensure
// that it is _not_ abstract.
//
BaseComponentDef def = getDef(context.getApplicationDescriptor());
if (def != null && def.isAbstract() && def.getProviderDescriptor() == null) {
throw new NoAccessException(
String.format("Access to %s disallowed. Abstract definition.", desc));
}
}
//
// If this is _not_ the top level, we allow circumventing the security provider.
// This means that certain things will short-circuit, hopefully making checks faster...
// Not sure if this is premature optimization or not.
//
if (!isTopLevel || desc.getDefType().equals(DefType.COMPONENT)) {
if (!securedDefTypes.contains(defType)
|| unsecuredPrefixes.contains(prefix)
|| unsecuredNamespaces.contains(ns)
|| (mode != Mode.PROD
&& (!Aura.getConfigAdapter().isProduction())
&& unsecuredNonProductionNamespaces.contains(ns))) {
accessCache.add(desc);
return;
}
if (ns != null && DefDescriptor.JAVA_PREFIX.equals(prefix)) {
// handle java packages that have namespaces like aura.impl.blah
for (String okNs : unsecuredNamespaces) {
if (ns.startsWith(okNs)) {
accessCache.add(desc);
return;
}
}
}
}
SecurityProviderDef securityProviderDef = getSecurityProvider();
if (securityProviderDef == null) {
if (mode != Mode.PROD && !Aura.getConfigAdapter().isProduction()) {
accessCache.add(desc);
return;
} else {
throw new NoAccessException(
String.format("Access to %s disallowed. No Security Provider found.", desc));
}
} else {
if (!securityProviderDef.isAllowed(desc)) {
throw new NoAccessException(
String.format(
"Access to %s disallowed by %s",
desc, securityProviderDef.getDescriptor().getName()));
}
}
accessCache.add(desc);
}
}
public ComponentDefModel() throws QuickFixException {
AuraContext context = Aura.getContextService().getCurrentContext();
BaseComponent<?, ?> component = context.getCurrentComponent();
String desc = (String) component.getAttributes().getValue("descriptor");
DefType defType =
DefType.valueOf(((String) component.getAttributes().getValue("defType")).toUpperCase());
DefinitionService definitionService = Aura.getDefinitionService();
descriptor = definitionService.getDefDescriptor(desc, defType.getPrimaryInterface());
definition = descriptor.getDef();
ReferenceTreeModel.assertAccess(definition);
String type = null;
if (definition instanceof RootDefinition) {
RootDefinition rootDef = (RootDefinition) definition;
for (AttributeDef attribute : rootDef.getAttributeDefs().values()) {
if (ReferenceTreeModel.hasAccess(attribute)) {
attributes.add(new AttributeModel(attribute));
}
}
DocumentationDef docDef = rootDef.getDocumentationDef();
doc = docDef != null ? new DocumentationDefModel(docDef) : null;
if (definition instanceof BaseComponentDef) {
BaseComponentDef cmpDef = (BaseComponentDef) definition;
for (RegisterEventDef reg : cmpDef.getRegisterEventDefs().values()) {
if (ReferenceTreeModel.hasAccess(reg)) {
events.add(new AttributeModel(reg));
}
}
for (EventHandlerDef handler : cmpDef.getHandlerDefs()) {
handledEvents.add(new AttributeModel(handler));
}
for (DefDescriptor<InterfaceDef> intf : cmpDef.getInterfaces()) {
if (ReferenceTreeModel.hasAccess(intf.getDef())) {
interfaces.add(intf.getNamespace() + ":" + intf.getName());
}
}
DefDescriptor<?> superDesc = cmpDef.getExtendsDescriptor();
if (superDesc != null) {
theSuper = superDesc.getNamespace() + ":" + superDesc.getName();
} else {
theSuper = null;
}
isAbstract = cmpDef.isAbstract();
isExtensible = cmpDef.isExtensible();
} else if (definition instanceof EventDef) {
EventDef eventDef = (EventDef) definition;
DefDescriptor<?> superDesc = eventDef.getExtendsDescriptor();
if (superDesc != null) {
theSuper = superDesc.getNamespace() + ":" + superDesc.getName();
} else {
theSuper = null;
}
type = eventDef.getEventType().name();
isExtensible = true;
isAbstract = false;
} else {
theSuper = null;
isExtensible = true;
isAbstract = false;
}
support = rootDef.getSupport().name();
if (definition instanceof RootDefinition) {
List<DefDescriptor<?>> deps = ((RootDefinition) definition).getBundle();
for (DefDescriptor<?> dep : deps) {
// we already surface the documentation--users don't need to see the source for it.
if (dep.getDefType() != DefType.DOCUMENTATION) {
Definition def = dep.getDef();
if (ReferenceTreeModel.hasAccess(def)) {
defs.add(new DefModel(dep));
}
}
}
}
} else {
support = null;
theSuper = null;
isExtensible = false;
isAbstract = false;
doc = null;
}
this.type = type;
}
private String buildJsTestTargetUri(DefDescriptor<?> targetDescriptor, TestCaseDef testDef)
throws QuickFixException {
Map<String, Object> targetAttributes = testDef.getAttributeValues();
// Force "legacy" style tests until ready
if (!ENABLE_FREEFORM_TESTS && targetAttributes == null) {
targetAttributes = ImmutableMap.of();
}
if (targetAttributes != null) {
// The test has attributes specified, so request for the target component with the test's
// attributes.
String hash = "";
List<NameValuePair> newParams = Lists.newArrayList();
for (Entry<String, Object> entry : targetAttributes.entrySet()) {
String key = entry.getKey();
String value;
if (entry.getValue() instanceof Map<?, ?> || entry.getValue() instanceof List<?>) {
value = JsonEncoder.serialize(entry.getValue());
} else {
value = entry.getValue().toString();
}
if (key.equals("__layout")) {
hash = value;
} else {
newParams.add(new BasicNameValuePair(key, value));
}
}
String qs = URLEncodedUtils.format(newParams, "UTF-8") + hash;
return createURI(
targetDescriptor.getNamespace(),
targetDescriptor.getName(),
targetDescriptor.getDefType(),
null,
Authentication.AUTHENTICATED.name(),
qs);
} else {
// Free-form tests will load only the target component's template.
// TODO: Allow specifying the template on the test.
// TODO: Load proxy app for cmps, apps must loadApplication.
final BaseComponentDef originalDef = (BaseComponentDef) targetDescriptor.getDef();
final ComponentDef targetTemplate = originalDef.getTemplateDef();
String newDescriptorString =
String.format("%s$%s", targetDescriptor.getDescriptorName(), testDef.getName());
final DefDescriptor<ApplicationDef> newDescriptor =
Aura.getDefinitionService().getDefDescriptor(newDescriptorString, ApplicationDef.class);
final ApplicationDef dummyDef =
Aura.getDefinitionService().getDefinition("aurajstest:blank", ApplicationDef.class);
BaseComponentDef targetDef =
(BaseComponentDef)
Proxy.newProxyInstance(
originalDef.getClass().getClassLoader(),
new Class<?>[] {ApplicationDef.class},
new InvocationHandler() {
@Override
public Object invoke(Object proxy, Method method, Object[] args)
throws Throwable {
switch (method.getName()) {
case "getDescriptor":
return newDescriptor;
case "getTemplateDef":
return targetTemplate;
case "isLocallyRenderable":
return method.invoke(originalDef, args);
default:
return method.invoke(dummyDef, args);
}
}
});
TestContext testContext =
Aura.get(TestContextAdapter.class).getTestContext(testDef.getQualifiedName());
testContext.getLocalDefs().add(targetDef);
return createURI(
newDescriptor.getNamespace(),
newDescriptor.getName(),
newDescriptor.getDefType(),
null,
Authentication.AUTHENTICATED.name(),
null);
}
}
@Override
public void write(T value, Map<String, Object> componentAttributes, Appendable out)
throws IOException {
try {
AuraContext context = Aura.getContextService().getCurrentContext();
InstanceService instanceService = Aura.getInstanceService();
RenderingService renderingService = Aura.getRenderingService();
BaseComponentDef def = value.getDescriptor().getDef();
ComponentDef templateDef = def.getTemplateDef();
Map<String, Object> attributes = Maps.newHashMap();
StringBuilder sb = new StringBuilder();
writeHtmlStyles(new ArrayList<>(Arrays.asList(Aura.getConfigAdapter().getResetCssURL())), sb);
attributes.put("auraResetCss", sb.toString());
sb.setLength(0);
writeHtmlStyles(AuraServlet.getStyles(), sb);
attributes.put("auraStyleTags", sb.toString());
sb.setLength(0);
writeHtmlScripts(AuraServlet.getScripts(), sb);
DefDescriptor<StyleDef> styleDefDesc = templateDef.getStyleDescriptor();
if (styleDefDesc != null) {
attributes.put("auraInlineStyle", styleDefDesc.getDef().getCode());
}
String contextPath = context.getContextPath();
Mode mode = context.getMode();
if (mode.allowLocalRendering() && def.isLocallyRenderable()) {
BaseComponent<?, ?> cmp =
(BaseComponent<?, ?>) instanceService.getInstance(def, componentAttributes);
attributes.put("body", Lists.<BaseComponent<?, ?>>newArrayList(cmp));
attributes.put("bodyClass", "");
attributes.put("autoInitialize", "false");
Component template = instanceService.getInstance(templateDef.getDescriptor(), attributes);
renderingService.render(template, out);
} else {
attributes.put("auraScriptTags", sb.toString());
Map<String, Object> auraInit = Maps.newHashMap();
if (componentAttributes != null && !componentAttributes.isEmpty()) {
auraInit.put("attributes", componentAttributes);
}
auraInit.put("descriptor", def.getDescriptor());
auraInit.put("deftype", def.getDescriptor().getDefType());
auraInit.put("host", contextPath);
attributes.put("autoInitialize", "false");
attributes.put("autoInitializeSync", "true");
auraInit.put("instance", value);
auraInit.put("token", AuraBaseServlet.getToken());
StringBuilder contextWriter = new StringBuilder();
Aura.getSerializationService()
.write(context, null, AuraContext.class, contextWriter, "JSON");
auraInit.put("context", new Literal(contextWriter.toString()));
attributes.put("auraInitSync", JsonEncoder.serialize(auraInit));
Component template = instanceService.getInstance(templateDef.getDescriptor(), attributes);
renderingService.render(template, out);
}
} catch (QuickFixException e) {
throw new AuraRuntimeException(e);
}
}
