/**
* Get the relative URL for a given BaseComponentDef descriptor.
*
* @param desc the DefDescriptor of a BaseComponentDef
* @return the relative URL for the descriptor
*/
protected String getUrl(DefDescriptor<? extends BaseComponentDef> desc) {
return String.format(
"/%s/%s.%s",
desc.getNamespace(),
desc.getName(),
DefType.APPLICATION.equals(desc.getDefType()) ? "app" : "cmp");
}
/**
* Check if CSP Header setting is already inherited from one.app (top level context) See
* https://www.w3.org/TR/CSP2/#which-policy-applies
*
* @param defDesc
* @param req
* @return true if CSP header setting can be skipped
*/
private boolean canSkipCSPHeader(final DefDescriptor<?> defDesc, final HttpServletRequest req) {
if (defDesc == null | req == null) {
return false;
}
// CSP inheritance is supported starting from CSP2
if (!isCSP2Supported(req)) {
return false;
}
final String descriptorName = defDesc.getDescriptorName();
if (!descriptorName.equals("one:one")) { // only skip while loading one.app
return false;
}
final String auraFormat = req.getParameter("aura.format");
if (auraFormat != null && auraFormat.equals("HTML")) {
return false;
}
// Skip one.app requests for non HTML content with already established aura context
final String auraContext = req.getParameter("aura.context");
if (auraContext != null) {
return true;
}
return false;
}
private AttributeModel(AttributeDef def) throws QuickFixException {
this.name = def.getName();
this.description = def.getDescription();
this.type = def.getTypeDef().getName().toLowerCase();
this.required = def.isRequired();
if (def.getDefaultValue() != null) {
this.defaultValue = def.getDefaultValue().getValue().toString();
} else {
this.defaultValue = null;
}
DefDescriptor<?> parentDesc = def.getParentDescriptor();
if (parentDesc == null || parentDesc.equals(ComponentDefModel.this.descriptor)) {
this.parentName = null;
this.parentDefType = null;
} else {
this.parentName = parentDesc.getNamespace() + ":" + parentDesc.getName();
this.parentDefType = parentDesc.getDefType().name().toLowerCase();
}
}
/** Sets mandatory headers, notably for anti-clickjacking. */
@Override
public void setCSPHeaders(DefDescriptor<?> top, HttpServletRequest req, HttpServletResponse rsp) {
if (canSkipCSPHeader(top, req)) {
return;
}
ContentSecurityPolicy csp =
configAdapter.getContentSecurityPolicy(top == null ? null : top.getQualifiedName(), req);
if (csp != null) {
rsp.setHeader(CSP.Header.SECURE, csp.getCspHeaderValue());
Collection<String> terms = csp.getFrameAncestors();
if (terms != null) {
// not open to the world; figure whether we can express an X-FRAME-OPTIONS header:
if (terms.size() == 0) {
// closed to any framing at all
rsp.setHeader(HDR_FRAME_OPTIONS, HDR_FRAME_DENY);
} else if (terms.size() == 1) {
// With one ancestor term, we're either SAMEORIGIN or ALLOWFROM
for (String site : terms) {
if (site == null) {
// Add same-origin headers and policy terms
rsp.addHeader(HDR_FRAME_OPTIONS, HDR_FRAME_SAMEORIGIN);
} else if (!site.contains("*") && !site.matches("^[a-z]+:$")) {
// XFO can't express wildcards or protocol-only, so set only for a specific site:
rsp.addHeader(HDR_FRAME_OPTIONS, HDR_FRAME_ALLOWFROM + site);
} else {
// When XFO can't express it, still set an ALLOWALL so filters don't jump in
rsp.addHeader(HDR_FRAME_OPTIONS, HDR_FRAME_ALLOWALL);
}
}
}
}
}
}
public ComponentDefModel() throws QuickFixException {
AuraContext context = Aura.getContextService().getCurrentContext();
BaseComponent<?, ?> component = context.getCurrentComponent();
String desc = (String) component.getAttributes().getValue("descriptor");
DefType defType =
DefType.valueOf(((String) component.getAttributes().getValue("defType")).toUpperCase());
DefinitionService definitionService = Aura.getDefinitionService();
descriptor = definitionService.getDefDescriptor(desc, defType.getPrimaryInterface());
definition = descriptor.getDef();
ReferenceTreeModel.assertAccess(definition);
String type = null;
if (definition instanceof RootDefinition) {
RootDefinition rootDef = (RootDefinition) definition;
for (AttributeDef attribute : rootDef.getAttributeDefs().values()) {
if (ReferenceTreeModel.hasAccess(attribute)) {
attributes.add(new AttributeModel(attribute));
}
}
DocumentationDef docDef = rootDef.getDocumentationDef();
doc = docDef != null ? new DocumentationDefModel(docDef) : null;
if (definition instanceof BaseComponentDef) {
BaseComponentDef cmpDef = (BaseComponentDef) definition;
for (RegisterEventDef reg : cmpDef.getRegisterEventDefs().values()) {
if (ReferenceTreeModel.hasAccess(reg)) {
events.add(new AttributeModel(reg));
}
}
for (EventHandlerDef handler : cmpDef.getHandlerDefs()) {
handledEvents.add(new AttributeModel(handler));
}
for (DefDescriptor<InterfaceDef> intf : cmpDef.getInterfaces()) {
if (ReferenceTreeModel.hasAccess(intf.getDef())) {
interfaces.add(intf.getNamespace() + ":" + intf.getName());
}
}
DefDescriptor<?> superDesc = cmpDef.getExtendsDescriptor();
if (superDesc != null) {
theSuper = superDesc.getNamespace() + ":" + superDesc.getName();
} else {
theSuper = null;
}
isAbstract = cmpDef.isAbstract();
isExtensible = cmpDef.isExtensible();
} else if (definition instanceof EventDef) {
EventDef eventDef = (EventDef) definition;
DefDescriptor<?> superDesc = eventDef.getExtendsDescriptor();
if (superDesc != null) {
theSuper = superDesc.getNamespace() + ":" + superDesc.getName();
} else {
theSuper = null;
}
type = eventDef.getEventType().name();
isExtensible = true;
isAbstract = false;
} else {
theSuper = null;
isExtensible = true;
isAbstract = false;
}
support = rootDef.getSupport().name();
if (definition instanceof RootDefinition) {
List<DefDescriptor<?>> deps = ((RootDefinition) definition).getBundle();
for (DefDescriptor<?> dep : deps) {
// we already surface the documentation--users don't need to see the source for it.
if (dep.getDefType() != DefType.DOCUMENTATION) {
Definition def = dep.getDef();
if (ReferenceTreeModel.hasAccess(def)) {
defs.add(new DefModel(dep));
}
}
}
}
} else {
support = null;
theSuper = null;
isExtensible = false;
isAbstract = false;
doc = null;
}
this.type = type;
}