Diffstat (limited to 'id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java')
-rw-r--r-- | id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java | 143 |
1 files changed, 120 insertions, 23 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java
index 1cb4fa802..d3d00186f 100644
--- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java
+++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java
@@ -3,26 +3,21 @@ package at.gv.egovernment.moa.id.configuration.struts.action;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.StringReader;
 import java.io.StringWriter;
-import java.net.MalformedURLException;
 import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Marshaller;
 import javax.xml.bind.Unmarshaller;
-import javax.xml.transform.Result;
 import org.apache.commons.io.IOUtils;
 import org.apache.log4j.Logger;
 import org.apache.struts2.interceptor.ServletRequestAware;
 import org.apache.struts2.interceptor.ServletResponseAware;
-import org.hibernate.lob.ReaderInputStream;
-import org.w3c.dom.Node;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead;
 import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils;
@@ -35,7 +30,7 @@ import at.gv.egovernment.moa.id.configuration.Constants;
 import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
 import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider;
 import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
-import at.iaik.commons.util.IOUtil;
+import at.gv.egovernment.moa.id.util.Random;
 import com.opensymphony.xwork2.ActionSupport;
@@ -51,6 +46,7 @@ implements ServletRequestAware, ServletResponseAware {
 private HttpServletResponse response;
 private AuthenticatedUser authUser;
+ private String formID;
 private File fileUpload = null;
 private String fileUploadContentType = null;
@@ -59,13 +55,20 @@ implements ServletRequestAware, ServletResponseAware {
 private InputStream fileInputStream;
 public String init() {
+ HttpSession session = request.getSession();
+ if (session == null) {
+ log.info("No http Session found.");
+ return Constants.STRUTS_ERROR;
+ }
- Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
-
+ Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 authUser = (AuthenticatedUser) authUserObj;
 if (authUser.isAdmin()) {
-
+
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
+ return Constants.STRUTS_SUCCESS;
 } else {
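Review bot: The `session == null` guard in init() is dead code for the servlet API's no-argument `request.getSession()`, which creates a session when none exists, while the value that can actually be absent — `session.getAttribute(Constants.SESSION_AUTH)` — is still cast and dereferenced unchecked, so an unauthenticated or expired-session request reaches `authUser.isAdmin()` and fails with a NullPointerException instead of the intended `Constants.STRUTS_ERROR`. The same guard is repeated at the top of importLegacyConfig(), downloadXMLConfig() and importXMLConfig() in the later hunks. A check before the cast such as `if (!(authUserObj instanceof AuthenticatedUser)) { log.info("No authenticated user in session."); return Constants.STRUTS_ERROR; }` makes that error path explicit, and `request.getSession(false)` would make the existing null check meaningful. The token is only as unpredictable as `Random.nextRandom()`, whose implementation is not on this page; since it is the anti-CSRF secret for the configuration import/export forms, it is worth confirming it is backed by `java.security.SecureRandom`. init()'s body continues outside the hunk.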
@@ -76,16 +79,39 @@ implements ServletRequestAware, ServletResponseAware {
 }
 public String importLegacyConfig() {
- Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+ HttpSession session = request.getSession();
+ if (session == null) {
+ log.info("No http Session found.");
+ return Constants.STRUTS_ERROR;
+ }
+ Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 authUser = (AuthenticatedUser) authUserObj;
+ Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+ if (formidobj != null && formidobj instanceof String) {
+ String formid = (String) formidobj;
+ if (!formid.equals(formID)) {
+ log.warn("FormIDs does not match. Some suspect Form is received from user " + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+ return Constants.STRUTS_ERROR;
+ }
+ } else {
+ log.warn("FormIDs does not match. Some suspect Form is received from user " + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+ return Constants.STRUTS_ERROR;
+ }
+ session.setAttribute(Constants.SESSION_FORMID, null);
+ if (authUser.isAdmin()) {
 //load legacy config if it is configured
 if (fileUpload == null) {
 addActionError(LanguageHelper.getErrorString("errors.importexport.nofile"));
+
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
 return Constants.STRUTS_ERROR_VALIDATION;
 }
@@ -97,6 +123,9 @@ implements ServletRequestAware, ServletResponseAware {
 } catch (org.opensaml.xml.ConfigurationException e1) {
 log.info("Legacy configuration has an Import Error", e1);
 addActionError(LanguageHelper.getErrorString("errors.importexport.legacyimport", new Object[] {e1.getMessage()}));
+
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
 return Constants.STRUTS_ERROR_VALIDATION;
 }
 log.debug("OpenSAML successfully initialized");
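Review bot: The form-ID validation block and the token renewal are pasted inline — the same compare block reappears in downloadXMLConfig() and importXMLConfig(), and `formID = Random.nextRandom(); session.setAttribute(Constants.SESSION_FORMID, formID);` is repeated on every error return in this and the following hunks — so any future error path that forgets the renewal hands the user a form that can no longer be submitted, and a change to the check has to be made in three places. Two private helpers keep the check and the renewal in one place; the sketch below also logs the "no token in session" case separately from a real mismatch (the current code reports both as "FormIDs does not match", which hides expired or double-submitted forms among suspect ones) and puts separators between family name, given name and user ID, which are currently concatenated into one word. The `formidobj != null &&` before `instanceof` is redundant. importLegacyConfig() continues outside the hunk.
```java
	public String importLegacyConfig() {
		HttpSession session = request.getSession();
		// … unchanged: authUser lookup …
		if (!isFormIDValid(session)) {
			return Constants.STRUTS_ERROR;
		}
		// … unchanged: admin check and legacy import; each error path calls renewFormID(session) before returning …
	}

	/** True when the session holds a form token equal to the submitted one; the token is consumed only on success. */
	private boolean isFormIDValid(HttpSession session) {
		Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
		if (!(formidobj instanceof String)) {
			log.warn("No FormID in session. Form received from user " + userLabel());
			return false;
		}
		if (!formidobj.equals(formID)) {
			log.warn("FormIDs does not match. Some suspect Form is received from user " + userLabel());
			return false;
		}
		session.setAttribute(Constants.SESSION_FORMID, null);
		return true;
	}

	/** Issues a fresh one-time token for the next form render. */
	private void renewFormID(HttpSession session) {
		formID = Random.nextRandom();
		session.setAttribute(Constants.SESSION_FORMID, formID);
	}

	private String userLabel() {
		return authUser.getFamilyName() + " " + authUser.getGivenName() + " (" + authUser.getUserID() + ")";
	}
```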
@@ -108,26 +137,24 @@ implements ServletRequestAware, ServletResponseAware {
 try {
 log.warn("WARNING! The legacy import deletes the hole old config");
- String rootConfigFileDir = new File(ConfigurationProvider.getInstance().getConfigFile()).getParent();
-
- try {
- rootConfigFileDir = new File(rootConfigFileDir).toURL().toString();
-
- } catch (MalformedURLException t) {
- log.warn("RootConfiguration Directory is not found");
- rootConfigFileDir = "";
- }
-
+ String rootConfigFileDir = ConfigurationProvider.getInstance().getConfigRootDir();
+ moaconfig = BuildFromLegacyConfig.build(fileUpload, rootConfigFileDir, moaidconfig);
 } catch (ConfigurationException e) {
 log.info("Legacy configuration has an Import Error", e);
 addActionError(LanguageHelper.getErrorString("errors.importexport.legacyimport", new Object[] {e.getMessage()}));
 ConfigurationDBUtils.closeSession();
+
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
 return Constants.STRUTS_ERROR_VALIDATION;
 } catch (at.gv.egovernment.moa.id.configuration.exception.ConfigurationException e) {
 ConfigurationDBUtils.closeSession();
+
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
 return Constants.STRUTS_ERROR_VALIDATION;
 }
@@ -155,6 +182,9 @@ implements ServletRequestAware, ServletResponseAware {
 } catch (MOADatabaseException e) {
 log.warn("General MOA-ID config can not be stored in Database");
 addActionError(e.getMessage());
+
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
 return Constants.STRUTS_ERROR_VALIDATION;
 }
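Review bot: `ConfigurationProvider.getInstance().getConfigRootDir()` replaces a value the removed lines built as a `file:` URL string via `new File(rootConfigFileDir).toURL().toString()`, and nothing in the hunk shows which form `BuildFromLegacyConfig.build` expects for its second argument; if the legacy builder resolves relative paths from the old configuration against that string as a URL, a plain filesystem path would be a silent behaviour change, so a comment pinning the contract, e.g. `// getConfigRootDir() must return the root in the form the legacy builder resolves against (the removed code passed a file: URL)`, or a test with a relative path in the legacy config, is worth adding. The second catch, `catch (at.gv.egovernment.moa.id.configuration.exception.ConfigurationException e)`, still returns `STRUTS_ERROR_VALIDATION` with neither a log entry nor an `addActionError`, so the user sees a validation failure without a message and the operator has nothing to correlate in the log; `log.info("Legacy configuration has an Import Error", e);` plus the same `addActionError` as the first catch would match the surrounding handling. The renewal lines in all three catches are the repeated pattern raised on the previous hunk. importLegacyConfig() continues outside this hunk.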
@@ -174,10 +204,30 @@ implements ServletRequestAware, ServletResponseAware {
 }
 public String downloadXMLConfig() {
- Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+ HttpSession session = request.getSession();
+ if (session == null) {
+ log.info("No http Session found.");
+ return Constants.STRUTS_ERROR;
+ }
+ Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 authUser = (AuthenticatedUser) authUserObj;
+ Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+ if (formidobj != null && formidobj instanceof String) {
+ String formid = (String) formidobj;
+ if (!formid.equals(formID)) {
+ log.warn("FormIDs does not match. Some suspect Form is received from user " + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+ return Constants.STRUTS_ERROR;
+ }
+ } else {
+ log.warn("FormIDs does not match. Some suspect Form is received from user " + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+ return Constants.STRUTS_ERROR;
+ }
+ session.setAttribute(Constants.SESSION_FORMID, null);
+ if (authUser.isAdmin()) {
 log.info("Write MOA-ID 2.x xml config");
@@ -194,6 +244,9 @@ implements ServletRequestAware, ServletResponseAware {
 if (moaidconfig == null) {
 log.info("No MOA-ID 2.x configruation available");
 addActionError(LanguageHelper.getErrorString("errors.importexport.export.noconfig"));
+
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
 return Constants.STRUTS_ERROR_VALIDATION;
 }
@@ -208,11 +261,17 @@ implements ServletRequestAware, ServletResponseAware {
 log.info("MOA-ID 2.x configruation could not be exported into a XML file.", e);
 addActionError(LanguageHelper.getErrorString("errors.importexport.export", new Object[]{e.getMessage()}));
+
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
 return Constants.STRUTS_ERROR_VALIDATION;
 } catch (IOException e) {
 log.info("MOA-ID 2.x configruation could not be exported into a XML file.", e);
 addActionError(LanguageHelper.getErrorString("errors.importexport.export", new Object[]{e.getMessage()}));
+
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
 return Constants.STRUTS_ERROR_VALIDATION;
 }
@@ -230,10 +289,30 @@ implements ServletRequestAware, ServletResponseAware {
 public String importXMLConfig() {
- Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH);
+ HttpSession session = request.getSession();
+ if (session == null) {
+ log.info("No http Session found.");
+ return Constants.STRUTS_ERROR;
+ }
+ Object authUserObj = session.getAttribute(Constants.SESSION_AUTH);
 authUser = (AuthenticatedUser) authUserObj;
+ Object formidobj = session.getAttribute(Constants.SESSION_FORMID);
+ if (formidobj != null && formidobj instanceof String) {
+ String formid = (String) formidobj;
+ if (!formid.equals(formID)) {
+ log.warn("FormIDs does not match. Some suspect Form is received from user " + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+ return Constants.STRUTS_ERROR;
+ }
+ } else {
+ log.warn("FormIDs does not match. Some suspect Form is received from user " + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
+ return Constants.STRUTS_ERROR;
+ }
+ session.setAttribute(Constants.SESSION_FORMID, null);
+ if (authUser.isAdmin()) {
 if (fileUpload == null) {
@@ -271,6 +350,9 @@ implements ServletRequestAware, ServletResponseAware {
 log.warn("MOA-ID XML configuration can not be loaded from File.", e);
 addActionError(LanguageHelper.getErrorString("errors.importexport.import", new Object[]{e.getMessage()}));
+
+ formID = Random.nextRandom();
+ session.setAttribute(Constants.SESSION_FORMID, formID);
 return Constants.STRUTS_ERROR_VALIDATION;
 }
@@ -360,4 +442,19 @@ implements ServletRequestAware, ServletResponseAware {
 public InputStream getFileInputStream() {
 return fileInputStream;
 }
+
+ /**
+ * @return the formID
+ */
+ public String getFormID() {
+ return formID;
+ }
+
+ /**
+ * @param formID the formID to set
+ */
+ public void setFormID(String formID) {
+ this.formID = formID;
+ }
+
 } |
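Review bot: The Javadoc on the new accessors (`@return the formID`, `@param formID the formID to set`) is generator boilerplate and tells a maintainer nothing about what the field is: the value Struts binds from the submitted hidden field through `setFormID`, and the freshly generated token the view renders through `getFormID` after init() or an error path. A Javadoc on the getter along the lines of "One-time anti-CSRF form token; the submitted value must equal the `Constants.SESSION_FORMID` session attribute, which the import/export actions compare and then consume" would capture the contract the earlier hunks implement. Because the setter is reachable through request parameters, a sentence noting that its value is untrusted input that is only ever compared, never written back into the session, would also help the next reader.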