diff options
Diffstat (limited to 'id/ConfigWebTool/src/main/java/at')
10 files changed, 1289 insertions, 20 deletions
diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java index 8ef3ec2f0..d088edf34 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java @@ -23,4 +23,7 @@ public class Constants { public static final String MOA_CONFIG_PROTOCOL_SAML1 = "id_saml1"; public static final String MOA_CONFIG_PROTOCOL_PVP2 = "id_pvp2x"; + + public static final String DEFAULT_LOCALBKU_URL = "https://127.0.0.1:3496/https-security-layer-request"; + public static final String DEFAULT_HANDYBKU_URL = "https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx"; } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java index 3ff48e92b..8f75a357c 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java @@ -10,17 +10,19 @@ public class AuthenticatedUser { private long userID; private String givenName; private String familyName; + private String userName; private Date lastLogin; public AuthenticatedUser() { } - public AuthenticatedUser(long userID, String givenName, String familyName, + public AuthenticatedUser(long userID, String givenName, String familyName, String userName, boolean isAuthenticated, boolean isAdmin) { this.familyName = familyName; this.givenName = givenName; + this.userName = userName; this.userID = userID; this.isAdmin = isAdmin; this.isAuthenticated = isAuthenticated; @@ -110,6 +112,20 @@ public class AuthenticatedUser { public void setLastLogin(Date lastLogin) { this.lastLogin = lastLogin; } + + /** + * @return the userName + */ + public String getUserName() { + return userName; + } + + /** + * @param userName the userName to set + */ + public void setUserName(String userName) { + this.userName = userName; + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/UserDatabaseFrom.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/UserDatabaseFrom.java new file mode 100644 index 000000000..e62160285 --- /dev/null +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/UserDatabaseFrom.java @@ -0,0 +1,237 @@ +package at.gv.egovernment.moa.id.configuration.data; + +import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.util.data.BPK; + +public class UserDatabaseFrom { + + private String bpk; + private String familyName; + private String givenName; + private String institut; + private String mail; + private String phone; + private String username; + private String password; + private boolean active = false; + private boolean admin = false; + private boolean passwordActive; + private String userID = null; + + public UserDatabaseFrom() { + + } + + public UserDatabaseFrom(UserDatabase db) { + bpk = db.getBpk(); + familyName = db.getFamilyname(); + givenName = db.getGivenname(); + institut = db.getInstitut(); + mail = db.getMail(); + phone = db.getPhone(); + username = db.getUsername(); + + if (MiscUtil.isNotEmpty(db.getPassword())) + passwordActive = true; + else + passwordActive = false; + + active = db.isIsActive(); + admin = db.isIsAdmin(); + + userID = String.valueOf(db.getHjid()); + } + + + /** + * @return the bpk + */ + public String getBpk() { + return bpk; + } + + + /** + * @param bpk the bpk to set + */ + public void setBpk(String bpk) { + this.bpk = bpk; + } + + + /** + * @return the familyName + */ + public String getFamilyName() { + return familyName; + } + + + /** + * @param familyName the familyName to set + */ + public void setFamilyName(String familyName) { + this.familyName = familyName; + } + + + /** + * @return the givenName + */ + public String getGivenName() { + return givenName; + } + + + /** + * @param givenName the givenName to set + */ + public void setGivenName(String givenName) { + this.givenName = givenName; + } + + + /** + * @return the institut + */ + public String getInstitut() { + return institut; + } + + + /** + * @param institut the institut to set + */ + public void setInstitut(String institut) { + this.institut = institut; + } + + + /** + * @return the mail + */ + public String getMail() { + return mail; + } + + + /** + * @param mail the mail to set + */ + public void setMail(String mail) { + this.mail = mail; + } + + + /** + * @return the phone + */ + public String getPhone() { + return phone; + } + + + /** + * @param phone the phone to set + */ + public void setPhone(String phone) { + this.phone = phone; + } + + + /** + * @return the username + */ + public String getUsername() { + return username; + } + + + /** + * @param username the username to set + */ + public void setUsername(String username) { + this.username = username; + } + + + /** + * @return the password + */ + public String getPassword() { + return password; + } + + + /** + * @param password the password to set + */ + public void setPassword(String password) { + this.password = password; + } + + + /** + * @return the active + */ + public boolean isActive() { + return active; + } + + + /** + * @param active the active to set + */ + public void setActive(boolean active) { + this.active = active; + } + + + /** + * @return the admin + */ + public boolean isAdmin() { + return admin; + } + + + /** + * @param admin the admin to set + */ + public void setAdmin(boolean admin) { + this.admin = admin; + } + + + /** + * @return the passwordActive + */ + public boolean isPasswordActive() { + return passwordActive; + } + + + /** + * @param passwordActive the passwordActive to set + */ + public void setPasswordActive(boolean passwordActive) { + this.passwordActive = passwordActive; + } + + /** + * @return the userID + */ + public String getUserID() { + return userID; + } + + /** + * @param userID the userID to set + */ + public void setUserID(String userID) { + this.userID = userID; + } + + +} diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java index f3b513019..129d62346 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java @@ -67,6 +67,9 @@ public class OAGeneralConfig { for (int i=0; i<values.length; i++) { keyBoxIdentifierList.put(values[i].value(), values[i].value()); } + + bkuLocalURL = Constants.DEFAULT_LOCALBKU_URL; + bkuHandyURL = Constants.DEFAULT_HANDYBKU_URL; } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java index 4eccfdf5d..a58b20214 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/filter/AuthenticationFilter.java @@ -128,7 +128,7 @@ public class AuthenticationFilter implements Filter{ if (authuser == null) { - authuser = new AuthenticatedUser(1, "Max", "TestUser", true, true); + authuser = new AuthenticatedUser(0, "Max", "TestUser", "maxtestuser", true, true); //authuser = new AuthenticatedUser(1, "Max", "TestUser", true, false); httpServletRequest.getSession().setAttribute(Constants.SESSION_AUTH, authuser); } @@ -150,6 +150,8 @@ public class AuthenticationFilter implements Filter{ if (MiscUtil.isNotEmpty(getAuthenticatedPage())) { log.debug("Unable to find authentication data. Authenticated page is given so there is no need to save original request url. " + (loginPageForward ? "Forwarding" : "Redirecting") + " to login page \"" + loginPage + "\"."); + + } else { log.debug("Unable to find authentication data. Storing request url and " + (loginPageForward ? "forwarding" : "redirecting") + " to login page \"" + loginPage + "\"."); diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/AuthenticationHelper.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/AuthenticationHelper.java new file mode 100644 index 000000000..b2f1b106f --- /dev/null +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/AuthenticationHelper.java @@ -0,0 +1,35 @@ +package at.gv.egovernment.moa.id.configuration.helper; + +import java.security.spec.KeySpec; + +import javax.crypto.SecretKey; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.SecretKeySpec; + +import org.apache.log4j.Logger; + +import at.gv.egovernment.moa.util.Base64Utils; + +public class AuthenticationHelper { + + private static final Logger log = Logger.getLogger(AuthenticationHelper.class); + + public static String generateKeyFormPassword(String password) { + SecretKeyFactory factory; + + try { + factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1"); + KeySpec spec = new PBEKeySpec(password.toCharArray(), "TestSALT".getBytes(), 1024, 128); + SecretKey tmp = factory.generateSecret(spec); + SecretKeySpec secret = new SecretKeySpec(tmp.getEncoded(), "AES"); + return Base64Utils.encode(secret.getEncoded()); + + } catch (Exception e) { + log.info("Key generation form password failed."); + return null; + } + + } + +} diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java new file mode 100644 index 000000000..a8992e6b8 --- /dev/null +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java @@ -0,0 +1,353 @@ +package at.gv.egovernment.moa.id.configuration.struts.action; + +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.io.StringReader; +import java.io.StringWriter; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.xml.bind.JAXBContext; +import javax.xml.bind.JAXBException; +import javax.xml.bind.Marshaller; +import javax.xml.bind.Unmarshaller; +import javax.xml.transform.Result; + +import org.apache.commons.io.IOUtils; +import org.apache.log4j.Logger; +import org.apache.struts2.interceptor.ServletRequestAware; +import org.apache.struts2.interceptor.ServletResponseAware; +import org.hibernate.lob.ReaderInputStream; +import org.w3c.dom.Node; + +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.config.MOAIDConfiguration; +import at.gv.egovernment.moa.id.commons.db.dao.config.OnlineApplication; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; +import at.gv.egovernment.moa.id.config.ConfigurationException; +import at.gv.egovernment.moa.id.config.legacy.BuildFromLegacyConfig; +import at.gv.egovernment.moa.id.configuration.Constants; +import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; +import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.iaik.commons.util.IOUtil; + +import com.opensymphony.xwork2.ActionSupport; + +import eu.stork.vidp.messages.common.STORKBootstrap; + +public class ImportExportAction extends ActionSupport +implements ServletRequestAware, ServletResponseAware { + + private static final Logger log = Logger.getLogger(ImportExportAction.class); + + private static final long serialVersionUID = 1L; + private HttpServletRequest request; + private HttpServletResponse response; + + private AuthenticatedUser authUser; + + private File fileUpload = null; + private String fileUploadContentType = null; + private String fileUploadFileName = null; + + private InputStream fileInputStream; + + public String init() { + + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + + return Constants.STRUTS_SUCCESS; + + } else { + log.info("No access to Import/Export for User with ID" + authUser.getUserID()); + addActionError(LanguageHelper.getErrorString("errors.notallowed")); + return Constants.STRUTS_NOTALLOWED; + } + } + return Constants.STRUTS_REAUTHENTICATE; + + } + + public String importLegacyConfig() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + + //load legacy config if it is configured + + if (fileUpload == null) { + addActionError(LanguageHelper.getErrorString("errors.importexport.nofile")); + return Constants.STRUTS_ERROR_VALIDATION; + } + + //Initialize OpenSAML for STORK + log.info("Starting initialization of OpenSAML..."); + try { + STORKBootstrap.bootstrap(); + + } catch (org.opensaml.xml.ConfigurationException e1) { + log.info("Legacy configuration has an Import Error", e1); + addActionError(LanguageHelper.getErrorString("errors.importexport.legacyimport", new Object[] {e1.getMessage()})); + return Constants.STRUTS_ERROR_VALIDATION; + } + log.debug("OpenSAML successfully initialized"); + + + MOAIDConfiguration moaconfig; + try { + log.warn("WARNING! The legacy import deletes the hole old config"); + + List<OnlineApplication> oas = ConfigurationDBRead.getAllOnlineApplications(); + if (oas != null && oas.size() > 0) { + for (OnlineApplication oa : oas) + ConfigurationDBUtils.delete(oa); + } + + + moaconfig = BuildFromLegacyConfig.build(fileUpload, ""); + + } catch (ConfigurationException e) { + log.info("Legacy configuration has an Import Error", e); + addActionError(LanguageHelper.getErrorString("errors.importexport.legacyimport", new Object[] {e.getMessage()})); + return Constants.STRUTS_ERROR_VALIDATION; + } + + //check if XML config should be use + log.warn("WARNING! MOA-ID 2.0 is started with XML configuration. This setup overstrike the actual configuration in the Database!"); + try { + MOAIDConfiguration moaidconfig = ConfigurationDBRead.getMOAIDConfiguration(); + if (moaidconfig != null) + ConfigurationDBUtils.delete(moaidconfig); + + ConfigurationDBUtils.save(moaconfig); + + } catch (MOADatabaseException e) { + log.warn("General MOA-ID config can not be stored in Database"); + addActionError(e.getMessage()); + return Constants.STRUTS_ERROR_VALIDATION; + } + + finally { + ConfigurationDBUtils.closeSession(); + } + + log.info("Legacy Configuration load is completed."); + addActionMessage(LanguageHelper.getGUIString("webpages.inportexport.success")); + return Constants.STRUTS_SUCCESS; + + } else { + log.info("No access to Import/Export for User with ID" + authUser.getUserID()); + addActionError(LanguageHelper.getErrorString("errors.notallowed")); + return Constants.STRUTS_NOTALLOWED; + } + } + return Constants.STRUTS_REAUTHENTICATE; + } + + public String downloadXMLConfig() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + + log.info("Write MOA-ID 2.x xml config"); + JAXBContext jc; + try { + jc = JAXBContext.newInstance("at.gv.egovernment.moa.id.commons.db.dao.config"); + + Marshaller m = jc.createMarshaller(); + m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); +// File test = new File(xmlconfigout); +// m.marshal(moaidconfig, test); + MOAIDConfiguration moaidconfig = ConfigurationDBRead.getMOAIDConfiguration(); + + if (moaidconfig == null) { + log.info("No MOA-ID 2.x configruation available"); + addActionError(LanguageHelper.getErrorString("errors.importexport.export.noconfig")); + return Constants.STRUTS_ERROR_VALIDATION; + } + + List<OnlineApplication> oaconfigs = ConfigurationDBRead.getAllOnlineApplications(); + moaidconfig.setOnlineApplication(oaconfigs); + + StringWriter writer = new StringWriter(); + m.marshal(moaidconfig, writer); + fileInputStream = IOUtils.toInputStream(writer.toString(), "UTF-8"); + + } catch (JAXBException e) { + log.info("MOA-ID 2.x configruation could not be exported into a XML file.", e); + addActionError(LanguageHelper.getErrorString("errors.importexport.export", + new Object[]{e.getMessage()})); + return Constants.STRUTS_ERROR_VALIDATION; + } catch (IOException e) { + log.info("MOA-ID 2.x configruation could not be exported into a XML file.", e); + addActionError(LanguageHelper.getErrorString("errors.importexport.export", + new Object[]{e.getMessage()})); + return Constants.STRUTS_ERROR_VALIDATION; + } + + finally { + ConfigurationDBUtils.closeSession(); + } + + return Constants.STRUTS_SUCCESS; + } else { + log.info("No access to Import/Export for User with ID" + authUser.getUserID()); + addActionError(LanguageHelper.getErrorString("errors.notallowed")); + return Constants.STRUTS_NOTALLOWED; + } + } + return Constants.STRUTS_REAUTHENTICATE; + } + + + public String importXMLConfig() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + + if (fileUpload == null) { + addActionError(LanguageHelper.getErrorString("errors.importexport.nofile")); + return Constants.STRUTS_ERROR_VALIDATION; + } + + log.warn("WARNING! The XML import deletes the hole old config"); + + List<OnlineApplication> oas = ConfigurationDBRead.getAllOnlineApplications(); + if (oas != null && oas.size() > 0) { + for (OnlineApplication oa : oas) + ConfigurationDBUtils.delete(oa); + } + MOAIDConfiguration moaidconfig = ConfigurationDBRead.getMOAIDConfiguration(); + if (moaidconfig != null) + ConfigurationDBUtils.delete(moaidconfig); + + + log.info("Load configuration from MOA-ID 2.x XML configuration"); + + try { + JAXBContext jc = JAXBContext.newInstance("at.gv.egovernment.moa.id.commons.db.dao.config"); + Unmarshaller m = jc.createUnmarshaller(); + MOAIDConfiguration moaconfig = (MOAIDConfiguration) m.unmarshal(fileUpload); + + List<OnlineApplication> importoas = moaconfig.getOnlineApplication(); + for (OnlineApplication importoa : importoas) { + ConfigurationDBUtils.saveOrUpdate(importoa); + } + + moaconfig.setOnlineApplication(null); + ConfigurationDBUtils.saveOrUpdate(moaconfig); + + } catch (Exception e) { + log.warn("MOA-ID XML configuration can not be loaded from File.", e); + addActionError(LanguageHelper.getErrorString("errors.importexport.import", + new Object[]{e.getMessage()})); + return Constants.STRUTS_ERROR_VALIDATION; + + } + + finally { + ConfigurationDBUtils.closeSession(); + } + + log.info("XML Configuration load is completed."); + addActionMessage(LanguageHelper.getGUIString("webpages.inportexport.success")); + return Constants.STRUTS_SUCCESS; + + } else { + log.info("No access to Import/Export for User with ID" + authUser.getUserID()); + addActionError(LanguageHelper.getErrorString("errors.notallowed")); + return Constants.STRUTS_NOTALLOWED; + } + } + return Constants.STRUTS_REAUTHENTICATE; + + } + + /** + * @return the fileUpload + */ + public File getFileUpload() { + return fileUpload; + } + + + + /** + * @param fileUpload the fileUpload to set + */ + public void setFileUpload(File fileUpload) { + this.fileUpload = fileUpload; + } + + + + /** + * @return the fileUploadContentType + */ + public String getFileUploadContentType() { + return fileUploadContentType; + } + + + + /** + * @param fileUploadContentType the fileUploadContentType to set + */ + public void setFileUploadContentType(String fileUploadContentType) { + this.fileUploadContentType = fileUploadContentType; + } + + + + /** + * @return the fileUploadFileName + */ + public String getFileUploadFileName() { + return fileUploadFileName; + } + + + + /** + * @param fileUploadFileName the fileUploadFileName to set + */ + public void setFileUploadFileName(String fileUploadFileName) { + this.fileUploadFileName = fileUploadFileName; + } + + /** + * @return the authUser + */ + public AuthenticatedUser getAuthUser() { + return authUser; + } + + public void setServletResponse(HttpServletResponse response) { + this.response = response; + } + public void setServletRequest(HttpServletRequest request) { + this.request = request; + } + + public InputStream getFileInputStream() { + return fileInputStream; + } +} diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java index 4e8e44007..6aeebcf7b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java @@ -1,32 +1,169 @@ package at.gv.egovernment.moa.id.configuration.struts.action; +import java.util.Date; + import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; +import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; import org.apache.struts2.interceptor.ServletResponseAware; +import com.opensymphony.xwork2.ActionSupport; + +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.configuration.Constants; +import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; +import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper; +import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.id.configuration.validation.UserDatabaseFormValidator; +import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper; +import at.gv.egovernment.moa.util.MiscUtil; -public class IndexAction implements ServletRequestAware, +public class IndexAction extends ActionSupport implements ServletRequestAware, ServletResponseAware { + private static final Logger log = Logger.getLogger(IndexAction.class); + private HttpServletRequest request; private HttpServletResponse response; + private String password; + private String username; + public String start() { return Constants.STRUTS_SUCCESS; } + public String authenticate() { + + String key = null; + + if (MiscUtil.isNotEmpty(username)) { + if (ValidationHelper.containsPotentialCSSCharacter(username, false)) { + log.warn("Username contains potentail XSS characters: " + username); + addActionError(LanguageHelper.getErrorString("validation.edituser.username.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("Username is empty"); + addActionError(LanguageHelper.getErrorString("validation.edituser.username.empty")); + return Constants.STRUTS_ERROR; + } + + if (MiscUtil.isEmpty(password)) { + log.warn("Password is empty"); + addActionError(LanguageHelper.getErrorString("validation.edituser.password.empty")); + return Constants.STRUTS_ERROR; + + } else { + key = AuthenticationHelper.generateKeyFormPassword(password); + if (key == null) { + addActionError(LanguageHelper.getErrorString("validation.edituser.password.valid")); + return Constants.STRUTS_ERROR; + } + } + + UserDatabase dbuser = ConfigurationDBRead.getUserWithUserName(username); + if (dbuser == null) { + log.warn("Unknown Username"); + addActionError(LanguageHelper.getErrorString("webpages.index.username.unkown")); + return Constants.STRUTS_ERROR; + + } else { + if (!dbuser.isIsActive()) { + log.warn("Username " + dbuser.getUsername() + " is not active"); + addActionError(LanguageHelper.getErrorString("webpages.index.username.notactive")); + return Constants.STRUTS_ERROR; + } + + if (!dbuser.getPassword().equals(key)) { + log.warn("Username " + dbuser.getUsername() + " use a false password"); + addActionError(LanguageHelper.getErrorString("webpages.index.password.false")); + return Constants.STRUTS_ERROR; + } + + AuthenticatedUser authuser = new AuthenticatedUser( + dbuser.getHjid(), + dbuser.getGivenname(), + dbuser.getFamilyname(), + dbuser.getUsername(), + true, + dbuser.isIsAdmin()); + + authuser.setLastLogin(dbuser.getLastLoginItem()); + + dbuser.setLastLoginItem(new Date()); + + try { + ConfigurationDBUtils.saveOrUpdate(dbuser); + + } catch (MOADatabaseException e) { + log.warn("UserDatabase communicaton error", e); + addActionError(LanguageHelper.getErrorString("error.login")); + return Constants.STRUTS_ERROR; + } + finally { + ConfigurationDBUtils.closeSession(); + } + request.getSession().setAttribute(Constants.SESSION_AUTH, authuser); + return Constants.STRUTS_SUCCESS; + } + } + + public String logout() { + + HttpSession session = request.getSession(); + + if (session != null) + session.invalidate(); + + return Constants.STRUTS_SUCCESS; + } public void setServletResponse(HttpServletResponse arg0) { this.response = arg0; } public void setServletRequest(HttpServletRequest arg0) { this.request = arg0; - } + } + + /** + * @return the password + */ + public String getPassword() { + return password; + } + + /** + * @param password the password to set + */ + public void setPassword(String password) { + this.password = password; + } + + /** + * @return the username + */ + public String getUsername() { + return username; + } + + /** + * @param username the username to set + */ + public void setUsername(String username) { + this.username = username; + } + + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java index 3f4b21fdd..c022d0057 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java @@ -1,51 +1,331 @@ package at.gv.egovernment.moa.id.configuration.struts.action; +import java.util.ArrayList; import java.util.Date; +import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; import org.apache.struts2.interceptor.ServletResponseAware; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; +import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom; +import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper; +import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.id.configuration.validation.UserDatabaseFormValidator; +import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper; +import at.gv.egovernment.moa.util.MiscUtil; import com.opensymphony.xwork2.ActionSupport; public class UserManagementAction extends ActionSupport implements ServletRequestAware, ServletResponseAware { + private static final Logger log = Logger.getLogger(UserManagementAction.class); + private static final long serialVersionUID = 1L; private HttpServletRequest request; private HttpServletResponse response; + + private AuthenticatedUser authUser = null; + + private List<AuthenticatedUser> userlist = null; + private UserDatabaseFrom user = null; + + private String useridobj = null; + private static boolean newUser = false; - private AuthenticatedUser authUser; + public String init() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + + log.info("Show UserList"); + + List<UserDatabase> dbuserlist = ConfigurationDBRead.getAllUsers(); + if (dbuserlist != null) { + userlist = new ArrayList<AuthenticatedUser>(); + + for (UserDatabase dbuser : dbuserlist) { + userlist.add(new AuthenticatedUser( + dbuser.getHjid(), + dbuser.getGivenname(), + dbuser.getFamilyname(), + dbuser.getUsername(), + dbuser.isIsActive(), + dbuser.isIsAdmin())); + } + } + + ConfigurationDBUtils.closeSession(); + return Constants.STRUTS_SUCCESS; + + } else { + log.info("User with ID " + authUser.getUserID() + " is not admin. Show only EditUser Frame"); + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(authUser.getUserID()); + if (dbuser == null) { + return Constants.STRUTS_REAUTHENTICATE; + } + user = new UserDatabaseFrom(dbuser); + ConfigurationDBUtils.closeSession(); + return Constants.STRUTS_NOTALLOWED; + } + } + return Constants.STRUTS_REAUTHENTICATE; + + } + public String createuser() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + + user = new UserDatabaseFrom(); + + newUser = true; + return Constants.STRUTS_SUCCESS; + + } else { + return Constants.STRUTS_NOTALLOWED; + } + } + return Constants.STRUTS_REAUTHENTICATE; + + } + + public String edituser() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + long userid = -1; + + if (!ValidationHelper.validateOAID(useridobj)) { + addActionError(LanguageHelper.getErrorString("errors.edit.user.userid", request)); + return Constants.STRUTS_ERROR; + } + userid = Long.valueOf(useridobj); + + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userid); + if (dbuser == null) { + log.info("No User with ID " + userid + " in Database");; + addActionError(LanguageHelper.getErrorString("errors.edit.user.userid", request)); + return Constants.STRUTS_ERROR; + } + user = new UserDatabaseFrom(dbuser); + + newUser = false; + + ConfigurationDBUtils.closeSession(); + + return Constants.STRUTS_SUCCESS; + + } else { + log.info("User with ID " + authUser.getUserID() + " is not admin. Show his own EditUser Frame"); + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(authUser.getUserID()); + user = new UserDatabaseFrom(dbuser); + return Constants.STRUTS_SUCCESS; + } + } + return Constants.STRUTS_REAUTHENTICATE; + + } + + public String saveuser() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + String useridobj = user.getUserID(); + long userID = -1; + if (MiscUtil.isEmpty(useridobj)) { + userID = -1; + + } else { + if (!ValidationHelper.validateOAID(useridobj)){ + log.warn("User with ID " + authUser.getUserID() + + " would access UserDatabase ID " + useridobj); + addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request)); + return Constants.STRUTS_ERROR; + } + userID = Long.valueOf(useridobj); + } + + List<String> errors; + UserDatabaseFormValidator validator = new UserDatabaseFormValidator(); + errors = validator.validate(user, userID); + + if (errors.size() > 0) { + log.info("UserDataForm has some erros."); + for (String el : errors) + addActionError(el); + user.setPassword(""); + + if (MiscUtil.isEmpty(user.getUsername())) + newUser = true; + + return Constants.STRUTS_ERROR_VALIDATION; + } + + if (!authUser.isAdmin()) { + if (authUser.getUserID() != userID) { + log.warn("User with ID " + authUser.getUserID() + + " would access UserDatabase Entry " + user.getUsername()); + addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request)); + return Constants.STRUTS_ERROR; + } + + } + + String error = saveFormToDB(); + if (error != null) { + log.warn("UserData can not be stored in Database"); + addActionError(error); + return Constants.STRUTS_SUCCESS; + } + + ConfigurationDBUtils.closeSession(); + return Constants.STRUTS_SUCCESS; + + } + return Constants.STRUTS_REAUTHENTICATE; + + } + + public String deleteuser() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + String useridobj = user.getUserID(); + long userID = -1; + if (MiscUtil.isEmpty(useridobj)) { + userID = -1; + + } else { + if (!ValidationHelper.validateOAID(useridobj)){ + log.warn("User with ID " + authUser.getUserID() + + " would access UserDatabase ID " + useridobj); + addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request)); + return Constants.STRUTS_ERROR; + } + userID = Long.valueOf(useridobj); + } + + if (!authUser.isAdmin()) { + if (authUser.getUserID() != userID) { + log.warn("User with ID " + authUser.getUserID() + + " would access UserDatabase Entry " + user.getUsername()); + addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request)); + return Constants.STRUTS_ERROR; + } + } + + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID); + if (dbuser != null) { + dbuser.setOnlineApplication(null); + + try { + ConfigurationDBUtils.saveOrUpdate(dbuser); + ConfigurationDBUtils.delete(dbuser); + + } catch (MOADatabaseException e) { + log.warn("UserData can not be deleted from Database"); + addActionError(e.getMessage()); + return Constants.STRUTS_SUCCESS; + } + + finally { + ConfigurationDBUtils.closeSession(); + } + } + + ConfigurationDBUtils.closeSession(); + return Constants.STRUTS_SUCCESS; + + } + return Constants.STRUTS_REAUTHENTICATE; + + } - public String createTestUser() throws MOADatabaseException { + private String saveFormToDB() { + + UserDatabase dbuser = ConfigurationDBRead.getUserWithUserName(user.getUsername()); - UserDatabase user = new UserDatabase(); - user.setBpk(""); - user.setFamilyname("Max"); - user.setGivenname("Mustermann"); - user.setIsActive(true); - user.setIsAdmin(false); - user.setInstitut("EGIZ"); - user.setLastLoginItem(new Date()); - user.setMail("masdf@amfasdf.com"); - user.setPhone("00660011542"); - user.setUsername("testuser"); + if( dbuser == null) { + dbuser = new UserDatabase(); + } - ConfigurationDBUtils.save(user); + dbuser.setBpk(user.getBpk()); + dbuser.setFamilyname(user.getFamilyName()); + dbuser.setGivenname(user.getGivenName()); + dbuser.setInstitut(user.getInstitut()); + dbuser.setMail(user.getMail()); + dbuser.setPhone(user.getPhone()); + dbuser.setUsername(user.getUsername()); - return Constants.STRUTS_SUCCESS; + if (authUser.isAdmin()) { + dbuser.setIsActive(user.isActive()); + dbuser.setIsAdmin(user.isAdmin()); + } + + if (MiscUtil.isNotEmpty(user.getPassword())) { + String key = AuthenticationHelper.generateKeyFormPassword(user.getPassword()); + if (key == null) { + return LanguageHelper.getErrorString("errors.edit.user.save"); + } + dbuser.setPassword(key); + } + + + try { + ConfigurationDBUtils.saveOrUpdate(dbuser); + } catch (MOADatabaseException e) { + log.warn("User information can not be stored in Database.", e); + return LanguageHelper.getErrorString("errors.edit.user.save"); + } + + return null; } +// public String createTestUser() throws MOADatabaseException { +// +// UserDatabase user = new UserDatabase(); +// user.setBpk(""); +// user.setFamilyname("Max"); +// user.setGivenname("Mustermann"); +// user.setIsActive(true); +// user.setIsAdmin(false); +// user.setInstitut("EGIZ"); +// user.setLastLoginItem(new Date()); +// user.setMail("masdf@amfasdf.com"); +// user.setPhone("00660011542"); +// user.setUsername("testuser"); +// +// ConfigurationDBUtils.save(user); +// +// return Constants.STRUTS_SUCCESS; +// } + public void setServletResponse(HttpServletResponse response) { this.response = response; @@ -56,7 +336,63 @@ public class UserManagementAction extends ActionSupport this.request = request; } + + /** + * @return the userlist + */ + public List<AuthenticatedUser> getUserlist() { + return userlist; + } + + /** + * @param userlist the userlist to set + */ + public void setUserlist(List<AuthenticatedUser> userlist) { + this.userlist = userlist; + } + + /** + * @return the user + */ + public UserDatabaseFrom getUser() { + return user; + } + + /** + * @param user the user to set + */ + public void setUser(UserDatabaseFrom user) { + this.user = user; + } + + /** + * @return the useridobj + */ + public String getUseridobj() { + return useridobj; + } + + /** + * @param useridobj the useridobj to set + */ + public void setUseridobj(String useridobj) { + this.useridobj = useridobj; + } + + /** + * @return the authUser + */ + public AuthenticatedUser getAuthUser() { + return authUser; + } + + /** + * @return the newUser + */ + public boolean isNewUser() { + return newUser; + } + - } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java new file mode 100644 index 000000000..8e6edf52a --- /dev/null +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java @@ -0,0 +1,147 @@ +package at.gv.egovernment.moa.id.configuration.validation; + +import java.util.ArrayList; +import java.util.List; + +import org.apache.log4j.Logger; + +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom; +import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper; +import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.util.MiscUtil; + +public class UserDatabaseFormValidator { + + private static final Logger log = Logger.getLogger(UserDatabaseFormValidator.class); + + public List<String> validate(UserDatabaseFrom form, long userID) { + List<String> errors = new ArrayList<String>(); + + String check = form.getGivenName(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("GivenName contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.givenname.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("GivenName is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.givenname.empty")); + } + + + check = form.getFamilyName(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("FamilyName contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.familyname.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("FamilyName is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.familyname.empty")); + } + + check = form.getInstitut(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("Organisation contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.institut.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("Organisation is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.institut.empty")); + } + + check = form.getMail(); + if (MiscUtil.isNotEmpty(check)) { + if (!ValidationHelper.isEmailAddressFormat(check)) { + log.warn("Mailaddress is not valid: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.mail.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("Mailaddress is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.mail.empty")); + } + + check = form.getPhone(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("Phonenumber contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.phone.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("Phonenumber is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.phone.empty")); + } + + check = form.getUsername(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("Username contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.username.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + + } else { + UserDatabase dbuser = ConfigurationDBRead.getUserWithUserName(check); + if (dbuser != null && userID != dbuser.getHjid()) { + log.warn("Username " + check + " exists in UserDatabase"); + errors.add(LanguageHelper.getErrorString("validation.edituser.username.duplicate")); + form.setUsername(""); + } + } + } else { + if (userID == -1) { + log.warn("Username is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.username.empty")); + } else { + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID); + if (dbuser == null) { + log.warn("Username is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.username.empty")); + } else { + form.setUsername(dbuser.getUsername()); + } + } + } + + check = form.getPassword(); + if (MiscUtil.isEmpty(check)) { + if (userID == -1) { + log.warn("Password is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.password.empty")); + } else { + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID); + if (dbuser == null || MiscUtil.isEmpty(dbuser.getPassword())) { + log.warn("Password is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.password.empty")); + } + } + + } else { + String key = AuthenticationHelper.generateKeyFormPassword(check); + if (key == null) { + errors.add(LanguageHelper.getErrorString("validation.edituser.password.valid")); + } + } + + + + check = form.getBpk(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("BPK contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.bpk.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } + + return errors; + + } +} |