From 2337072ac18b66e523818702ba6dce6b462472b1 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 8 Aug 2013 15:50:28 +0200 Subject: MOA-ID Configuration Tool Beta --- .../moa/id/configuration/Constants.java | 3 + .../id/configuration/auth/AuthenticatedUser.java | 18 +- .../id/configuration/data/UserDatabaseFrom.java | 237 +++++++++++++ .../id/configuration/data/oa/OAGeneralConfig.java | 3 + .../configuration/filter/AuthenticationFilter.java | 4 +- .../configuration/helper/AuthenticationHelper.java | 35 ++ .../struts/action/ImportExportAction.java | 353 ++++++++++++++++++++ .../configuration/struts/action/IndexAction.java | 141 +++++++- .../struts/action/UserManagementAction.java | 368 ++++++++++++++++++++- .../validation/UserDatabaseFormValidator.java | 147 ++++++++ 10 files changed, 1289 insertions(+), 20 deletions(-) create mode 100644 id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/UserDatabaseFrom.java create mode 100644 id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/helper/AuthenticationHelper.java create mode 100644 id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/ImportExportAction.java create mode 100644 id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java (limited to 'id/ConfigWebTool/src/main/java/at/gv') diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java index 8ef3ec2f0..d088edf34 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/Constants.java @@ -23,4 +23,7 @@ public class Constants { public static final String MOA_CONFIG_PROTOCOL_SAML1 = "id_saml1"; public static final String MOA_CONFIG_PROTOCOL_PVP2 = "id_pvp2x"; + + public static final String DEFAULT_LOCALBKU_URL = "https://127.0.0.1:3496/https-security-layer-request"; + public static final String DEFAULT_HANDYBKU_URL = "https://www.handy-signatur.at/mobile/https-security-layer-request/default.aspx"; } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java index 3ff48e92b..8f75a357c 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/auth/AuthenticatedUser.java @@ -10,17 +10,19 @@ public class AuthenticatedUser { private long userID; private String givenName; private String familyName; + private String userName; private Date lastLogin; public AuthenticatedUser() { } - public AuthenticatedUser(long userID, String givenName, String familyName, + public AuthenticatedUser(long userID, String givenName, String familyName, String userName, boolean isAuthenticated, boolean isAdmin) { this.familyName = familyName; this.givenName = givenName; + this.userName = userName; this.userID = userID; this.isAdmin = isAdmin; this.isAuthenticated = isAuthenticated; @@ -110,6 +112,20 @@ public class AuthenticatedUser { public void setLastLogin(Date lastLogin) { this.lastLogin = lastLogin; } + + /** + * @return the userName + */ + public String getUserName() { + return userName; + } + + /** + * @param userName the userName to set + */ + public void setUserName(String userName) { + this.userName = userName; + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/UserDatabaseFrom.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/UserDatabaseFrom.java new file mode 100644 index 000000000..e62160285 --- /dev/null +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/UserDatabaseFrom.java @@ -0,0 +1,237 @@ +package at.gv.egovernment.moa.id.configuration.data; + +import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import at.gv.egovernment.moa.util.MiscUtil; +import at.gv.util.data.BPK; + +public class UserDatabaseFrom { + + private String bpk; + private String familyName; + private String givenName; + private String institut; + private String mail; + private String phone; + private String username; + private String password; + private boolean active = false; + private boolean admin = false; + private boolean passwordActive; + private String userID = null; + + public UserDatabaseFrom() { + + } + + public UserDatabaseFrom(UserDatabase db) { + bpk = db.getBpk(); + familyName = db.getFamilyname(); + givenName = db.getGivenname(); + institut = db.getInstitut(); + mail = db.getMail(); + phone = db.getPhone(); + username = db.getUsername(); + + if (MiscUtil.isNotEmpty(db.getPassword())) + passwordActive = true; + else + passwordActive = false; + + active = db.isIsActive(); + admin = db.isIsAdmin(); + + userID = String.valueOf(db.getHjid()); + } + + + /** + * @return the bpk + */ + public String getBpk() { + return bpk; + } + + + /** + * @param bpk the bpk to set + */ + public void setBpk(String bpk) { + this.bpk = bpk; + } + + + /** + * @return the familyName + */ + public String getFamilyName() { + return familyName; + } + + + /** + * @param familyName the familyName to set + */ + public void setFamilyName(String familyName) { + this.familyName = familyName; + } + + + /** + * @return the givenName + */ + public String getGivenName() { + return givenName; + } + + + /** + * @param givenName the givenName to set + */ + public void setGivenName(String givenName) { + this.givenName = givenName; + } + + + /** + * @return the institut + */ + public String getInstitut() { + return institut; + } + + + /** + * @param institut the institut to set + */ + public void setInstitut(String institut) { + this.institut = institut; + } + + + /** + * @return the mail + */ + public String getMail() { + return mail; + } + + + /** + * @param mail the mail to set + */ + public void setMail(String mail) { + this.mail = mail; + } + + + /** + * @return the phone + */ + public String getPhone() { + return phone; + } + + + /** + * @param phone the phone to set + */ + public void setPhone(String phone) { + this.phone = phone; + } + + + /** + * @return the username + */ + public String getUsername() { + return username; + } + + + /** + * @param username the username to set + */ + public void setUsername(String username) { + this.username = username; + } + + + /** + * @return the password + */ + public String getPassword() { + return password; + } + + + /** + * @param password the password to set + */ + public void setPassword(String password) { + this.password = password; + } + + + /** + * @return the active + */ + public boolean isActive() { + return active; + } + + + /** + * @param active the active to set + */ + public void setActive(boolean active) { + this.active = active; + } + + + /** + * @return the admin + */ + public boolean isAdmin() { + return admin; + } + + + /** + * @param admin the admin to set + */ + public void setAdmin(boolean admin) { + this.admin = admin; + } + + + /** + * @return the passwordActive + */ + public boolean isPasswordActive() { + return passwordActive; + } + + + /** + * @param passwordActive the passwordActive to set + */ + public void setPasswordActive(boolean passwordActive) { + this.passwordActive = passwordActive; + } + + /** + * @return the userID + */ + public String getUserID() { + return userID; + } + + /** + * @param userID the userID to set + */ + public void setUserID(String userID) { + this.userID = userID; + } + + +} diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java index f3b513019..129d62346 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/data/oa/OAGeneralConfig.java @@ -67,6 +67,9 @@ public class OAGeneralConfig { for (int i=0; i oas = ConfigurationDBRead.getAllOnlineApplications(); + if (oas != null && oas.size() > 0) { + for (OnlineApplication oa : oas) + ConfigurationDBUtils.delete(oa); + } + + + moaconfig = BuildFromLegacyConfig.build(fileUpload, ""); + + } catch (ConfigurationException e) { + log.info("Legacy configuration has an Import Error", e); + addActionError(LanguageHelper.getErrorString("errors.importexport.legacyimport", new Object[] {e.getMessage()})); + return Constants.STRUTS_ERROR_VALIDATION; + } + + //check if XML config should be use + log.warn("WARNING! MOA-ID 2.0 is started with XML configuration. This setup overstrike the actual configuration in the Database!"); + try { + MOAIDConfiguration moaidconfig = ConfigurationDBRead.getMOAIDConfiguration(); + if (moaidconfig != null) + ConfigurationDBUtils.delete(moaidconfig); + + ConfigurationDBUtils.save(moaconfig); + + } catch (MOADatabaseException e) { + log.warn("General MOA-ID config can not be stored in Database"); + addActionError(e.getMessage()); + return Constants.STRUTS_ERROR_VALIDATION; + } + + finally { + ConfigurationDBUtils.closeSession(); + } + + log.info("Legacy Configuration load is completed."); + addActionMessage(LanguageHelper.getGUIString("webpages.inportexport.success")); + return Constants.STRUTS_SUCCESS; + + } else { + log.info("No access to Import/Export for User with ID" + authUser.getUserID()); + addActionError(LanguageHelper.getErrorString("errors.notallowed")); + return Constants.STRUTS_NOTALLOWED; + } + } + return Constants.STRUTS_REAUTHENTICATE; + } + + public String downloadXMLConfig() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + + log.info("Write MOA-ID 2.x xml config"); + JAXBContext jc; + try { + jc = JAXBContext.newInstance("at.gv.egovernment.moa.id.commons.db.dao.config"); + + Marshaller m = jc.createMarshaller(); + m.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true); +// File test = new File(xmlconfigout); +// m.marshal(moaidconfig, test); + MOAIDConfiguration moaidconfig = ConfigurationDBRead.getMOAIDConfiguration(); + + if (moaidconfig == null) { + log.info("No MOA-ID 2.x configruation available"); + addActionError(LanguageHelper.getErrorString("errors.importexport.export.noconfig")); + return Constants.STRUTS_ERROR_VALIDATION; + } + + List oaconfigs = ConfigurationDBRead.getAllOnlineApplications(); + moaidconfig.setOnlineApplication(oaconfigs); + + StringWriter writer = new StringWriter(); + m.marshal(moaidconfig, writer); + fileInputStream = IOUtils.toInputStream(writer.toString(), "UTF-8"); + + } catch (JAXBException e) { + log.info("MOA-ID 2.x configruation could not be exported into a XML file.", e); + addActionError(LanguageHelper.getErrorString("errors.importexport.export", + new Object[]{e.getMessage()})); + return Constants.STRUTS_ERROR_VALIDATION; + } catch (IOException e) { + log.info("MOA-ID 2.x configruation could not be exported into a XML file.", e); + addActionError(LanguageHelper.getErrorString("errors.importexport.export", + new Object[]{e.getMessage()})); + return Constants.STRUTS_ERROR_VALIDATION; + } + + finally { + ConfigurationDBUtils.closeSession(); + } + + return Constants.STRUTS_SUCCESS; + } else { + log.info("No access to Import/Export for User with ID" + authUser.getUserID()); + addActionError(LanguageHelper.getErrorString("errors.notallowed")); + return Constants.STRUTS_NOTALLOWED; + } + } + return Constants.STRUTS_REAUTHENTICATE; + } + + + public String importXMLConfig() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + + if (fileUpload == null) { + addActionError(LanguageHelper.getErrorString("errors.importexport.nofile")); + return Constants.STRUTS_ERROR_VALIDATION; + } + + log.warn("WARNING! The XML import deletes the hole old config"); + + List oas = ConfigurationDBRead.getAllOnlineApplications(); + if (oas != null && oas.size() > 0) { + for (OnlineApplication oa : oas) + ConfigurationDBUtils.delete(oa); + } + MOAIDConfiguration moaidconfig = ConfigurationDBRead.getMOAIDConfiguration(); + if (moaidconfig != null) + ConfigurationDBUtils.delete(moaidconfig); + + + log.info("Load configuration from MOA-ID 2.x XML configuration"); + + try { + JAXBContext jc = JAXBContext.newInstance("at.gv.egovernment.moa.id.commons.db.dao.config"); + Unmarshaller m = jc.createUnmarshaller(); + MOAIDConfiguration moaconfig = (MOAIDConfiguration) m.unmarshal(fileUpload); + + List importoas = moaconfig.getOnlineApplication(); + for (OnlineApplication importoa : importoas) { + ConfigurationDBUtils.saveOrUpdate(importoa); + } + + moaconfig.setOnlineApplication(null); + ConfigurationDBUtils.saveOrUpdate(moaconfig); + + } catch (Exception e) { + log.warn("MOA-ID XML configuration can not be loaded from File.", e); + addActionError(LanguageHelper.getErrorString("errors.importexport.import", + new Object[]{e.getMessage()})); + return Constants.STRUTS_ERROR_VALIDATION; + + } + + finally { + ConfigurationDBUtils.closeSession(); + } + + log.info("XML Configuration load is completed."); + addActionMessage(LanguageHelper.getGUIString("webpages.inportexport.success")); + return Constants.STRUTS_SUCCESS; + + } else { + log.info("No access to Import/Export for User with ID" + authUser.getUserID()); + addActionError(LanguageHelper.getErrorString("errors.notallowed")); + return Constants.STRUTS_NOTALLOWED; + } + } + return Constants.STRUTS_REAUTHENTICATE; + + } + + /** + * @return the fileUpload + */ + public File getFileUpload() { + return fileUpload; + } + + + + /** + * @param fileUpload the fileUpload to set + */ + public void setFileUpload(File fileUpload) { + this.fileUpload = fileUpload; + } + + + + /** + * @return the fileUploadContentType + */ + public String getFileUploadContentType() { + return fileUploadContentType; + } + + + + /** + * @param fileUploadContentType the fileUploadContentType to set + */ + public void setFileUploadContentType(String fileUploadContentType) { + this.fileUploadContentType = fileUploadContentType; + } + + + + /** + * @return the fileUploadFileName + */ + public String getFileUploadFileName() { + return fileUploadFileName; + } + + + + /** + * @param fileUploadFileName the fileUploadFileName to set + */ + public void setFileUploadFileName(String fileUploadFileName) { + this.fileUploadFileName = fileUploadFileName; + } + + /** + * @return the authUser + */ + public AuthenticatedUser getAuthUser() { + return authUser; + } + + public void setServletResponse(HttpServletResponse response) { + this.response = response; + } + public void setServletRequest(HttpServletRequest request) { + this.request = request; + } + + public InputStream getFileInputStream() { + return fileInputStream; + } +} diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java index 4e8e44007..6aeebcf7b 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/IndexAction.java @@ -1,32 +1,169 @@ package at.gv.egovernment.moa.id.configuration.struts.action; +import java.util.Date; + import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpSession; +import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; import org.apache.struts2.interceptor.ServletResponseAware; +import com.opensymphony.xwork2.ActionSupport; + +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; +import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.configuration.Constants; +import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; import at.gv.egovernment.moa.id.configuration.config.ConfigurationProvider; import at.gv.egovernment.moa.id.configuration.exception.ConfigurationException; +import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper; +import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.id.configuration.validation.UserDatabaseFormValidator; +import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper; +import at.gv.egovernment.moa.util.MiscUtil; -public class IndexAction implements ServletRequestAware, +public class IndexAction extends ActionSupport implements ServletRequestAware, ServletResponseAware { + private static final Logger log = Logger.getLogger(IndexAction.class); + private HttpServletRequest request; private HttpServletResponse response; + private String password; + private String username; + public String start() { return Constants.STRUTS_SUCCESS; } + public String authenticate() { + + String key = null; + + if (MiscUtil.isNotEmpty(username)) { + if (ValidationHelper.containsPotentialCSSCharacter(username, false)) { + log.warn("Username contains potentail XSS characters: " + username); + addActionError(LanguageHelper.getErrorString("validation.edituser.username.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + return Constants.STRUTS_ERROR; + } + } else { + log.warn("Username is empty"); + addActionError(LanguageHelper.getErrorString("validation.edituser.username.empty")); + return Constants.STRUTS_ERROR; + } + + if (MiscUtil.isEmpty(password)) { + log.warn("Password is empty"); + addActionError(LanguageHelper.getErrorString("validation.edituser.password.empty")); + return Constants.STRUTS_ERROR; + + } else { + key = AuthenticationHelper.generateKeyFormPassword(password); + if (key == null) { + addActionError(LanguageHelper.getErrorString("validation.edituser.password.valid")); + return Constants.STRUTS_ERROR; + } + } + + UserDatabase dbuser = ConfigurationDBRead.getUserWithUserName(username); + if (dbuser == null) { + log.warn("Unknown Username"); + addActionError(LanguageHelper.getErrorString("webpages.index.username.unkown")); + return Constants.STRUTS_ERROR; + + } else { + if (!dbuser.isIsActive()) { + log.warn("Username " + dbuser.getUsername() + " is not active"); + addActionError(LanguageHelper.getErrorString("webpages.index.username.notactive")); + return Constants.STRUTS_ERROR; + } + + if (!dbuser.getPassword().equals(key)) { + log.warn("Username " + dbuser.getUsername() + " use a false password"); + addActionError(LanguageHelper.getErrorString("webpages.index.password.false")); + return Constants.STRUTS_ERROR; + } + + AuthenticatedUser authuser = new AuthenticatedUser( + dbuser.getHjid(), + dbuser.getGivenname(), + dbuser.getFamilyname(), + dbuser.getUsername(), + true, + dbuser.isIsAdmin()); + + authuser.setLastLogin(dbuser.getLastLoginItem()); + + dbuser.setLastLoginItem(new Date()); + + try { + ConfigurationDBUtils.saveOrUpdate(dbuser); + + } catch (MOADatabaseException e) { + log.warn("UserDatabase communicaton error", e); + addActionError(LanguageHelper.getErrorString("error.login")); + return Constants.STRUTS_ERROR; + } + finally { + ConfigurationDBUtils.closeSession(); + } + request.getSession().setAttribute(Constants.SESSION_AUTH, authuser); + return Constants.STRUTS_SUCCESS; + } + } + + public String logout() { + + HttpSession session = request.getSession(); + + if (session != null) + session.invalidate(); + + return Constants.STRUTS_SUCCESS; + } public void setServletResponse(HttpServletResponse arg0) { this.response = arg0; } public void setServletRequest(HttpServletRequest arg0) { this.request = arg0; - } + } + + /** + * @return the password + */ + public String getPassword() { + return password; + } + + /** + * @param password the password to set + */ + public void setPassword(String password) { + this.password = password; + } + + /** + * @return the username + */ + public String getUsername() { + return username; + } + + /** + * @param username the username to set + */ + public void setUsername(String username) { + this.username = username; + } + + } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java index 3f4b21fdd..c022d0057 100644 --- a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/struts/action/UserManagementAction.java @@ -1,51 +1,331 @@ package at.gv.egovernment.moa.id.configuration.struts.action; +import java.util.ArrayList; import java.util.Date; +import java.util.List; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.apache.log4j.Logger; import org.apache.struts2.interceptor.ServletRequestAware; import org.apache.struts2.interceptor.ServletResponseAware; +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; import at.gv.egovernment.moa.id.commons.db.ConfigurationDBUtils; import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException; import at.gv.egovernment.moa.id.configuration.Constants; import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser; +import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom; +import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper; +import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.id.configuration.validation.UserDatabaseFormValidator; +import at.gv.egovernment.moa.id.configuration.validation.ValidationHelper; +import at.gv.egovernment.moa.util.MiscUtil; import com.opensymphony.xwork2.ActionSupport; public class UserManagementAction extends ActionSupport implements ServletRequestAware, ServletResponseAware { + private static final Logger log = Logger.getLogger(UserManagementAction.class); + private static final long serialVersionUID = 1L; private HttpServletRequest request; private HttpServletResponse response; + + private AuthenticatedUser authUser = null; + + private List userlist = null; + private UserDatabaseFrom user = null; + + private String useridobj = null; + private static boolean newUser = false; - private AuthenticatedUser authUser; + public String init() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + + log.info("Show UserList"); + + List dbuserlist = ConfigurationDBRead.getAllUsers(); + if (dbuserlist != null) { + userlist = new ArrayList(); + + for (UserDatabase dbuser : dbuserlist) { + userlist.add(new AuthenticatedUser( + dbuser.getHjid(), + dbuser.getGivenname(), + dbuser.getFamilyname(), + dbuser.getUsername(), + dbuser.isIsActive(), + dbuser.isIsAdmin())); + } + } + + ConfigurationDBUtils.closeSession(); + return Constants.STRUTS_SUCCESS; + + } else { + log.info("User with ID " + authUser.getUserID() + " is not admin. Show only EditUser Frame"); + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(authUser.getUserID()); + if (dbuser == null) { + return Constants.STRUTS_REAUTHENTICATE; + } + user = new UserDatabaseFrom(dbuser); + ConfigurationDBUtils.closeSession(); + return Constants.STRUTS_NOTALLOWED; + } + } + return Constants.STRUTS_REAUTHENTICATE; + + } + public String createuser() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + + user = new UserDatabaseFrom(); + + newUser = true; + return Constants.STRUTS_SUCCESS; + + } else { + return Constants.STRUTS_NOTALLOWED; + } + } + return Constants.STRUTS_REAUTHENTICATE; + + } + + public String edituser() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + if (authUser.isAdmin()) { + long userid = -1; + + if (!ValidationHelper.validateOAID(useridobj)) { + addActionError(LanguageHelper.getErrorString("errors.edit.user.userid", request)); + return Constants.STRUTS_ERROR; + } + userid = Long.valueOf(useridobj); + + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userid); + if (dbuser == null) { + log.info("No User with ID " + userid + " in Database");; + addActionError(LanguageHelper.getErrorString("errors.edit.user.userid", request)); + return Constants.STRUTS_ERROR; + } + user = new UserDatabaseFrom(dbuser); + + newUser = false; + + ConfigurationDBUtils.closeSession(); + + return Constants.STRUTS_SUCCESS; + + } else { + log.info("User with ID " + authUser.getUserID() + " is not admin. Show his own EditUser Frame"); + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(authUser.getUserID()); + user = new UserDatabaseFrom(dbuser); + return Constants.STRUTS_SUCCESS; + } + } + return Constants.STRUTS_REAUTHENTICATE; + + } + + public String saveuser() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + String useridobj = user.getUserID(); + long userID = -1; + if (MiscUtil.isEmpty(useridobj)) { + userID = -1; + + } else { + if (!ValidationHelper.validateOAID(useridobj)){ + log.warn("User with ID " + authUser.getUserID() + + " would access UserDatabase ID " + useridobj); + addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request)); + return Constants.STRUTS_ERROR; + } + userID = Long.valueOf(useridobj); + } + + List errors; + UserDatabaseFormValidator validator = new UserDatabaseFormValidator(); + errors = validator.validate(user, userID); + + if (errors.size() > 0) { + log.info("UserDataForm has some erros."); + for (String el : errors) + addActionError(el); + user.setPassword(""); + + if (MiscUtil.isEmpty(user.getUsername())) + newUser = true; + + return Constants.STRUTS_ERROR_VALIDATION; + } + + if (!authUser.isAdmin()) { + if (authUser.getUserID() != userID) { + log.warn("User with ID " + authUser.getUserID() + + " would access UserDatabase Entry " + user.getUsername()); + addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request)); + return Constants.STRUTS_ERROR; + } + + } + + String error = saveFormToDB(); + if (error != null) { + log.warn("UserData can not be stored in Database"); + addActionError(error); + return Constants.STRUTS_SUCCESS; + } + + ConfigurationDBUtils.closeSession(); + return Constants.STRUTS_SUCCESS; + + } + return Constants.STRUTS_REAUTHENTICATE; + + } + + public String deleteuser() { + Object authUserObj = request.getSession().getAttribute(Constants.SESSION_AUTH); + + if (authUserObj != null && authUserObj instanceof AuthenticatedUser) { + authUser = (AuthenticatedUser) authUserObj; + + String useridobj = user.getUserID(); + long userID = -1; + if (MiscUtil.isEmpty(useridobj)) { + userID = -1; + + } else { + if (!ValidationHelper.validateOAID(useridobj)){ + log.warn("User with ID " + authUser.getUserID() + + " would access UserDatabase ID " + useridobj); + addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request)); + return Constants.STRUTS_ERROR; + } + userID = Long.valueOf(useridobj); + } + + if (!authUser.isAdmin()) { + if (authUser.getUserID() != userID) { + log.warn("User with ID " + authUser.getUserID() + + " would access UserDatabase Entry " + user.getUsername()); + addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request)); + return Constants.STRUTS_ERROR; + } + } + + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID); + if (dbuser != null) { + dbuser.setOnlineApplication(null); + + try { + ConfigurationDBUtils.saveOrUpdate(dbuser); + ConfigurationDBUtils.delete(dbuser); + + } catch (MOADatabaseException e) { + log.warn("UserData can not be deleted from Database"); + addActionError(e.getMessage()); + return Constants.STRUTS_SUCCESS; + } + + finally { + ConfigurationDBUtils.closeSession(); + } + } + + ConfigurationDBUtils.closeSession(); + return Constants.STRUTS_SUCCESS; + + } + return Constants.STRUTS_REAUTHENTICATE; + + } - public String createTestUser() throws MOADatabaseException { + private String saveFormToDB() { + + UserDatabase dbuser = ConfigurationDBRead.getUserWithUserName(user.getUsername()); - UserDatabase user = new UserDatabase(); - user.setBpk(""); - user.setFamilyname("Max"); - user.setGivenname("Mustermann"); - user.setIsActive(true); - user.setIsAdmin(false); - user.setInstitut("EGIZ"); - user.setLastLoginItem(new Date()); - user.setMail("masdf@amfasdf.com"); - user.setPhone("00660011542"); - user.setUsername("testuser"); + if( dbuser == null) { + dbuser = new UserDatabase(); + } - ConfigurationDBUtils.save(user); + dbuser.setBpk(user.getBpk()); + dbuser.setFamilyname(user.getFamilyName()); + dbuser.setGivenname(user.getGivenName()); + dbuser.setInstitut(user.getInstitut()); + dbuser.setMail(user.getMail()); + dbuser.setPhone(user.getPhone()); + dbuser.setUsername(user.getUsername()); - return Constants.STRUTS_SUCCESS; + if (authUser.isAdmin()) { + dbuser.setIsActive(user.isActive()); + dbuser.setIsAdmin(user.isAdmin()); + } + + if (MiscUtil.isNotEmpty(user.getPassword())) { + String key = AuthenticationHelper.generateKeyFormPassword(user.getPassword()); + if (key == null) { + return LanguageHelper.getErrorString("errors.edit.user.save"); + } + dbuser.setPassword(key); + } + + + try { + ConfigurationDBUtils.saveOrUpdate(dbuser); + } catch (MOADatabaseException e) { + log.warn("User information can not be stored in Database.", e); + return LanguageHelper.getErrorString("errors.edit.user.save"); + } + + return null; } +// public String createTestUser() throws MOADatabaseException { +// +// UserDatabase user = new UserDatabase(); +// user.setBpk(""); +// user.setFamilyname("Max"); +// user.setGivenname("Mustermann"); +// user.setIsActive(true); +// user.setIsAdmin(false); +// user.setInstitut("EGIZ"); +// user.setLastLoginItem(new Date()); +// user.setMail("masdf@amfasdf.com"); +// user.setPhone("00660011542"); +// user.setUsername("testuser"); +// +// ConfigurationDBUtils.save(user); +// +// return Constants.STRUTS_SUCCESS; +// } + public void setServletResponse(HttpServletResponse response) { this.response = response; @@ -56,7 +336,63 @@ public class UserManagementAction extends ActionSupport this.request = request; } + + /** + * @return the userlist + */ + public List getUserlist() { + return userlist; + } + + /** + * @param userlist the userlist to set + */ + public void setUserlist(List userlist) { + this.userlist = userlist; + } + + /** + * @return the user + */ + public UserDatabaseFrom getUser() { + return user; + } + + /** + * @param user the user to set + */ + public void setUser(UserDatabaseFrom user) { + this.user = user; + } + + /** + * @return the useridobj + */ + public String getUseridobj() { + return useridobj; + } + + /** + * @param useridobj the useridobj to set + */ + public void setUseridobj(String useridobj) { + this.useridobj = useridobj; + } + + /** + * @return the authUser + */ + public AuthenticatedUser getAuthUser() { + return authUser; + } + + /** + * @return the newUser + */ + public boolean isNewUser() { + return newUser; + } + - } diff --git a/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java new file mode 100644 index 000000000..8e6edf52a --- /dev/null +++ b/id/ConfigWebTool/src/main/java/at/gv/egovernment/moa/id/configuration/validation/UserDatabaseFormValidator.java @@ -0,0 +1,147 @@ +package at.gv.egovernment.moa.id.configuration.validation; + +import java.util.ArrayList; +import java.util.List; + +import org.apache.log4j.Logger; + +import at.gv.egovernment.moa.id.commons.db.ConfigurationDBRead; +import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase; +import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom; +import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper; +import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper; +import at.gv.egovernment.moa.util.MiscUtil; + +public class UserDatabaseFormValidator { + + private static final Logger log = Logger.getLogger(UserDatabaseFormValidator.class); + + public List validate(UserDatabaseFrom form, long userID) { + List errors = new ArrayList(); + + String check = form.getGivenName(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("GivenName contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.givenname.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("GivenName is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.givenname.empty")); + } + + + check = form.getFamilyName(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("FamilyName contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.familyname.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("FamilyName is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.familyname.empty")); + } + + check = form.getInstitut(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("Organisation contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.institut.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("Organisation is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.institut.empty")); + } + + check = form.getMail(); + if (MiscUtil.isNotEmpty(check)) { + if (!ValidationHelper.isEmailAddressFormat(check)) { + log.warn("Mailaddress is not valid: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.mail.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("Mailaddress is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.mail.empty")); + } + + check = form.getPhone(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("Phonenumber contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.phone.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } else { + log.warn("Phonenumber is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.phone.empty")); + } + + check = form.getUsername(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("Username contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.username.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + + } else { + UserDatabase dbuser = ConfigurationDBRead.getUserWithUserName(check); + if (dbuser != null && userID != dbuser.getHjid()) { + log.warn("Username " + check + " exists in UserDatabase"); + errors.add(LanguageHelper.getErrorString("validation.edituser.username.duplicate")); + form.setUsername(""); + } + } + } else { + if (userID == -1) { + log.warn("Username is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.username.empty")); + } else { + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID); + if (dbuser == null) { + log.warn("Username is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.username.empty")); + } else { + form.setUsername(dbuser.getUsername()); + } + } + } + + check = form.getPassword(); + if (MiscUtil.isEmpty(check)) { + if (userID == -1) { + log.warn("Password is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.password.empty")); + } else { + UserDatabase dbuser = ConfigurationDBRead.getUserWithID(userID); + if (dbuser == null || MiscUtil.isEmpty(dbuser.getPassword())) { + log.warn("Password is empty"); + errors.add(LanguageHelper.getErrorString("validation.edituser.password.empty")); + } + } + + } else { + String key = AuthenticationHelper.generateKeyFormPassword(check); + if (key == null) { + errors.add(LanguageHelper.getErrorString("validation.edituser.password.valid")); + } + } + + + + check = form.getBpk(); + if (MiscUtil.isNotEmpty(check)) { + if (ValidationHelper.containsPotentialCSSCharacter(check, false)) { + log.warn("BPK contains potentail XSS characters: " + check); + errors.add(LanguageHelper.getErrorString("validation.edituser.bpk.valid", + new Object[] {ValidationHelper.getPotentialCSSCharacter(false)} )); + } + } + + return errors; + + } +} -- cgit v1.2.3