/******************************************************************************* * Copyright 2014 Federal Chancellery Austria * MOA-ID has been developed in a cooperation between BRZ, the Federal * Chancellery Austria - ICT staff unit, and Graz University of Technology. * * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by * the European Commission - subsequent versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: * http://www.osor.eu/eupl/ * * Unless required by applicable law or agreed to in writing, software * distributed under the Licence is distributed on an "AS IS" basis, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and * limitations under the Licence. * * This product combines work with different licenses. See the "NOTICE" text * file for details on the various modules and licenses. * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. 
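*******************************************************************************/
package at.gv.egovernment.moa.id.configuration.struts.action;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.log4j.Logger;
import org.apache.struts2.interceptor.ServletRequestAware;
import org.apache.struts2.interceptor.ServletResponseAware;

import at.gv.egiz.eaaf.core.impl.utils.Random;
import at.gv.egovernment.moa.id.commons.db.dao.config.UserDatabase;
import at.gv.egovernment.moa.id.commons.db.ex.MOADatabaseException;
import at.gv.egovernment.moa.id.commons.validation.ValidationHelper;
import at.gv.egovernment.moa.id.config.webgui.exception.ConfigurationException;
import at.gv.egovernment.moa.id.configuration.Constants;
import at.gv.egovernment.moa.id.configuration.auth.AuthenticatedUser;
import at.gv.egovernment.moa.id.configuration.data.UserDatabaseFrom;
import at.gv.egovernment.moa.id.configuration.exception.BasicActionException;
import at.gv.egovernment.moa.id.configuration.helper.AuthenticationHelper;
import at.gv.egovernment.moa.id.configuration.helper.FormDataHelper;
import at.gv.egovernment.moa.id.configuration.helper.LanguageHelper;
import at.gv.egovernment.moa.id.configuration.helper.MailHelper;
import at.gv.egovernment.moa.id.configuration.validation.UserDatabaseFormValidator;
import at.gv.egovernment.moa.util.MiscUtil;

import com.opensymphony.xwork2.ActionSupport;

/**
 * Struts action behind the user-management screens of the MOA-ID configuration GUI:
 * listing, creating, editing and deleting accounts plus re-sending the mail-address
 * verification.
 * <p>
 * Security model visible in this class:
 * <ul>
 * <li>Every screen that renders a form ({@link #init()}, {@link #createuser()},
 * {@link #edituser()}) issues a fresh random form id and stores it in the session. The
 * state-changing entry points ({@link #saveuser()}, {@link #deleteuser()}) require the
 * submitted form id to match the one in the session (constant-time compare) and consume
 * it, so a form can be posted once only.</li>
 * <li>Non-admin users are confined to their own record: the submitted user id must equal
 * the id of the authenticated user, and {@link #saveFormToDB(UserDatabase)} ignores the
 * active/admin/bPK fields unless the caller is an admin.</li>
 * </ul>
 * {@code request}, {@code session}, {@code authUser}, {@code configuration} and
 * {@code populateBasicInformations()} are provided by {@code BasicAction}, which is not
 * visible here.
 */
public class UserManagementAction extends BasicAction {

    private static final Logger log = Logger.getLogger(UserManagementAction.class);
    private static final long serialVersionUID = 1L;

    // Raw List kept as in the original; the element type of getAllUsers() is not visible here.
    private List userlist = null;
    private UserDatabaseFrom user = null;
    private String useridobj = null;
    // Was 'static' in the original, i.e. one flag shared by every concurrent request, so an
    // admin opening the "create user" form could flip the flag for another user's edit form.
    // NOTE(review): if any result of this action is a redirect that reads isNewUser() on a
    // fresh instance, this would have to go back into the session instead - check struts.xml.
    private boolean newUser = false;
    private InputStream stream;
    private String nextPage;
    private String formID;

    /**
     * Entry screen. Admins get the full user list; everybody else is shown only their own
     * record (result {@code STRUTS_NOTALLOWED}) with a fresh form id for editing it.
     *
     * @return a Struts result name
     */
    public String init() {
        try {
            populateBasicInformations();
        } catch (BasicActionException e) {
            return Constants.STRUTS_ERROR;
        }
        if (session == null) {
            log.info("No http Session found.");
            return Constants.STRUTS_ERROR;
        }

        if (authUser.isAdmin()) {
            log.info("Show NewserRequests");
            log.info("Show UserList");
            List dbuserlist = configuration.getUserManagement().getAllUsers();
            if (dbuserlist != null) {
                userlist = FormDataHelper.addFormUsers(dbuserlist);
            }
            session.setAttribute(Constants.SESSION_RETURNAREA,
                    Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name());
            return Constants.STRUTS_SUCCESS;
        }

        log.info("User with ID " + authUser.getUserID() + " is not admin. Show only EditUser Frame");
        UserDatabase dbuser = configuration.getUserManagement().getUserWithID(authUser.getUserID());
        if (dbuser == null) {
            // the session user no longer exists in the database: force a new login
            return Constants.STRUTS_REAUTHENTICATE;
        }
        user = new UserDatabaseFrom(dbuser);
        session.setAttribute(Constants.SESSION_RETURNAREA, Constants.STRUTS_RETURNAREA_VALUES.main.name());
        issueFormId();
        return Constants.STRUTS_NOTALLOWED;
    }

    /**
     * Opens an empty "new user" form. Admin only.
     *
     * @return a Struts result name
     */
    public String createuser() {
        try {
            populateBasicInformations();
        } catch (BasicActionException e) {
            return Constants.STRUTS_ERROR;
        }
        nextPage = Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name();

        if (!authUser.isAdmin()) {
            return Constants.STRUTS_NOTALLOWED;
        }
        user = new UserDatabaseFrom();
        newUser = true;
        issueFormId();
        return Constants.STRUTS_SUCCESS;
    }

    /**
     * Opens the edit form. Admins edit the user selected via {@code useridobj}; a non-admin
     * always gets their own record, whatever {@code useridobj} says.
     *
     * @return a Struts result name
     */
    public String edituser() {
        try {
            populateBasicInformations();
        } catch (BasicActionException e) {
            return Constants.STRUTS_ERROR;
        }

        String returnArea = returnAreaFromSession();
        nextPage = returnArea != null
                ? returnArea
                : Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name();
        issueFormId();

        if (authUser.isAdmin()) {
            if (!ValidationHelper.validateOAID(useridobj)) {
                addActionError(LanguageHelper.getErrorString("errors.edit.user.userid", request));
                return Constants.STRUTS_ERROR;
            }
            long userid = Long.parseLong(useridobj);
            UserDatabase dbuser = configuration.getUserManagement().getUserWithID(userid);
            if (dbuser == null) {
                log.info("No User with ID " + userid + " in Database");
                addActionError(LanguageHelper.getErrorString("errors.edit.user.userid", request));
                return Constants.STRUTS_ERROR;
            }
            user = new UserDatabaseFrom(dbuser);
            newUser = false;
            return Constants.STRUTS_SUCCESS;
        }

        log.info("User with ID " + authUser.getUserID() + " is not admin. Show his own EditUser Frame");
        UserDatabase dbuser = configuration.getUserManagement().getUserWithID(authUser.getUserID());
        if (dbuser == null) {
            // the original dereferenced a null here; mirror init() and force a new login instead
            return Constants.STRUTS_REAUTHENTICATE;
        }
        user = new UserDatabaseFrom(dbuser);
        return Constants.STRUTS_SUCCESS;
    }

    /**
     * Persists the submitted form, creating the account when the submitted id is empty or
     * unknown. Requires a valid one-time form id; non-admins may only save their own record.
     * A changed mail address of a non-admin is marked unverified and a verification mail is
     * sent.
     *
     * @return a Struts result name ({@code STRUTS_ERROR_VALIDATION} re-renders the form)
     */
    public String saveuser() {
        try {
            populateBasicInformations();
        } catch (BasicActionException e) {
            return Constants.STRUTS_ERROR;
        }
        if (!consumeFormId()) {
            return Constants.STRUTS_ERROR;
        }

        Long parsedId = parseSubmittedUserId();
        if (parsedId == null) {
            return Constants.STRUTS_ERROR;
        }
        long userID = parsedId.longValue();

        // Authorization before anything is loaded or validated. The original ran the form
        // validator (seeded with the target record's flags) before this check, so a non-admin
        // could get validation feedback about a record that is not theirs.
        if (!mayAccessUser(userID)) {
            return Constants.STRUTS_ERROR;
        }

        UserDatabase dbuser = configuration.getUserManagement().getUserWithID(userID);
        if (dbuser == null) {
            // unknown id (or none submitted): this is a new account with safe initial flags
            dbuser = new UserDatabase();
            dbuser.setIsMandateUser(false);
            dbuser.setIsAdminRequest(false);
            dbuser.setIsPVP2Generated(false);
            dbuser.setUserRequestTokken(null);
            dbuser.setIsMailAddressVerified(false);
            dbuser.setUsername(user.getUsername());
        }

        // the Boolean getters may return null on records that predate these columns
        boolean ispvp2 = Boolean.TRUE.equals(dbuser.isIsPVP2Generated());
        boolean ismandate = Boolean.TRUE.equals(dbuser.isIsMandateUser());

        UserDatabaseFormValidator validator = new UserDatabaseFormValidator();
        List<String> errors = validator.validate(user, userID, ispvp2, ismandate, request);
        if (!errors.isEmpty()) {
            log.info("UserDataForm has some erros.");
            for (String el : errors) {
                addActionError(el);
            }
            // never echo a submitted password back into the re-rendered form
            user.setPassword("");
            if (MiscUtil.isEmpty(user.getUsername())) {
                newUser = true;
            }
            user.setIsmandateuser(ismandate);
            user.setPVPGenerated(ispvp2);
            if (dbuser.isIsUsernamePasswordAllowed() != null) {
                user.setIsusernamepasswordallowed(dbuser.isIsUsernamePasswordAllowed());
            }
            // the consumed form id must be replaced, otherwise the re-rendered form can't be posted
            issueFormId();
            return Constants.STRUTS_ERROR_VALIDATION;
        }

        if (!authUser.isAdmin() && !user.getMail().equals(dbuser.getMail())) {
            // A self-service mail change has to be re-verified (admin edits are trusted as-is).
            // The new address is copied onto the record first so the verification goes to the
            // address being verified; the original still had the old address on dbuser here.
            dbuser.setMail(user.getMail());
            dbuser.setIsMailAddressVerified(false);
            dbuser.setUserRequestTokken(Random.nextRandom());
            try {
                MailHelper.sendUserMailAddressVerification(dbuser);
                addActionMessage(LanguageHelper.getGUIString("webpages.edituser.changemailaddress.verify", request));
            } catch (ConfigurationException e) {
                log.warn("Sending of mailaddress verification mail failed.", e);
                addActionError(LanguageHelper.getErrorString("error.mail.send", request));
            }
        }

        String returnArea = returnAreaFromSession();
        if (returnArea != null) {
            nextPage = returnArea;
            if (nextPage.equals(Constants.STRUTS_RETURNAREA_VALUES.adminRequestsInit.name()) && user.isActive()) {
                // Coming from the pending-requests screen with the account switched active:
                // close the request and notify the applicant.
                // NOTE(review): this is not gated on authUser.isAdmin() - presumably only admins
                // can have adminRequestsInit as return area; confirm in the action that sets it.
                dbuser.setIsAdminRequest(false);
                try {
                    String institut = ismandate ? dbuser.getInstitut() : null;
                    MailHelper.sendUserAccountActivationMail(dbuser.getGivenname(), dbuser.getFamilyname(),
                            institut, user.getMail());
                } catch (ConfigurationException e) {
                    log.warn("Send UserAccountActivation mail failed", e);
                }
            }
            session.setAttribute(Constants.SESSION_RETURNAREA, null);
        } else {
            nextPage = Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name();
        }

        // A failed save is reported as an action error but still returns SUCCESS, as in the
        // original - the success page renders the error list.
        String error = saveFormToDB(dbuser);
        if (error != null) {
            log.warn("UserData can not be stored in Database");
            addActionError(error);
        }
        return Constants.STRUTS_SUCCESS;
    }

    /**
     * Deletes the account named by the submitted user id. Requires a valid one-time form id;
     * non-admins may only delete themselves. Deleting the currently logged-in account ends
     * the session ({@code STRUTS_REAUTHENTICATE}).
     *
     * @return a Struts result name
     */
    public String deleteuser() {
        try {
            populateBasicInformations();
        } catch (BasicActionException e) {
            return Constants.STRUTS_ERROR;
        }
        if (!consumeFormId()) {
            return Constants.STRUTS_ERROR;
        }

        Long parsedId = parseSubmittedUserId();
        if (parsedId == null) {
            return Constants.STRUTS_ERROR;
        }
        long userID = parsedId.longValue();
        if (!mayAccessUser(userID)) {
            return Constants.STRUTS_ERROR;
        }

        String returnArea = returnAreaFromSession();
        if (returnArea != null) {
            nextPage = returnArea;
            session.setAttribute(Constants.SESSION_RETURNAREA, null);
        } else {
            nextPage = Constants.STRUTS_RETURNAREA_VALUES.usermanagementInit.name();
        }

        UserDatabase dbuser = configuration.getUserManagement().getUserWithID(userID);
        if (dbuser == null) {
            return Constants.STRUTS_SUCCESS;
        }

        // detach the online-application references before the record itself is removed
        dbuser.setOaIDs(null);
        try {
            configuration.getUserManagement().saveOrUpdate(dbuser);
            configuration.getUserManagement().delete(dbuser);
            if (authUser.isAdmin()) {
                MailHelper.sendUserAccountRevocationMail(dbuser);
            }
            // The record was loaded by userID, so that is the id to compare. The original compared
            // getHjid() against a String, which can never be equal if hjid is a numeric type.
            if (userID == authUser.getUserID()) {
                return Constants.STRUTS_REAUTHENTICATE;
            }
        } catch (MOADatabaseException e) {
            log.warn("UserData can not be deleted from Database", e);
            addActionError(e.getMessage());
            return Constants.STRUTS_SUCCESS;
        } catch (ConfigurationException e) {
            log.warn("Information mail sending failed.", e);
            addActionError(e.getMessage());
            return Constants.STRUTS_SUCCESS;
        }
        return Constants.STRUTS_SUCCESS;
    }

    /**
     * Re-sends the mail-address verification for the logged-in user (a fresh token is
     * stored first). The outcome is written to {@link #getStream()} as a text message for
     * the stream result.
     *
     * @return {@code SUCCESS}
     */
    public String sendVerificationMail() {
        try {
            populateBasicInformations();
        } catch (BasicActionException e) {
            return Constants.STRUTS_ERROR;
        }

        String message = LanguageHelper.getErrorString("error.mail.send", request);
        if (authUser != null) {
            UserDatabase dbuser = configuration.getUserManagement().getUserWithID(authUser.getUserID());
            if (dbuser != null) {
                dbuser.setIsMailAddressVerified(false);
                dbuser.setUserRequestTokken(Random.nextRandom());
                try {
                    // persist the token before the mail goes out, otherwise the link can't be redeemed
                    configuration.getUserManagement().saveOrUpdate(dbuser);
                    MailHelper.sendUserMailAddressVerification(dbuser);
                    message = LanguageHelper.getErrorString("webpages.edituser.verify.mail.message", request);
                } catch (ConfigurationException e) {
                    log.warn("Sending of mailaddress verification mail failed.", e);
                    message = LanguageHelper.getErrorString("error.mail.send", request);
                } catch (MOADatabaseException e) {
                    log.warn("Access UserInformationDatabase failed.", e);
                }
            }
        }
        // explicit charset; the original used the platform default. NOTE(review): confirm the
        // stream result's contentType in struts.xml declares UTF-8 as well.
        stream = new ByteArrayInputStream(message.getBytes(StandardCharsets.UTF_8));
        return SUCCESS;
    }

    /**
     * Copies the editable form fields onto {@code dbuser} and stores it.
     * <p>
     * Privilege-bearing fields are guarded: a non-admin can only switch username/password
     * login off for a record that already has it (never on), and only admins may change the
     * active/admin flags or assign a bPK.
     *
     * @param dbuser the record to update (new or loaded)
     * @return a localized error message, or {@code null} on success
     */
    private String saveFormToDB(UserDatabase dbuser) {
        boolean admin = authUser.isAdmin();

        dbuser.setMail(user.getMail());
        dbuser.setPhone(user.getPhone());

        // null-safe: the Boolean getter may be unset on older records (original unboxed it)
        boolean pwLoginAllowed = Boolean.TRUE.equals(dbuser.isIsUsernamePasswordAllowed());
        if (admin || pwLoginAllowed) {
            dbuser.setIsUsernamePasswordAllowed(user.isIsusernamepasswordallowed());
            if (admin) {
                dbuser.setIsActive(user.isActive());
                dbuser.setIsAdmin(user.isAdmin());
            }
        }

        if (!Boolean.TRUE.equals(dbuser.isIsPVP2Generated())) {
            // locally managed identity: names are editable, the bPK only by an admin
            dbuser.setFamilyname(user.getFamilyName());
            dbuser.setGivenname(user.getGivenName());
            dbuser.setInstitut(user.getInstitut());
            if (admin) {
                dbuser.setBpk(user.getBpk());
                if (isMandateBpk(user.getBpk())) {
                    dbuser.setIsMandateUser(true);
                }
            }
        } else if (!Boolean.TRUE.equals(dbuser.isIsMandateUser())) {
            // PVP2-provisioned identity: only the organisation is editable
            dbuser.setInstitut(user.getInstitut());
        }

        if (Boolean.TRUE.equals(dbuser.isIsUsernamePasswordAllowed())) {
            // the username is write-once; the password is only replaced when a new one was typed
            if (MiscUtil.isNotEmpty(user.getUsername()) && MiscUtil.isEmpty(dbuser.getUsername())) {
                dbuser.setUsername(user.getUsername());
            }
            if (MiscUtil.isNotEmpty(user.getPassword())) {
                // stored as the key derived by AuthenticationHelper (algorithm not visible here)
                String key = AuthenticationHelper.generateKeyFormPassword(user.getPassword());
                if (key == null) {
                    return LanguageHelper.getErrorString("errors.edit.user.save", request);
                }
                dbuser.setPassword(key);
            }
        }

        try {
            configuration.getUserManagement().saveOrUpdate(dbuser);
        } catch (MOADatabaseException e) {
            log.warn("User information can not be stored in Database.", e);
            return LanguageHelper.getErrorString("errors.edit.user.save", request);
        }
        return null;
    }

    /**
     * True when the bPK starts with one of the mandate prefixes (FN, ZVR, ERsB) used for
     * organisation mandates; {@code null} never matches (the original dereferenced it).
     */
    private static boolean isMandateBpk(String bpk) {
        if (bpk == null) {
            return false;
        }
        String base = Constants.IDENIFICATIONTYPE_BASEID + "X";
        return bpk.startsWith(base + Constants.IDENIFICATIONTYPE_FN)
                || bpk.startsWith(base + Constants.IDENIFICATIONTYPE_ZVR)
                || bpk.startsWith(base + Constants.IDENIFICATIONTYPE_ERSB);
    }

    /** Issues a fresh one-time form id and stores it in the session for the next submit. */
    private void issueFormId() {
        formID = Random.nextRandom();
        session.setAttribute(Constants.SESSION_FORMID, formID);
    }

    /**
     * Checks the submitted form id against the one in the session and consumes it on success.
     * Returns {@code false} (after logging) when the session holds none or it differs; the
     * session value is left untouched in that case, as in the original.
     */
    private boolean consumeFormId() {
        Object sessionFormId = session.getAttribute(Constants.SESSION_FORMID);
        boolean valid = sessionFormId instanceof String && formIdMatches((String) sessionFormId, formID);
        if (!valid) {
            log.warn("FormIDs does not match. Some suspect Form is received from user "
                    + authUser.getFamilyName() + authUser.getGivenName() + authUser.getUserID());
            return false;
        }
        session.setAttribute(Constants.SESSION_FORMID, null);
        return true;
    }

    /**
     * Constant-time comparison of the session form id with the submitted one, so a guess
     * cannot be refined byte by byte through response timing; {@code null} never matches.
     */
    private static boolean formIdMatches(String expected, String supplied) {
        if (expected == null || supplied == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                supplied.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Parses the user id echoed back by the form.
     *
     * @return {@code -1} when no id was submitted, the id otherwise, or {@code null} when the
     *         value is malformed (an action error has been added and the attempt logged)
     */
    private Long parseSubmittedUserId() {
        String submitted = user.getUserID();
        if (MiscUtil.isEmpty(submitted)) {
            return Long.valueOf(-1);
        }
        if (!ValidationHelper.validateOAID(submitted)) {
            log.warn("User with ID " + authUser.getUserID() + " would access UserDatabase ID " + submitted);
            addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request));
            return null;
        }
        return Long.valueOf(submitted);
    }

    /**
     * Ownership check: admins may touch any record, everybody else only the record whose id
     * equals their own. Logs and adds an action error when denied.
     */
    private boolean mayAccessUser(long targetUserId) {
        if (authUser.isAdmin() || authUser.getUserID() == targetUserId) {
            return true;
        }
        log.warn("User with ID " + authUser.getUserID() + " would access UserDatabase Entry " + user.getUsername());
        addActionError(LanguageHelper.getErrorString("errors.edit.user.notallowed", request));
        return false;
    }

    /**
     * The return area the calling screen stored in the session, or {@code null} when none
     * (or an empty one) is present. Does not clear it; callers decide that.
     */
    private String returnAreaFromSession() {
        Object attr = session.getAttribute(Constants.SESSION_RETURNAREA);
        if (attr instanceof String && MiscUtil.isNotEmpty((String) attr)) {
            return (String) attr;
        }
        return null;
    }

    /**
     * @return the userlist
     */
    public List getUserlist() {
        return userlist;
    }

    /**
     * @param userlist the userlist to set
     */
    public void setUserlist(List userlist) {
        this.userlist = userlist;
    }

    /**
     * @return the user
     */
    public UserDatabaseFrom getUser() {
        return user;
    }

    /**
     * @param user the user to set
     */
    public void setUser(UserDatabaseFrom user) {
        this.user = user;
    }

    /**
     * @return the useridobj
     */
    public String getUseridobj() {
        return useridobj;
    }

    /**
     * @param useridobj the useridobj to set
     */
    public void setUseridobj(String useridobj) {
        this.useridobj = useridobj;
    }

    /**
     * @return the newUser
     */
    public boolean isNewUser() {
        return newUser;
    }

    /**
     * @return the nextPage
     */
    public String getNextPage() {
        return nextPage;
    }

    /**
     * @return the stream
     */
    public InputStream getStream() {
        return stream;
    }

    /**
     * @return the formID
     */
    public String getFormID() {
        return formID;
    }

    /**
     * @param formID the formID to set
     */
    public void setFormID(String formID) {
        this.formID = formID;
    }
}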