001
014
015 package com.liferay.portal.security.auth;
016
017 import com.liferay.portal.kernel.security.pacl.DoPrivileged;
018 import com.liferay.portal.kernel.util.CharPool;
019 import com.liferay.portal.kernel.util.SetUtil;
020 import com.liferay.portal.kernel.util.Validator;
021 import com.liferay.portal.model.Portlet;
022 import com.liferay.portal.model.PortletConstants;
023 import com.liferay.portal.service.PortletLocalServiceUtil;
024 import com.liferay.portal.util.PropsValues;
025 import com.liferay.util.Encryptor;
026
027 import java.util.Collections;
028 import java.util.Set;
029
030
034 @DoPrivileged
035 public class AuthTokenWhitelistImpl implements AuthTokenWhitelist {
036
037 public AuthTokenWhitelistImpl() {
038 resetOriginCSRFWhitelist();
039 resetPortletCSRFWhitelist();
040 resetPortletCSRFWhitelistActions();
041 resetPortletInvocationWhitelist();
042 resetPortletInvocationWhitelistActions();
043 }
044
045 @Override
046 public Set<String> getOriginCSRFWhitelist() {
047 return _originCSRFWhitelist;
048 }
049
050 @Override
051 public Set<String> getPortletCSRFWhitelist() {
052 return _portletCSRFWhitelist;
053 }
054
055 @Override
056 public Set<String> getPortletCSRFWhitelistActions() {
057 return _portletCSRFWhitelistActions;
058 }
059
060 @Override
061 public Set<String> getPortletInvocationWhitelist() {
062 return _portletInvocationWhitelist;
063 }
064
065 @Override
066 public Set<String> getPortletInvocationWhitelistActions() {
067 return _portletInvocationWhitelistActions;
068 }
069
070 @Override
071 public boolean isOriginCSRFWhitelisted(long companyId, String origin) {
072 Set<String> whitelist = getOriginCSRFWhitelist();
073
074 for (String whitelistedOrigins : whitelist) {
075 if (origin.startsWith(whitelistedOrigins)) {
076 return true;
077 }
078 }
079
080 return false;
081 }
082
083 @Override
084 public boolean isPortletCSRFWhitelisted(
085 long companyId, String portletId, String strutsAction) {
086
087 String rootPortletId = PortletConstants.getRootPortletId(portletId);
088
089 Set<String> whitelist = getPortletCSRFWhitelist();
090
091 if (whitelist.contains(rootPortletId)) {
092 return true;
093 }
094
095 if (Validator.isNotNull(strutsAction)) {
096 Set<String> whitelistActions = getPortletCSRFWhitelistActions();
097
098 if (whitelistActions.contains(strutsAction) &&
099 isValidStrutsAction(companyId, rootPortletId, strutsAction)) {
100
101 return true;
102 }
103 }
104
105 return false;
106 }
107
108 @Override
109 public boolean isPortletInvocationWhitelisted(
110 long companyId, String portletId, String strutsAction) {
111
112 Set<String> whitelist = getPortletInvocationWhitelist();
113
114 if (whitelist.contains(portletId)) {
115 return true;
116 }
117
118 if (Validator.isNotNull(strutsAction)) {
119 Set<String> whitelistActions =
120 getPortletInvocationWhitelistActions();
121
122 if (whitelistActions.contains(strutsAction) &&
123 isValidStrutsAction(companyId, portletId, strutsAction)) {
124
125 return true;
126 }
127 }
128
129 return false;
130 }
131
132 @Override
133 public boolean isValidSharedSecret(String sharedSecret) {
134 if (Validator.isNull(sharedSecret)) {
135 return false;
136 }
137
138 if (Validator.isNull(PropsValues.AUTH_TOKEN_SHARED_SECRET)) {
139 return false;
140 }
141
142 return sharedSecret.equals(
143 Encryptor.digest(PropsValues.AUTH_TOKEN_SHARED_SECRET));
144 }
145
146 @Override
147 public Set<String> resetOriginCSRFWhitelist() {
148 _originCSRFWhitelist = SetUtil.fromArray(
149 PropsValues.AUTH_TOKEN_IGNORE_ORIGINS);
150 _originCSRFWhitelist = Collections.unmodifiableSet(
151 _originCSRFWhitelist);
152
153 return _originCSRFWhitelist;
154 }
155
156 @Override
157 public Set<String> resetPortletCSRFWhitelist() {
158 _portletCSRFWhitelist = SetUtil.fromArray(
159 PropsValues.AUTH_TOKEN_IGNORE_PORTLETS);
160 _portletCSRFWhitelist = Collections.unmodifiableSet(
161 _portletCSRFWhitelist);
162
163 return _portletCSRFWhitelist;
164 }
165
166 @Override
167 public Set<String> resetPortletCSRFWhitelistActions() {
168 _portletCSRFWhitelistActions = SetUtil.fromArray(
169 PropsValues.AUTH_TOKEN_IGNORE_ACTIONS);
170 _portletCSRFWhitelistActions = Collections.unmodifiableSet(
171 _portletCSRFWhitelistActions);
172
173 return _portletCSRFWhitelistActions;
174 }
175
176 @Override
177 public Set<String> resetPortletInvocationWhitelist() {
178 _portletInvocationWhitelist = SetUtil.fromArray(
179 PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST);
180 _portletInvocationWhitelist = Collections.unmodifiableSet(
181 _portletInvocationWhitelist);
182
183 return _portletInvocationWhitelist;
184 }
185
186 @Override
187 public Set<String> resetPortletInvocationWhitelistActions() {
188 _portletInvocationWhitelistActions = SetUtil.fromArray(
189 PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS);
190 _portletInvocationWhitelistActions = Collections.unmodifiableSet(
191 _portletInvocationWhitelistActions);
192
193 return _portletInvocationWhitelistActions;
194 }
195
196 protected boolean isValidStrutsAction(
197 long companyId, String portletId, String strutsAction) {
198
199 try {
200 Portlet portlet = PortletLocalServiceUtil.getPortletById(
201 companyId, portletId);
202
203 if (portlet == null) {
204 return false;
205 }
206
207 String strutsPath = strutsAction.substring(
208 1, strutsAction.lastIndexOf(CharPool.SLASH));
209
210 if (strutsPath.equals(portlet.getStrutsPath()) ||
211 strutsPath.equals(portlet.getParentStrutsPath())) {
212
213 return true;
214 }
215 }
216 catch (Exception e) {
217 }
218
219 return false;
220 }
221
222 private Set<String> _originCSRFWhitelist;
223 private Set<String> _portletCSRFWhitelist;
224 private Set<String> _portletCSRFWhitelistActions;
225 private Set<String> _portletInvocationWhitelist;
226 private Set<String> _portletInvocationWhitelistActions;
227
228 }