001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.security.pacl.DoPrivileged;
018    import com.liferay.portal.kernel.util.CharPool;
019    import com.liferay.portal.kernel.util.SetUtil;
020    import com.liferay.portal.kernel.util.Validator;
021    import com.liferay.portal.model.Portlet;
022    import com.liferay.portal.model.PortletConstants;
023    import com.liferay.portal.service.PortletLocalServiceUtil;
024    import com.liferay.portal.util.PropsValues;
025    import com.liferay.util.Encryptor;
026    
027    import java.util.Collections;
028    import java.util.Set;
029    
030    /**
031     * @author Raymond Aug??
032     * @author Tomas Polesovsky
033     */
034    @DoPrivileged
035    public class AuthTokenWhitelistImpl implements AuthTokenWhitelist {
036    
037            public AuthTokenWhitelistImpl() {
038                    resetOriginCSRFWhitelist();
039                    resetPortletCSRFWhitelist();
040                    resetPortletCSRFWhitelistActions();
041                    resetPortletInvocationWhitelist();
042                    resetPortletInvocationWhitelistActions();
043            }
044    
045            @Override
046            public Set<String> getOriginCSRFWhitelist() {
047                    return _originCSRFWhitelist;
048            }
049    
050            @Override
051            public Set<String> getPortletCSRFWhitelist() {
052                    return _portletCSRFWhitelist;
053            }
054    
055            @Override
056            public Set<String> getPortletCSRFWhitelistActions() {
057                    return _portletCSRFWhitelistActions;
058            }
059    
060            @Override
061            public Set<String> getPortletInvocationWhitelist() {
062                    return _portletInvocationWhitelist;
063            }
064    
065            @Override
066            public Set<String> getPortletInvocationWhitelistActions() {
067                    return _portletInvocationWhitelistActions;
068            }
069    
070            @Override
071            public boolean isOriginCSRFWhitelisted(long companyId, String origin) {
072                    Set<String> whitelist = getOriginCSRFWhitelist();
073    
074                    for (String whitelistedOrigins : whitelist) {
075                            if (origin.startsWith(whitelistedOrigins)) {
076                                    return true;
077                            }
078                    }
079    
080                    return false;
081            }
082    
083            @Override
084            public boolean isPortletCSRFWhitelisted(
085                    long companyId, String portletId, String strutsAction) {
086    
087                    String rootPortletId = PortletConstants.getRootPortletId(portletId);
088    
089                    Set<String> whitelist = getPortletCSRFWhitelist();
090    
091                    if (whitelist.contains(rootPortletId)) {
092                            return true;
093                    }
094    
095                    if (Validator.isNotNull(strutsAction)) {
096                            Set<String> whitelistActions = getPortletCSRFWhitelistActions();
097    
098                            if (whitelistActions.contains(strutsAction) &&
099                                    isValidStrutsAction(companyId, rootPortletId, strutsAction)) {
100    
101                                    return true;
102                            }
103                    }
104    
105                    return false;
106            }
107    
108            @Override
109            public boolean isPortletInvocationWhitelisted(
110                    long companyId, String portletId, String strutsAction) {
111    
112                    Set<String> whitelist = getPortletInvocationWhitelist();
113    
114                    if (whitelist.contains(portletId)) {
115                            return true;
116                    }
117    
118                    if (Validator.isNotNull(strutsAction)) {
119                            Set<String> whitelistActions =
120                                    getPortletInvocationWhitelistActions();
121    
122                            if (whitelistActions.contains(strutsAction) &&
123                                    isValidStrutsAction(companyId, portletId, strutsAction)) {
124    
125                                    return true;
126                            }
127                    }
128    
129                    return false;
130            }
131    
132            @Override
133            public boolean isValidSharedSecret(String sharedSecret) {
134                    if (Validator.isNull(sharedSecret)) {
135                            return false;
136                    }
137    
138                    if (Validator.isNull(PropsValues.AUTH_TOKEN_SHARED_SECRET)) {
139                            return false;
140                    }
141    
142                    return sharedSecret.equals(
143                            Encryptor.digest(PropsValues.AUTH_TOKEN_SHARED_SECRET));
144            }
145    
146            @Override
147            public Set<String> resetOriginCSRFWhitelist() {
148                    _originCSRFWhitelist = SetUtil.fromArray(
149                            PropsValues.AUTH_TOKEN_IGNORE_ORIGINS);
150                    _originCSRFWhitelist = Collections.unmodifiableSet(
151                            _originCSRFWhitelist);
152    
153                    return _originCSRFWhitelist;
154            }
155    
156            @Override
157            public Set<String> resetPortletCSRFWhitelist() {
158                    _portletCSRFWhitelist = SetUtil.fromArray(
159                            PropsValues.AUTH_TOKEN_IGNORE_PORTLETS);
160                    _portletCSRFWhitelist = Collections.unmodifiableSet(
161                            _portletCSRFWhitelist);
162    
163                    return _portletCSRFWhitelist;
164            }
165    
166            @Override
167            public Set<String> resetPortletCSRFWhitelistActions() {
168                    _portletCSRFWhitelistActions = SetUtil.fromArray(
169                            PropsValues.AUTH_TOKEN_IGNORE_ACTIONS);
170                    _portletCSRFWhitelistActions = Collections.unmodifiableSet(
171                            _portletCSRFWhitelistActions);
172    
173                    return _portletCSRFWhitelistActions;
174            }
175    
176            @Override
177            public Set<String> resetPortletInvocationWhitelist() {
178                    _portletInvocationWhitelist = SetUtil.fromArray(
179                            PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST);
180                    _portletInvocationWhitelist = Collections.unmodifiableSet(
181                            _portletInvocationWhitelist);
182    
183                    return _portletInvocationWhitelist;
184            }
185    
186            @Override
187            public Set<String> resetPortletInvocationWhitelistActions() {
188                    _portletInvocationWhitelistActions = SetUtil.fromArray(
189                            PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS);
190                    _portletInvocationWhitelistActions = Collections.unmodifiableSet(
191                            _portletInvocationWhitelistActions);
192    
193                    return _portletInvocationWhitelistActions;
194            }
195    
196            protected boolean isValidStrutsAction(
197                    long companyId, String portletId, String strutsAction) {
198    
199                    try {
200                            Portlet portlet = PortletLocalServiceUtil.getPortletById(
201                                    companyId, portletId);
202    
203                            if (portlet == null) {
204                                    return false;
205                            }
206    
207                            String strutsPath = strutsAction.substring(
208                                    1, strutsAction.lastIndexOf(CharPool.SLASH));
209    
210                            if (strutsPath.equals(portlet.getStrutsPath()) ||
211                                    strutsPath.equals(portlet.getParentStrutsPath())) {
212    
213                                    return true;
214                            }
215                    }
216                    catch (Exception e) {
217                    }
218    
219                    return false;
220            }
221    
222            private Set<String> _originCSRFWhitelist;
223            private Set<String> _portletCSRFWhitelist;
224            private Set<String> _portletCSRFWhitelistActions;
225            private Set<String> _portletInvocationWhitelist;
226            private Set<String> _portletInvocationWhitelistActions;
227    
228    }