001    /**
002     * Copyright (c) 2000-2013 Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
017    import com.liferay.portal.kernel.security.pacl.DoPrivileged;
018    import com.liferay.portal.kernel.util.CharPool;
019    import com.liferay.portal.kernel.util.SetUtil;
020    import com.liferay.portal.kernel.util.Validator;
021    import com.liferay.portal.model.Portlet;
022    import com.liferay.portal.model.PortletConstants;
023    import com.liferay.portal.service.PortletLocalServiceUtil;
024    import com.liferay.portal.util.PropsValues;
025    
026    import java.util.Collections;
027    import java.util.Set;
028    
029    /**
030     * @author Raymond Augé
031     * @author Tomas Polesovsky
032     */
033    @DoPrivileged
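public class AuthTokenWhitelistImpl implements AuthTokenWhitelist {

	/**
	 * Loads all four whitelists from {@link PropsValues} by calling the
	 * {@code reset*} methods.
	 *
	 * <p>NOTE(review): the {@code reset*} methods are public and overridable, so
	 * a subclass override runs before the subclass's own constructor body —
	 * keep overrides free of subclass state.</p>
	 */
	public AuthTokenWhitelistImpl() {
		resetPortletCSRFWhitelist();
		resetPortletCSRFWhitelistActions();
		resetPortletInvocationWhitelist();
		resetPortletInvocationWhitelistActions();
	}

	/**
	 * Returns the unmodifiable set of root portlet ids that are exempt from the
	 * CSRF auth token check, as loaded by the most recent
	 * {@link #resetPortletCSRFWhitelist()}.
	 */
	@Override
	public Set<String> getPortletCSRFWhitelist() {
		return _portletCSRFWhitelist;
	}

	/**
	 * Returns the unmodifiable set of struts actions that are exempt from the
	 * CSRF auth token check, as loaded by the most recent
	 * {@link #resetPortletCSRFWhitelistActions()}.
	 */
	@Override
	public Set<String> getPortletCSRFWhitelistActions() {
		return _portletCSRFWhitelistActions;
	}

	/**
	 * Returns the unmodifiable set of portlet ids that are exempt from the
	 * default resource (portlet invocation) check, as loaded by the most recent
	 * {@link #resetPortletInvocationWhitelist()}.
	 */
	@Override
	public Set<String> getPortletInvocationWhitelist() {
		return _portletInvocationWhitelist;
	}

	/**
	 * Returns the unmodifiable set of struts actions that are exempt from the
	 * default resource (portlet invocation) check, as loaded by the most recent
	 * {@link #resetPortletInvocationWhitelistActions()}.
	 */
	@Override
	public Set<String> getPortletInvocationWhitelistActions() {
		return _portletInvocationWhitelistActions;
	}

	/**
	 * Decides whether a request for {@code portletId} may skip the CSRF auth
	 * token check.
	 *
	 * <p>The portlet id is first reduced to its root id, so every instance of a
	 * whitelisted portlet is exempt. If the root id is not whitelisted, a
	 * non-null {@code strutsAction} is exempt only when it is both on the
	 * action whitelist and, per {@link #isValidStrutsAction}, actually belongs
	 * to that portlet — the second condition stops a whitelisted action name
	 * from exempting an unrelated portlet.</p>
	 *
	 * @param  companyId the company the portlet is looked up in
	 * @param  portletId the (possibly instanced) portlet id of the request
	 * @param  strutsAction the struts action of the request, may be null
	 * @return {@code true} if the CSRF check may be skipped
	 */
	@Override
	public boolean isPortletCSRFWhitelisted(
		long companyId, String portletId, String strutsAction) {

		String rootPortletId = PortletConstants.getRootPortletId(portletId);

		Set<String> whitelist = getPortletCSRFWhitelist();

		if (whitelist.contains(rootPortletId)) {
			return true;
		}

		if (Validator.isNotNull(strutsAction)) {
			Set<String> whitelistActions = getPortletCSRFWhitelistActions();

			if (whitelistActions.contains(strutsAction) &&
				isValidStrutsAction(companyId, rootPortletId, strutsAction)) {

				return true;
			}
		}

		return false;
	}

	/**
	 * Decides whether a request for {@code portletId} may skip the default
	 * resource (portlet invocation) check.
	 *
	 * <p>Same shape as {@link #isPortletCSRFWhitelisted}, except that the
	 * portlet id is matched as given rather than reduced to its root id.
	 * NOTE(review): this asymmetry looks deliberate (instance-specific
	 * whitelisting) but is not documented — confirm against the callers.</p>
	 *
	 * @param  companyId the company the portlet is looked up in
	 * @param  portletId the portlet id of the request, matched verbatim
	 * @param  strutsAction the struts action of the request, may be null
	 * @return {@code true} if the invocation check may be skipped
	 */
	@Override
	public boolean isPortletInvocationWhitelisted(
		long companyId, String portletId, String strutsAction) {

		Set<String> whitelist = getPortletInvocationWhitelist();

		if (whitelist.contains(portletId)) {
			return true;
		}

		if (Validator.isNotNull(strutsAction)) {
			Set<String> whitelistActions =
				getPortletInvocationWhitelistActions();

			if (whitelistActions.contains(strutsAction) &&
				isValidStrutsAction(companyId, portletId, strutsAction)) {

				return true;
			}
		}

		return false;
	}

	/**
	 * Reloads the CSRF portlet whitelist from
	 * {@code PropsValues.AUTH_TOKEN_IGNORE_PORTLETS} and returns the new
	 * unmodifiable set.
	 */
	@Override
	public Set<String> resetPortletCSRFWhitelist() {
		_portletCSRFWhitelist = SetUtil.fromArray(
			PropsValues.AUTH_TOKEN_IGNORE_PORTLETS);
		_portletCSRFWhitelist = Collections.unmodifiableSet(
			_portletCSRFWhitelist);

		return _portletCSRFWhitelist;
	}

	/**
	 * Reloads the CSRF action whitelist from
	 * {@code PropsValues.AUTH_TOKEN_IGNORE_ACTIONS} and returns the new
	 * unmodifiable set.
	 */
	@Override
	public Set<String> resetPortletCSRFWhitelistActions() {
		_portletCSRFWhitelistActions = SetUtil.fromArray(
			PropsValues.AUTH_TOKEN_IGNORE_ACTIONS);
		_portletCSRFWhitelistActions = Collections.unmodifiableSet(
			_portletCSRFWhitelistActions);

		return _portletCSRFWhitelistActions;
	}

	/**
	 * Reloads the invocation portlet whitelist from
	 * {@code PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST} and
	 * returns the new unmodifiable set.
	 */
	@Override
	public Set<String> resetPortletInvocationWhitelist() {
		_portletInvocationWhitelist = SetUtil.fromArray(
			PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST);
		_portletInvocationWhitelist = Collections.unmodifiableSet(
			_portletInvocationWhitelist);

		return _portletInvocationWhitelist;
	}

	/**
	 * Reloads the invocation action whitelist from
	 * {@code PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS}
	 * and returns the new unmodifiable set.
	 */
	@Override
	public Set<String> resetPortletInvocationWhitelistActions() {
		_portletInvocationWhitelistActions = SetUtil.fromArray(
			PropsValues.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST_ACTIONS);
		_portletInvocationWhitelistActions = Collections.unmodifiableSet(
			_portletInvocationWhitelistActions);

		return _portletInvocationWhitelistActions;
	}

	/**
	 * Checks that {@code strutsAction} belongs to the portlet identified by
	 * {@code portletId}: the action's path component (the text between the
	 * leading slash and the last slash) must equal the portlet's struts path or
	 * its parent struts path.
	 *
	 * <p>This is the guard that keeps a whitelisted action name from exempting
	 * a portlet it does not belong to, so every failure mode — a null or
	 * path-less action, an unknown portlet, or an exception from the portlet
	 * lookup — yields {@code false} (fail closed). NOTE(review): nothing is
	 * logged on the exception path, so a broken portlet lookup is invisible
	 * here; a debug log would help operators.</p>
	 *
	 * @param  companyId the company the portlet is looked up in
	 * @param  portletId the portlet id to validate the action against
	 * @param  strutsAction the struts action, expected as {@code /path/name}
	 * @return {@code true} only when the action path matches the portlet
	 */
	protected boolean isValidStrutsAction(
		long companyId, String portletId, String strutsAction) {

		if (strutsAction == null) {
			return false;
		}

		// Reject actions without a path component explicitly instead of letting
		// substring() throw and relying on the catch below to turn it into
		// false. lastSlash < 1 covers "no slash", "/" and "/name".
		int lastSlash = strutsAction.lastIndexOf(CharPool.SLASH);

		if (lastSlash < 1) {
			return false;
		}

		String strutsPath = strutsAction.substring(1, lastSlash);

		try {
			Portlet portlet = PortletLocalServiceUtil.getPortletById(
				companyId, portletId);

			if (portlet == null) {
				return false;
			}

			return strutsPath.equals(portlet.getStrutsPath()) ||
				strutsPath.equals(portlet.getParentStrutsPath());
		}
		catch (Exception ignored) {

			// A failed lookup must not widen the whitelist; treat it as "not
			// whitelisted" rather than propagating.

			return false;
		}
	}

	// Each field holds an unmodifiable snapshot and is only ever reassigned by
	// its reset* method. NOTE(review): the fields are not volatile, so a reset
	// on one thread is not guaranteed to be visible to a concurrent reader —
	// confirm whether the reset callers expect that.
	private Set<String> _portletCSRFWhitelist;
	private Set<String> _portletCSRFWhitelistActions;
	private Set<String> _portletInvocationWhitelist;
	private Set<String> _portletInvocationWhitelistActions;

}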