001    /**
002     * Copyright (c) 2000-present Liferay, Inc. All rights reserved.
003     *
004     * This library is free software; you can redistribute it and/or modify it under
005     * the terms of the GNU Lesser General Public License as published by the Free
006     * Software Foundation; either version 2.1 of the License, or (at your option)
007     * any later version.
008     *
009     * This library is distributed in the hope that it will be useful, but WITHOUT
010     * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
011     * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
012     * details.
013     */
014    
015    package com.liferay.portal.security.auth;
016    
import com.liferay.portal.kernel.concurrent.ConcurrentHashSet;
import com.liferay.portal.kernel.portlet.LiferayPortletURL;
import com.liferay.portal.kernel.security.pacl.DoPrivileged;
import com.liferay.portal.kernel.util.PropsKeys;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.model.Portlet;
import com.liferay.portal.model.PortletConstants;
import com.liferay.portal.util.PropsValues;
import com.liferay.util.Encryptor;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
030    
031    /**
032     * @author Raymond Augé
033     * @author Tomas Polesovsky
034     */
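@DoPrivileged
public class AuthTokenWhitelistImpl extends BaseAuthTokenWhitelist {

	/**
	 * Binds each whitelist set to its portal property key and to the whitelist
	 * services tracked by the base class, so that entries from both sources end
	 * up in the same set.
	 */
	public AuthTokenWhitelistImpl() {
		trackWhitelistServices(
			PropsKeys.AUTH_TOKEN_IGNORE_ORIGINS, _originCSRFWhitelist);

		registerPortalProperty(PropsKeys.AUTH_TOKEN_IGNORE_ORIGINS);

		trackWhitelistServices(
			PropsKeys.AUTH_TOKEN_IGNORE_PORTLETS, _portletCSRFWhitelist);

		registerPortalProperty(PropsKeys.AUTH_TOKEN_IGNORE_PORTLETS);

		trackWhitelistServices(
			PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST,
			_portletInvocationWhitelist);

		registerPortalProperty(
			PropsKeys.PORTLET_ADD_DEFAULT_RESOURCE_CHECK_WHITELIST);
	}

	/**
	 * Returns the live set of origin prefixes exempt from the CSRF token check.
	 * The returned set is the internal one, not a copy; modifications made to
	 * it take effect immediately.
	 *
	 * @deprecated As of 7.0.0
	 */
	@Deprecated
	@Override
	public Set<String> getOriginCSRFWhitelist() {
		return _originCSRFWhitelist;
	}

	/**
	 * Returns the live set of root portlet IDs exempt from the CSRF token
	 * check. The returned set is the internal one, not a copy; modifications
	 * made to it take effect immediately.
	 *
	 * @deprecated As of 7.0.0
	 */
	@Deprecated
	@Override
	public Set<String> getPortletCSRFWhitelist() {
		return _portletCSRFWhitelist;
	}

	/**
	 * Returns the live set of portlet IDs exempt from the add-default-resource
	 * check. The returned set is the internal one, not a copy; modifications
	 * made to it take effect immediately.
	 *
	 * @deprecated As of 7.0.0
	 */
	@Deprecated
	@Override
	public Set<String> getPortletInvocationWhitelist() {
		return _portletInvocationWhitelist;
	}

	/**
	 * Returns <code>true</code> if the origin starts with any configured
	 * whitelist entry. Entries are matched as plain string prefixes, so an
	 * entry that stops before the end of the host name also admits every
	 * longer origin beginning with the same characters; configure entries up
	 * to the delimiter that terminates the host.
	 *
	 * @param  companyId the company ID (currently unused; the whitelist is
	 *         global)
	 * @param  origin the origin taken from the request, may be
	 *         <code>null</code>
	 * @return <code>true</code> if a non-empty whitelist entry is a prefix of
	 *         the origin
	 */
	@Override
	public boolean isOriginCSRFWhitelisted(long companyId, String origin) {

		// A request without an origin cannot match any entry

		if (Validator.isNull(origin)) {
			return false;
		}

		for (String whitelistedOrigin : _originCSRFWhitelist) {

			// Every string starts with the empty string, so an empty entry
			// would silently exempt all origins from the CSRF check

			if (Validator.isNull(whitelistedOrigin)) {
				continue;
			}

			if (origin.startsWith(whitelistedOrigin)) {
				return true;
			}
		}

		return false;
	}

	/**
	 * Returns <code>true</code> if the portlet's root portlet ID is exempt from
	 * the CSRF token check. The request is not consulted; the decision depends
	 * only on the portlet.
	 *
	 * @param  request the current request (unused)
	 * @param  portlet the portlet being invoked
	 * @return <code>true</code> if the root portlet ID is whitelisted
	 */
	@Override
	public boolean isPortletCSRFWhitelisted(
		HttpServletRequest request, Portlet portlet) {

		return _portletCSRFWhitelist.contains(portlet.getRootPortletId());
	}

	/**
	 * Returns <code>true</code> if the portlet ID is exempt from the
	 * add-default-resource check. Unlike the CSRF whitelist, this one is keyed
	 * by the full portlet ID rather than the root portlet ID. The request is
	 * not consulted.
	 *
	 * @param  request the current request (unused)
	 * @param  portlet the portlet being invoked
	 * @return <code>true</code> if the portlet ID is whitelisted
	 */
	@Override
	public boolean isPortletInvocationWhitelisted(
		HttpServletRequest request, Portlet portlet) {

		return _portletInvocationWhitelist.contains(portlet.getPortletId());
	}

	/**
	 * Returns <code>true</code> if the root portlet ID of the portlet URL's
	 * target is exempt from the CSRF token check. The instance part of the
	 * portlet ID is stripped so that every instance of a whitelisted portlet
	 * is covered.
	 *
	 * @param  liferayPortletURL the portlet URL being rendered
	 * @return <code>true</code> if the root portlet ID is whitelisted
	 */
	@Override
	public boolean isPortletURLCSRFWhitelisted(
		LiferayPortletURL liferayPortletURL) {

		String rootPortletId = PortletConstants.getRootPortletId(
			liferayPortletURL.getPortletId());

		return _portletCSRFWhitelist.contains(rootPortletId);
	}

	/**
	 * Returns <code>true</code> if the full portlet ID of the portlet URL's
	 * target is exempt from the add-default-resource check.
	 *
	 * @param  liferayPortletURL the portlet URL being rendered
	 * @return <code>true</code> if the portlet ID is whitelisted
	 */
	@Override
	public boolean isPortletURLPortletInvocationWhitelisted(
		LiferayPortletURL liferayPortletURL) {

		return _portletInvocationWhitelist.contains(
			liferayPortletURL.getPortletId());
	}

	/**
	 * Returns <code>true</code> if the submitted value equals the digest of the
	 * configured shared secret. A missing submitted value or an unconfigured
	 * secret never matches. The comparison is constant time with respect to
	 * the position of the first differing byte, so response timing does not
	 * reveal how much of the submitted value is correct.
	 *
	 * @param  sharedSecret the digest submitted by the caller, may be
	 *         <code>null</code>
	 * @return <code>true</code> if the submitted value matches the configured
	 *         secret's digest
	 */
	@Override
	public boolean isValidSharedSecret(String sharedSecret) {
		if (Validator.isNull(sharedSecret)) {
			return false;
		}

		if (Validator.isNull(PropsValues.AUTH_TOKEN_SHARED_SECRET)) {
			return false;
		}

		String expectedDigest = Encryptor.digest(
			PropsValues.AUTH_TOKEN_SHARED_SECRET);

		if (expectedDigest == null) {
			return false;
		}

		// String#equals stops at the first mismatching character, which makes
		// the comparison time depend on how long the common prefix is.
		// MessageDigest#isEqual examines every byte of equal-length inputs.

		return MessageDigest.isEqual(
			sharedSecret.getBytes(StandardCharsets.UTF_8),
			expectedDigest.getBytes(StandardCharsets.UTF_8));
	}

	// Populated by the base class from portal properties and tracked
	// services, possibly from several threads, hence the concurrent set

	private final Set<String> _originCSRFWhitelist = new ConcurrentHashSet<>();
	private final Set<String> _portletCSRFWhitelist = new ConcurrentHashSet<>();
	private final Set<String> _portletInvocationWhitelist =
		new ConcurrentHashSet<>();

}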