You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@usergrid.apache.org by mr...@apache.org on 2016/06/16 00:31:04 UTC
[1/2] usergrid git commit: Revert "USERGRID-1300: localhost superuser
setting"
Repository: usergrid
Updated Branches:
refs/heads/release-2.1.1 29c287b22 -> 802416899
Revert "USERGRID-1300: localhost superuser setting"
This reverts commit 7ea48c27885da00a9a1d2251702e02bfe8ddf1ef.
Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo
Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/de6ecb91
Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/de6ecb91
Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/de6ecb91
Branch: refs/heads/release-2.1.1
Commit: de6ecb91caafa352dc3e04c0867e0739df8bfe86
Parents: 29c287b
Author: Mike Dunker <md...@apigee.com>
Authored: Wed Jun 15 14:31:16 2016 -0700
Committer: Mike Dunker <md...@apigee.com>
Committed: Wed Jun 15 14:31:16 2016 -0700
----------------------------------------------------------------------
.../main/resources/usergrid-default.properties | 4 ---
.../rest/management/ManagementResource.java | 4 +--
.../shiro/filters/BasicAuthSecurityFilter.java | 19 ++----------
.../management/AccountCreationProps.java | 3 +-
.../usergrid/management/ManagementService.java | 6 +---
.../cassandra/AccountCreationPropsImpl.java | 17 ++---------
.../cassandra/ManagementServiceImpl.java | 32 ++++----------------
.../apache/usergrid/security/shiro/Realm.java | 6 ++++
.../shiro/principals/AdminUserPrincipal.java | 4 +--
.../usergrid/management/OrganizationIT.java | 2 +-
.../cassandra/ManagementServiceIT.java | 6 ++--
11 files changed, 26 insertions(+), 77 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/config/src/main/resources/usergrid-default.properties
----------------------------------------------------------------------
diff --git a/stack/config/src/main/resources/usergrid-default.properties b/stack/config/src/main/resources/usergrid-default.properties
index d2141cf..0fc31ef 100644
--- a/stack/config/src/main/resources/usergrid-default.properties
+++ b/stack/config/src/main/resources/usergrid-default.properties
@@ -535,10 +535,6 @@ usergrid.sysadmin.login.email=super@usergrid.com
usergrid.sysadmin.login.password=test
usergrid.sysadmin.login.allowed=true
-# if usergrid.sysadmin.login.allowed=true, only allows sysadmin login if request is localhost
-# if usergrid.sysadmin.login.allowed=false, this property has no effect
-usergrid.sysadmin.localhost.only=false
-
# Set admin notification email properties
#
usergrid.sysadmin.email=
http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
index c4a921c..1aa75ee 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/management/ManagementResource.java
@@ -220,7 +220,7 @@ public class ManagementResource extends AbstractContextResource {
// do checking for different grant types
if ( GrantType.PASSWORD.toString().equals( grant_type ) ) {
try {
- user = management.verifyAdminUserPasswordCredentials( username, password, ui );
+ user = management.verifyAdminUserPasswordCredentials( username, password );
if ( user != null ) {
if (logger.isTraceEnabled()) {
@@ -438,7 +438,7 @@ public class ManagementResource extends AbstractContextResource {
UserInfo user = null;
try {
- user = management.verifyAdminUserPasswordCredentials( username, password, ui );
+ user = management.verifyAdminUserPasswordCredentials( username, password );
}
catch ( Exception e1 ) {
// intentionally empty
http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
index 7d6b40c..a5d7272 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/shiro/filters/BasicAuthSecurityFilter.java
@@ -25,7 +25,6 @@ import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
-import java.net.InetAddress;
import java.security.Principal;
import java.util.Map;
@@ -66,25 +65,11 @@ public class BasicAuthSecurityFilter extends SecurityFilter {
String sysadmin_login_password = properties.getProperty( "usergrid.sysadmin.login.password" );
boolean sysadmin_login_allowed =
Boolean.parseBoolean( properties.getProperty( "usergrid.sysadmin.login.allowed" ) );
- boolean sysadmin_localhost_only =
- Boolean.parseBoolean( properties.getProperty( "usergrid.sysadmin.localhost.only", "false" ) );
-
- boolean is_localhost = false;
- try {
- is_localhost = InetAddress.getByName(request.getUriInfo().getBaseUri().getHost()).isLoopbackAddress();
- }
- catch (Exception e) {
- // won't treat as localhost
- }
- boolean password_match = password.equals( sysadmin_login_password );
- if ( name.equals( sysadmin_login_name ) && (password_match || is_localhost)
- && sysadmin_login_allowed && (is_localhost || !sysadmin_localhost_only)) {
+ if ( name.equals( sysadmin_login_name ) && password.equals( sysadmin_login_password )
+ && sysadmin_login_allowed ) {
request.setSecurityContext( new SysAdminRoleAuthenticator() );
if (logger.isTraceEnabled()) {
logger.trace("System administrator access allowed");
- if (!password_match) {
- logger.trace("Allowed sysadmin password mismatch because accessing via localhost");
- }
}
}
}
http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/management/AccountCreationProps.java
----------------------------------------------------------------------
diff --git a/stack/services/src/main/java/org/apache/usergrid/management/AccountCreationProps.java b/stack/services/src/main/java/org/apache/usergrid/management/AccountCreationProps.java
index a5a0751..17f2c6a 100644
--- a/stack/services/src/main/java/org/apache/usergrid/management/AccountCreationProps.java
+++ b/stack/services/src/main/java/org/apache/usergrid/management/AccountCreationProps.java
@@ -75,7 +75,6 @@ public interface AccountCreationProps {
String PROPERTIES_SYSADMIN_LOGIN_EMAIL = "usergrid.sysadmin.login.email";
String PROPERTIES_SYSADMIN_LOGIN_NAME = "usergrid.sysadmin.login.name";
String PROPERTIES_SYSADMIN_LOGIN_ALLOWED = "usergrid.sysadmin.login.allowed";
- String PROPERTIES_SYSADMIN_LOCALHOST_ONLY = "usergrid.sysadmin.localhost.only";
String PROPERTIES_ADMIN_SYSADMIN_EMAIL = "usergrid.admin.sysadmin.email";
String PROPERTIES_ORG_SYSADMIN_EMAIL = "usergrid.org.sysadmin.email";
@@ -128,7 +127,7 @@ public interface AccountCreationProps {
SuperUser getSuperUser();
interface SuperUser{
- boolean isEnabled(String host);
+ boolean isEnabled();
String getUsername();
String getEmail();
String getPassword();
http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java
----------------------------------------------------------------------
diff --git a/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java b/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java
index 481f272..1d74ec3 100644
--- a/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java
+++ b/stack/services/src/main/java/org/apache/usergrid/management/ManagementService.java
@@ -39,8 +39,6 @@ import org.apache.usergrid.services.ServiceResults;
import com.google.common.collect.BiMap;
import rx.Observable;
-import javax.ws.rs.core.UriInfo;
-
public interface ManagementService {
@@ -270,9 +268,7 @@ public interface ManagementService {
boolean verifyAdminUserPassword( UUID userId, String password ) throws Exception;
- UserInfo verifyAdminUserPasswordCredentialsOnly( String name, String password ) throws Exception;
-
- UserInfo verifyAdminUserPasswordCredentials( String name, String password, UriInfo uriInfo ) throws Exception;
+ UserInfo verifyAdminUserPasswordCredentials( String name, String password ) throws Exception;
UserInfo verifyMongoCredentials( String name, String nonce, String key ) throws Exception;
http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/management/cassandra/AccountCreationPropsImpl.java
----------------------------------------------------------------------
diff --git a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/AccountCreationPropsImpl.java b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/AccountCreationPropsImpl.java
index 4077ef9..7c6a091 100644
--- a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/AccountCreationPropsImpl.java
+++ b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/AccountCreationPropsImpl.java
@@ -17,11 +17,9 @@
package org.apache.usergrid.management.cassandra;
-import java.net.InetAddress;
import java.util.Enumeration;
import java.util.Properties;
-import com.amazonaws.util.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.apache.usergrid.management.AccountCreationProps;
@@ -133,28 +131,17 @@ public class AccountCreationPropsImpl implements AccountCreationProps {
private final String username;
private final String email;
private final String password;
- private final boolean localhostOnly;
public SuperUserImpl(Properties properties) {
enabled = parseBoolean(properties.getProperty(PROPERTIES_SYSADMIN_LOGIN_ALLOWED));
username = properties.getProperty(PROPERTIES_SYSADMIN_LOGIN_NAME);
email = properties.getProperty(PROPERTIES_SYSADMIN_LOGIN_EMAIL);
password = properties.getProperty(PROPERTIES_SYSADMIN_LOGIN_PASSWORD);
- localhostOnly = parseBoolean(properties.getProperty(PROPERTIES_SYSADMIN_LOCALHOST_ONLY, "false"));
}
@Override
- public boolean isEnabled(String host) {
- boolean isLocalhost = false;
- // if host not passed in, assume not localhost
- if (!StringUtils.isNullOrEmpty(host)) {
- try {
- isLocalhost = InetAddress.getByName(host).isLoopbackAddress();
- } catch (Exception e) {
- // will treat as non-localhost
- }
- }
- return superuserEnabled() && (isLocalhost || !localhostOnly);
+ public boolean isEnabled() {
+ return superuserEnabled();
}
@Override
http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
----------------------------------------------------------------------
diff --git a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
index bf20c6d..73a56c8 100644
--- a/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
+++ b/stack/services/src/main/java/org/apache/usergrid/management/cassandra/ManagementServiceImpl.java
@@ -27,7 +27,6 @@ import com.google.inject.Injector;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang.text.StrSubstitutor;
import org.apache.shiro.UnavailableSecurityManagerException;
-import org.apache.shiro.authc.ExcessiveAttemptsException;
import org.apache.usergrid.corepersistence.service.AggregationService;
import org.apache.usergrid.corepersistence.service.AggregationServiceFactory;
import org.apache.usergrid.corepersistence.service.ApplicationService;
@@ -77,7 +76,6 @@ import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import rx.Observable;
-import javax.ws.rs.core.UriInfo;
import java.nio.ByteBuffer;
import java.util.*;
import java.util.Map.Entry;
@@ -359,13 +357,13 @@ public class ManagementServiceImpl implements ManagementService {
logger.warn( "Test app creation disabled" );
}
- if ( superuserShouldBeProvisioned() ) {
+ if ( superuserEnabled() ) {
provisionSuperuser();
}
}
- public boolean superuserShouldBeProvisioned() {
+ public boolean superuserEnabled() {
boolean superuser_enabled = getBooleanProperty( PROPERTIES_SYSADMIN_LOGIN_ALLOWED );
String superuser_username = properties.getProperty( PROPERTIES_SYSADMIN_LOGIN_NAME );
String superuser_email = properties.getProperty( PROPERTIES_SYSADMIN_LOGIN_EMAIL );
@@ -1349,27 +1347,10 @@ public class ManagementServiceImpl implements ManagementService {
@Override
- public UserInfo verifyAdminUserPasswordCredentials( String name, String password, UriInfo uriInfo ) throws Exception {
- // uriInfo should not be null
- Preconditions.checkArgument(uriInfo != null, "uriInfo parameter should not be null");
-
- return verifyAdminUserPasswordCredentialsInternal(name, password, uriInfo);
- }
-
-
- @Override
- public UserInfo verifyAdminUserPasswordCredentialsOnly( String name, String password ) throws Exception {
- return verifyAdminUserPasswordCredentialsInternal(name, password, null);
- }
-
-
- private UserInfo verifyAdminUserPasswordCredentialsInternal( String name, String password, UriInfo uriInfo)
- throws Exception {
-
- // null UriInfo means assume not a localhost request
+ public UserInfo verifyAdminUserPasswordCredentials( String name, String password ) throws Exception {
if(logger.isTraceEnabled()){
- logger.trace("verifyAdminUserPasswordCredentialsInternal for {}", name);
+ logger.trace("verifyAdminUserPasswordCredentials for {}", name);
}
User user = findUserEntity( smf.getManagementAppId(), name );
@@ -1380,8 +1361,7 @@ public class ManagementServiceImpl implements ManagementService {
if ( verify( smf.getManagementAppId(), user.getUuid(), password ) ) {
UserInfo userInfo = getUserInfo( smf.getManagementAppId(), user );
- boolean userIsSuperAdmin =
- properties.getSuperUser().isEnabled(uriInfo != null ? uriInfo.getBaseUri().getHost() : null)
+ boolean userIsSuperAdmin = properties.getSuperUser().isEnabled()
&& properties.getSuperUser().getEmail().equals(userInfo.getEmail());
boolean testUserEnabled = parseBoolean( properties.getProperty( PROPERTIES_SETUP_TEST_ACCOUNT ) );
@@ -1654,7 +1634,7 @@ public class ManagementServiceImpl implements ManagementService {
Map<UUID, String> organizations;
AccountCreationProps.SuperUser superUser = properties.getSuperUser();
- if ( superUser.isEnabled(null) && superUser.getUsername().equals( user.getUsername() ) ) {
+ if ( superUser.isEnabled() && superUser.getUsername().equals( user.getUsername() ) ) {
int maxOrganizations = this.getAccountCreationProps().getMaxOrganizationsForSuperUserLogin();
organizations = buildOrgBiMap( getOrganizations( null, maxOrganizations ) );
}
http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/security/shiro/Realm.java
----------------------------------------------------------------------
diff --git a/stack/services/src/main/java/org/apache/usergrid/security/shiro/Realm.java b/stack/services/src/main/java/org/apache/usergrid/security/shiro/Realm.java
index c8ca812..4381f01 100644
--- a/stack/services/src/main/java/org/apache/usergrid/security/shiro/Realm.java
+++ b/stack/services/src/main/java/org/apache/usergrid/security/shiro/Realm.java
@@ -56,6 +56,12 @@ public class Realm extends AuthorizingRealm {
private TokenService tokens;
+ @Value( "${" + PROPERTIES_SYSADMIN_LOGIN_ALLOWED + "}" )
+ private boolean superUserEnabled;
+ @Value( "${" + AccountCreationProps.PROPERTIES_SYSADMIN_LOGIN_NAME + ":admin}" )
+ private String superUser;
+
+
public Realm() {
setCredentialsMatcher(new AllowAllCredentialsMatcher());
setPermissionResolver(new CustomPermissionResolver());
http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/main/java/org/apache/usergrid/security/shiro/principals/AdminUserPrincipal.java
----------------------------------------------------------------------
diff --git a/stack/services/src/main/java/org/apache/usergrid/security/shiro/principals/AdminUserPrincipal.java b/stack/services/src/main/java/org/apache/usergrid/security/shiro/principals/AdminUserPrincipal.java
index fd4f0c5..a594d1e 100644
--- a/stack/services/src/main/java/org/apache/usergrid/security/shiro/principals/AdminUserPrincipal.java
+++ b/stack/services/src/main/java/org/apache/usergrid/security/shiro/principals/AdminUserPrincipal.java
@@ -66,9 +66,9 @@ public class AdminUserPrincipal extends UserPrincipal {
ApplicationInfo application = null;
boolean superUserEnabled = false;
- final String sysadminLoginAllowedProp = management.getProperties().getProperty(
+ final String s = management.getProperties().getProperty(
AccountCreationProps.PROPERTIES_SYSADMIN_LOGIN_ALLOWED);
- if ( sysadminLoginAllowedProp != null && "true".equalsIgnoreCase(sysadminLoginAllowedProp.trim())) {
+ if ( s != null && "true".equalsIgnoreCase(s.trim())) {
superUserEnabled = true;
}
http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/test/java/org/apache/usergrid/management/OrganizationIT.java
----------------------------------------------------------------------
diff --git a/stack/services/src/test/java/org/apache/usergrid/management/OrganizationIT.java b/stack/services/src/test/java/org/apache/usergrid/management/OrganizationIT.java
index 44599a6..9d20dcb 100644
--- a/stack/services/src/test/java/org/apache/usergrid/management/OrganizationIT.java
+++ b/stack/services/src/test/java/org/apache/usergrid/management/OrganizationIT.java
@@ -103,7 +103,7 @@ public class OrganizationIT {
setup.getEntityIndex().refresh(CpNamingUtils.MANAGEMENT_APPLICATION_ID);
- UserInfo u = setup.getMgmtSvc().verifyAdminUserPasswordCredentialsOnly(
+ UserInfo u = setup.getMgmtSvc().verifyAdminUserPasswordCredentials(
organization.getOwner().getUuid().toString(), "test" );
assertNotNull( u );
http://git-wip-us.apache.org/repos/asf/usergrid/blob/de6ecb91/stack/services/src/test/java/org/apache/usergrid/management/cassandra/ManagementServiceIT.java
----------------------------------------------------------------------
diff --git a/stack/services/src/test/java/org/apache/usergrid/management/cassandra/ManagementServiceIT.java b/stack/services/src/test/java/org/apache/usergrid/management/cassandra/ManagementServiceIT.java
index 83ceae9..6179a6d 100644
--- a/stack/services/src/test/java/org/apache/usergrid/management/cassandra/ManagementServiceIT.java
+++ b/stack/services/src/test/java/org/apache/usergrid/management/cassandra/ManagementServiceIT.java
@@ -480,15 +480,15 @@ public class ManagementServiceIT {
EntityManager em = setup.getEmf().getEntityManager( setup.getSmf().getManagementAppId() );
setup.getEntityIndex().refresh(applicationId);
- UserInfo authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentialsOnly( username, password );
+ UserInfo authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentials( username, password );
assertEquals( adminUser.getUuid(), authedUser.getUuid() );
- authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentialsOnly( adminUser.getEmail(), password );
+ authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentials( adminUser.getEmail(), password );
assertEquals( adminUser.getUuid(), authedUser.getUuid() );
- authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentialsOnly( adminUser.getUuid().toString(), password );
+ authedUser = setup.getMgmtSvc().verifyAdminUserPasswordCredentials( adminUser.getUuid().toString(), password );
assertEquals( adminUser.getUuid(), authedUser.getUuid() );
}
[2/2] usergrid git commit: USERGRID-1300: move superuser localhost
check into SecuredResourceFilterFactory
Posted by mr...@apache.org.
USERGRID-1300: move superuser localhost check into SecuredResourceFilterFactory
Project: http://git-wip-us.apache.org/repos/asf/usergrid/repo
Commit: http://git-wip-us.apache.org/repos/asf/usergrid/commit/80241689
Tree: http://git-wip-us.apache.org/repos/asf/usergrid/tree/80241689
Diff: http://git-wip-us.apache.org/repos/asf/usergrid/diff/80241689
Branch: refs/heads/release-2.1.1
Commit: 802416899ad00f87b06f621fd0c2ff7305aba417
Parents: de6ecb9
Author: Mike Dunker <md...@apigee.com>
Authored: Wed Jun 15 17:23:13 2016 -0700
Committer: Mike Dunker <md...@apigee.com>
Committed: Wed Jun 15 17:23:13 2016 -0700
----------------------------------------------------------------------
.../main/resources/usergrid-default.properties | 4 ++
.../security/SecuredResourceFilterFactory.java | 72 ++++++++++++++++++--
2 files changed, 71 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/usergrid/blob/80241689/stack/config/src/main/resources/usergrid-default.properties
----------------------------------------------------------------------
diff --git a/stack/config/src/main/resources/usergrid-default.properties b/stack/config/src/main/resources/usergrid-default.properties
index 0fc31ef..d2141cf 100644
--- a/stack/config/src/main/resources/usergrid-default.properties
+++ b/stack/config/src/main/resources/usergrid-default.properties
@@ -535,6 +535,10 @@ usergrid.sysadmin.login.email=super@usergrid.com
usergrid.sysadmin.login.password=test
usergrid.sysadmin.login.allowed=true
+# if usergrid.sysadmin.login.allowed=true, only allows sysadmin login if request is localhost
+# if usergrid.sysadmin.login.allowed=false, this property has no effect
+usergrid.sysadmin.localhost.only=false
+
# Set admin notification email properties
#
usergrid.sysadmin.email=
http://git-wip-us.apache.org/repos/asf/usergrid/blob/80241689/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
----------------------------------------------------------------------
diff --git a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
index bd1ab46..85e6210 100644
--- a/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
+++ b/stack/rest/src/main/java/org/apache/usergrid/rest/security/SecuredResourceFilterFactory.java
@@ -45,6 +45,7 @@ import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.UriInfo;
import java.io.IOException;
import java.lang.reflect.Method;
+import java.net.InetAddress;
import java.util.Map;
import java.util.Properties;
@@ -68,6 +69,9 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
ManagementService management;
+ private static final int PRIORITY_SUPERUSER = 1;
+ private static final int PRIORITY_DEFAULT = 5000;
+
@Inject
public SecuredResourceFilterFactory() {
@@ -112,6 +116,7 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
@Override
public void configure(ResourceInfo resourceInfo, FeatureContext featureContext) {
+
Method am = resourceInfo.getResourceMethod();
if (logger.isTraceEnabled()) {
@@ -119,20 +124,28 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
resourceInfo.getResourceClass().getSimpleName(), resourceInfo.getResourceMethod().getName());
}
+ boolean sysadminLocalhostOnly =
+ Boolean.parseBoolean(properties.getProperty("usergrid.sysadmin.localhost.only", "false"));
+
+ if (sysadminLocalhostOnly) {
+ // priority = PRIORITY_SUPERUSER forces this to run first
+ featureContext.register( SysadminLocalhostFilter.class, PRIORITY_SUPERUSER );
+ }
+
if ( am.isAnnotationPresent( RequireApplicationAccess.class ) ) {
- featureContext.register( ApplicationFilter.class );
+ featureContext.register( ApplicationFilter.class, PRIORITY_DEFAULT);
}
else if ( am.isAnnotationPresent( RequireOrganizationAccess.class ) ) {
- featureContext.register( OrganizationFilter.class );
+ featureContext.register( OrganizationFilter.class, PRIORITY_DEFAULT);
}
else if ( am.isAnnotationPresent( RequireSystemAccess.class ) ) {
- featureContext.register( SystemFilter.class );
+ featureContext.register( SystemFilter.class, PRIORITY_DEFAULT);
}
else if ( am.isAnnotationPresent( RequireAdminUserAccess.class ) ) {
- featureContext.register( SystemFilter.AdminUserFilter.class );
+ featureContext.register( SystemFilter.AdminUserFilter.class, PRIORITY_DEFAULT);
}
else if ( am.isAnnotationPresent( CheckPermissionsForPath.class ) ) {
- featureContext.register( PathPermissionsFilter.class );
+ featureContext.register( PathPermissionsFilter.class, PRIORITY_DEFAULT);
}
}
@@ -228,6 +241,55 @@ public class SecuredResourceFilterFactory implements DynamicFeature {
}
@Resource
+ public static class SysadminLocalhostFilter extends AbstractFilter {
+
+ @Inject
+ public SysadminLocalhostFilter( UriInfo uriInfo ) {
+ super(uriInfo);
+ }
+
+ @Override
+ public void authorize( ContainerRequestContext request ) {
+ if (logger.isTraceEnabled()) {
+ logger.trace("SysadminLocalhostFilter.authorize");
+ }
+
+ if (!request.getSecurityContext().isUserInRole( ROLE_SERVICE_ADMIN )) {
+ // not a sysadmin request
+ return;
+ }
+
+ boolean isLocalhost = false;
+ try {
+ byte[] address = InetAddress.getByName(request.getUriInfo().getBaseUri().getHost()).getAddress();
+ if (address[0] == 127) {
+ // loopback address
+ isLocalhost = true;
+ } else if (address[0] == 0 && address[1] == 0 && address[2] == 0 && address[3] == 0) {
+ // 0.0.0.0, used for requests like curl 0:8080
+ isLocalhost = true;
+ } else {
+ // everything else
+ isLocalhost = false;
+ }
+ }
+ catch (Exception e) {
+ // couldn't parse host, so assume not localhost
+ logger.error("Unable to parse host for sysadmin request, request rejected: path = {}",
+ request.getUriInfo().getPath());
+ }
+
+ if (!isLocalhost) {
+ throw mappableSecurityException( "unauthorized", "No remote sysadmin access authorized" );
+ }
+
+ if (logger.isTraceEnabled()) {
+ logger.trace("SysadminLocalhostFilter.authorize - leaving");
+ }
+ }
+ }
+
+ @Resource
public static class OrganizationFilter extends AbstractFilter {
@Inject