diff --git a/src/main/java/io/shiftleft/controller/AdminController.java b/src/main/java/io/shiftleft/controller/AdminController.java
index 296c26573..cd4f40fd8 100644
--- a/src/main/java/io/shiftleft/controller/AdminController.java
+++ b/src/main/java/io/shiftleft/controller/AdminController.java
@@ -81,17 +81,63 @@ public String doGetPrintSecrets(@CookieValue(value = "auth", defaultValue = "not * @return redirect to company numbers * @throws Exception */ - @RequestMapping(value = "/admin/login", method = RequestMethod.POST) - public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") String auth, @RequestBody String password, HttpServletResponse response, HttpServletRequest request) throws Exception { - String succ = "redirect:/admin/printSecrets"; + @RequestMapping(value = "/admin/login", method = RequestMethod.POST) + public String doPostLogin(@CookieValue(value = "auth", defaultValue = "notset") String auth, @RequestBody String password, HttpServletResponse response, HttpServletRequest request) throws Exception { + String succ = "redirect:/admin/printSecrets"; + String fail = "redirect:/admin/fail"; + + try { + // no cookie no fun + if (!auth.equals("notset")) { + if(isAdmin(auth)) { + request.getSession().setAttribute("auth",auth); + return succ; + } + } + + // split password=value + String[] pass = password.split("="); + if(pass.length!=2) { + return fail; + } + // compare pass + if(pass[1] != null && pass[1].length()>0 && pass[1].equals("shiftleftsecret")) + { + AuthToken authToken = new AuthToken(AuthToken.ADMIN); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + ObjectOutputStream oos = new ObjectOutputStream(bos); + oos.writeObject(authToken); + String cookieValue = new String(Base64.getEncoder().encode(bos.toByteArray())); + response.addCookie(new Cookie("auth", cookieValue )); + + // cookie is lost after redirection + request.getSession().setAttribute("auth",cookieValue); + + return succ; + } + return fail; + } + catch (Exception ex) + { + ex.printStackTrace(); + // no succ == fail + return fail; + } + } + + private boolean isAdmin(String auth) + { + try { + ByteArrayInputStream bis = new ByteArrayInputStream(Base64.getDecoder().decode(auth)); + ObjectInputStream objectInputStream = new ObjectInputStream(bis); + 
Object authToken = objectInputStream.readObject(); + return ((AuthToken) authToken).isAdmin(); + } catch (Exception ex) { + System.out.println(" cookie cannot be deserialized: "+ex.getMessage()); + return false; + } + } - try { - // no cookie no fun - if (!auth.equals("notset")) { - if(isAdmin(auth)) { - request.getSession().setAttribute("auth",auth); - return succ; - } } // split password=value @@ -135,3 +181,4 @@ public String doGetLogin(HttpServletResponse response, HttpServletRequest reques return "redirect:/"; } } + diff --git a/src/main/java/io/shiftleft/controller/CustomerController.java b/src/main/java/io/shiftleft/controller/CustomerController.java index 40e1c4917..0b9f9c688 100644 --- a/src/main/java/io/shiftleft/controller/CustomerController.java +++ b/src/main/java/io/shiftleft/controller/CustomerController.java @@ -216,7 +216,7 @@ public void loadSettings(HttpServletResponse httpResponse, WebRequest request) t * @param request * @throws Exception */ - @RequestMapping(value = "/saveSettings", method = RequestMethod.GET) + @RequestMapping(value = "/saveSettings", method = RequestMethod.GET) public void saveSettings(HttpServletResponse httpResponse, WebRequest request) throws Exception { // "Settings" will be stored in a cookie // schema: base64(filename,value1,value2...), md5sum(base64(filename,value1,value2...)) 
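Review bot: In the new `isAdmin`, `objectInputStream.readObject()` runs Java native deserialization on the Base64-decoded `auth` cookie before the cast to `AuthToken`, so the type check comes too late to constrain what the client-supplied bytes instantiate. Java serialization should not be the cookie format here: an HMAC-signed token carrying the role (verified with `MessageDigest.isEqual` before anything is parsed) answers the same admin question without deserializing client data, and as a minimum on Java 9+ the stream should get `objectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("<AuthToken FQCN>;!*"));` before `readObject()`. In `doPostLogin` the issued cookie is added without `HttpOnly`/`Secure` flags (`cookie.setHttpOnly(true)` before `response.addCookie`), the admin password is a hard-coded literal compared with `String.equals`, and `ex.printStackTrace()` on the catch path discards context that belongs in the application logger. The trailing context lines `}` / `// split password=value` after the new `isAdmin` look like the remainder of the old `doPostLogin` body; whether those lines are removed further down is not visible in this hunk, so the file's compilability is worth confirming.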
@@ -263,6 +263,44 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t httpResponse.getOutputStream().println("Settings Saved"); } + + String settingsCookie = request.getHeader("Cookie"); + String[] cookie = settingsCookie.split(","); + if(cookie.length<2) { + httpResponse.getOutputStream().println("Malformed cookie"); + throw new Exception("cookie is incorrect"); + } + + String base64txt = cookie[0].replace("settings=",""); + + // Check md5sum + String cookieMD5sum = cookie[1]; + String calcMD5Sum = DigestUtils.md5Hex(base64txt); + if(!cookieMD5sum.equals(calcMD5Sum)) + { + httpResponse.getOutputStream().println("Wrong md5"); + throw new Exception("Invalid MD5"); + } + + // Now we can store on filesystem + String[] settings = new String(Base64.getDecoder().decode(base64txt)).split(","); + // storage will have ClassPathResource as basepath + ClassPathResource cpr = new ClassPathResource("./static/"); + File file = new File(cpr.getPath()+settings[0]); + if(!file.exists()) { + file.getParentFile().mkdirs(); + } + + FileOutputStream fos = new FileOutputStream(file, true); + // First entry is the filename -> remove it + String[] settingsArr = Arrays.copyOfRange(settings, 1, settings.length); + // on setting at a linez + fos.write(String.join("\n",settingsArr).getBytes()); + fos.write(("\n"+cookie[cookie.length-1]).getBytes()); + fos.close(); + httpResponse.getOutputStream().println("Settings Saved"); + } + /** * Debug test for saving and reading a customer * @@ -277,7 +315,7 @@ public void saveSettings(HttpServletResponse httpResponse, WebRequest request) t * @return String * @throws IOException */ - @RequestMapping(value = "/debug", method = RequestMethod.GET) + @RequestMapping(value = "/debug", method = RequestMethod.GET) public String debug(@RequestParam String customerId, @RequestParam int clientId, @RequestParam String firstName, 
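Review bot: `settings[0]` comes straight from the client's `Cookie` header and is concatenated into `new File(cpr.getPath()+settings[0])`, so the decoded filename can carry `..` segments or an absolute path and the append-mode `FileOutputStream` then writes outside `./static/`; resolve and normalize the target against the base directory and reject anything that escapes it. The MD5 check does not help because `DigestUtils.md5Hex(base64txt)` involves no secret — any client can compute it for any payload — so it should be an HMAC (`javax.crypto.Mac` with `HmacSHA256` and a server-side key) compared with `MessageDigest.isEqual`. Two smaller points in the same lines: `request.getHeader("Cookie")` returns null when the header is absent, so `settingsCookie.split(",")` throws `NullPointerException` before the length check, and `fos` is never closed if either `write` throws, while `new String(byte[])`/`getBytes()` without a charset depend on the platform default. The rewrite below covers the path check and the resource handling; it needs `java.nio.file.Files`, `java.nio.file.Path`, `java.nio.file.Paths` and `java.nio.charset.StandardCharsets` imported.
```java
// … unchanged: cookie header parsing and md5 check …
String[] settings = new String(Base64.getDecoder().decode(base64txt), StandardCharsets.UTF_8).split(",");
// storage will have ClassPathResource as basepath; refuse any name that escapes it
ClassPathResource cpr = new ClassPathResource("./static/");
Path base = Paths.get(cpr.getPath()).toAbsolutePath().normalize();
Path target = base.resolve(settings[0]).normalize();
if (!target.startsWith(base) || target.equals(base)) {
    httpResponse.getOutputStream().println("Malformed cookie");
    throw new Exception("settings filename is not allowed");
}
Files.createDirectories(target.getParent());
// First entry is the filename -> remove it
String[] settingsArr = Arrays.copyOfRange(settings, 1, settings.length);
// one setting per line; try-with-resources closes the stream on every path
try (FileOutputStream fos = new FileOutputStream(target.toFile(), true)) {
    fos.write(String.join("\n", settingsArr).getBytes(StandardCharsets.UTF_8));
    fos.write(("\n" + cookie[cookie.length - 1]).getBytes(StandardCharsets.UTF_8));
}
httpResponse.getOutputStream().println("Settings Saved");
```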
@@ -306,6 +344,11 @@ ssn, socialSecurityNum, tin, phoneNumber, new Address("Debug str", return customer1.toString().toLowerCase().replace("script",""); } + + + + + /** * Debug test for saving and reading a customer * @@ -388,3 +431,9 @@ public void removeCustomer(@PathVariable("customerId") Long customerId, HttpServ } } + + + + + + diff --git a/src/main/java/io/shiftleft/controller/SearchController.java b/src/main/java/io/shiftleft/controller/SearchController.java index faa409760..48ac93666 100644 --- a/src/main/java/io/shiftleft/controller/SearchController.java +++ b/src/main/java/io/shiftleft/controller/SearchController.java @@ -18,15 +18,17 @@ public class SearchController { @RequestMapping(value = "/search/user", method = RequestMethod.GET) - public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) { - java.lang.Object message = new Object(); - try { - ExpressionParser parser = new SpelExpressionParser(); - Expression exp = parser.parseExpression(foo); - message = (Object) exp.getValue(); - } catch (Exception ex) { - System.out.println(ex.getMessage()); - } - return message.toString(); - } -} + @RequestMapping(value = "/search/user", method = RequestMethod.GET) + public String doGetSearch(@RequestParam String foo, HttpServletResponse response, HttpServletRequest request) { + String message = ""; + try { + ExpressionParser parser = new SpelExpressionParser(); + Expression exp = parser.parseExpression(foo); + message = String.valueOf(exp.getValue()); + } catch (Exception ex) { + System.out.println(ex.getMessage()); + } + return message; + } + + diff --git a/src/main/java/io/shiftleft/model/Customer.java b/src/main/java/io/shiftleft/model/Customer.java index 6ecdc3000..caa928c5b 100644 --- a/src/main/java/io/shiftleft/model/Customer.java +++ b/src/main/java/io/shiftleft/model/Customer.java 
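Review bot: The rewritten `doGetSearch` still hands the `foo` request parameter to `SpelExpressionParser.parseExpression(foo)` and evaluates it with `exp.getValue()`, so the only thing this change fixes is the `NullPointerException` from `message.toString()` on a null result; a caller-controlled SpEL expression evaluated in the parser's default context is expression injection, and the parameter should be treated as plain search data rather than parsed as an expression. If expression evaluation is genuinely required, evaluate against a restricted context (`exp.getValue(SimpleEvaluationContext.forReadOnlyDataBinding().build())`) and catch `ParseException`/`EvaluationException` rather than `Exception`. `System.out.println(ex.getMessage())` in the catch drops the stack trace and bypasses the application logger, and `response` and `request` are unused parameters. The context after `return message;` is only blank added lines here, so where the class now closes is not visible in this hunk.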
@@ -156,7 +156,7 @@ public void setAccounts(Set accounts) { this.accounts = accounts; } - @Override + @Override public String toString() { return "Customer [id=" + id + ", customerId=" + customerId + ", clientId=" + clientId + ", firstName=" + firstName + ", lastName=" + lastName + ", dateOfBirth=" + dateOfBirth + ", ssn=" + ssn + ", socialInsurancenum=" @@ -164,4 +164,10 @@ public String toString() { + accounts + "]"; } + + + } + + +