+ access control

ad765f46 · Alina Habibulina · d9ffbde5 · ad765f46 · ad765f46 · ad765f46
Commit ad765f46 authored Jun 19, 2018 by Alina Habibulina
4 changed files
--- a/src/main/java/kz/arta/ext/sap/db/UserManager.java
+++ b/src/main/java/kz/arta/ext/sap/db/UserManager.java
@@ -8,12 +8,14 @@ import javax.naming.NamingException;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.SQLException;
+import java.sql.ResultSet;
 /**
 * Created by val
 * Date: 04.10.2015
 * Time: 12:49
 *
+ * Modified: 06.2018
 * работа с СУБД
 * использует соединение, указанное в @{@link ConnectionPool}
 */
@@ -21,8 +23,37 @@ public class UserManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(UserManager.class);
-    public static String set_pass(String login, String new_pass) {
+    public static String ifUserExist(String login) {
-		//123
+		Connection con = null;
+        try {
+            con = ConnectionPool.getConnection();
+			PreparedStatement chechExistance = con.prepareStatement("SELECT * FROM users WHERE login = ? ");
+			chechExistance.setString(1, login);
+			ResultSet res = chechExistance.executeQuery();
+			int columns = res.getMetaData().getColumnCount();
+			StringBuilder message = new StringBuilder();
+			while (res.next()) {
+				for (int i = 1; i <= columns; i++){
+					message.append(res.getString(i) + " ");
+				}
+			}	
+			if(message.toString().length() > 0) return "true";
+			else return "{\"status\":\"User is not exist!\", \"errorCode\": \"404\"}";
+        } catch (SQLException | NamingException e) {
+            LOGGER.error("", e);
+			return "{\"status\":\"something gone wrong\", \"error\":\"" + e + "\", \"errorCode\": \"500\"}"; 
+        } finally {
+            ConnectionPool.close(con);
+        }
+    }
+    public static String setPass(String login, String new_pass) {
+    	if(UserManager.ifUserExist(login) == "true") {
 			Connection con = null;
 	        try {
 	            con = ConnectionPool.getConnection();
@@ -34,10 +65,68 @@ public class UserManager {
 	        } catch (SQLException | NamingException e) {
 	            LOGGER.error("", e);
-			return "{\"status\":\"something gone wrong\", \"error\":\"" + e + "\", \"errorCode\": \"500\"}"; 
+				return "{\"status\":\"something has gone wrong\", \"error\":\"" + e + "\", \"errorCode\": \"500\"}"; 
 	        } finally {
 	            ConnectionPool.close(con);
 	        }
+    	} else return "{\"status\":\"There is no user with such login!\", \"errorCode\": \"404\"}";
+    }
+	public static String checkAuth(String login, String password) {
+		Connection con = null;
+        try {
+            con = ConnectionPool.getConnection();
+			PreparedStatement searchUser = con.prepareStatement("SELECT * FROM users WHERE login = ? AND password = md5(?)");
+			searchUser.setString(1, login);
+			searchUser.setString(2, password);
+			ResultSet rs = searchUser.executeQuery();
+			int columns = rs.getMetaData().getColumnCount();
+			StringBuilder message = new StringBuilder();
+			while (rs.next()) {
+				for (int i = 1; i <= columns; i++){
+					message.append(rs.getString(i) + " ");
+				}
 			}	
+			if(message.toString().length() > 0) return "true";
+			return "{\"status\":\"Not authorized\", \"errorCode\": \"404\"}";
+        } catch (SQLException | NamingException e) {
+            LOGGER.error("", e);
+			return "{\"status\":\"Something has gone wrong\", \"error\":\"" + e + "\", \"errorCode\": \"500\"}"; 
+        } finally {
+            ConnectionPool.close(con);
+        }	
+    }
+	public static String isAdmin(String login) {
+		Connection con = null;
+        try {
+            con = ConnectionPool.getConnection();
+			PreparedStatement isAdminCheck = con.prepareStatement("SELECT * FROM users WHERE login = ? AND isadmin = 1");
+			isAdminCheck.setString(1, login);
+			ResultSet rs = isAdminCheck.executeQuery();
+			int columns = rs.getMetaData().getColumnCount();
+			StringBuilder message = new StringBuilder();
+			while (rs.next()) {
+				for (int i = 1; i <= columns; i++){
+					message.append(rs.getString(i) + " ");
+				}
+			}	
+			if(message.toString().length() > 0) return "true";
+			return "false";
+        } catch (SQLException | NamingException e) {
+            LOGGER.error("", e);
+			return "{\"status\":\"Something has gone wrong\", \"error\":\"" + e + "\", \"errorCode\": \"500\"}"; 
+        } finally {
+            ConnectionPool.close(con);
+        }	
+    }
 }
--- a/src/main/java/kz/arta/ext/sap/service/Activator.java
+++ b/src/main/java/kz/arta/ext/sap/service/Activator.java
 package kz.arta.ext.sap.service;
+import java.util.Set;
 import javax.ws.rs.ApplicationPath;
 import javax.ws.rs.core.Application;
@@ -10,4 +12,11 @@ import javax.ws.rs.core.Application;
 */
 @ApplicationPath("proxy")
 public class Activator extends Application {
+	@Override
+	public Set<Class<?>> getClasses() {
+		// TODO Auto-generated method stub
+		return null;
+	}
 }
--- a/src/main/java/kz/arta/ext/sap/service/UnsecuredProxyService.java
+++ b/src/main/java/kz/arta/ext/sap/service/UnsecuredProxyService.java
 package kz.arta.ext.sap.service;
-import kz.arta.ext.sap.util.Config;
+import kz.arta.ext.sap.util.SubsidiaryLib;
-import org.apache.commons.codec.binary.Base64;
-import org.apache.http.Header;
-import org.apache.http.HttpEntity;
-import org.apache.http.HttpHeaders;
-import org.apache.http.HttpResponse;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.impl.client.CloseableHttpClient;
-import org.apache.http.impl.client.HttpClientBuilder;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import kz.arta.ext.sap.util.ConnectionPool;
-import kz.arta.ext.sap.db.UserManager;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import javax.naming.NamingException;
-import java.sql.Connection;
-import java.sql.PreparedStatement;
-import java.sql.SQLException;
-import java.sql.ResultSet;
 import javax.enterprise.context.RequestScoped;
 import javax.ws.rs.GET;
+import javax.ws.rs.POST;
 import javax.ws.rs.Path;
+import javax.ws.rs.HeaderParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
 import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
-import java.io.IOException;
-import java.nio.charset.Charset;
 /**
 * Created by val
@@ -43,10 +22,10 @@ import java.nio.charset.Charset;
 * Date: 06.2018
 * REST API метод для смены/установки пароля
 */
 @Path("/uservice")
 @RequestScoped
 public class UnsecuredProxyService {
-    private static final Logger LOGGER = LoggerFactory.getLogger(UnsecuredProxyService.class);
    @GET
    @Path("/test")
@@ -55,10 +34,11 @@ public class UnsecuredProxyService {
        return "{\"status\":\"working\"}";
    }
-	@GET
+	@POST
 	@Path("/set_password")
 	@Produces(MediaType.APPLICATION_JSON + "; charset=utf-8")
-    public String setPassword(@QueryParam("login") String login, @QueryParam("new_password") String new_pass){
+    public String setPassword(@HeaderParam("authorization") String authParam, @QueryParam("login") String login, @QueryParam("new_password") String new_pass){
-		return UserManager.set_pass(login, new_pass); 
+		return SubsidiaryLib.checkTheAccess(authParam, login, new_pass);
    }
 }
--- a/src/main/java/kz/arta/ext/sap/util/SubsidiaryLib.java
+++ b/src/main/java/kz/arta/ext/sap/util/SubsidiaryLib.java
+package kz.arta.ext.sap.util;
+import kz.arta.ext.sap.db.UserManager;
+import sun.misc.BASE64Decoder;
+import java.io.IOException;
+import java.lang.Exception;
+public class SubsidiaryLib {
+	public static String checkTheAccess(String authParam, String logingForChange, String newPassword){
+		try {
+			String decodedAuth = "";
+			String[] authParts = authParam.toString().split(" ");
+			String authInfo = authParts[1];
+			byte[] bytes = null;
+			 try {
+	            bytes = new BASE64Decoder().decodeBuffer(authInfo);
+	        } catch (IOException e) {
+	            e.printStackTrace();
+	        }
+			decodedAuth = new String(bytes);
+			String[] authArray = decodedAuth.split(":");
+			String login = authArray[0];
+			String pass = authArray[1];
+			String authResult = UserManager.checkAuth(login, pass);
+			if (authResult == "true"){
+				String isAdminResult = UserManager.isAdmin(login);
+				if (isAdminResult == "true") {
+					return UserManager.setPass(logingForChange, newPassword);
+				} else if (isAdminResult == "false"){
+					if(login.equals(logingForChange)) return UserManager.setPass(logingForChange, newPassword);
+					else return "{\"status\":\"403 Forbidden. " + login + " vs " + logingForChange + "\", \"error\":\"You don't have any access to the requested account\", \"errorCode\": \"403\"}";
+				} else { 
+					return isAdminResult;
+				}
+			} else {
+				return authResult;
+			}
+		} catch (Exception e) {
+			return "Error: " + e;
+		}
+	}
+}