common/securis.git

..	..	@@ -5,9 +5,11 @@
5	5	import java.util.List;
6	6	import java.util.Set;
7	7
	8	+import javax.annotation.security.RolesAllowed;
8	9	import javax.inject.Inject;
9	10	import javax.inject.Provider;
10	11	import javax.persistence.EntityManager;
	12	+import javax.persistence.PersistenceException;
11	13	import javax.persistence.TypedQuery;
12	14	import javax.servlet.http.HttpServletRequest;
13	15	import javax.ws.rs.Consumes;
..	..	@@ -31,6 +33,8 @@
31	33	import net.curisit.securis.SeCurisException;
32	34	import net.curisit.securis.db.Organization;
33	35	import net.curisit.securis.db.User;
	36	+import net.curisit.securis.security.BasicSecurityContext;
	37	+import net.curisit.securis.security.Securable;
34	38	import net.curisit.securis.utils.TokenHelper;
35	39
36	40	import org.apache.logging.log4j.LogManager;
..	..	@@ -66,6 +70,8 @@
66	70	@Produces({
67	71	MediaType.APPLICATION_JSON
68	72	})
	73	+ @Securable
	74	+ @RolesAllowed(BasicSecurityContext.ROL_ADMIN)
69	75	public Response index() {
70	76	LOG.info("Getting users list ");
71	77
..	..	@@ -86,6 +92,8 @@
86	92	@Produces({
87	93	MediaType.APPLICATION_JSON
88	94	})
	95	+ @Securable
	96	+ @RolesAllowed(BasicSecurityContext.ROL_ADMIN)
89	97	public Response get(@PathParam("uid") String uid, @HeaderParam(TokenHelper.TOKEN_HEADER_PÀRAM) String token) {
90	98	LOG.info("Getting user data for id: {}: ", uid);
91	99	if (uid == null \|\| "".equals(uid)) {
..	..	@@ -109,6 +117,8 @@
109	117	MediaType.APPLICATION_JSON
110	118	})
111	119	@Transactional
	120	+ @Securable
	121	+ @RolesAllowed(BasicSecurityContext.ROL_ADMIN)
112	122	public Response create(User user, @HeaderParam(TokenHelper.TOKEN_HEADER_PÀRAM) String token) {
113	123	LOG.info("Creating new user");
114	124	EntityManager em = emProvider.get();
..	..	@@ -122,6 +132,11 @@
122	132	this.setUserOrg(user, user.getOrgsIds(), em);
123	133	} catch (SeCurisException e) {
124	134	return Response.status(Status.NOT_FOUND).header(DefaultExceptionHandler.ERROR_MESSAGE_HEADER, e.getMessage()).build();
	135	+ }
	136	+ if (user.getPassword() != null && !"".equals(user.getPassword())) {
	137	+ user.setPassword(Utils.sha256(user.getPassword()));
	138	+ } else {
	139	+ return Response.status(DefaultExceptionHandler.DEFAULT_APP_ERROR_STATUS_CODE).header(DefaultExceptionHandler.ERROR_MESSAGE_HEADER, "User password is mandatory").build();
125	140	}
126	141	user.setModificationTimestamp(new Date());
127	142	user.setLastLogin(null);
..	..	@@ -157,6 +172,8 @@
157	172	@Produces({
158	173	MediaType.APPLICATION_JSON
159	174	})
	175	+ @Securable
	176	+ @RolesAllowed(BasicSecurityContext.ROL_ADMIN)
160	177	public Response modify(User user, @PathParam("uid") String uid, @HeaderParam(TokenHelper.TOKEN_HEADER_PÀRAM) String token) {
161	178	LOG.info("Modifying user with id: {}", uid);
162	179	EntityManager em = emProvider.get();
..	..	@@ -176,7 +193,13 @@
176	193	currentUser.setRoles(user.getRoles());
177	194	currentUser.setLang(user.getLang());
178	195	currentUser.setModificationTimestamp(new Date());
179		- currentUser.setPassword(user.getPassword());
	196	+ if (user.getPassword() != null && !"".equals(user.getPassword())) {
	197	+ currentUser.setPassword(Utils.sha256(user.getPassword()));
	198	+ } else {
	199	+ // Password has not been modified
	200	+ //return Response.status(DefaultExceptionHandler.DEFAULT_APP_ERROR_STATUS_CODE).header(DefaultExceptionHandler.ERROR_MESSAGE_HEADER, "User password is mandatory").build();
	201	+ }
	202	+
180	203	currentUser.setLastLogin(user.getLastLogin());
181	204
182	205	em.persist(currentUser);
..	..	@@ -190,6 +213,8 @@
190	213	@Produces({
191	214	MediaType.APPLICATION_JSON
192	215	})
	216	+ @Securable
	217	+ @RolesAllowed(BasicSecurityContext.ROL_ADMIN)
193	218	public Response delete(@PathParam("uid") String uid, @Context HttpServletRequest request) {
194	219	LOG.info("Deleting app with id: {}", uid);
195	220	EntityManager em = emProvider.get();
..	..	@@ -208,16 +233,35 @@
208	233	@Produces({
209	234	MediaType.APPLICATION_JSON
210	235	})
211		- public Response login(@FormParam("username") String user, @FormParam("password") String password, @Context HttpServletRequest request) {
	236	+ public Response login(@FormParam("username") String username, @FormParam("password") String password, @Context HttpServletRequest request) {
212	237	LOG.info("index session: " + request.getSession());
213		- LOG.info("user: {}, pass: {}", user, password);
	238	+ LOG.info("user: {}, pass: {}", username, password);
214	239	LOG.info("is user in role: {} == {} ? ", "advance", request.isUserInRole("advance"));
215		-
216		- if ("no".equals(password)) {
	240	+ LOG.info("is user in role: {} == {} ? ", "admin", request.isUserInRole("admin"));
	241	+
	242	+ EntityManager em = emProvider.get();
	243	+ User user = em.find(User.class, username);
	244	+ if (user == null) {
	245	+ LOG.error("Inknown username {} used in login service", username);
	246	+ return Response.status(Status.UNAUTHORIZED).build();
	247	+ }
	248	+ String securedPassword = Utils.sha256(password);
	249	+
	250	+ if (securedPassword == null \|\| !securedPassword.equals(user.getPassword())) {
217	251	// TODO: Code to test exception handling
218	252	return Response.status(Status.UNAUTHORIZED).build();
219	253	}
220		- String tokenAuth = tokenHelper.generateToken(user);
	254	+ user.setLastLogin(new Date());
	255	+ em.getTransaction().begin();
	256	+ try {
	257	+ em.persist(user);
	258	+ em.getTransaction().commit();
	259	+ } catch(PersistenceException ex) {
	260	+ LOG.error("Error updating last login date for user: {}", username);
	261	+ LOG.error(ex);
	262	+ em.getTransaction().rollback();
	263	+ }
	264	+ String tokenAuth = tokenHelper.generateToken(username);
221	265	return Response.ok(Utils.createMap("success", true, "token", tokenAuth)).build();
222	266	}
223	267