-
Notifications
You must be signed in to change notification settings - Fork 271
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add handler for Console API requests and XSRF token creation and veri…
…fication (#2211)
- Loading branch information
Showing
11 changed files
with
266 additions
and
37 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
72 changes: 72 additions & 0 deletions
72
core/src/main/java/google/registry/ui/server/console/ConsoleApiAction.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,72 @@ | ||
// Copyright 2023 The Nomulus Authors. All Rights Reserved. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package google.registry.ui.server.console; | ||
|
||
import static google.registry.request.Action.Method.GET; | ||
|
||
import com.google.api.client.http.HttpStatusCodes; | ||
import google.registry.model.console.User; | ||
import google.registry.security.XsrfTokenManager; | ||
import google.registry.ui.server.registrar.ConsoleApiParams; | ||
import java.util.Arrays; | ||
import java.util.Optional; | ||
import javax.servlet.http.Cookie; | ||
|
||
/** Base class for handling Console API requests */ | ||
public abstract class ConsoleApiAction implements Runnable { | ||
protected ConsoleApiParams consoleApiParams; | ||
|
||
public ConsoleApiAction(ConsoleApiParams consoleApiParams) { | ||
this.consoleApiParams = consoleApiParams; | ||
} | ||
|
||
@Override | ||
public final void run() { | ||
// Shouldn't be even possible because of Auth annotations on the various implementing classes | ||
if (!consoleApiParams.authResult().userAuthInfo().get().consoleUser().isPresent()) { | ||
consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED); | ||
return; | ||
} | ||
User user = consoleApiParams.authResult().userAuthInfo().get().consoleUser().get(); | ||
if (consoleApiParams.request().getMethod().equals(GET.toString())) { | ||
getHandler(user); | ||
} else { | ||
if (verifyXSRF()) { | ||
postHandler(user); | ||
} | ||
} | ||
} | ||
|
||
protected void postHandler(User user) { | ||
throw new UnsupportedOperationException("Console API POST handler not implemented"); | ||
} | ||
|
||
protected void getHandler(User user) { | ||
throw new UnsupportedOperationException("Console API GET handler not implemented"); | ||
} | ||
|
||
private boolean verifyXSRF() { | ||
Optional<Cookie> maybeCookie = | ||
Arrays.stream(consoleApiParams.request().getCookies()) | ||
.filter(c -> XsrfTokenManager.X_CSRF_TOKEN.equals(c.getName())) | ||
.findFirst(); | ||
if (!maybeCookie.isPresent() | ||
|| !consoleApiParams.xsrfTokenManager().validateToken(maybeCookie.get().getValue())) { | ||
consoleApiParams.response().setStatus(HttpStatusCodes.STATUS_CODE_UNAUTHORIZED); | ||
return false; | ||
} | ||
return true; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
41 changes: 41 additions & 0 deletions
41
core/src/main/java/google/registry/ui/server/registrar/ConsoleApiParams.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
// Copyright 2023 The Nomulus Authors. All Rights Reserved. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package google.registry.ui.server.registrar; | ||
|
||
import com.google.auto.value.AutoValue; | ||
import google.registry.request.Response; | ||
import google.registry.request.auth.AuthResult; | ||
import google.registry.security.XsrfTokenManager; | ||
import javax.servlet.http.HttpServletRequest; | ||
|
||
/** Groups necessary dependencies for Console API actions * */ | ||
@AutoValue | ||
public abstract class ConsoleApiParams { | ||
public static ConsoleApiParams create( | ||
HttpServletRequest request, | ||
Response response, | ||
AuthResult authResult, | ||
XsrfTokenManager xsrfTokenManager) { | ||
return new AutoValue_ConsoleApiParams(request, response, authResult, xsrfTokenManager); | ||
} | ||
|
||
public abstract HttpServletRequest request(); | ||
|
||
public abstract Response response(); | ||
|
||
public abstract AuthResult authResult(); | ||
|
||
public abstract XsrfTokenManager xsrfTokenManager(); | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
46 changes: 46 additions & 0 deletions
46
core/src/test/java/google/registry/testing/FakeConsoleApiParams.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
// Copyright 2023 The Nomulus Authors. All Rights Reserved. | ||
// | ||
// Licensed under the Apache License, Version 2.0 (the "License"); | ||
// you may not use this file except in compliance with the License. | ||
// You may obtain a copy of the License at | ||
// | ||
// http://www.apache.org/licenses/LICENSE-2.0 | ||
// | ||
// Unless required by applicable law or agreed to in writing, software | ||
// distributed under the License is distributed on an "AS IS" BASIS, | ||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
// See the License for the specific language governing permissions and | ||
// limitations under the License. | ||
|
||
package google.registry.testing; | ||
|
||
import static org.mockito.Mockito.mock; | ||
|
||
import com.google.appengine.api.users.UserService; | ||
import google.registry.request.auth.AuthResult; | ||
import google.registry.request.auth.UserAuthInfo; | ||
import google.registry.security.XsrfTokenManager; | ||
import google.registry.ui.server.registrar.ConsoleApiParams; | ||
import java.util.Optional; | ||
import javax.servlet.http.HttpServletRequest; | ||
import org.joda.time.DateTime; | ||
|
||
public final class FakeConsoleApiParams { | ||
|
||
public static ConsoleApiParams get(Optional<AuthResult> maybeAuthResult) { | ||
AuthResult authResult = | ||
maybeAuthResult.orElseGet( | ||
() -> | ||
AuthResult.createUser( | ||
UserAuthInfo.create( | ||
new com.google.appengine.api.users.User( | ||
"[email protected]", "theregistrar.com"), | ||
false))); | ||
return ConsoleApiParams.create( | ||
mock(HttpServletRequest.class), | ||
new FakeResponse(), | ||
authResult, | ||
new XsrfTokenManager( | ||
new FakeClock(DateTime.parse("2020-02-02T01:23:45Z")), mock(UserService.class))); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.