Skip to content

Commit

Permalink
SAK-46627 WebDav: Connection could fail if user id and user eid are s…
Browse files Browse the repository at this point in the history 
…ame valued (sakaiproject#10059)
  • Loading branch information
@josecebe
josecebe authored Feb 15, 2022
1 parent 95bd18d commit 040c7c6
Show file tree
Hide file tree
Showing 3 changed files with 183 additions and 30 deletions.
9 changes: 9 additions & 0 deletions dav/dav/pom.xml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,15 @@
<version>${sakai.tomcat.version}</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-lang3</artifactId>
</dependency>
<dependency>
<groupId>org.mockito</groupId>
<artifactId>mockito-core</artifactId>
<scope>test</scope>
</dependency>
<!-- in tomcat server lib, so we need it here, too -->
<!--
<dependency>
Expand Down
71 changes: 41 additions & 30 deletions dav/dav/src/java/org/sakaiproject/dav/DavServlet.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -116,10 +116,12 @@
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import lombok.Setter;
import lombok.extern.slf4j.Slf4j;

import org.apache.catalina.util.DOMWriter;
import org.apache.catalina.util.XMLWriter;
import org.apache.commons.lang3.StringUtils;
import org.apache.tomcat.util.buf.UDecoder;

import org.w3c.dom.Document;
Expand Down Expand Up @@ -169,9 +171,9 @@
import org.sakaiproject.user.api.AuthenticationException;
import org.sakaiproject.user.api.Evidence;
import org.sakaiproject.user.api.User;
import org.sakaiproject.user.api.UserDirectoryService;
import org.sakaiproject.user.api.UserNotDefinedException;
import org.sakaiproject.user.cover.AuthenticationManager;
import org.sakaiproject.user.cover.UserDirectoryService;
import org.sakaiproject.util.IdPwEvidence;
import org.sakaiproject.util.RequestFilter;
import org.sakaiproject.util.ResourceLoader;
Expand Down Expand Up @@ -348,34 +350,32 @@ protected String adjustId(String id)
{
if (parts[1].equals("user"))
{
User user = null;

try
{
// if successful, the context is already a valid user id
UserDirectoryService.getUser(parts[2]);
user = userDirectoryService.getUser(parts[2]);
}
catch (UserNotDefinedException tryEid)
{
try
{
// try using it as an EID
String userId = UserDirectoryService.getUserId(parts[2]);

// switch to the ID
parts[2] = userId;
String newId = StringUtil.unsplit(parts, Entity.SEPARATOR);

// add the trailing separator if needed
if (id.endsWith(Entity.SEPARATOR)) newId += Entity.SEPARATOR;

id = newId;
user = userDirectoryService.getUserByEid(parts[2]);
}
catch (UserNotDefinedException notEid)
{
// if context was not a valid EID, leave it alone
}
}

}

if (user != null) {
// Switch introduced value to internal user ID to ensure it is the correct ID
parts[2] = user.getId();
id = mountNewId(id, parts);
}
}
else if (parts[1].equals("group"))
{
String context = parts[2];
Expand Down Expand Up @@ -431,37 +431,45 @@ else if ("sakai:mailarchive".equals(targetRef.getType()))
{
if (parts[1].equals("group-user"))
{
User user = null;

try
{
// if successful, the context is already a valid user id
UserDirectoryService.getUser(parts[3]);
user = userDirectoryService.getUser(parts[3]);
}
catch (UserNotDefinedException tryEid)
{
try
{
// try using it as an EID
String userId = UserDirectoryService.getUserId(parts[3]);

// switch to the ID
parts[3] = userId;
String newId = StringUtil.unsplit(parts, Entity.SEPARATOR);

// add the trailing separator if needed
if (id.endsWith(Entity.SEPARATOR)) newId += Entity.SEPARATOR;

id = newId;
user = userDirectoryService.getUserByEid(parts[3]);
}
catch (UserNotDefinedException notEid)
{
// if context was not a valid EID, leave it alone
}
}

if (user != null) {
// Switch introduced value to internal user ID to ensure it is the correct ID
parts[3] = user.getId();
id = mountNewId(id, parts);
}
}
}

return id;
}

private String mountNewId(String id, String[] parts) {
String newId = StringUtils.join(parts, Entity.SEPARATOR);

// Add the trailing separator if needed
if (id.endsWith(Entity.SEPARATOR)) newId += Entity.SEPARATOR;

return newId;
}

/**
* Simple date format for the creation date ISO representation (partial).
Expand Down Expand Up @@ -554,14 +562,16 @@ private SimpleDateFormat[] dateFormats()
*/
private String[] nonDavUserAgent = null;

private ContentHostingService contentHostingService;
@Setter private ContentHostingService contentHostingService;

private CitationService citationService;

private org.sakaiproject.entity.api.EntityManager entityManager;

private AliasService aliasService;

@Setter private UserDirectoryService userDirectoryService;

// --------------------------------------------------------- Public Methods

/**
Expand All @@ -573,6 +583,7 @@ public void init() throws ServletException
citationService = ComponentManager.get(CitationService.class);
entityManager = ComponentManager.get(org.sakaiproject.entity.api.EntityManager.class);
aliasService = ComponentManager.get(AliasService.class);
userDirectoryService = ComponentManager.get(UserDirectoryService.class);

// Set our properties from the initialization parameters
String value = null;
Expand Down Expand Up @@ -716,7 +727,7 @@ protected String getUserPropertyDisplayName(ResourceProperties props, String nam
{
try
{
User u = UserDirectoryService.getUser(id);
User u = userDirectoryService.getUser(id);
return u.getDisplayName();
}
catch (UserNotDefinedException e)
Expand Down Expand Up @@ -1972,14 +1983,14 @@ else if (idx.startsWith("/") && !idx.endsWith("/") && idx.length() > 2)
try
{
// try using it as an ID
resourceName = UserDirectoryService.getUserEid(parts[3]);
resourceName = userDirectoryService.getUserEid(parts[3]);
}
catch (UserNotDefinedException tryId)
{
try
{
// if successful, the context is already a valid user EID
UserDirectoryService.getUserByEid(parts[3]);
userDirectoryService.getUserByEid(parts[3]);
}
catch (UserNotDefinedException notId)
{
Expand Down Expand Up @@ -2741,7 +2752,7 @@ protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws Se
final ResourcePropertiesEdit p = edit.getPropertiesEdit();
p.addProperty(ResourceProperties.PROP_DISPLAY_NAME, name);

User user = UserDirectoryService.getCurrentUser();
User user = userDirectoryService.getCurrentUser();
final TimeBreakdown timeBreakdown = TimeService.newTime().breakdownLocal();
p.addProperty(ResourceProperties.PROP_COPYRIGHT, "copyright (c)" + " " + timeBreakdown.getYear() + ", " + user.getDisplayName() + ". All Rights Reserved. ");
}
Expand Down
133 changes: 133 additions & 0 deletions dav/dav/src/test/org/sakaiproject/dav/DavTest.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,133 @@
/*
* Copyright (c) 2003-2021 The Apereo Foundation
*
* Licensed under the Educational Community License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://opensource.org/licenses/ecl2
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package org.sakaiproject.dav;

import static org.mockito.Mockito.when;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.anyString;

import java.util.ArrayList;
import java.util.List;
import java.util.Optional;

import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;

import org.sakaiproject.content.api.ContentHostingService;
import org.sakaiproject.user.api.User;
import org.sakaiproject.user.api.UserDirectoryService;
import org.sakaiproject.user.api.UserNotDefinedException;

public class DavTest {
private static final String ADJUST_ID_NOT_VALID = "ID is not valid";
private static final String USER_1_EID = "e123456";
private static final String USER_1_ID = USER_1_EID;
private static final String USER_2_EID = "y123456";
private static final String USER_2_ID = "p123456";

private static ContentHostingService contentHostingService;
private static UserDirectoryService userDirectoryService;
private static DavServlet davServlet;

private static final List<User> users = new ArrayList<>();

@Before
/**
* When and thenAnswer needs to be reinitialized after each
*/
public void beforeEach() {
User user1 = mock(User.class);
Mockito.lenient().when(user1.getEid()).thenReturn(USER_1_EID);
Mockito.lenient().when(user1.getId()).thenReturn(USER_1_ID);
users.add(user1);

User user2 = mock(User.class);
Mockito.lenient().when(user2.getEid()).thenReturn(USER_2_EID);
Mockito.lenient().when(user2.getId()).thenReturn(USER_2_ID);
users.add(user2);

contentHostingService = mock(ContentHostingService.class);
when(contentHostingService.isShortRefs()).thenReturn(false);

userDirectoryService = mock(UserDirectoryService.class);
try {
Mockito.lenient().when(userDirectoryService.getUser(anyString()))
.thenAnswer(invocation -> this.getUser(invocation.getArgument(0)))
.thenThrow(UserNotDefinedException.class);

} catch (UserNotDefinedException ex) { }

try {
Mockito.lenient().when(userDirectoryService.getUserByEid(anyString()))
.thenAnswer(invocation -> this.getUserByEid(invocation.getArgument(0)))
.thenThrow(UserNotDefinedException.class);

} catch (UserNotDefinedException ex) { }

davServlet = new DavServlet();
davServlet.setContentHostingService(contentHostingService);
davServlet.setUserDirectoryService(userDirectoryService);
}

@Test
/**
* Tests for adjustId method from DavServlet class
* Should return valid IDs
*/
public void testIdIsValid() throws Exception {
Assert.assertEquals(ADJUST_ID_NOT_VALID, "/user/e123456", davServlet.adjustId("/user/E123456"));
Assert.assertEquals(ADJUST_ID_NOT_VALID, "/user/e123456", davServlet.adjustId("/user/e123456"));
Assert.assertEquals(ADJUST_ID_NOT_VALID, "/group-user/RANDOM_SITE/e123456", davServlet.adjustId("/group-user/RANDOM_SITE/E123456"));
Assert.assertEquals(ADJUST_ID_NOT_VALID, "/group-user/RANDOM_SITE/e123456", davServlet.adjustId("/group-user/RANDOM_SITE/e123456"));
Assert.assertEquals(ADJUST_ID_NOT_VALID, "/group-user/RANDOM_SITE/p123456", davServlet.adjustId("/group-user/RANDOM_SITE/Y123456"));
Assert.assertEquals(ADJUST_ID_NOT_VALID, "/group-user/RANDOM_SITE/p123456", davServlet.adjustId("/group-user/RANDOM_SITE/y123456"));
Assert.assertEquals(ADJUST_ID_NOT_VALID, "/group-user/RANDOM_SITE/p123456", davServlet.adjustId("/group-user/RANDOM_SITE/P123456"));
Assert.assertEquals(ADJUST_ID_NOT_VALID, "/group-user/RANDOM_SITE/p123456", davServlet.adjustId("/group-user/RANDOM_SITE/p123456"));
}

/**
* Replacement for UserDirectoryService getUser method
* @param id the user id
* @return a user
* @throws UserNotDefinedException if the user doesn't exist
*/
private User getUser(String id) throws UserNotDefinedException {
Optional<User> theUser = users.stream()
.filter(user -> id.toLowerCase().equals(user.getId().toLowerCase()))
.findFirst();
this.beforeEach(); // Clean methods
if (!theUser.isPresent()) throw new UserNotDefinedException("null");
return theUser.get();
}

/**
* Replacement for UserDirectoryService getUserByEid method
* @param eid the user eid
* @return a user
* @throws UserNotDefinedException if the user doesn't exist
*/
private User getUserByEid(String eid) throws UserNotDefinedException {
Optional<User> theUser = users.stream()
.filter(user -> eid.toLowerCase().equals(user.getEid().toLowerCase()))
.findFirst();
this.beforeEach(); // Clean methods
if (!theUser.isPresent()) throw new UserNotDefinedException("null");
return theUser.get();
}
}

0 comments on commit 040c7c6

Please sign in to comment.