From 014b017fad363ceebedae6bc60096b9472802818 Mon Sep 17 00:00:00 2001
From: "C. Alexander Leigh" 
Date: Wed, 15 Feb 2023 02:01:24 -0800
Subject: [PATCH] lc-gdn-api: Bugfixes
---
 .../main/java/lc/gdn/api/GdnApiService.java | 125 +++++++++---------
 1 file changed, 65 insertions(+), 60 deletions(-)
diff --git a/java/lc-gdn-api-svc/src/main/java/lc/gdn/api/GdnApiService.java b/java/lc-gdn-api-svc/src/main/java/lc/gdn/api/GdnApiService.java
index ef006ddc1..dc891df22 100644
--- a/java/lc-gdn-api-svc/src/main/java/lc/gdn/api/GdnApiService.java
+++ b/java/lc-gdn-api-svc/src/main/java/lc/gdn/api/GdnApiService.java
@@ -80,84 +80,89 @@ public class GdnApiService extends PrefixedHandler {
 @Override
 public HandlerStatus handlePrefixedWebRequest(WebTransaction request) throws Exception {
- final String authorization = request.httpServletRequest.getHeader("Authorization");
+ try {
+ final String authorization = request.httpServletRequest.getHeader("Authorization");
- if (authorization != null && authorization.toLowerCase().startsWith("basic")) {
- // Authorization: Basic base64credentials
- String base64Credentials = authorization.substring("Basic".length()).trim();
- byte[] credDecoded = Base64.getDecoder().decode(base64Credentials);
- String credentials = new String(credDecoded, StandardCharsets.UTF_8);
- // credentials = username:password
- final String[] values = credentials.split(":", 2);
+ if (authorization != null && authorization.toLowerCase().startsWith("basic")) {
+ // Authorization: Basic base64credentials
+ String base64Credentials = authorization.substring("Basic".length()).trim();
+ byte[] credDecoded = Base64.getDecoder().decode(base64Credentials);
+ String credentials = new String(credDecoded, StandardCharsets.UTF_8);
+ // credentials = username:password
+ final String[] values = credentials.split(":", 2);
- // FIXME: Should be gdn.leigh-co.com, but the SSL certs don't have a altname for this.
- ActiveDirectory ad = new ActiveDirectory("gdn.leigh-co.com", "ldaps://dc0.gdn.leigh-co.com",
- "cn=users,dc=gdn,dc=leigh-co,dc=com", null, null);
+ // FIXME: Should be gdn.leigh-co.com, but the SSL certs don't have a altname for this.
+ ActiveDirectory ad = new ActiveDirectory("gdn.leigh-co.com", "ldaps://dc0.gdn.leigh-co.com",
+ "cn=users,dc=gdn,dc=leigh-co,dc=com", null, null);
- Map user = ad.authenticate(values[0], values[1]);
+ Map user = ad.authenticate(values[0], values[1]);
- logger.info("AD returns: {}", user);
- if (user == null) {
- request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
- request.httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- return HandlerStatus.BREAK;
- }
+ logger.info("AD returns: {}", user);
+ if (user == null) {
+ request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
+ request.httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ return HandlerStatus.BREAK;
+ }
- // If we got this far, it was a good login, so we can continue to use these credentials since we
- // have them anyways.
- ad.setInfoUser(values[0]);
- ad.setInfoPassword(values[1]);
+ // If we got this far, it was a good login, so we can continue to use these credentials since we
+ // have them anyways.
+ ad.setInfoUser(values[0]);
+ ad.setInfoPassword(values[1]);
- String userSid = (String) user.get("objectSid");
+ String userSid = (String) user.get("objectSid");
- Set groups = ad.findGroups(userSid);
+ Set groups = ad.findGroups(userSid);
- Integer tunNumber = Integer.parseInt(request.httpServletRequest.getParameter("tunnelId"));
- InetAddress ipAddr = Inet4Address.getByName(request.httpServletRequest.getParameter("ip"));
+ Integer tunNumber = Integer.parseInt(request.httpServletRequest.getParameter("id"));
+ InetAddress ipAddr = Inet4Address.getByName(request.httpServletRequest.getParameter("ip"));
- // Are we authorized?
- if (!groups.contains(SID_DOMAIN_ADMINS) && !groups.contains(permissions.get(tunNumber))) {
- // FORBIDDEN since the u/p was good, but unauthorized.
- request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
- request.httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
- return HandlerStatus.BREAK;
- }
+ // Are we authorized?
+ if (!groups.contains(SID_DOMAIN_ADMINS) && !groups.contains(permissions.get(tunNumber))) {
+ // FORBIDDEN since the u/p was good, but unauthorized.
+ request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
+ request.httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return HandlerStatus.BREAK;
+ }
- // We're authorized, so go do the thing.
+ // We're authorized, so go do the thing.
- // Are we wasting our time?
- InetAddress old = cache.get(tunNumber);
- if (old != null & old.equals(ipAddr)) {
- // This is not actually an update since last time; so do nothing.
- request.httpServletResponse.getOutputStream().write("{\"router\":[]}".getBytes());
- return HandlerStatus.BREAK;
- }
+ // Are we wasting our time?
+ InetAddress old = cache.get(tunNumber);
+ if (old != null && old.equals(ipAddr)) {
+ // This is not actually an update since last time; so do nothing.
+ request.httpServletResponse.getOutputStream().write("{\"router\":[]}".getBytes());
+ return HandlerStatus.BREAK;
+ }
- logger.info("Updating tunnel configuration. [tun: {}] [ip: {}]", tunNumber, ipAddr.getHostAddress());
+ logger.info("Updating tunnel configuration. [tun: {}] [ip: {}]", tunNumber, ipAddr.getHostAddress());
- CiscoController gw0 = new CiscoController("gw0.gdn.leigh-co.com",
- new Credential(gw0User, gw0Password), gw0Enable);
- CiscoController gw3 = new CiscoController("gw3.gdn.leigh-co.com",
- new Credential(gw3User, gw3Password), gw3Enable);
+ CiscoController gw0 = new CiscoController("gw0.gdn.leigh-co.com",
+ new Credential(gw0User, gw0Password), gw0Enable);
+ CiscoController gw3 = new CiscoController("gw3.gdn.leigh-co.com",
+ new Credential(gw3User, gw3Password), gw3Enable);
- cache.put(tunNumber, ipAddr);
+ cache.put(tunNumber, ipAddr);
- synchronized (this) {
- gw0.getSession().setTunnelDestination(tunNumber, ipAddr.getHostAddress());
- gw3.getSession().setTunnelDestination(tunNumber, ipAddr.getHostAddress());
- }
- logger.info("Router updated.");
+ synchronized (this) {
+ gw0.getSession().setTunnelDestination(tunNumber, ipAddr.getHostAddress());
+ gw3.getSession().setTunnelDestination(tunNumber, ipAddr.getHostAddress());
+ }
+ logger.info("Router updated.");
- request.httpServletResponse.getOutputStream()
- .write("{\"router\":[\"gw0.gdn.leigh-co.com\",\"gw3.gdn.leigh-co.com\"]}".getBytes());
-
- return HandlerStatus.BREAK;
+ request.httpServletResponse.getOutputStream()
+ .write("{\"router\":[\"gw0.gdn.leigh-co.com\",\"gw3.gdn.leigh-co.com\"]}".getBytes());
+
+ return HandlerStatus.BREAK;
- } else {
- request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
- request.httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
- return HandlerStatus.BREAK;
+ } else {
+ request.httpServletResponse.setHeader("WWW-Authenticate", "BASIC realm=\"LEIGH&CO\"");
+ request.httpServletResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+ return HandlerStatus.BREAK;
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ throw e;
 }
 }
-- GitLab
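Review bot: The new `catch (Exception e) { e.printStackTrace(); throw e; }` at the end of handlePrefixedWebRequest writes to stderr instead of the `logger` the method already uses, and it still lets every client-caused failure surface as a server error: a non-Base64 Authorization value makes `Base64.getDecoder().decode` throw IllegalArgumentException, credentials without a `:` make `values[1]` throw ArrayIndexOutOfBoundsException, a missing or non-numeric `id` makes `Integer.parseInt` throw NumberFormatException, and an unparseable `ip` makes `Inet4Address.getByName` throw UnknownHostException. Those cases should get a 400 and a one-line warning rather than a full stack trace plus rethrow, which both misreports malformed input as a fault in the service and makes the error log noisy for anyone monitoring it; the rethrow is only warranted for genuinely unexpected exceptions. I would also note that `Inet4Address.getByName` on a non-literal `ip` value performs a name lookup, so rejecting anything that is not a literal address before that call would be a cheap extra check. The rewritten tail of the method is sketched below; everything above the final `else` is unchanged.
```java
            } else {
                // … unchanged: 401 challenge when no Basic credentials are present …
            }
        } catch (IllegalArgumentException | ArrayIndexOutOfBoundsException | UnknownHostException e) {
            // Malformed header, credentials without ':', bad 'id' or bad 'ip': a client error, not a 500.
            logger.warn("Rejecting malformed request: {}", e.toString());
            request.httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return HandlerStatus.BREAK;
        } catch (Exception e) {
            logger.error("Unhandled error while updating tunnel configuration", e);
            throw e;
        }
```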