Sign upLogin

alsutton/enterprisepasswordsafe

View on GitHub
Star
src/main/java/com/enterprisepasswordsafe/ui/web/servlets/ViewObjectEvents.java

Summary

Maintainability
A
3 hrs
Test Coverage
F
0%
/*
 * Copyright (c) 2017 Carbon Security Ltd. <opensource@carbonsecurity.co.uk>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

package com.enterprisepasswordsafe.ui.web.servlets;

import com.enterprisepasswordsafe.database.*;
import com.enterprisepasswordsafe.database.TamperproofEventLogDAO.EventsForDay;
import com.enterprisepasswordsafe.engine.accesscontrol.AccessControl;
import com.enterprisepasswordsafe.engine.users.UserClassifier;
import com.enterprisepasswordsafe.engine.utils.DateFormatter;
import com.enterprisepasswordsafe.ui.web.utils.SecurityUtils;
import com.enterprisepasswordsafe.ui.web.utils.ServletUtils;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.security.GeneralSecurityException;
import java.util.Calendar;
import java.util.List;

public final class ViewObjectEvents extends HttpServlet {

    private final UserClassifier userClassifier = new UserClassifier();

    @Override
    protected void doGet(final HttpServletRequest request, final HttpServletResponse response)
        throws ServletException {
        try {
            User remoteUser = SecurityUtils.getRemoteUser(request);
            String passwordLimit = ServletUtils.getInstance().getParameterValue(request, SharedParameterNames.PASSWORD_ID_PARAMETER);
            if (passwordLimit == null) {
                throw new RuntimeException("A password was not specified.");
            }

            boolean allowedAccess = false;
            if    ( AccessRoleDAO.getInstance().hasRole(remoteUser.getId(), passwordLimit, AccessRole.HISTORYVIEWER_ROLE) ) {
                allowedAccess = Boolean.TRUE;
            } else if    ( userClassifier.isAdministrator(remoteUser) ) {
                allowedAccess = Boolean.TRUE;
            } else if    ( userClassifier.isSubadministrator(remoteUser) ) {
                String showSubadminHistory = ConfigurationDAO.getValue(ConfigurationOption.SUBADMINS_HAVE_HISTORY_ACCESS);
                if( showSubadminHistory.charAt(0) == 'Y' ) {
                    allowedAccess = Boolean.TRUE;
                }
            }
            if(!allowedAccess) {
                throw new GeneralSecurityException("You are not allowed to view the history of that password.");
            }

            String day = request.getParameter("start_day");
            String month = request.getParameter("start_month");
            String year = request.getParameter("start_year");
            long startDate = DateFormatter.combineDate(day, month, year);
            if (startDate < 0) {
                startDate = DateFormatter.getToday();
            }


            day = request.getParameter("end_day");
            month = request.getParameter("end_month");
            year = request.getParameter("end_year");
            long endDate = DateFormatter.combineDate(day, month, year);
            if (endDate < 0) {
                endDate = DateFormatter.getToday();
            }

            AccessControl ac = AccessControlDAO.getInstance().getAccessControl(remoteUser, passwordLimit);
            if( ac == null ) {
                throw new GeneralSecurityException("You are not allowed to view the history for that password.");
            }
            Password thePassword = PasswordDAO.getInstance().getById(passwordLimit, ac);
            if( thePassword == null ) {
                throw new GeneralSecurityException("The password was not found.");
            }

            request.setAttribute("object.name", thePassword.toString());


            List<EventsForDay> events = TamperproofEventLogDAO.getInstance().
                                getEventsForDateRange( startDate, endDate, null,
                                    passwordLimit, remoteUser, true, false);

            request.setAttribute(SharedParameterNames.PASSWORD_ID_PARAMETER, passwordLimit);

            request.setAttribute("events", events);
            request.setAttribute("viewing.user", remoteUser);

            Calendar cal = Calendar.getInstance();
            cal.setTimeInMillis(startDate);
            request.setAttribute("start_day",    cal.get(Calendar.DAY_OF_MONTH));
            request.setAttribute("start_month",    cal.get(Calendar.MONTH));
            request.setAttribute("start_year",    cal.get(Calendar.YEAR));

            cal.setTimeInMillis(endDate);
            request.setAttribute("end_day",        cal.get(Calendar.DAY_OF_MONTH));
            request.setAttribute("end_month",    cal.get(Calendar.MONTH));
            request.setAttribute("end_year",    cal.get(Calendar.YEAR));
            request.setAttribute(BaseServlet.USER_LIST, UserSummaryDAO.getInstance().getSummaryList());

            request.getRequestDispatcher("/system/view_object_events.jsp").forward(request, response);
        } catch(Exception ex) {
            throw new ServletException("There was a problem retrieving the data for the date given.", ex);
        }
    }
}