/*
 * Copyright (c) 2017 Carbon Security Ltd. <opensource@carbonsecurity.co.uk>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

package com.enterprisepasswordsafe.ui.web.servlets;

import com.enterprisepasswordsafe.database.*;
import com.enterprisepasswordsafe.database.AccessRole.ApproverSummary;
import com.enterprisepasswordsafe.engine.accesscontrol.AccessControl;
import com.enterprisepasswordsafe.engine.users.UserClassifier;
import com.enterprisepasswordsafe.ui.web.utils.ApprovalRequestMailer;
import com.enterprisepasswordsafe.ui.web.utils.SecurityUtils;
import com.enterprisepasswordsafe.ui.web.utils.ServletPaths;
import com.enterprisepasswordsafe.ui.web.utils.ServletUtils;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.sql.SQLException;
import java.util.Set;

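public final class ViewRAPassword extends HttpServlet {

    /** Request parameter carrying the requester's justification for the restricted-access request. */
    public static final String REASON_PARAMETER = "reason";

    /** Configuration value of VOTE_ON_OWN_RA_REQUESTS meaning the requester must not approve their own request. */
    private static final String EXCLUDE_REQUESTER_FROM_APPROVERS = "n";

    private final UserClassifier userClassifier = new UserClassifier();

    /**
     * Records a restricted-access (RA) request for a password and notifies its approvers.
     *
     * <p>The password is identified by the {@code id} request parameter. Privileged users
     * (per {@link UserClassifier#isPriviledgedUser}) may obtain an access control even when it
     * is disabled; everyone else only gets an enabled one. Without a usable access control, or
     * when the password cannot be loaded, the user is sent back to the explorer with a
     * "not allowed" message. Otherwise the password is decrypted, an RA request is created with
     * the {@link #REASON_PARAMETER} value, the approvers are mailed a link to
     * {@code /system/AnalyseRARequest} and the request is forwarded to {@code /system/ViewPassword}
     * with the session's {@code nextOtid} exposed as the {@code otid} request attribute.
     *
     * <p>If {@code VOTE_ON_OWN_RA_REQUESTS} is {@code "n"} the requester is excluded from the
     * approver set, both in the stored request and in the mail recipients.
     *
     * @param request  the current request; must carry {@code id} and optionally {@code reason}
     * @param response the response used for forwarding
     * @throws ServletException if any step fails; the underlying cause is preserved
     */
    @Override
    protected void doPost(final HttpServletRequest request, final HttpServletResponse response)
            throws ServletException {
        try {
            User thisUser = SecurityUtils.getRemoteUser(request);
            String passwordId = ServletUtils.getInstance().getParameterValue(request, "id");

            AccessControl ac;
            if (userClassifier.isPriviledgedUser(thisUser)) {
                ac = AccessControlDAO.getInstance().getAccessControlEvenIfDisabled(thisUser, passwordId);
            } else {
                ac = AccessControlDAO.getInstance().getAccessControl(thisUser, passwordId);
            }

            // Check the access control before using it to load the password: the original order
            // called getById() with a possibly-null ac, and a missing password would NPE on decrypt().
            Password password = null;
            if (ac != null) {
                password = PasswordDAO.getInstance().getById(passwordId, ac);
            }
            if (ac == null || password == null) {
                ServletUtils.getInstance().generateMessage(request,"You are not allowed to view the selected password.");
                request.getRequestDispatcher(ServletPaths.getExplorerPath()).forward(request, response);
                return;
            }
            password.decrypt(ac);

            // Constant-first equals tolerates an unset configuration value instead of throwing NPE.
            String includeApprover =
                    ConfigurationDAO.getInstance().get(ConfigurationOption.VOTE_ON_OWN_RA_REQUESTS);
            String ignoreUserId = null;
            if (EXCLUDE_REQUESTER_FROM_APPROVERS.equals(includeApprover)) {
                ignoreUserId = thisUser.getId();
            }

            String reason = request.getParameter(REASON_PARAMETER);
            RestrictedAccessRequest raRequest =
                RestrictedAccessRequestDAO.getInstance().create(
                        passwordId,
                        thisUser.getId(),
                        reason,
                        ignoreUserId
                    );

            String approvalURL =
                    getServerBaseURL(request) + "/system/AnalyseRARequest?rarId=" + raRequest.getRequestId();

            Set<ApproverSummary> approvers = AccessRoleDAO.getInstance().getApprovers(passwordId, ignoreUserId);

            new ApprovalRequestMailer(approvers, thisUser, password, raRequest, approvalURL).start();

            request.setAttribute("otid", request.getSession().getAttribute("nextOtid"));
            request.getRequestDispatcher("/system/ViewPassword").forward(request, response);
        } catch (Exception ex) {
            // Servlet boundary: wrap everything so the container reports it with the cause intact.
            throw new ServletException("You can not view the request at the current time because of an error.", ex);
        }
    }

    /**
     * Returns the base URL used in approval links: the configured
     * {@code PROPERTY_SERVER_BASE_URL} when set, otherwise one derived from the request.
     *
     * @param request the current request, used only for the fallback
     * @return the base URL without a trailing slash
     * @throws SQLException if the configuration cannot be read
     */
    private String getServerBaseURL(final HttpServletRequest request)
        throws SQLException {
        String baseUrl = ConfigurationDAO.getValue(ConfigurationOption.PROPERTY_SERVER_BASE_URL);
        if (baseUrl == null || baseUrl.isEmpty()) {
            baseUrl = constructBaseURLFromRequest(request);
        }
        return baseUrl;
    }

    /**
     * Builds {@code scheme://host[:port]/context} from the request.
     *
     * <p>Scheme, host and port are whatever the container saw on the incoming request (the
     * host typically comes from the Host header), so the link mailed to approvers reflects
     * that value rather than a fixed, administrator-chosen one. Setting
     * {@code PROPERTY_SERVER_BASE_URL} makes {@link #getServerBaseURL} skip this fallback.
     *
     * @param request the current request
     * @return the reconstructed base URL
     */
    private String constructBaseURLFromRequest(final HttpServletRequest request) {
        String scheme = request.getScheme();
        int serverPort = request.getServerPort();
        StringBuilder baseUrl = new StringBuilder()
                .append(scheme)
                .append("://")
                .append(request.getServerName());
        // Spell out the port only when it differs from the scheme's default, so https links
        // are not rendered as "...:443" (the previous check only knew about port 80).
        if (serverPort > 0 && serverPort != defaultPortFor(scheme)) {
            baseUrl.append(':').append(serverPort);
        }
        return baseUrl.append(request.getContextPath()).toString();
    }

    /**
     * Returns the conventional default port for a URL scheme.
     *
     * @param scheme the request scheme, e.g. {@code "http"} or {@code "https"}
     * @return 443 for https, 80 for anything else
     */
    private static int defaultPortFor(final String scheme) {
        return "https".equalsIgnoreCase(scheme) ? 443 : 80;
    }
}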