fix #2489 add time validation

This commit is contained in:
Shinsuke Sugaya 2020-10-08 22:06:29 +09:00
parent ad83edf75f
commit 5f02aa3f8f
2 changed files with 60 additions and 17 deletions


@ -74,6 +74,8 @@ public class RoleQueryHelper {
protected boolean encryptedCookieValue = true;
protected long maxAge = 30 * 60 * 1000L; // msec
protected Map<String, String> cookieNameMap;
protected final List<String> defaultRoleList = new ArrayList<>();
@ -237,6 +239,20 @@ public class RoleQueryHelper {
if (valueSeparator.length() > 0) {
final String[] values = rolesStr.split(valueSeparator);
if (maxAge > 0) {
try {
final long time = getCurrentTime() - Long.parseLong(values[0]);
if (time > maxAge || time < 0) {
if (logger.isDebugEnabled()) {
logger.debug("role info is expired: {} > {}", time, maxAge);
}
return;
}
} catch (NumberFormatException e) {
logger.warn("Invalid role infor: {}", rolesStr, e);
return;
}
}
if (values.length > 1) {
final String[] roles = values[1].split(roleSeparator);
for (final String role : roles) {
@ -255,6 +271,10 @@ public class RoleQueryHelper {
}
}
protected long getCurrentTime() {
return ComponentUtil.getSystemHelper().getCurrentTimeAsLong();
}
public void addCookieNameMapping(final String cookieName, final String roleName) {
if (cookieNameMap == null) {
cookieNameMap = new HashMap<>();
@ -298,4 +318,8 @@ public class RoleQueryHelper {
this.encryptedCookieValue = encryptedCookieValue;
}
public void setMaxAge(long maxAge) {
this.maxAge = maxAge;
}
}
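Review bot: The freshness check introduced around `final long time = getCurrentTime() - Long.parseLong(values[0]);` bounds replay only when the value arrived encrypted; when encryptedParameterValue, encryptedHeaderValue or encryptedCookieValue is false (the mode the test file exercises), the client supplies both the timestamp and the roles and can always send a current time, so the check adds no integrity there. That limitation is worth a comment above `if (maxAge > 0) {`, e.g. `// Freshness check: limits replay of an encrypted value; in plain-text mode the client picks the timestamp, so this is not an integrity control.` The debug message `"role info is expired: {} > {}"` also fires for the `time < 0` branch, which is the clock-skew / future-timestamp case rather than expiry, so consider `logger.debug("role info is expired or ahead of server time: {} ms (maxAge {})", time, maxAge);`. The warn line has a typo: `logger.warn("Invalid role info: {}", rolesStr, e);`. The enclosing method starts and ends outside the hunk.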


@ -24,6 +24,7 @@ import javax.servlet.http.HttpServletRequest;
import org.codelibs.core.crypto.CachedCipher;
import org.codelibs.core.exception.IllegalBlockSizeRuntimeException;
import org.codelibs.fess.unit.UnitFessTestCase;
import org.codelibs.fess.util.ComponentUtil;
public class RoleQueryHelperTest extends UnitFessTestCase {
public CachedCipher cipher;
@ -60,7 +61,11 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
}
public void test_buildByParameter() {
final RoleQueryHelper roleQueryHelperImpl = new RoleQueryHelper();
final RoleQueryHelper roleQueryHelperImpl = new RoleQueryHelper() {
protected long getCurrentTime() {
return System.currentTimeMillis();
}
};
Set<String> roleSet;
@ -74,7 +79,7 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
assertEquals(0, roleSet.size());
roleQueryHelperImpl.encryptedParameterValue = false;
getMockRequest().setParameter("fess1", "xxx\nrole1,role2,role3");
getMockRequest().setParameter("fess1", System.currentTimeMillis() + "\nrole1,role2,role3");
roleSet = buildByParameter(roleQueryHelperImpl, getMockRequest());
assertEquals(3, roleSet.size());
assertTrue(roleSet.contains("role1"));
@ -85,7 +90,7 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
roleQueryHelperImpl.cipher = cipher;
roleQueryHelperImpl.encryptedParameterValue = true;
getMockRequest().setParameter("fess2", cipher.encryptoText("xxx\nrole1,role2,role3"));
getMockRequest().setParameter("fess2", cipher.encryptoText(System.currentTimeMillis() + "\nrole1,role2,role3"));
roleSet = buildByParameter(roleQueryHelperImpl, getMockRequest());
assertEquals(3, roleSet.size());
assertTrue(roleSet.contains("role1"));
@ -116,7 +121,11 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
}
public void test_buildByHeader() {
final RoleQueryHelper roleQueryHelperImpl = new RoleQueryHelper();
final RoleQueryHelper roleQueryHelperImpl = new RoleQueryHelper() {
protected long getCurrentTime() {
return System.currentTimeMillis();
}
};
Set<String> roleSet;
@ -134,7 +143,7 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
assertEquals(0, roleSet.size());
roleQueryHelperImpl.encryptedHeaderValue = false;
getMockRequest().addHeader("fess1", "xxx\nrole1,role2,role3");
getMockRequest().addHeader("fess1", System.currentTimeMillis() + "\nrole1,role2,role3");
roleSet = buildByHeader(roleQueryHelperImpl, getMockRequest());
assertEquals(3, roleSet.size());
assertTrue(roleSet.contains("role1"));
@ -145,7 +154,7 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
roleQueryHelperImpl.cipher = cipher;
roleQueryHelperImpl.encryptedHeaderValue = true;
getMockRequest().addHeader("fess2", cipher.encryptoText("xxx\nrole1,role2,role3"));
getMockRequest().addHeader("fess2", cipher.encryptoText(System.currentTimeMillis() + "\nrole1,role2,role3"));
roleSet = buildByHeader(roleQueryHelperImpl, getMockRequest());
assertEquals(3, roleSet.size());
assertTrue(roleSet.contains("role1"));
@ -176,7 +185,11 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
}
public void test_buildByCookie() {
final RoleQueryHelper roleQueryHelperImpl = new RoleQueryHelper();
final RoleQueryHelper roleQueryHelperImpl = new RoleQueryHelper() {
protected long getCurrentTime() {
return System.currentTimeMillis();
}
};
Set<String> roleSet;
Cookie cookie;
@ -199,7 +212,7 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
assertEquals(0, roleSet.size());
roleQueryHelperImpl.encryptedCookieValue = false;
cookie = new Cookie("fess1", "xxx\nrole1,role2,role3");
cookie = new Cookie("fess1", System.currentTimeMillis() + "\nrole1,role2,role3");
getMockRequest().addCookie(cookie);
roleSet = buildByCookie(roleQueryHelperImpl, getMockRequest());
assertEquals(3, roleSet.size());
@ -211,7 +224,7 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
roleQueryHelperImpl.cipher = cipher;
roleQueryHelperImpl.encryptedCookieValue = true;
cookie = new Cookie("fess2", cipher.encryptoText("xxx\nrole1,role2,role3"));
cookie = new Cookie("fess2", cipher.encryptoText(System.currentTimeMillis() + "\nrole1,role2,role3"));
getMockRequest().addCookie(cookie);
roleSet = buildByCookie(roleQueryHelperImpl, getMockRequest());
assertEquals(3, roleSet.size());
@ -247,8 +260,11 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
}
public void test_decodedRoleList() {
final RoleQueryHelper roleQueryHelperImpl = new RoleQueryHelper();
final RoleQueryHelper roleQueryHelperImpl = new RoleQueryHelper() {
protected long getCurrentTime() {
return System.currentTimeMillis();
}
};
Set<String> roleSet;
boolean encrypted;
@ -270,13 +286,13 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
assertEquals(0, roleSet.size());
encrypted = false;
value = "xxx\nrole1";
value = System.currentTimeMillis() + "\nrole1";
roleSet = decodedRoleList(roleQueryHelperImpl, value, encrypted);
assertEquals(1, roleSet.size());
assertTrue(roleSet.contains("role1"));
encrypted = false;
value = "xxx\nrole1,role2";
value = System.currentTimeMillis() + "\nrole1,role2";
roleSet = decodedRoleList(roleQueryHelperImpl, value, encrypted);
assertEquals(2, roleSet.size());
assertTrue(roleSet.contains("role1"));
@ -312,8 +328,11 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
}
public void test_decodedRoleList_withCipher() {
final RoleQueryHelper roleQueryHelperImpl = new RoleQueryHelper();
final RoleQueryHelper roleQueryHelperImpl = new RoleQueryHelper() {
protected long getCurrentTime() {
return System.currentTimeMillis();
}
};
roleQueryHelperImpl.cipher = cipher;
Set<String> roleSet;
@ -336,13 +355,13 @@ public class RoleQueryHelperTest extends UnitFessTestCase {
assertEquals(0, roleSet.size());
encrypted = true;
value = cipher.encryptoText("xxx\nrole1");
value = cipher.encryptoText(System.currentTimeMillis() + "\nrole1");
roleSet = decodedRoleList(roleQueryHelperImpl, value, encrypted);
assertEquals(1, roleSet.size());
assertTrue(roleSet.contains("role1"));
encrypted = true;
value = cipher.encryptoText("xxx\nrole1,role2");
value = cipher.encryptoText(System.currentTimeMillis() + "\nrole1,role2");
roleSet = decodedRoleList(roleQueryHelperImpl, value, encrypted);
assertEquals(2, roleSet.size());
assertTrue(roleSet.contains("role1"));
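Review bot: Every updated fixture replaces the `xxx` prefix with `System.currentTimeMillis()`, so the tests still only exercise the accepted path; nothing asserts that a value whose timestamp is older than maxAge, in the future (`time < 0`), or non-numeric now yields an empty role set, which is the behaviour this commit adds. Since each test already overrides `getCurrentTime()` in an anonymous subclass, a deterministic check is cheap: return a fixed value there and pass `(fixed - roleQueryHelperImpl.maxAge - 1) + "\nrole1"`, `(fixed + 1) + "\nrole1"` and `"xxx\nrole1"`, asserting `assertEquals(0, roleSet.size())` for each. The repeated anonymous subclass in six tests could also be a single private helper, e.g. `private RoleQueryHelper newHelper(long now) { return new RoleQueryHelper() { @Override protected long getCurrentTime() { return now; } }; }`, which also restores the `@Override` annotation the new overrides lack.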