com.denimgroup.threadfix.webapp.controller.DocumentController.java Source code

Java tutorial

Introduction

Here is the source code for com.denimgroup.threadfix.webapp.controller.DocumentController.java

Source

////////////////////////////////////////////////////////////////////////
//
//     Copyright (c) 2009-2013 Denim Group, Ltd.
//
//     The contents of this file are subject to the Mozilla Public License
//     Version 2.0 (the "License"); you may not use this file except in
//     compliance with the License. You may obtain a copy of the License at
//     http://www.mozilla.org/MPL/
//
//     Software distributed under the License is distributed on an "AS IS"
//     basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the
//     License for the specific language governing rights and limitations
//     under the License.
//
//     The Original Code is ThreadFix.
//
//     The Initial Developer of the Original Code is Denim Group, Ltd.
//     Portions created by Denim Group, Ltd. are Copyright (C)
//     Denim Group, Ltd. All Rights Reserved.
//
//     Contributor(s): Denim Group, Ltd.
//
////////////////////////////////////////////////////////////////////////
package com.denimgroup.threadfix.webapp.controller;

import java.io.IOException;
import java.io.InputStream;
import java.sql.SQLException;

import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.io.IOUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.servlet.ModelAndView;

import com.denimgroup.threadfix.data.entities.Document;
import com.denimgroup.threadfix.data.entities.Permission;
import com.denimgroup.threadfix.service.DocumentService;
import com.denimgroup.threadfix.service.PermissionService;
import com.denimgroup.threadfix.service.SanitizedLogger;

@Controller
@RequestMapping("/organizations/{orgId}/applications/{appId}/documents")
public class DocumentController {

    public static final String SCANNER_TYPE_ERROR = "ThreadFix was unable to find a suitable "
            + "scanner type for the file. Please choose one from the list.";

    private PermissionService permissionService;
    private DocumentService documentService;

    private final SanitizedLogger log = new SanitizedLogger(UploadScanController.class);

    @Autowired
    public DocumentController(PermissionService permissionService, DocumentService documentService) {
        this.permissionService = permissionService;
        this.documentService = documentService;
    }

    public DocumentController() {
    }

    @RequestMapping(value = "/upload", method = RequestMethod.POST)
    public ModelAndView uploadSubmit(@PathVariable("appId") int appId, @PathVariable("orgId") int orgId,
            HttpServletRequest request, @RequestParam("file") MultipartFile file) {

        if (!permissionService.isAuthorized(Permission.CAN_MANAGE_APPLICATIONS, orgId, appId)) {
            return new ModelAndView("403");
        }
        String fileName = documentService.saveFileToApp(appId, file);

        if (fileName == null || fileName.equals("")) {
            log.warn("Saving the document have failed. Returning to document upload page.");
            ModelAndView mav = new ModelAndView("ajaxFailureHarness");
            mav.addObject("message", "Unable to save the document to the application.");
            mav.addObject("contentPage", "applications/forms/uploadDocForm.jsp");
            return mav;
        } else {
            ControllerUtils.addSuccessMessage(request, "The document was successfully added to the application.");
            //         ControllerUtils.addItem(request, "checkForRefresh", 1);      
            ModelAndView mav = new ModelAndView("ajaxRedirectHarness");
            mav.addObject("contentPage", "/organizations/" + orgId + "/applications/" + appId);
            return mav;
        }
    }

    @RequestMapping(value = "/vulnerabilities/{vulnId}/upload", method = RequestMethod.POST)
    public ModelAndView uploadSubmitVuln(@PathVariable("appId") int appId, @PathVariable("orgId") int orgId,
            @PathVariable("vulnId") int vulnId, HttpServletRequest request,
            @RequestParam("file") MultipartFile file) {

        if (!permissionService.isAuthorized(Permission.CAN_MODIFY_VULNERABILITIES, orgId, appId)) {
            return new ModelAndView("403");
        }
        String fileName = documentService.saveFileToVuln(vulnId, file);
        System.out.println(file.getContentType());
        if (fileName == null || fileName.equals("")) {
            log.warn("Saving the document have failed. Returning to document upload page.");
            ModelAndView mav = new ModelAndView("ajaxFailureHarness");
            mav.addObject("message", "Unable to save the document to the vulnerability.");
            mav.addObject("contentPage", "applications/forms/uploadDocVulnForm.jsp");
            return mav;
        } else {
            //         ControllerUtils.addItem(request, "checkForRefresh", 1);      
            ModelAndView mav = new ModelAndView("ajaxRedirectHarness");
            mav.addObject("contentPage",
                    "/organizations/" + orgId + "/applications/" + appId + "/vulnerabilities/" + vulnId);
            return mav;

        }
    }

    @RequestMapping(value = "/{docId}/view", method = RequestMethod.GET)
    public String detailDocument(Model model, @PathVariable("orgId") Integer orgId,
            @PathVariable("appId") Integer appId, @PathVariable("docId") Integer docId, HttpServletRequest request,
            HttpServletResponse response) throws SQLException, IOException {

        if (!permissionService.isAuthorized(Permission.READ_ACCESS, orgId, appId)) {
            return "403";
        }

        Document document = null;
        if (docId != null) {
            document = documentService.loadDocument(docId);
        }

        if (document == null) {
            if (orgId != null && appId != null)
                return "redirect:/organizations/" + orgId + "/applications/" + appId + "/documents";
            else if (orgId != null)
                return "redirect:/organizations/" + orgId;
            else
                return "redirect:/";
        }

        String contentType = document.getContentType();
        //      if (contentType == null || contentType.contains("htm") || contentType.contains("js")) {
        //         contentType = "text/plain";
        //      }
        response.setContentType(contentType);
        if (contentType.equals(documentService.getContentTypeService().getDefaultType()) || contentType == null) {
            response.addHeader("Content-Disposition",
                    "attachment; filename=\"" + document.getName() + "." + document.getType() + "\"");
            response.setContentType("application/octet-stream");
        }
        response.addHeader("X-Content-Type-Options", "nosniff");
        InputStream in = document.getFile().getBinaryStream();
        ServletOutputStream out = response.getOutputStream();
        IOUtils.copy(in, out);
        in.close();
        out.flush();
        out.close();

        return null;
    }

    @RequestMapping(value = "/{docId}/download", method = RequestMethod.POST)
    public String downloadDocument(Model model, @PathVariable("orgId") Integer orgId,
            @PathVariable("appId") Integer appId, @PathVariable("docId") Integer docId, HttpServletRequest request,
            HttpServletResponse response) throws SQLException, IOException {

        if (!permissionService.isAuthorized(Permission.READ_ACCESS, orgId, appId)) {
            return "403";
        }

        Document document = null;
        if (docId != null) {
            document = documentService.loadDocument(docId);
        }

        if (document == null) {
            if (orgId != null && appId != null)
                return "redirect:/organizations/" + orgId + "/applications/" + appId + "/documents";
            else if (orgId != null)
                return "redirect:/organizations/" + orgId;
            else
                return "redirect:/";
        }
        response.setHeader("Content-Disposition",
                "attachment; filename=\"" + document.getName() + "." + document.getType() + "\"");
        response.setContentType(document.getContentType());
        InputStream in = document.getFile().getBinaryStream();
        ServletOutputStream out = response.getOutputStream();
        IOUtils.copy(in, out);
        in.close();
        out.flush();
        out.close();

        return null;
    }

    @RequestMapping(value = "/{docId}/delete", method = RequestMethod.POST)
    public String deleteDocument(@PathVariable("orgId") Integer orgId, @PathVariable("appId") Integer appId,
            @PathVariable("docId") Integer docId, HttpServletRequest request, HttpServletResponse response)
            throws SQLException, IOException {

        if (!permissionService.isAuthorized(Permission.CAN_MANAGE_APPLICATIONS, orgId, appId)) {
            return "403";
        }

        Document document = null;
        if (docId != null) {
            document = documentService.loadDocument(docId);
        }

        if (document == null) {
            if (orgId != null && appId != null)
                return "redirect:/organizations/" + orgId + "/applications/" + appId + "/documents";
            else if (orgId != null)
                return "redirect:/organizations/" + orgId;
            else
                return "redirect:/";
        }

        String urlReturn = documentService.deleteDocument(document);

        return urlReturn;
    }

}