com.tethrnet.manage.db.AuthDB.java Source code

Java tutorial

Introduction

Here is the source code for com.tethrnet.manage.db.AuthDB.java

Source

/**
 * Copyright 2013 Sean Kavanagh - sean.p.kavanagh6@gmail.com
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.tethrnet.manage.db;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.UUID;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.tethrnet.manage.model.Auth;
import com.tethrnet.manage.model.User;
import com.tethrnet.manage.util.DBUtils;
import com.tethrnet.manage.util.EncryptionUtil;
import com.tethrnet.manage.util.ExternalAuthUtil;

/**
 * DAO to login administrative users
 */
public class AuthDB {

    private static Logger log = LoggerFactory.getLogger(AuthDB.class);

    /**
     * auth user and return auth token if valid auth
     *
     * @param auth username and password object
     * @return auth token if success
     */
    public static String login(Auth auth) {
        String authToken = null;
        //admin just for locally
        if (!auth.getUsername().equals("admin")) {
            //check ldap first
            authToken = ExternalAuthUtil.login(auth);
        }

        if (StringUtils.isEmpty(authToken)) {

            Connection con = null;

            try {
                con = DBUtils.getConn();

                //get salt for user
                String salt = getSaltByUsername(con, auth.getUsername());
                //login
                PreparedStatement stmt = con
                        .prepareStatement("select * from users where enabled=true and username=? and password=?");
                stmt.setString(1, auth.getUsername());
                stmt.setString(2, EncryptionUtil.hash(auth.getPassword() + salt));
                ResultSet rs = stmt.executeQuery();

                if (rs.next()) {

                    auth.setId(rs.getLong("id"));
                    authToken = UUID.randomUUID().toString();
                    auth.setAuthToken(authToken);
                    auth.setAuthType(Auth.AUTH_BASIC);
                    updateLogin(con, auth);

                }
                DBUtils.closeRs(rs);
                DBUtils.closeStmt(stmt);

            } catch (Exception e) {
                log.error(e.toString(), e);
            }

            DBUtils.closeConn(con);
        }

        return authToken;

    }

    /**
     * checks to see if user is an admin based on auth token
     *
     * @param userId    user id
     * @param authToken auth token string
     * @return user type if authorized, null if not authorized
     */
    public static String isAuthorized(Long userId, String authToken) {

        String authorized = null;

        Connection con = null;
        if (authToken != null && !authToken.trim().equals("")) {

            try {
                con = DBUtils.getConn();
                PreparedStatement stmt = con
                        .prepareStatement("select * from users where enabled=true and id=? and auth_token=?");
                stmt.setLong(1, userId);
                stmt.setString(2, authToken);
                ResultSet rs = stmt.executeQuery();

                if (rs.next()) {
                    authorized = rs.getString("user_type");

                }
                DBUtils.closeRs(rs);

                DBUtils.closeStmt(stmt);

            } catch (Exception e) {
                log.error(e.toString(), e);
            }
        }
        DBUtils.closeConn(con);
        return authorized;

    }

    /**
     * updates the admin table based on auth id
     *
     * @param con  DB connection
     * @param auth username and password object
     */
    public static void updateLogin(Connection con, Auth auth) {

        try {
            PreparedStatement stmt = con.prepareStatement(
                    "update users set username=?, auth_type=?, auth_token=?, password=?, salt=? where id=?");
            stmt.setString(1, auth.getUsername());
            stmt.setString(2, auth.getAuthType());
            stmt.setString(3, auth.getAuthToken());
            if (StringUtils.isNotEmpty(auth.getPassword())) {
                String salt = EncryptionUtil.generateSalt();
                stmt.setString(4, EncryptionUtil.hash(auth.getPassword() + salt));
                stmt.setString(5, salt);
            } else {
                stmt.setString(4, null);
                stmt.setString(5, null);
            }
            stmt.setLong(6, auth.getId());
            stmt.execute();

            DBUtils.closeStmt(stmt);

        } catch (Exception e) {
            log.error(e.toString(), e);
        }

    }

    /**
     * updates password for admin using auth token
     */
    public static boolean updatePassword(Auth auth) {
        boolean success = false;

        Connection con = null;
        try {
            con = DBUtils.getConn();

            String prevSalt = getSaltByAuthToken(con, auth.getAuthToken());
            PreparedStatement stmt = con
                    .prepareStatement("select * from users where auth_token like ? and password like ?");
            stmt.setString(1, auth.getAuthToken());
            stmt.setString(2, EncryptionUtil.hash(auth.getPrevPassword() + prevSalt));
            ResultSet rs = stmt.executeQuery();
            if (rs.next()) {

                String salt = EncryptionUtil.generateSalt();
                stmt = con.prepareStatement("update users set password=?, salt=? where auth_token like ?");
                stmt.setString(1, EncryptionUtil.hash(auth.getPassword() + salt));
                stmt.setString(2, salt);
                stmt.setString(3, auth.getAuthToken());
                stmt.execute();
                success = true;
            }

            DBUtils.closeRs(rs);
            DBUtils.closeStmt(stmt);

        } catch (Exception e) {
            log.error(e.toString(), e);
        }
        DBUtils.closeConn(con);
        return success;
    }

    /**
     * returns user id based on auth token
     *
     * @param authToken auth token
     * @param con       DB connection
     * @return user
     */
    public static User getUserByAuthToken(Connection con, String authToken) {

        User user = null;
        try {
            PreparedStatement stmt = con
                    .prepareStatement("select * from users where enabled=true and auth_token like ?");
            stmt.setString(1, authToken);
            ResultSet rs = stmt.executeQuery();
            if (rs.next()) {
                Long userId = rs.getLong("id");

                user = UserDB.getUser(con, userId);
            }
            DBUtils.closeRs(rs);
            DBUtils.closeStmt(stmt);

        } catch (Exception e) {
            log.error(e.toString(), e);
        }

        return user;

    }

    /**
     * returns user based on auth token
     *
     * @param authToken auth token
     * @return user
     */
    public static User getUserByAuthToken(String authToken) {

        User user = null;
        Connection con = null;
        try {
            con = DBUtils.getConn();
            user = getUserByAuthToken(con, authToken);
        } catch (Exception e) {
            log.error(e.toString(), e);
        }
        DBUtils.closeConn(con);

        return user;

    }

    /**
     * returns the shared secret based on user id
     *
     * @param userId user id
     * @return auth object
     */
    public static String getSharedSecret(Long userId) {

        String sharedSecret = null;
        Connection con = null;
        try {
            con = DBUtils.getConn();
            PreparedStatement stmt = con.prepareStatement("select * from users where id like ?");
            stmt.setLong(1, userId);
            ResultSet rs = stmt.executeQuery();
            if (rs.next()) {
                sharedSecret = EncryptionUtil.decrypt(rs.getString("otp_secret"));
            }
            DBUtils.closeRs(rs);
            DBUtils.closeStmt(stmt);

        } catch (Exception e) {
            log.error(e.toString(), e);
        }
        DBUtils.closeConn(con);

        return sharedSecret;

    }

    /**
     * updates shared secret based on auth token
     *
     * @param secret    OTP shared secret
     * @param authToken auth token
     */
    public static void updateSharedSecret(String secret, String authToken) {

        Connection con = null;
        try {
            con = DBUtils.getConn();
            PreparedStatement stmt = con.prepareStatement("update users set otp_secret=? where auth_token=?");
            stmt.setString(1, EncryptionUtil.encrypt(secret));
            stmt.setString(2, authToken);
            stmt.execute();
            DBUtils.closeStmt(stmt);

        } catch (Exception e) {
            log.error(e.toString(), e);
        }
        DBUtils.closeConn(con);

    }

    /**
     * get salt by user name
     *
     * @param con      DB connection
     * @param username username
     * @return salt
     */
    private static String getSaltByUsername(Connection con, String username) {

        String salt = "";
        try {
            PreparedStatement stmt = con
                    .prepareStatement("select salt from users where enabled=true and username=?");
            stmt.setString(1, username);
            ResultSet rs = stmt.executeQuery();
            if (rs.next() && rs.getString("salt") != null) {
                salt = rs.getString("salt");
            }
            DBUtils.closeRs(rs);
            DBUtils.closeStmt(stmt);

        } catch (Exception e) {
            log.error(e.toString(), e);
        }
        return salt;
    }

    /**
     * get salt by authentication token
     *
     * @param con       DB connection
     * @param authToken auth token
     * @return salt
     */
    private static String getSaltByAuthToken(Connection con, String authToken) {

        String salt = "";
        try {
            PreparedStatement stmt = con
                    .prepareStatement("select salt from users where enabled=true and auth_token=?");
            stmt.setString(1, authToken);
            ResultSet rs = stmt.executeQuery();
            if (rs.next() && rs.getString("salt") != null) {
                salt = rs.getString("salt");
            }
            DBUtils.closeRs(rs);
            DBUtils.closeStmt(stmt);

        } catch (Exception e) {
            log.error(e.toString(), e);
        }
        return salt;
    }

    /**
     * returns user base on username
     *
     * @param con DB connection
     * @param uid username id
     * @return user object
     */
    public static User getUserByUID(Connection con, String uid) {

        User user = null;
        try {
            PreparedStatement stmt = con
                    .prepareStatement("select * from  users where lower(username) like lower(?) and enabled=true");
            stmt.setString(1, uid);
            ResultSet rs = stmt.executeQuery();

            while (rs.next()) {
                user = new User();
                user.setId(rs.getLong("id"));
                user.setEmail(rs.getString("email"));
                user.setUsername(rs.getString("username"));
                user.setUserType(rs.getString("user_type"));
                user.setProfileList(UserProfileDB.getProfilesByUser(con, user.getId()));
            }
            DBUtils.closeRs(rs);
            DBUtils.closeStmt(stmt);

        } catch (Exception e) {
            log.error(e.toString(), e);
        }

        return user;
    }
}