password.pwm.http.PwmHttpRequestWrapper.java Source code

Java tutorial

Introduction

Here is the source code for password.pwm.http.PwmHttpRequestWrapper.java

Source

/*
 * Password Management Servlets (PWM)
 * http://www.pwm-project.org
 *
 * Copyright (c) 2006-2009 Novell, Inc.
 * Copyright (c) 2009-2017 The PWM Project
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 */

package password.pwm.http;

import org.apache.commons.io.IOUtils;
import password.pwm.AppProperty;
import password.pwm.PwmConstants;
import password.pwm.config.Configuration;
import password.pwm.error.ErrorInformation;
import password.pwm.error.PwmError;
import password.pwm.error.PwmUnrecoverableException;
import password.pwm.util.java.JsonUtil;
import password.pwm.util.PasswordData;
import password.pwm.util.java.StringUtil;
import password.pwm.util.Validator;
import password.pwm.util.logging.PwmLogger;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public abstract class PwmHttpRequestWrapper {
    private static final PwmLogger LOGGER = PwmLogger.forClass(PwmHttpRequestWrapper.class);

    private final HttpServletRequest httpServletRequest;
    private final Configuration configuration;

    public enum Flag {
        BypassValidation
    }

    protected PwmHttpRequestWrapper(final HttpServletRequest request, final Configuration configuration) {
        this.httpServletRequest = request;
        this.configuration = configuration;
    }

    public HttpServletRequest getHttpServletRequest() {
        return this.httpServletRequest;
    }

    public boolean isJsonRequest() {
        final String acceptHeader = this.readHeaderValueAsString(HttpHeader.Accept);
        return acceptHeader.contains(PwmConstants.AcceptValue.json.getHeaderValue());
    }

    public boolean isHtmlRequest() {
        final String acceptHeader = this.readHeaderValueAsString(HttpHeader.Accept);
        return acceptHeader.contains(PwmConstants.AcceptValue.html.getHeaderValue())
                || acceptHeader.contains("*/*");
    }

    public String getContextPath() {
        return httpServletRequest.getContextPath();
    }

    public String readRequestBodyAsString() throws IOException, PwmUnrecoverableException {
        final int maxChars = Integer.parseInt(configuration.readAppProperty(AppProperty.HTTP_BODY_MAXREAD_LENGTH));
        return readRequestBodyAsString(maxChars);
    }

    public String readRequestBodyAsString(final int maxChars) throws IOException, PwmUnrecoverableException {
        return readRequestBodyAsString(this.getHttpServletRequest(), maxChars);
    }

    public static String readRequestBodyAsString(final HttpServletRequest httpServletRequest, final int maxChars)
            throws IOException, PwmUnrecoverableException {
        final StringWriter stringWriter = new StringWriter();
        final Reader readerStream = new InputStreamReader(httpServletRequest.getInputStream(),
                PwmConstants.DEFAULT_CHARSET);

        try {
            IOUtils.copy(readerStream, stringWriter);
        } catch (Exception e) {
            final String errorMsg = "error reading request body stream: " + e.getMessage();
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN, errorMsg));
        } finally {
            IOUtils.closeQuietly(readerStream);
        }

        final String stringValue = stringWriter.toString();
        if (stringValue.length() > maxChars) {
            throw new PwmUnrecoverableException(new ErrorInformation(PwmError.ERROR_UNKNOWN,
                    "input request body is to big, size=" + stringValue.length() + ", max=" + maxChars));
        }
        return stringValue;
    }

    public Map<String, String> readBodyAsJsonStringMap(final Flag... flags)
            throws IOException, PwmUnrecoverableException {
        final boolean bypassInputValidation = flags != null && Arrays.asList(flags).contains(Flag.BypassValidation);
        final String bodyString = readRequestBodyAsString();
        final Map<String, String> inputMap = JsonUtil.deserializeStringMap(bodyString);

        final boolean trim = Boolean.parseBoolean(configuration.readAppProperty(AppProperty.SECURITY_INPUT_TRIM));
        final boolean passwordTrim = Boolean
                .parseBoolean(configuration.readAppProperty(AppProperty.SECURITY_INPUT_PASSWORD_TRIM));
        final int maxLength = Integer
                .parseInt(configuration.readAppProperty(AppProperty.HTTP_PARAM_MAX_READ_LENGTH));

        final Map<String, String> outputMap = new LinkedHashMap<>();
        if (inputMap != null) {
            for (final String key : inputMap.keySet()) {
                if (key != null) {
                    final boolean passwordType = key.toLowerCase().contains("password");
                    String value;
                    value = bypassInputValidation ? inputMap.get(key)
                            : Validator.sanitizeInputValue(configuration, inputMap.get(key), maxLength);
                    value = passwordType && passwordTrim ? value.trim() : value;
                    value = !passwordType && trim ? value.trim() : value;

                    final String sanitizedName = Validator.sanitizeInputValue(configuration, key, maxLength);
                    outputMap.put(sanitizedName, value);
                }
            }
        }

        return Collections.unmodifiableMap(outputMap);
    }

    public Map<String, Object> readBodyAsJsonMap(final Flag... flags)
            throws IOException, PwmUnrecoverableException {
        final boolean bypassInputValidation = flags != null && Arrays.asList(flags).contains(Flag.BypassValidation);
        final String bodyString = readRequestBodyAsString();
        final Map<String, Object> inputMap = JsonUtil.deserializeMap(bodyString);

        final boolean trim = Boolean.parseBoolean(configuration.readAppProperty(AppProperty.SECURITY_INPUT_TRIM));
        final boolean passwordTrim = Boolean
                .parseBoolean(configuration.readAppProperty(AppProperty.SECURITY_INPUT_PASSWORD_TRIM));
        final int maxLength = Integer
                .parseInt(configuration.readAppProperty(AppProperty.HTTP_PARAM_MAX_READ_LENGTH));

        final Map<String, Object> outputMap = new LinkedHashMap<>();
        if (inputMap != null) {
            for (final String key : inputMap.keySet()) {
                if (key != null) {
                    final boolean passwordType = key.toLowerCase().contains("password");
                    final Object value;
                    if (inputMap.get(key) instanceof String) {
                        String stringValue = bypassInputValidation ? (String) inputMap.get(key)
                                : Validator.sanitizeInputValue(configuration, (String) inputMap.get(key),
                                        maxLength);
                        stringValue = passwordType && passwordTrim ? stringValue.trim() : stringValue;
                        stringValue = !passwordType && trim ? stringValue.trim() : stringValue;
                        value = stringValue;
                    } else {
                        value = inputMap.get(key);
                    }

                    final String sanitizedName = Validator.sanitizeInputValue(configuration, key, maxLength);
                    outputMap.put(sanitizedName, value);
                }
            }
        }

        return Collections.unmodifiableMap(outputMap);
    }

    public PasswordData readParameterAsPassword(final String name) throws PwmUnrecoverableException {
        final int maxLength = Integer
                .parseInt(configuration.readAppProperty(AppProperty.HTTP_PARAM_MAX_READ_LENGTH));
        final boolean trim = Boolean
                .parseBoolean(configuration.readAppProperty(AppProperty.SECURITY_INPUT_PASSWORD_TRIM));

        final String rawValue = httpServletRequest.getParameter(name);
        if (rawValue != null && !rawValue.isEmpty()) {
            final String decodedValue = decodeStringToDefaultCharSet(rawValue);
            final String sanitizedValue = Validator.sanitizeInputValue(configuration, decodedValue, maxLength);
            if (sanitizedValue != null) {
                final String trimmedVale = trim ? sanitizedValue.trim() : sanitizedValue;
                return new PasswordData(trimmedVale);
            }
        }
        return null;
    }

    public String readParameterAsString(final String name, final int maxLength, final Flag... flags)
            throws PwmUnrecoverableException {
        final List<String> results = readParameterAsStrings(name, maxLength, flags);
        if (results == null || results.isEmpty()) {
            return "";
        }

        return results.iterator().next();
    }

    public String readParameterAsString(final String name, final String valueIfNotPresent)
            throws PwmUnrecoverableException {
        final int maxLength = Integer
                .parseInt(configuration.readAppProperty(AppProperty.HTTP_PARAM_MAX_READ_LENGTH));
        final String returnValue = readParameterAsString(name, maxLength);
        return returnValue == null || returnValue.isEmpty() ? valueIfNotPresent : returnValue;
    }

    public boolean hasParameter(final String name) throws PwmUnrecoverableException {
        return this.getHttpServletRequest().getParameterMap().containsKey(name);
    }

    public String readParameterAsString(final String name, final Flag... flags) throws PwmUnrecoverableException {
        final int maxLength = Integer
                .parseInt(configuration.readAppProperty(AppProperty.HTTP_PARAM_MAX_READ_LENGTH));
        return readParameterAsString(name, maxLength, flags);
    }

    public boolean readParameterAsBoolean(final String name) throws PwmUnrecoverableException {
        final String strValue = readParameterAsString(name);
        return strValue != null && Boolean.parseBoolean(strValue);
    }

    public int readParameterAsInt(final String name, final int defaultValue) throws PwmUnrecoverableException {
        final String strValue = readParameterAsString(name);
        try {
            return Integer.parseInt(strValue);
        } catch (NumberFormatException e) {
            return defaultValue;
        }
    }

    public List<String> readParameterAsStrings(final String name, final int maxLength, final Flag... flags)
            throws PwmUnrecoverableException {
        final boolean bypassInputValidation = flags != null && Arrays.asList(flags).contains(Flag.BypassValidation);
        final HttpServletRequest req = this.getHttpServletRequest();
        final boolean trim = Boolean.parseBoolean(configuration.readAppProperty(AppProperty.SECURITY_INPUT_TRIM));
        final String[] rawValues = req.getParameterValues(name);
        if (rawValues == null || rawValues.length == 0) {
            return Collections.emptyList();
        }

        final List<String> resultSet = new ArrayList<>();
        for (final String rawValue : rawValues) {
            final String decodedValue = decodeStringToDefaultCharSet(rawValue);
            final String sanitizedValue = bypassInputValidation ? decodedValue
                    : Validator.sanitizeInputValue(configuration, decodedValue, maxLength);

            if (sanitizedValue.length() > 0) {
                resultSet.add(trim ? sanitizedValue.trim() : sanitizedValue);
            }
        }

        return resultSet;
    }

    public String readHeaderValueAsString(final HttpHeader headerName) {
        return readHeaderValueAsString(headerName.getHttpName());
    }

    public String readHeaderValueAsString(final String headerName) {
        final int maxChars = Integer
                .parseInt(configuration.readAppProperty(AppProperty.HTTP_PARAM_MAX_READ_LENGTH));
        final HttpServletRequest req = this.getHttpServletRequest();
        final String rawValue = req.getHeader(headerName);
        final String sanitizedInputValue = Validator.sanitizeInputValue(configuration, rawValue, maxChars);
        return Validator.sanitizeHeaderValue(configuration, sanitizedInputValue);
    }

    public Map<String, List<String>> readHeaderValuesMap() {
        final int maxChars = Integer
                .parseInt(configuration.readAppProperty(AppProperty.HTTP_PARAM_MAX_READ_LENGTH));
        final HttpServletRequest req = this.getHttpServletRequest();
        final Map<String, List<String>> returnObj = new LinkedHashMap<>();

        for (final Enumeration<String> headerNameEnum = req.getHeaderNames(); headerNameEnum.hasMoreElements();) {
            final String headerName = headerNameEnum.nextElement();
            final List<String> valueList = new ArrayList<>();
            for (final Enumeration<String> headerValueEnum = req.getHeaders(headerName); headerValueEnum
                    .hasMoreElements();) {
                final String headerValue = headerValueEnum.nextElement();
                final String sanitizedInputValue = Validator.sanitizeInputValue(configuration, headerValue,
                        maxChars);
                final String sanitizedHeaderValue = Validator.sanitizeHeaderValue(configuration,
                        sanitizedInputValue);
                if (sanitizedHeaderValue != null && !sanitizedHeaderValue.isEmpty()) {
                    valueList.add(sanitizedHeaderValue);
                }
            }
            if (!valueList.isEmpty()) {
                returnObj.put(headerName, Collections.unmodifiableList(valueList));
            }
        }
        return Collections.unmodifiableMap(returnObj);
    }

    public List<String> parameterNames() {
        final int maxChars = Integer
                .parseInt(configuration.readAppProperty(AppProperty.HTTP_PARAM_MAX_READ_LENGTH));
        final List<String> returnObj = new ArrayList();
        for (final Enumeration nameEnum = getHttpServletRequest().getParameterNames(); nameEnum
                .hasMoreElements();) {
            final String paramName = nameEnum.nextElement().toString();
            final String returnName = Validator.sanitizeInputValue(configuration, paramName, maxChars);
            returnObj.add(returnName);
        }
        return Collections.unmodifiableList(returnObj);
    }

    public Map<String, String> readParametersAsMap() throws PwmUnrecoverableException {
        final Map<String, String> returnObj = new HashMap<>();
        for (final String paramName : parameterNames()) {
            final String paramValue = readParameterAsString(paramName);
            returnObj.put(paramName, paramValue);
        }
        return Collections.unmodifiableMap(returnObj);
    }

    public Map<String, List<String>> readMultiParametersAsMap() throws PwmUnrecoverableException {
        final int maxLength = Integer
                .parseInt(configuration.readAppProperty(AppProperty.HTTP_PARAM_MAX_READ_LENGTH));
        final Map<String, List<String>> returnObj = new HashMap<>();
        for (final String paramName : parameterNames()) {
            final List<String> values = readParameterAsStrings(paramName, maxLength);
            returnObj.put(paramName, values);
        }
        return Collections.unmodifiableMap(returnObj);
    }

    public String readCookie(final String cookieName) {
        final int maxChars = Integer
                .parseInt(configuration.readAppProperty(AppProperty.HTTP_COOKIE_MAX_READ_LENGTH));
        final Cookie[] cookies = this.getHttpServletRequest().getCookies();
        if (cookies != null) {
            for (final Cookie cookie : cookies) {
                if (cookie.getName() != null && cookie.getName().equals(cookieName)) {
                    final String rawCookieValue = cookie.getValue();
                    final String decodedCookieValue = StringUtil.urlDecode(rawCookieValue);
                    return Validator.sanitizeInputValue(configuration, decodedCookieValue, maxChars);
                }
            }
        }

        return null;
    }

    private static String decodeStringToDefaultCharSet(final String input) {
        String decodedValue = input;
        try {
            decodedValue = new String(input.getBytes("ISO-8859-1"), PwmConstants.DEFAULT_CHARSET);
        } catch (UnsupportedEncodingException e) {
            LOGGER.error("error decoding request parameter: " + e.getMessage());
        }
        return decodedValue;
    }

    public HttpMethod getMethod() {
        return HttpMethod.fromString(this.getHttpServletRequest().getMethod());
    }

}