added AdminApi filter

fe9619a4 · Felix Sidokhine · aca5230e · fe9619a4 · fe9619a4 · fe9619a4
Commit fe9619a4 authored 4 years ago by Felix Sidokhine
--- a/jams-server/src/main/java/net/jami/jams/server/Server.java
+++ b/jams-server/src/main/java/net/jami/jams/server/Server.java
@@ -31,16 +31,21 @@ public class Server {
        JsoniterRegistry.initCodecs();
    }

-    public static DataStore dataStore;
+    public  static DataStore dataStore;
    //This one gets loaded via JAR, to make it more flexible.
-    public static CertificateAuthority certificateAuthority;
-    public static AuthenticationModule userAuthenticationModule;
-    public static NameServer nameServer;
+    public  static CertificateAuthority certificateAuthority;
+    public  static AuthenticationModule userAuthenticationModule;
+    public  static NameServer nameServer;
+    private static TomcatLauncher tomcatLauncher = null;

    public static void main(String[] args) {
        //Start tomcat.
-        TomcatLauncher tomcatLauncher = new TomcatLauncher();
-        tomcatLauncher.startServer();
+        switch (args.length){
+            case 0: tomcatLauncher = new TomcatLauncher(8080); break;
+            case 1: tomcatLauncher = new TomcatLauncher(Integer.parseInt(args[0])); break;
+            case 3: tomcatLauncher = new TomcatLauncher(Integer.parseInt(args[0]),args[1],args[2]);
+            default: log.error("Incorrect number of start arguments provided!"); System.exit(-1); break;
+        }

        //Look for the config.json file locally.


--- a/jams-server/src/main/java/net/jami/jams/server/core/TomcatLauncher.java
+++ b/jams-server/src/main/java/net/jami/jams/server/core/TomcatLauncher.java
@@ -10,22 +10,36 @@ import org.apache.catalina.webresources.JarResourceSet;
 import org.apache.catalina.webresources.StandardRoot;

 import java.io.File;
+import java.net.URI;
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;

+import static net.jami.jams.server.core.TomcatConnectorFactory.getSSLConnectorWithTrustStore;
+
 //This class boots the tomcat server which provides the subsystem
 //for the API calls.
 @Slf4j
 public class TomcatLauncher {

    private static final Tomcat tomcat = new Tomcat();
-    private static StandardContext context;
+
+    public TomcatLauncher(int port) {
+        tomcat.getService().addConnector(TomcatConnectorFactory.getNoSSLConnector(port));
+        this.startServer();
+    }
+
+    public TomcatLauncher(int port, String certificateFile, String keyFile) {
+        //If running in SSL mode, we need a trusts store in order to let clients authenticate.
+        //In this case this is a bit of a dirty hack...
+        log.error("This functionality is not yet implemented!");
+    }
+
+

    public void startServer() {
-        tomcat.getService().addConnector(TomcatConnectorFactory.getNoSSLConnector(8080));
        String jarName = URLDecoder.decode(new File(Server.class.getProtectionDomain().getCodeSource().getLocation().getPath()).getAbsolutePath(), StandardCharsets.UTF_8);
        log.info("JAR Resource File = " + jarName);
-        context = (StandardContext) tomcat.addWebapp("", new File(System.getProperty("user.dir")).getAbsolutePath());
+        StandardContext context = (StandardContext) tomcat.addWebapp("", new File(System.getProperty("user.dir")).getAbsolutePath());
        //Hack to prevent useless verbose messages.
        context.getJarScanner().setJarScanFilter((jarScanType, s) -> false);
        WebResourceRoot resources = new StandardRoot(context);
@@ -43,7 +57,6 @@ public class TomcatLauncher {
            basePath.append("/jams-server");
            resources.addPreResources(new DirResourceSet(resources, "/WEB-INF/classes", basePath.toString() + "/target/classes/net/jami/jams/server/servlets", "/"));
            resources.addPreResources(new DirResourceSet(resources, "/", basePath.toString() + "/target/classes", "/webapp"));
-
        }
        context.setResources(resources);
        //We always go to login by default.

--- a/jams-server/src/main/java/net/jami/jams/server/servlets/filters/AdminApiFilter.java
+++ b/jams-server/src/main/java/net/jami/jams/server/servlets/filters/AdminApiFilter.java
+package net.jami.jams.server.servlets.filters;
+
+import com.nimbusds.jose.JWSVerifier;
+import com.nimbusds.jose.crypto.RSASSAVerifier;
+import com.nimbusds.jwt.SignedJWT;
+import jakarta.servlet.*;
+import jakarta.servlet.annotation.WebFilter;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import lombok.extern.slf4j.Slf4j;
+import net.jami.jams.common.objects.user.AccessLevel;
+import net.jami.jams.server.Server;
+
+import java.io.IOException;
+import java.util.Date;
+
+import static net.jami.jams.server.Server.userAuthenticationModule;
+
+@WebFilter(urlPatterns = {"/api/admin/*"})
+@Slf4j
+public class AdminApiFilter implements Filter {
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        HttpServletRequest request = (HttpServletRequest) servletRequest;
+        HttpServletResponse response = (HttpServletResponse) servletResponse;
+        if (!Server.isInstalled.get()) {
+            response.sendError(404,"This endpoint requires setup to be complete!");
+        } else {
+            boolean authsuccess = false;
+            boolean isLogin = false;
+            if (request.getServletPath().contains("login")) isLogin = true;
+            if (request.getHeader("Bearer") != null){
+                SignedJWT signedJWT = null;
+                try {
+                    JWSVerifier jwsVerifier = new RSASSAVerifier(userAuthenticationModule.getAuthModulePubKey());
+                    signedJWT = SignedJWT.parse(request.getHeader("Bearer"));
+                    if(signedJWT.verify(jwsVerifier) && signedJWT.getJWTClaimsSet().getExpirationTime().compareTo(new Date()) > 0
+                    && AccessLevel.valueOf(signedJWT.getJWTClaimsSet().getClaim("scope").toString()).equals(AccessLevel.ADMIN)){
+                        authsuccess = true;
+                        request.setAttribute("username",signedJWT.getJWTClaimsSet().getSubject());
+                    }
+                } catch (Exception e) {
+                    log.info("Received an invalid token, declining access...");
+                }
+            }
+            if (authsuccess || isLogin){
+                filterChain.doFilter(servletRequest, servletResponse);
+            }
+            else response.sendError(403,"This endpoint requires setup to be complete!");
+        }
+    }
+
+}
--- a/jams-server/src/main/java/net/jami/jams/server/servlets/filters/APIFilter.java
+++ b/jams-server/src/main/java/net/jami/jams/server/servlets/filters/APIFilter.java
@@ -17,7 +17,7 @@ import static net.jami.jams.server.Server.userAuthenticationModule;

 @WebFilter(urlPatterns = {"/api/auth/*"})
 @Slf4j
-public class APIFilter implements Filter {
+public class ApiFilter implements Filter {

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
@@ -37,7 +37,6 @@ public class APIFilter implements Filter {
                    if(signedJWT.verify(jwsVerifier) && signedJWT.getJWTClaimsSet().getExpirationTime().compareTo(new Date()) > 0){
                        authsuccess = true;
                        request.setAttribute("username",signedJWT.getJWTClaimsSet().getSubject());
-                        request.setAttribute("accessLevel",signedJWT.getJWTClaimsSet().getClaim("scope"));
                    }
                } catch (Exception e) {
                    log.info("Received an invalid token, declining access...");