/**
* Copyright (c) 2008-2011 Sonatype, Inc.
* All rights reserved. Includes the third-party code listed at http://www.sonatype.com/products/nexus/attributions.
*
* This program is free software: you can redistribute it and/or modify it only under the terms of the GNU Affero General
* Public License Version 3 as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License Version 3
* for more details.
*
* You should have received a copy of the GNU Affero General Public License Version 3 along with this program. If not, see
* http://www.gnu.org/licenses.
*
* Sonatype Nexus (TM) Open Source Version is available from Sonatype, Inc. Sonatype and Sonatype Nexus are trademarks of
* Sonatype, Inc. Apache Maven is a trademark of the Apache Foundation. M2Eclipse is a trademark of the Eclipse Foundation.
* All other trademarks are the property of their respective owners.
*/
package org.sonatype.nexus.security.filter.authz;
import java.io.IOException;
import java.util.regex.Matcher;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.web.util.WebUtils;
import org.sonatype.nexus.proxy.AccessDeniedException;
import org.sonatype.nexus.proxy.ItemNotFoundException;
import org.sonatype.nexus.proxy.RequestContext;
import org.sonatype.nexus.proxy.ResourceStoreRequest;
import org.sonatype.nexus.proxy.access.Action;
/**
* A filter that maps the targetId from the Request.
*
* @author cstamas
*/
public class NexusTargetMappingAuthorizationFilter
extends AbstractNexusAuthorizationFilter
{
private String pathReplacement;
public String getPathReplacement()
{
if ( pathReplacement == null )
{
pathReplacement = "";
}
return pathReplacement;
}
public void setPathReplacement( String pathReplacement )
{
this.pathReplacement = pathReplacement;
}
public String getResourceStorePath( ServletRequest request )
{
String path = WebUtils.getPathWithinApplication( (HttpServletRequest) request );
if ( getPathPrefix() != null )
{
Matcher m = this.getPathPrefixPattern().matcher( path );
if ( m.matches() )
{
path = getPathReplacement();
// TODO: hardcoded currently
if ( path.contains( "@1" ) )
{
path = path.replaceAll( "@1", Matcher.quoteReplacement( m.group( 1 ) ) );
}
if ( path.contains( "@2" ) )
{
path = path.replaceAll( "@2", Matcher.quoteReplacement( m.group( 2 ) ) );
}
// and so on... this will be reworked to be dynamic
}
else
{
throw new IllegalArgumentException(
"The request path does not matches the incoming request? This is misconfiguration in web.xml!" );
}
}
return path;
}
protected ResourceStoreRequest getResourceStoreRequest( ServletRequest request, boolean localOnly )
{
ResourceStoreRequest rsr = new ResourceStoreRequest( getResourceStorePath( request ), localOnly );
rsr.getRequestContext().put( RequestContext.CTX_AUTH_CHECK_ONLY, true );
return rsr;
}
@Override
protected String getHttpMethodAction(ServletRequest request) {
String method = ((HttpServletRequest) request).getMethod().toLowerCase();
if ( "put".equals( method ) )
{
// heavy handed thing
// doing a LOCAL ONLY request to check is this exists?
try
{
getNexus( request ).getRootRouter().retrieveItem( getResourceStoreRequest( request, true ) );
}
catch ( ItemNotFoundException e )
{
// the path does not exists, it is a CREATE
method = "post";
}
catch ( AccessDeniedException e )
{
// no access for read, so chances are post or put doesnt matter
method = "post";
}
catch ( Exception e )
{
// huh?
throw new IllegalStateException( "Got exception during target mapping!", e );
}
// the path exists, this is UPDATE
return super.getHttpMethodAction( method );
}
else
{
return super.getHttpMethodAction( request );
}
}
@Override
public boolean isAccessAllowed( ServletRequest request, ServletResponse response, Object mappedValue )
throws IOException
{
// let check the mappedValues 1st
boolean result = false;
if ( mappedValue != null )
{
result = super.isAccessAllowed( request, response, mappedValue );
// if we are not allowed at start, forbid it
if ( !result )
{
return false;
}
}
String actionVerb = getHttpMethodAction( request );
Action action = Action.valueOf( actionVerb );
if ( null == action )
{
return false;
}
return this.getRepositoryRouter().authorizePath( getResourceStoreRequest( request, false ), action );
}
}