use of org.candlepin.common.auth.SecurityHole in project candlepin by candlepin.
the class AuthenticationFilter method filter.
/**
 * Resolves the caller's {@link Principal} for the current request and installs it as the
 * request's security context.
 *
 * Resolution order:
 *  1. a resource method annotated {@code @SecurityHole(anon = true)} is served to a
 *     {@link NoAuthPrincipal} without consulting any provider;
 *  2. the swagger listing resource ({@link ApiListingResource}) is treated the same way;
 *  3. otherwise the configured {@code providers} are asked in order and the first one
 *     returning a non-null principal wins.
 * If no principal was established, a {@code noAuth = true} hole still admits the request as
 * {@link NoAuthPrincipal}; any other request is rejected before the resource runs.
 *
 * @param requestContext the JAX-RS request being filtered
 * @throws BadRequestException when credentials were not accepted, the connection is not
 *         secure and {@code AUTH_OVER_HTTP} is disabled
 * @throws NotAuthorizedException when credentials were not accepted and no noAuth hole applies
 * @throws IOException declared by the filter contract
 */
@Override
public void filter(ContainerRequestContext requestContext) throws IOException {
    log.debug("Authentication check for {}", requestContext.getUriInfo().getPath());

    HttpRequest httpRequest = ResteasyProviderFactory.getContextData(HttpRequest.class);
    ResourceInfo resourceInfo = ResteasyProviderFactory.getContextData(ResourceInfo.class);
    Method target = resourceInfo.getResourceMethod();
    SecurityHole hole = target.getAnnotation(SecurityHole.class);

    boolean anonymousAllowed = hole != null && hole.anon();
    boolean noAuthAllowed = hole != null && hole.noAuth();

    Principal principal = null;

    if (anonymousAllowed) {
        // anon = true: the providers are skipped entirely and the resource runs unauthenticated.
        principal = new NoAuthPrincipal();
    }
    else if (resourceInfo.getResourceClass().equals(ApiListingResource.class)) {
        // The swagger listing is always served without a real principal.
        log.debug("Swagger API request made; no principal required.");
        principal = new NoAuthPrincipal();
    }
    else {
        // First provider that recognises the request wins; the rest are not consulted.
        for (AuthProvider candidate : providers) {
            Principal found = candidate.getPrincipal(httpRequest);
            if (found == null) {
                continue;
            }
            log.debug("Establishing principal with {}", candidate.getClass().getName());
            principal = found;
            break;
        }
    }

    if (principal == null) {
        // Nothing identified the caller. Only a noAuth hole lets the request through;
        // otherwise it is rejected, with a more specific message for plain-HTTP callers.
        if (noAuthAllowed) {
            log.debug("No auth allowed for resource; setting NoAuth principal");
            principal = new NoAuthPrincipal();
        }
        // NOTE(review): `request` here is a field, not the `httpRequest` local above —
        // presumably the injected servlet request; confirm they refer to the same request.
        else if (!config.getBoolean(ConfigProperties.AUTH_OVER_HTTP) && !request.isSecure()) {
            throw new BadRequestException("Please use SSL when accessing protected resources");
        }
        else {
            throw new NotAuthorizedException("Invalid credentials.");
        }
    }

    requestContext.setSecurityContext(new CandlepinSecurityContext(principal));
    // Push the principal into the context for the PrincipalProvider to access directly
    ResteasyProviderFactory.pushContext(Principal.class, principal);
}
use of org.candlepin.common.auth.SecurityHole in project candlepin by candlepin.
the class ConsumerResource method create.
/**
 * Registers a consumer.
 *
 * This endpoint is a {@code @SecurityHole(noAuth = true)}: the authentication filter lets
 * unauthenticated callers reach it, because the target owner cannot be derived from the
 * method signature alone. Access to that owner is therefore expected to be checked by the
 * code this method delegates to (the update and create paths below), not by the filter.
 *
 * A physical host (not {@code virt.is_guest}) that re-registers with a {@code system_uuid}
 * already known as a hypervisor in the given owner is updated in place and returned, so the
 * same machine is not registered twice.
 *
 * @param dto the consumer to create
 * @param principal the caller, possibly a NoAuth principal (see above)
 * @param userName optional user the consumer is registered for
 * @param ownerKey key of the owner the consumer belongs to
 * @param activationKeys comma-separated activation keys, if any
 * @param identityCertCreation whether to generate an identity certificate (default true)
 * @return the created (or updated) consumer
 * @throws BadRequestException when the unit type is missing or unknown
 */
@ApiOperation(notes = "Creates a Consumer. NOTE: Opening this method up " + "to everyone, as we have nothing we can reliably " + "verify in the method signature. Instead we have to " + "figure out what owner this consumer is destined for " + "(due to backward compatability with existing clients " + "which do not specify an owner during registration), " + "and then check the access to the specified owner in " + "the method itself.", value = "create")
@ApiResponses({ @ApiResponse(code = 400, message = ""), @ApiResponse(code = 403, message = ""), @ApiResponse(code = 404, message = "") })
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@SecurityHole(noAuth = true)
@Transactional
public ConsumerDTO create(@ApiParam(name = "consumer", required = true) ConsumerDTO dto, @Context Principal principal, @QueryParam("username") String userName, @QueryParam("owner") String ownerKey, @QueryParam("activation_keys") String activationKeys, @QueryParam("identity_cert_creation") @DefaultValue("true") boolean identityCertCreation) throws BadRequestException {
    // Duplicate hypervisor/consumer guard: update the existing record instead of creating one.
    Consumer existingHypervisor = this.lookupRegisteredHypervisorFor(dto, ownerKey);
    if (existingHypervisor != null) {
        existingHypervisor.setIdCert(generateIdCert(existingHypervisor, false));
        this.updateConsumer(existingHypervisor.getUuid(), dto, principal);
        return translator.translate(existingHypervisor, ConsumerDTO.class);
    }

    Consumer consumer = new Consumer();
    if (dto.getUuid() != null) {
        consumer.setUuid(dto.getUuid());
    }
    consumer.setOwner(ownerCurator.lookupByKey(ownerKey));
    populateEntity(consumer, dto);

    if (dto.getType() == null) {
        throw new BadRequestException(i18n.tr("Unit type must be specified."));
    }
    String typeLabel = dto.getType().getLabel();
    ConsumerType ctype = this.consumerTypeCurator.lookupByLabel(typeLabel);
    if (ctype == null) {
        throw new BadRequestException(i18n.tr("Invalid unit type: {0}", typeLabel));
    }

    return translator.translate(createConsumerFromDTO(dto, ctype, principal, userName, ownerKey, activationKeys, identityCertCreation), ConsumerDTO.class);
}

/**
 * Finds a hypervisor already registered in {@code ownerKey}'s owner with the same
 * {@code system_uuid} as {@code dto}, or null when the DTO does not qualify (no owner key,
 * no system_uuid, or the DTO declares itself a guest) or nothing matches.
 *
 * @param dto the incoming consumer
 * @param ownerKey key of the owner to search in; may be null
 * @return the matching hypervisor consumer, or null
 */
private Consumer lookupRegisteredHypervisorFor(ConsumerDTO dto, String ownerKey) {
    if (ownerKey == null || dto.getFact("system_uuid") == null || "true".equalsIgnoreCase(dto.getFact("virt.is_guest"))) {
        return null;
    }
    Owner owner = ownerCurator.lookupByKey(ownerKey);
    if (owner == null) {
        return null;
    }
    return consumerCurator.getHypervisor(dto.getFact("system_uuid"), owner);
}
use of org.candlepin.common.auth.SecurityHole in project candlepin by candlepin.
the class ContentOverrideResource method addContentOverrides.
/**
 * Adds or updates content overrides on the parent entity identified by the request path.
 *
 * The parent is resolved from the path parameter named by {@code getParentPath()}, and the
 * caller's access to it is verified with {@code Access.ALL} before the entries are validated
 * or written.
 *
 * @param info context to get the parent id
 * @param principal the caller whose access to the parent is checked
 * @param entries overrides to add or update
 *
 * @return the parent's full list of ContentOverride objects after the change
 * @httpcode 404
 * @httpcode 200
 */
@PUT
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Transactional
@SecurityHole
public List<T> addContentOverrides(@Context UriInfo info, @Context Principal principal, List<ContentOverride> entries) {
    // Authorization first: verifyAndGetParent enforces access before anything is validated or written.
    String parentId = info.getPathParameters().getFirst(this.getParentPath());
    Parent parent = this.verifyAndGetParent(parentId, principal, Access.ALL);

    contentOverrideValidator.validate(entries);
    for (ContentOverride override : entries) {
        contentOverrideCurator.addOrUpdate(parent, override);
    }

    return contentOverrideCurator.getList(parent);
}
use of org.candlepin.common.auth.SecurityHole in project candlepin by candlepin.
the class ContentOverrideResource method deleteContentOverrides.
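/**
 * Removes content overrides from the parent entity identified by the request path.
 *
 * The caller's access to the parent is verified with {@code Access.ALL} before any delete.
 * What is removed is decided per entry, from broadest to narrowest:
 *  - an empty entry list removes every override on the parent;
 *  - an entry with a blank content label also removes every override on the parent;
 *  - an entry with a label but a blank name removes all overrides for that label;
 *  - an entry with both label and name removes that single override.
 *
 * @param info context to get the parent id
 * @param principal the caller whose access to the parent is checked
 * @param entries overrides to remove
 *
 * @return the parent's remaining list of ContentOverride objects
 * @httpcode 404
 * @httpcode 200
 */
@DELETE
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@Transactional
@SecurityHole
public List<T> deleteContentOverrides(@Context UriInfo info, @Context Principal principal, List<ContentOverride> entries) {
    String parentId = info.getPathParameters().getFirst(this.getParentPath());
    Parent parent = this.verifyAndGetParent(parentId, principal, Access.ALL);

    if (entries.isEmpty()) {
        contentOverrideCurator.removeByParent(parent);
    }
    else {
        for (ContentOverride entry : entries) {
            String label = entry.getContentLabel();
            String name = entry.getName();
            if (StringUtils.isBlank(label)) {
                // A blank label acts as a wildcard: every override on the parent goes.
                contentOverrideCurator.removeByParent(parent);
            }
            else if (StringUtils.isBlank(name)) {
                contentOverrideCurator.removeByContentLabel(parent, label);
            }
            else {
                contentOverrideCurator.removeByName(parent, label, name);
            }
        }
    }

    return contentOverrideCurator.getList(parent);
}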
use of org.candlepin.common.auth.SecurityHole in project candlepin by candlepin.
the class AdminResource method initialize.
/**
 * One-time bootstrap of a standalone deployment.
 *
 * Acts only when the default user service adapter is in use and the user table is empty;
 * in every other state it is a no-op that reports "Already initialized.". The empty-table
 * guard is what makes repeat calls harmless.
 *
 * Security note: this endpoint is reachable without authentication
 * ({@code @SecurityHole(noAuth = true)}) and the account it creates uses fixed default
 * values ("admin", "admin", presumably username and password — see the {@code User}
 * constructor below), so it should only ever succeed once, on a fresh install.
 *
 * @return a short description of whether initialization was performed
 */
@GET
@Produces({ MediaType.TEXT_PLAIN })
@Path("init")
@SecurityHole(noAuth = true)
@ApiOperation(notes = "Initializes the Candlepin database. Currently this just" + " creates the admin user for standalone deployments using the" + " default user service adapter. It must be called once after" + " candlepin is installed, repeat calls are not required, but" + " will be harmless. The String returned is the description if" + " the db was or already is initialized.", value = "initialize")
public String initialize() {
    log.debug("Called initialize()");
    log.info("Initializing Candlepin database.");

    boolean usingDefaultAdapter = userService instanceof DefaultUserServiceAdapter;
    if (!usingDefaultAdapter || userCurator.getUserCount() != 0) {
        // Either an external user service owns the users, or bootstrap already happened.
        return "Already initialized.";
    }

    // Act as the system principal so the bootstrap writes are performed as a superuser.
    ResteasyProviderFactory.pushContext(Principal.class, new SystemPrincipal());
    log.info("Creating default super admin.");
    userService.createUser(new User("admin", "admin", true));
    return "Initialized!";
}