LPD-1476 AuthVerifier imp. #311

Open
wants to merge 8 commits into
base: master
from
Expand Up @@ -278,6 +278,78 @@ private Map<String, Object> _mergeSettings(
return mergedSettings;
}

private boolean _validate(
AccessControlContext accessControlContext,
AuthVerifier authVerifier, AuthVerifierResult authVerifierResult) {

User user = UserLocalServiceUtil.fetchUser(
authVerifierResult.getUserId());
Class<?> authVerifierClass = authVerifier.getClass();

if (!user.isActive()) {
if (_log.isDebugEnabled()) {
_log.debug(
StringBundler.concat(
"Auth verifier ", authVerifierClass.getName(),
" returned inactive user ", user.getUserId()));
}

return false;
}

if (PortalUtil.isImpersonated(accessControlContext.getRequest())) {
if (HttpServletRequest.FORM_AUTH.equals(
authVerifier.getAuthType())) {

return true;
}
else if (_log.isDebugEnabled()) {
_log.debug(
StringBundler.concat(
"Auth verifier ", authVerifierClass.getName(),
" returned user ", user.getUserId(), " through ",
"impersonation, but this is is unsupported for ",
"auth type ", authVerifier.getAuthType()));
}
}

if (!user.isEmailAddressVerificationComplete()) {
if (_log.isDebugEnabled()) {
_log.debug(
StringBundler.concat(
"Auth verifier ", authVerifierClass.getName(),
" returned user ", user.getUserId(),
" who must verify his email address"));
}

return false;
}
else if (user.isPasswordReset()) {
if (_log.isDebugEnabled()) {
_log.debug(
StringBundler.concat(
"Auth verifier ", authVerifierClass.getName(),
" returned user ", user.getUserId(),
" who must reset his password"));
}

return false;
}
else if (!user.isSetupComplete()) {
if (_log.isDebugEnabled()) {
_log.debug(
StringBundler.concat(
"Auth verifier ", authVerifierClass.getName(),
" returned user ", user.getUserId(),
" whose setup is incomplete"));
}

return false;
}

return true;
}

private AuthVerifierResult _verifyWithAuthVerifierConfiguration(
AccessControlContext accessControlContext,
AuthVerifierConfiguration authVerifierConfiguration) {
Expand Down Expand Up @@ -328,43 +400,15 @@ private AuthVerifierResult _verifyWithAuthVerifierConfiguration(
authVerifierResult.getUserId());

if ((user != null) &&
(!user.isActive() ||
!user.isEmailAddressVerificationComplete() ||
user.isPasswordReset())) {

long userId = authVerifierResult.getUserId();

if (_log.isDebugEnabled()) {
Class<?> authVerifierClass = authVerifier.getClass();

if (!user.isActive()) {
_log.debug(
StringBundler.concat(
"Auth verifier ", authVerifierClass.getName(),
" returned inactive user ", userId));
}
else if (!user.isEmailAddressVerificationComplete()) {
_log.debug(
StringBundler.concat(
"Auth verifier ", authVerifierClass.getName(),
" returned user ", userId,
" who must verify his email address"));
}
else {
_log.debug(
StringBundler.concat(
"Auth verifier ", authVerifierClass.getName(),
" returned user ", userId,
" who must reset his password"));
}
}
!_validate(
accessControlContext, authVerifier, authVerifierResult)) {

authVerifierResult = new AuthVerifierResult();

authVerifierResult.setState(
AuthVerifierResult.State.UNSUCCESSFUL);

authVerifierResult.setUserId(userId);
authVerifierResult.setUserId(authVerifierResult.getUserId());
}

Map<String, Object> settings = _mergeSettings(
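Review bot: In the rewritten rejection branch of `_verifyWithAuthVerifierConfiguration`, `authVerifierResult.setUserId(authVerifierResult.getUserId());` runs after `authVerifierResult` has already been reassigned to a fresh `AuthVerifierResult`, so it copies the new object's own value onto itself and the UNSUCCESSFUL result no longer carries the rejected user's id. Keep the local the old code had: `long userId = authVerifierResult.getUserId();` before `authVerifierResult = new AuthVerifierResult();`, then `authVerifierResult.setUserId(userId);`. Separately, the impersonation branch in `_validate` logs that impersonation is unsupported for a non-form auth type but then falls through, so such a request can still end in `return true` when the remaining checks pass; if it is meant to be rejected, return `false` in that branch regardless of log level, and otherwise reword the message (it also contains a doubled "is is"). `_validate` dereferences the `fetchUser` result without a null check and depends on the caller's `user != null` guard, which deserves a one-line comment; the method containing the second hunk starts and ends outside it.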
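--- a/portal-impl/src/com/liferay/portal/util/PortalImpl.java
+++ b/portal-impl/src/com/liferay/portal/util/PortalImpl.java
@@ -5775,6 +5775,34 @@ public boolean isGroupOwner(User user, long groupId) throws Exception {
 return permissionChecker.isGroupOwner(groupId);
 }
 
+@Override
+public boolean isImpersonated(HttpServletRequest httpServletRequest) {
+if (!PropsValues.PORTAL_IMPERSONATION_ENABLE) {
+return false;
+}
+
+String doAsUserIdString = httpServletRequest.getParameter("doAsUserId");
+
+try {
+if (getDoAsUserId(
+getOriginalServletRequest(httpServletRequest),
+doAsUserIdString, false) > 0) {
+
+return true;
+}
+
+return false;
+}
+catch (Exception exception) {
+if (_log.isWarnEnabled()) {
+_log.warn(
+"Unable to impersonate " + doAsUserIdString, exception);
+}
+
+return false;
+}
+}
+
 @Override
 public boolean isLayoutDescendant(Layout layout, long layoutId)
 throws PortalException {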
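Review bot: The catch block in `isImpersonated` concatenates the untrusted `doAsUserId` request parameter into a WARN message and attaches the full stack trace, so unvalidated request data reaches the log at a level that is normally enabled. Whether `getDoAsUserId` throws on malformed input is not visible in this hunk, but the value is caller-controlled either way; consider logging at debug level, or logging only a sanitized, length-limited value, e.g. `_log.debug("Unable to resolve doAsUserId", exception);`. The method also needs a Javadoc stating that `true` means impersonation is enabled and `getDoAsUserId` resolved a positive user id, and what the `false` third argument selects, because `_validate` uses this result to skip the email-verification, password-reset and setup checks.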
2 changes: 1 addition & 1 deletion portal-impl/src/com/liferay/portal/util/packageinfo
@@ -1 +1 @@
version 62.0.0
version 62.1.0
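--- a/portal-kernel/src/com/liferay/portal/kernel/util/Portal.java
+++ b/portal-kernel/src/com/liferay/portal/kernel/util/Portal.java
@@ -1020,6 +1020,8 @@ public boolean isGroupFriendlyURL(
 
 public boolean isGroupOwner(User user, long groupId) throws Exception;
 
+public boolean isImpersonated(HttpServletRequest httpServletRequest);
+
 public boolean isLayoutDescendant(Layout layout, long layoutId)
 throws PortalException;
 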
Expand Up @@ -1662,6 +1662,12 @@ public static boolean isGroupOwner(User user, long groupId)
return _portal.isGroupOwner(user, groupId);
}

public static boolean isImpersonated(
HttpServletRequest httpServletRequest) {

return _portal.isImpersonated(httpServletRequest);
}

public static boolean isLayoutDescendant(Layout layout, long layoutId)
throws PortalException {
