Java tutorial
/* * #%L * Alfresco Remote API * %% * Copyright (C) 2005 - 2016 Alfresco Software Limited * %% * This file is part of the Alfresco software. * If the software was purchased under a paid Alfresco license, the terms of * the paid license agreement will prevail. Otherwise, the software is * provided under the following open source license terms: * * Alfresco is free software: you can redistribute it and/or modify * it under the terms of the GNU Lesser General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * Alfresco is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public License * along with Alfresco. If not, see <http://www.gnu.org/licenses/>. * #L% */ package org.alfresco.repo.web.scripts.links; import java.io.IOException; import java.io.StringWriter; import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; import java.util.regex.Pattern; import org.alfresco.query.PagingRequest; import org.alfresco.repo.content.MimetypeMap; import org.alfresco.service.cmr.activities.ActivityService; import org.alfresco.service.cmr.links.LinkInfo; import org.alfresco.service.cmr.links.LinksService; import org.alfresco.service.cmr.repository.NodeRef; import org.alfresco.service.cmr.repository.NodeService; import org.alfresco.service.cmr.security.NoSuchPersonException; import org.alfresco.service.cmr.security.PersonService; import org.alfresco.service.cmr.site.SiteInfo; import org.alfresco.service.cmr.site.SiteService; import org.alfresco.util.ScriptPagingDetails; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.json.simple.JSONArray; import org.json.simple.JSONObject; import org.json.simple.parser.JSONParser; import org.json.simple.parser.ParseException; import org.springframework.extensions.webscripts.Cache; import org.springframework.extensions.webscripts.DeclarativeWebScript; import org.springframework.extensions.webscripts.Status; import org.springframework.extensions.webscripts.WebScriptException; import org.springframework.extensions.webscripts.WebScriptRequest; import org.springframework.extensions.webscripts.json.JSONWriter; /** * @author Nick Burch * @since 4.0 */ public abstract class AbstractLinksWebScript extends DeclarativeWebScript { public static final String LINKS_SERVICE_ACTIVITY_APP_NAME = "links"; protected static final String PARAM_MESSAGE = "message"; protected static final String PARAM_ITEM = "item"; private static Log logger = LogFactory.getLog(AbstractLinksWebScript.class); // Injected services protected NodeService nodeService; protected SiteService siteService; protected LinksService linksService; protected PersonService personService; protected ActivityService activityService; private String protocolsWhiteList = "http,https,ftp,mailto"; private ArrayList<String> allowedProtocols; private ArrayList<Pattern> xssPatterns; public void setNodeService(NodeService nodeService) { this.nodeService = nodeService; } public void setSiteService(SiteService siteService) { this.siteService = siteService; } public void setLinksService(LinksService linksService) { this.linksService = linksService; } public void setPersonService(PersonService personService) { this.personService = personService; } public void setActivityService(ActivityService activityService) { this.activityService = activityService; } public void setProtocolsWhiteList(String protocolsWhiteList) { this.protocolsWhiteList = protocolsWhiteList; } public void setXssRegexp(ArrayList<String> xssRegexp) { xssPatterns = new ArrayList<>(xssRegexp.size()); for (String xssRegexpStr : xssRegexp) { xssPatterns.add(Pattern.compile(xssRegexpStr)); } } private boolean isProtocolAllowed(String protocol) { // will be used default protocol prefix if (protocol.length() == 0) { return true; } if (allowedProtocols == null) { allowedProtocols = new ArrayList<String>(); for (String delimProtocol : protocolsWhiteList.split(",")) { if (delimProtocol.trim().length() == 0) { continue; } allowedProtocols.add(delimProtocol.trim()); } } return allowedProtocols.contains(protocol); } private boolean isPossibleXSS(String url) { // check for null if (xssPatterns == null) { return false; } boolean result = false; for (Pattern pattern : xssPatterns) { if (pattern.matcher(url).matches()) { result = true; } } return result; } private boolean isUrlCorrect(String url) { //default behavior if url absent if (url == null) { return true; } if (url.trim().length() == 0 || isPossibleXSS(url)) { return false; } int colonPos = url.indexOf(":"); colonPos = colonPos > 0 ? colonPos : 0; String protocol = url.substring(0, colonPos); boolean result = isProtocolAllowed(protocol); //check for record host:port e.g.: localhost:8080 if (!result) { String secondUrlPart = url.substring(colonPos + 1); int slashPos = secondUrlPart.indexOf("/"); slashPos = slashPos > 0 ? slashPos : secondUrlPart.length(); String port = secondUrlPart.substring(0, slashPos); Pattern p = Pattern.compile("^[0-9]*$"); if (p.matcher(port).matches()) { result = true; } } return result; } protected String getOrNull(JSONObject json, String key) { if (json.containsKey(key)) { return (String) json.get(key); } return null; } protected List<String> getTags(JSONObject json) { List<String> tags = null; if (json.containsKey("tags")) { // Is it "tags":"" or "tags":[...] ? if (json.get("tags") instanceof String) { // This is normally an empty string, skip String tagsS = (String) json.get("tags"); if ("".equals(tagsS)) { // No tags were given return null; } else { // Log, and treat as empty // (We don't support "tags":"a,b,c" in these webscripts) logger.warn("Unexpected tag data: " + tagsS); return null; } } else { tags = new ArrayList<String>(); JSONArray jsTags = (JSONArray) json.get("tags"); for (int i = 0; i < jsTags.size(); i++) { tags.add((String) jsTags.get(i)); } } } return tags; } /** * Builds up a listing Paging request, based on the arguments * specified in the URL */ protected PagingRequest buildPagingRequest(WebScriptRequest req) { if (req.getParameter("page") == null || req.getParameter("pageSize") == null) { throw new WebScriptException(Status.STATUS_BAD_REQUEST, "Paging size parameters missing"); } return new ScriptPagingDetails(req, 100); } /** * Generates an activity entry for the link */ protected void addActivityEntry(String event, LinkInfo link, SiteInfo site, WebScriptRequest req, JSONObject json) { // What page is this for? String page = req.getParameter("page"); if (page == null && json != null) { if (json.containsKey("page")) { page = (String) json.get("page"); } } if (page == null) { // Default page = "links"; } try { StringWriter activityJson = new StringWriter(); JSONWriter activity = new JSONWriter(activityJson); activity.startObject(); activity.writeValue("title", link.getTitle()); activity.writeValue("page", page + "?linkId=" + link.getSystemName()); activity.endObject(); activityService.postActivity("org.alfresco.links.link-" + event, site.getShortName(), LINKS_SERVICE_ACTIVITY_APP_NAME, activityJson.toString()); } catch (Exception e) { // Warn, but carry on logger.warn("Error adding link " + event + " to activities feed", e); } } protected Map<String, Object> renderLink(LinkInfo link) { Map<String, Object> res = new HashMap<String, Object>(); res.put("node", link.getNodeRef()); res.put("name", link.getSystemName()); res.put("title", link.getTitle()); res.put("description", link.getDescription()); res.put("url", link.getURL()); res.put("createdOn", link.getCreatedAt()); res.put("modifiedOn", link.getModifiedAt()); res.put("tags", link.getTags()); res.put("internal", link.isInternal()); // FTL needs a script node of the person, if available String creator = link.getCreator(); Object creatorO; if ((null == creator) || !personService.personExists(creator)) { creatorO = ""; } else { NodeRef person = personService.getPerson(creator); creatorO = person; } res.put("creator", creatorO); // We want blank instead of null for (String key : res.keySet()) { if (res.get(key) == null) { res.put(key, ""); } } return res; } @Override protected Map<String, Object> executeImpl(WebScriptRequest req, Status status, Cache cache) { Map<String, String> templateVars = req.getServiceMatch().getTemplateVars(); if (templateVars == null) { String error = "No parameters supplied"; throw new WebScriptException(Status.STATUS_BAD_REQUEST, error); } // Parse the JSON, if supplied JSONObject json = null; String contentType = req.getContentType(); if (contentType != null && contentType.indexOf(';') != -1) { contentType = contentType.substring(0, contentType.indexOf(';')); } if (MimetypeMap.MIMETYPE_JSON.equals(contentType)) { JSONParser parser = new JSONParser(); try { json = (JSONObject) parser.parse(req.getContent().getContent()); } catch (IOException io) { throw new WebScriptException(Status.STATUS_BAD_REQUEST, "Invalid JSON: " + io.getMessage()); } catch (ParseException pe) { throw new WebScriptException(Status.STATUS_BAD_REQUEST, "Invalid JSON: " + pe.getMessage()); } } // Get the site short name. Try quite hard to do so... String siteName = templateVars.get("site"); if (siteName == null) { siteName = req.getParameter("site"); } if (siteName == null && json != null) { if (json.containsKey("siteid")) { siteName = (String) json.get("siteid"); } else if (json.containsKey("site")) { siteName = (String) json.get("site"); } } if (siteName == null) { String error = "No site given"; throw new WebScriptException(Status.STATUS_BAD_REQUEST, error); } // Grab the requested site SiteInfo site = siteService.getSite(siteName); if (site == null) { String error = "Could not find site: " + siteName; throw new WebScriptException(Status.STATUS_NOT_FOUND, error); } // Link name is optional String linkName = templateVars.get("path"); //sanitise url if (json != null) { String url = getOrNull(json, "url"); if (!isUrlCorrect(url)) { String error = "Url not allowed"; throw new WebScriptException(Status.STATUS_BAD_REQUEST, error); } } // Have the real work done return executeImpl(site, linkName, req, json, status, cache); } protected abstract Map<String, Object> executeImpl(SiteInfo site, String linkName, WebScriptRequest req, JSONObject json, Status status, Cache cache); }