LUTECE-2184 : Add a CSRF token to portlet creation and modification

The protection is in place if portlet JspBeans call setPortletCommonData.

Author: rzara

src/java/fr/paris/lutece/portal/web/portlet/PortletJspBean.java

@@ -39,9 +39,12 @@
 import fr.paris.lutece.portal.business.portlet.PortletType;
 import fr.paris.lutece.portal.business.portlet.PortletTypeHome;
 import fr.paris.lutece.portal.business.role.RoleHome;
+import fr.paris.lutece.portal.service.admin.AccessDeniedException;
 import fr.paris.lutece.portal.service.message.AdminMessage;
 import fr.paris.lutece.portal.service.message.AdminMessageService;
+import fr.paris.lutece.portal.service.security.SecurityTokenService;
 import fr.paris.lutece.portal.service.template.AppTemplateService;
+import fr.paris.lutece.portal.service.util.AppException;
 import fr.paris.lutece.portal.service.util.AppLogService;
 import fr.paris.lutece.portal.service.util.AppPropertiesService;
 import fr.paris.lutece.portal.web.admin.AdminFeaturesPageJspBean;
@@ -56,9 +59,12 @@
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
 /**
  * This class represents user interface Portlet. It is the base class of all user interface portlets. It is abstract and the implementation of the interface
- * PortletJspBeanInterface is compulsary.
+ * PortletJspBeanInterface is compulsory.
  */
 public abstract class PortletJspBean extends AdminFeaturesPageJspBean
 {
@@ -240,7 +246,11 @@ protected String setPortletCommonData( HttpServletRequest request, Portlet portl
 
             return AdminMessageService.getMessageUrl( request, MESSAGE_INVALID_PAGE_ID, AdminMessage.TYPE_STOP );
         }
-
+        if ( !SecurityTokenService.getInstance( ).validate( request, TEMPLATE_CREATE_PORTLET ) )
+        {
+            // FIXME we wrap the AccessDeniedException so as to to break the API
+            throw new AppException( "Invalid security token", new AccessDeniedException( "Invalid security token" ) );
+        }
         int nOrder = Integer.parseInt( strOrder );
         int nColumn = Integer.parseInt( strColumn );
         int nAcceptAlias = Integer.parseInt( strAcceptAlias );
@@ -321,6 +331,7 @@ protected HtmlTemplate getCreateTemplate( String strPageId, String strPortletTyp
         model.put( MARK_PORTLET_COLUMNS_COMBO, getColumnsList( ) );
         model.put( MARK_PORTLET_STYLES_COMBO, PortletHome.getStylesList( strPortletTypeId ) );
         model.put( MARK_PORTLET_ROLES_COMBO, RoleHome.getRolesList( getUser( ) ) );
+        model.put( SecurityTokenService.MARK_TOKEN, SecurityTokenService.getInstance( ).getToken( getRequest( ), TEMPLATE_CREATE_PORTLET ) );
 
         HtmlTemplate template = AppTemplateService.getTemplate( TEMPLATE_CREATE_PORTLET, locale, model );
 
@@ -362,6 +373,7 @@ protected HtmlTemplate getModifyTemplate( Portlet portlet, Map<String, Object> m
         putCheckBox( model, MARK_NORMAL_CHECKED, portlet.hasDeviceDisplayFlag( Portlet.FLAG_DISPLAY_ON_NORMAL_DEVICE ) );
         putCheckBox( model, MARK_LARGE_CHECKED, portlet.hasDeviceDisplayFlag( Portlet.FLAG_DISPLAY_ON_LARGE_DEVICE ) );
         putCheckBox( model, MARK_XLARGE_CHECKED, portlet.hasDeviceDisplayFlag( Portlet.FLAG_DISPLAY_ON_XLARGE_DEVICE ) );
+        model.put( SecurityTokenService.MARK_TOKEN, SecurityTokenService.getInstance( ).getToken( getRequest( ), TEMPLATE_CREATE_PORTLET ) );
 
         HtmlTemplate template = AppTemplateService.getTemplate( TEMPLATE_MODIFY_PORTLET, getLocale( ), model );
 
@@ -395,4 +407,15 @@ protected String getPageUrl( int nIdPage )
     {
         return JSP_ADMIN_SITE + "?" + PARAMETER_PAGE_ID + "=" + nIdPage;
     }
+
+    /**
+     * Gets the current request
+     * 
+     * @return the current request
+     */
+    private HttpServletRequest getRequest( )
+    {
+        ServletRequestAttributes sra = ( ServletRequestAttributes ) RequestContextHolder.getRequestAttributes( );
+        return sra.getRequest( );
+    }
 }

src/test/java/fr/paris/lutece/portal/web/portlet/PortletJspBeanTest.java

@@ -0,0 +1,185 @@
+/*
+ * Copyright (c) 2002-2017, Mairie de Paris
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *  1. Redistributions of source code must retain the above copyright notice
+ *     and the following disclaimer.
+ *
+ *  2. Redistributions in binary form must reproduce the above copyright notice
+ *     and the following disclaimer in the documentation and/or other materials
+ *     provided with the distribution.
+ *
+ *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
+ *     contributors may be used to endorse or promote products derived from
+ *     this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * License 1.0
+ */
+package fr.paris.lutece.portal.web.portlet;
+
+import java.math.BigInteger;
+import java.security.SecureRandom;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Random;
+
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import fr.paris.lutece.portal.business.portlet.Portlet;
+import fr.paris.lutece.portal.business.user.AdminUser;
+import fr.paris.lutece.portal.service.admin.AccessDeniedException;
+import fr.paris.lutece.portal.service.admin.PasswordResetException;
+import fr.paris.lutece.portal.service.security.SecurityTokenService;
+import fr.paris.lutece.portal.service.util.AppException;
+import fr.paris.lutece.portal.web.constants.Parameters;
+import fr.paris.lutece.test.LuteceTestCase;
+import fr.paris.lutece.test.Utils;
+
+public class PortletJspBeanTest extends LuteceTestCase
+{
+    public void testGetCreateTemplate( ) throws PasswordResetException, AccessDeniedException
+    {
+        PortletJspBean instance = new TestPortletJspBean( );
+        MockHttpServletRequest request = new MockHttpServletRequest( );
+        Utils.registerAdminUserWithRigth( request, new AdminUser( ), PortletJspBean.RIGHT_MANAGE_ADMIN_SITE );
+        instance.init( request, PortletJspBean.RIGHT_MANAGE_ADMIN_SITE );
+        RequestContextHolder.setRequestAttributes( new ServletRequestAttributes( request ) );
+
+        Map<String, Object> model = new HashMap<>( );
+        assertNotNull( instance.getCreateTemplate( "1", "ALIAS_PORTLET", model ) );
+        assertTrue( model.containsKey( SecurityTokenService.MARK_TOKEN ) );
+    }
+
+    public void testGetModifyTemplateTemplate( ) throws PasswordResetException, AccessDeniedException
+    {
+        PortletJspBean instance = new TestPortletJspBean( );
+        MockHttpServletRequest request = new MockHttpServletRequest( );
+        Utils.registerAdminUserWithRigth( request, new AdminUser( ), PortletJspBean.RIGHT_MANAGE_ADMIN_SITE );
+        instance.init( request, PortletJspBean.RIGHT_MANAGE_ADMIN_SITE );
+        RequestContextHolder.setRequestAttributes( new ServletRequestAttributes( request ) );
+
+        Map<String, Object> model = new HashMap<>( );
+        model.put( "alias_portlet", "1" );
+        Portlet portlet = new TestPortlet( "ALIAS_PORTLET" );
+        assertNotNull( instance.getModifyTemplate( portlet, model ) );
+        assertTrue( model.containsKey( SecurityTokenService.MARK_TOKEN ) );
+    }
+
+    public void testSetPortletCommonData( )
+    {
+        PortletJspBean instance = new TestPortletJspBean( );
+        MockHttpServletRequest request = new MockHttpServletRequest( );
+        String strName = getRandomName( );
+        request.setParameter( Parameters.PORTLET_NAME, strName );
+        request.setParameter( Parameters.ORDER, "1" );
+        request.setParameter( Parameters.COLUMN, "1" );
+        request.setParameter( Parameters.ACCEPT_ALIAS, "1" );
+        request.setParameter( Parameters.DISPLAY_PORTLET_TITLE, "1" );
+        request.setParameter( Parameters.STYLE, "1" );
+        request.setParameter( "page_id", "1" );
+        request.setParameter( SecurityTokenService.PARAMETER_TOKEN,
+                SecurityTokenService.getInstance( ).getToken( request, "admin/portlet/create_portlet.html" ) );
+        Portlet portlet = new TestPortlet( "ALIAS_PORTLET" );
+        instance.setPortletCommonData( request, portlet );
+
+        assertEquals( strName, portlet.getName( ) );
+        assertEquals( 1, portlet.getOrder( ) );
+        assertEquals( 1, portlet.getColumn( ) );
+        assertEquals( 1, portlet.getAcceptAlias( ) );
+        assertEquals( 1, portlet.getDisplayPortletTitle( ) );
+        assertEquals( 1, portlet.getStyleId( ) );
+        assertEquals( 1, portlet.getPageId( ) );
+    }
+
+    public void testSetPortletCommonDataInvalidToken( )
+    {
+        PortletJspBean instance = new TestPortletJspBean( );
+        MockHttpServletRequest request = new MockHttpServletRequest( );
+        String strName = getRandomName( );
+        request.setParameter( Parameters.PORTLET_NAME, strName );
+        request.setParameter( Parameters.ORDER, "1" );
+        request.setParameter( Parameters.COLUMN, "1" );
+        request.setParameter( Parameters.ACCEPT_ALIAS, "1" );
+        request.setParameter( Parameters.DISPLAY_PORTLET_TITLE, "1" );
+        request.setParameter( Parameters.STYLE, "1" );
+        request.setParameter( "page_id", "1" );
+        request.setParameter( SecurityTokenService.PARAMETER_TOKEN,
+                SecurityTokenService.getInstance( ).getToken( request, "admin/portlet/create_portlet.html" ) + "b" );
+        Portlet portlet = new TestPortlet( "ALIAS_PORTLET" );
+        try
+        {
+            instance.setPortletCommonData( request, portlet );
+            fail( "Should have thrown" );
+        }
+        catch ( AppException e )
+        {
+            assertNotNull( e.getCause( ) );
+            assertTrue( e.getCause( ) instanceof AccessDeniedException );
+            assertEquals( "ALIAS_PORTLET", portlet.getName( ) );
+            assertEquals( 0, portlet.getOrder( ) );
+            assertEquals( 0, portlet.getColumn( ) );
+            assertEquals( 0, portlet.getAcceptAlias( ) );
+            assertEquals( 0, portlet.getDisplayPortletTitle( ) );
+            assertEquals( 0, portlet.getStyleId( ) );
+            assertEquals( 0, portlet.getPageId( ) );
+        }
+    }
+
+    public void testSetPortletCommonDataNoToken( )
+    {
+        PortletJspBean instance = new TestPortletJspBean( );
+        MockHttpServletRequest request = new MockHttpServletRequest( );
+        String strName = getRandomName( );
+        request.setParameter( Parameters.PORTLET_NAME, strName );
+        request.setParameter( Parameters.ORDER, "1" );
+        request.setParameter( Parameters.COLUMN, "1" );
+        request.setParameter( Parameters.ACCEPT_ALIAS, "1" );
+        request.setParameter( Parameters.DISPLAY_PORTLET_TITLE, "1" );
+        request.setParameter( Parameters.STYLE, "1" );
+        request.setParameter( "page_id", "1" );
+
+        Portlet portlet = new TestPortlet( "ALIAS_PORTLET" );
+        try
+        {
+            instance.setPortletCommonData( request, portlet );
+            fail( "Should have thrown" );
+        }
+        catch ( AppException e )
+        {
+            assertNotNull( e.getCause( ) );
+            assertTrue( e.getCause( ) instanceof AccessDeniedException );
+            assertEquals( "ALIAS_PORTLET", portlet.getName( ) );
+            assertEquals( 0, portlet.getOrder( ) );
+            assertEquals( 0, portlet.getColumn( ) );
+            assertEquals( 0, portlet.getAcceptAlias( ) );
+            assertEquals( 0, portlet.getDisplayPortletTitle( ) );
+            assertEquals( 0, portlet.getStyleId( ) );
+            assertEquals( 0, portlet.getPageId( ) );
+        }
+    }
+
+    private String getRandomName( )
+    {
+        Random rand = new SecureRandom( );
+        BigInteger bigInt = new BigInteger( 128, rand );
+        return "junit" + bigInt.toString( 36 );
+    }
+}

src/test/java/fr/paris/lutece/portal/web/portlet/TestPortlet.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2002-2017, Mairie de Paris
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *  1. Redistributions of source code must retain the above copyright notice
+ *     and the following disclaimer.
+ *
+ *  2. Redistributions in binary form must reproduce the above copyright notice
+ *     and the following disclaimer in the documentation and/or other materials
+ *     provided with the distribution.
+ *
+ *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
+ *     contributors may be used to endorse or promote products derived from
+ *     this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * License 1.0
+ */
+package fr.paris.lutece.portal.web.portlet;
+
+import javax.servlet.http.HttpServletRequest;
+
+import fr.paris.lutece.portal.business.portlet.Portlet;
+import fr.paris.lutece.portal.service.message.SiteMessageException;
+
+final class TestPortlet extends Portlet
+{
+    public TestPortlet( String strTypeId )
+    {
+        setPortletTypeId( strTypeId );
+        setName( strTypeId );
+    }
+    
+    @Override
+    public String getXmlDocument( HttpServletRequest request ) throws SiteMessageException
+    {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+    @Override
+    public String getXml( HttpServletRequest request ) throws SiteMessageException
+    {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+    @Override
+    public void remove( )
+    {
+        // TODO Auto-generated method stub
+        
+    }
+}

src/test/java/fr/paris/lutece/portal/web/portlet/TestPortletJspBean.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2002-2017, Mairie de Paris
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *  1. Redistributions of source code must retain the above copyright notice
+ *     and the following disclaimer.
+ *
+ *  2. Redistributions in binary form must reproduce the above copyright notice
+ *     and the following disclaimer in the documentation and/or other materials
+ *     provided with the distribution.
+ *
+ *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
+ *     contributors may be used to endorse or promote products derived from
+ *     this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * License 1.0
+ */
+package fr.paris.lutece.portal.web.portlet;
+
+import javax.servlet.http.HttpServletRequest;
+
+final class TestPortletJspBean extends PortletJspBean
+{
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public String getModify( HttpServletRequest request )
+    {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+    @Override
+    public String getCreate( HttpServletRequest request )
+    {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+    @Override
+    public String doModify( HttpServletRequest request )
+    {
+        // TODO Auto-generated method stub
+        return null;
+    }
+
+    @Override
+    public String doCreate( HttpServletRequest request )
+    {
+        // TODO Auto-generated method stub
+        return null;
+    }
+}