fix personium#535

shimono · Mar 5, 2020 · 65ea886 · 65ea886
1 parent 3d3e85a
commit 65ea886
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 28 deletions.
diff --git a/src/main/java/io/personium/core/PersoniumCoreException.java b/src/main/java/io/personium/core/PersoniumCoreException.java
@@ -1002,6 +1002,14 @@ public static class Common {
          * {0} : Parse string
          */
         public static final PersoniumCoreException JSON_PARSE_ERROR = create("PR400-CM-0004");
+        /**
+         * Invalid URL authority.
+         * <p>
+         * {0} : Given authority
+         * {1} : Configured authority
+         */
+        public static final PersoniumCoreException INVALID_URL_AUTHORITY = create("PR400-CM-0005");
+
         /**
          * Executing API that is not allowed when the cell status is "import failed".
          */

diff --git a/src/main/java/io/personium/core/PersoniumUnitConfig.java b/src/main/java/io/personium/core/PersoniumUnitConfig.java
@@ -869,6 +869,21 @@ public static int getUnitPort() {
         }
         return port;
     }
+    /**
+     * Returns the URL authority of the Unit.
+     * For path-based cell URL mode, this will be the only allowable authority.
+     * For sub-domain-based cell URL mode, this and its sub-domain FQDN will be allowed.
+     * @return URL authority of the Unit.
+     */
+    public static String getUnitAuthority() {
+        String ret = CommonUtils.getFQDN();
+        int p = getUnitPort();
+        if (p == -1) {
+            return ret;
+        }
+        ret = ret + ":" + p;
+        return ret;
+    }
 
     /**
      * URL format to access cell.

diff --git a/src/main/java/io/personium/core/model/ModelFactory.java b/src/main/java/io/personium/core/model/ModelFactory.java
@@ -28,7 +28,7 @@
 import io.personium.core.model.impl.fs.CellSnapshotCellCmpFsImpl;
 
 /**
- * Factory class of model object.
+ * Factory class for model objects.
  */
 public final class ModelFactory {
     /**
@@ -150,7 +150,5 @@ public static UserSchemaODataProducer userSchema(final Cell cell, final DavCmp d
         public static UserDataODataProducer userData(final Cell cell, final DavCmp davCmp) {
             return new UserDataODataProducer(cell, davCmp);
         }
-
     }
-
 }
diff --git a/src/main/java/io/personium/core/rs/FacadeResource.java b/src/main/java/io/personium/core/rs/FacadeResource.java
@@ -102,36 +102,43 @@ public Object facade(
             PersoniumCoreLog.Server.REQUEST_KEY.params("received", headerPersoniumRequestKey).writeLog();
         }
 
-        if (PersoniumUnitConfig.isPathBasedCellUrlEnabled()) {
+        String accessUrlAuthority = uriInfo.getBaseUri().getAuthority();
+        String unitAuthority = PersoniumUnitConfig.getUnitAuthority();
+
+        // if URL authority matches the config then OK.
+        if (unitAuthority.equals(accessUrlAuthority)) {
             return new UnitResource(cookieAuthValue, cookiePeer, headerAuthz, headerHost,
                     headerPersoniumUnitUser, uriInfo);
         }
 
-        String accessUrl = uriInfo.getBaseUri().toString();
-        String configUrl = PersoniumUnitConfig.getBaseUrl();
-        if (configUrl.equals(accessUrl)) {
-            return new UnitResource(cookieAuthValue, cookiePeer, headerAuthz, headerHost,
-                    headerPersoniumUnitUser, uriInfo);
+        if (PersoniumUnitConfig.isPathBasedCellUrlEnabled()) {
+            // if path based, then respond error since unitAuthority itself is the only allowable authority.
+            throw PersoniumCoreException.Common.INVALID_URL_AUTHORITY.params(accessUrlAuthority, unitAuthority);
         } else {
-            // {CellName}.{FQDN} access
+            // if sub-domain based, then ..
             String cellName = headerHost.split("\\.")[0];
-            Cell cell = ModelFactory.cellFromName(cellName);
-            if (cell == null) {
-                throw PersoniumCoreException.Dav.CELL_NOT_FOUND;
-            }
-            AccessContext ac = AccessContext.create(headerAuthz, uriInfo, cookiePeer, cookieAuthValue, cell,
-                    uriInfo.getBaseUri().toString(), headerHost, headerPersoniumUnitUser);
+            // subdomain case is also fine
+            if (accessUrlAuthority.equals(cellName + "." + unitAuthority)) {
+                Cell cell = ModelFactory.cellFromName(cellName);
+                if (cell == null) {
+                    throw PersoniumCoreException.Dav.CELL_NOT_FOUND;
+                }
+                AccessContext ac = AccessContext.create(headerAuthz, uriInfo, cookiePeer, cookieAuthValue, cell,
+                        uriInfo.getBaseUri().toString(), headerHost, headerPersoniumUnitUser);
 
-            CellLockManager.STATUS cellStatus = CellLockManager.getCellStatus(cell.getId());
-            if (CellLockManager.STATUS.BULK_DELETION.equals(cellStatus)) {
-                throw PersoniumCoreException.Dav.CELL_NOT_FOUND;
-            }
+                CellLockManager.STATUS cellStatus = CellLockManager.getCellStatus(cell.getId());
+                if (CellLockManager.STATUS.BULK_DELETION.equals(cellStatus)) {
+                    throw PersoniumCoreException.Dav.CELL_NOT_FOUND;
+                }
 
-            CellLockManager.incrementReferenceCount(cell.getId());
-            httpServletRequest.setAttribute("cellId", cell.getId());
+                CellLockManager.incrementReferenceCount(cell.getId());
+                httpServletRequest.setAttribute("cellId", cell.getId());
 
-            return new CellResource(ac, requestKey,
-                    headerPersoniumEventId, headerPersoniumRuleChain, headerPersoniumVia, httpServletRequest);
+                return new CellResource(ac, requestKey,
+                        headerPersoniumEventId, headerPersoniumRuleChain, headerPersoniumVia, httpServletRequest);
+            } 
+            // otherwise respond error
+            throw PersoniumCoreException.Common.INVALID_URL_AUTHORITY.params(accessUrlAuthority, unitAuthority + ", *." + unitAuthority);
         }
     }
 }
diff --git a/src/main/resources/personium-messages.properties b/src/main/resources/personium-messages.properties
@@ -1,6 +1,7 @@
 #
-# personium.io
-# Copyright 2014 FUJITSU LIMITED
+# Personium
+# Copyright 2014-2020 Personium Project Authors 
+# - FUJITSU LIMITED
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -15,7 +16,7 @@
 # limitations under the License.
 #
 
-### PR ResponseMessage
+### ResponseMessages
 ## ODATA
 # PR400-OD
 io.personium.core.msg.PR400-OD-0001=JSON parse error.
@@ -158,7 +159,7 @@ io.personium.core.msg.PR400-SM-0001=ToRelation [{0}] does not exist.
 io.personium.core.msg.PR400-SM-0002=ToRelation [{0}] does not have related ExtCell.
 io.personium.core.msg.PR400-SM-0003=The maximum number of destinations was exceeded.
 io.personium.core.msg.PR400-SM-0004=Box corresponding to the schema can not be found from the schema-authenticated token. Schema[{0}].
-# PR500-RS
+# PR500-SM
 io.personium.core.msg.PR500-SM-0001=Sent Message connection error.
 io.personium.core.msg.PR500-SM-0002=Sent Message body parse error.
 
@@ -369,6 +370,7 @@ io.personium.core.msg.PR400-CM-0001=Required key [{0}] missing.
 io.personium.core.msg.PR400-CM-0002=Field [{0}] format error. Must be [{1}].
 io.personium.core.msg.PR400-CM-0003=Unknown key [{0}] specified.
 io.personium.core.msg.PR400-CM-0004=JSON parse error. [{0}].
+io.personium.core.msg.PR400-CM-0005=Invalid URL authority [{0}]. This unit is configured for URL authority [{1}]
 
 io.personium.core.msg.PR409-CM-0001=Cell status is [import failed]. Only Unit Level's APIs, CellImport and GetToken are executable.
 io.personium.core.msg.PR409-CM-0002=Because [{0}] is being executed, writing to cell can not be done.