Java Code Examples for org.owasp.security.logging.SecurityMarkers#SECURITY_AUDIT

Example 1
Source File: UserResource.java — from dependency-track (Apache License 2.0)
/**
 * Deletes the OpenID Connect user named in the request body.
 *
 * @param jsonUser request body; only {@code getUsername()} is read from it
 * @return 204 once the user has been deleted, 404 when no such user exists
 */
@DELETE
@Path("oidc")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Deletes an OpenID Connect user.",
        code = 204
)
@ApiResponses(value = {
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The user could not be found")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response deleteOidcUser(final OidcUser jsonUser) {
    try (QueryManager qm = new QueryManager()) {
        final String username = jsonUser.getUsername();
        final OidcUser existing = qm.getOidcUser(username);
        if (existing == null) {
            return Response.status(Response.Status.NOT_FOUND)
                    .entity("The user could not be found.")
                    .build();
        }
        qm.delete(existing);
        // The audit entry is written only after the delete has been issued.
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "OpenID Connect user deleted: " + username);
        return Response.status(Response.Status.NO_CONTENT).build();
    }
}
 
Example 2
Source File: TeamResource.java — from dependency-track (Apache License 2.0)
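/**
 * Creates a new team and an API key for it.
 * <p>
 * The {@code name} property of the request body is bean-validated before any
 * persistence happens; {@code failOnValidationError} is expected to abort the
 * request when the constraint set reported by the validator is non-empty.
 *
 * @param jsonTeam request body; only {@code getName()} is used
 * @return 201 with the persisted team as the entity
 */
@PUT
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Creates a new team along with an associated API key",
        response = Team.class,
        code = 201
)
@ApiResponses(value = {
        @ApiResponse(code = 401, message = "Unauthorized")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response createTeam(Team jsonTeam) {
    final Validator validator = super.getValidator();
    failOnValidationError(
            validator.validateProperty(jsonTeam, "name")
    );

    try (QueryManager qm = new QueryManager()) {
        // Second argument requests that an API key be generated alongside the team.
        final Team team = qm.createTeam(jsonTeam.getName(), true);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Team created: " + team.getName());
        return Response.status(Response.Status.CREATED).entity(team).build();
    }
}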
 
Example 3
Source File: UserResource.java — from dependency-track (Apache License 2.0)
/**
 * Deletes the managed (locally stored) user named in the request body.
 *
 * @param jsonUser request body; only {@code getUsername()} is read from it
 * @return 204 once the user has been deleted, 404 when no such user exists
 */
@DELETE
@Path("managed")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Deletes a user.",
        code = 204
)
@ApiResponses(value = {
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The user could not be found")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response deleteManagedUser(ManagedUser jsonUser) {
    try (QueryManager qm = new QueryManager()) {
        final String username = jsonUser.getUsername();
        final ManagedUser target = qm.getManagedUser(username);
        if (target == null) {
            final Response.ResponseBuilder notFound = Response.status(Response.Status.NOT_FOUND);
            return notFound.entity("The user could not be found.").build();
        }
        qm.delete(target);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Managed user deleted: " + username);
        return Response.status(Response.Status.NO_CONTENT).build();
    }
}
 
Example 4
Source File: UserResource.java — from dependency-track (Apache License 2.0)
/**
 * Deletes the LDAP-backed user named in the request body. Only the local
 * reference is removed; nothing here touches the directory itself.
 *
 * @param jsonUser request body; only {@code getUsername()} is read from it
 * @return 204 once the user has been deleted, 404 when no such user exists
 */
@DELETE
@Path("ldap")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Deletes a user.",
        code = 204
)
@ApiResponses(value = {
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The user could not be found")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response deleteLdapUser(LdapUser jsonUser) {
    try (QueryManager qm = new QueryManager()) {
        final String username = jsonUser.getUsername();
        final LdapUser target = qm.getLdapUser(username);
        if (target != null) {
            qm.delete(target);
            super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "LDAP user deleted: " + username);
            return Response.status(Response.Status.NO_CONTENT).build();
        }
        return Response.status(Response.Status.NOT_FOUND)
                .entity("The user could not be found.")
                .build();
    }
}
 
Example 5
Source File: OidcResource.java — from dependency-track (Apache License 2.0)
/**
 * Deletes an OpenID Connect group together with every team mapping that
 * references it.
 *
 * @param uuid UUID of the group, taken from the path
 * @return 204 once the group and its mappings are gone, 404 when the UUID is unknown
 */
@DELETE
@Path("/group/{uuid}")
@Consumes(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Deletes a group",
        code = 204
)
@ApiResponses(value = {
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The group could not be found")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response deleteGroup(@ApiParam(value = "The UUID of the group to delete", required = true)
                            @PathParam("uuid") final String uuid) {
    try (QueryManager qm = new QueryManager()) {
        final OidcGroup target = qm.getObjectByUuid(OidcGroup.class, uuid);
        if (target == null) {
            return Response.status(Response.Status.NOT_FOUND)
                    .entity("An OpenID Connect group with the specified UUID could not be found.")
                    .build();
        }
        // Mappings are removed first so no mapping is left pointing at a deleted group.
        qm.delete(qm.getMappedOidcGroups(target));
        qm.delete(target);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Group deleted: " + target.getName());
        return Response.status(Response.Status.NO_CONTENT).build();
    }
}
 
Example 6
Source File: OidcResource.java — from dependency-track (Apache License 2.0)
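/**
 * Deletes a single group-to-team mapping by its UUID.
 * <p>
 * The audit entry is written after {@code qm.delete(mapping)} has been issued,
 * not before it, so the audit log cannot claim a deletion that a failing delete
 * never performed. The group and team names are captured before the delete
 * because the mapping object is not read again afterwards.
 *
 * @param uuid UUID of the mapping, taken from the path
 * @return 204 once the mapping has been deleted, 404 when the UUID is unknown
 */
@DELETE
@Path("/mapping/{uuid}")
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Deletes a mapping",
        code = 204
)
@ApiResponses(value = {
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The UUID of the mapping could not be found"),
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response deleteMappingByUuid(@ApiParam(value = "The UUID of the mapping to delete", required = true)
                                    @PathParam("uuid") final String uuid) {
    try (QueryManager qm = new QueryManager()) {
        final MappedOidcGroup mapping = qm.getObjectByUuid(MappedOidcGroup.class, uuid);
        if (mapping == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The UUID of the mapping could not be found.").build();
        }
        final String groupName = mapping.getGroup().getName();
        final String teamName = mapping.getTeam().getName();
        qm.delete(mapping);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Mapping for group " + groupName + " and team " + teamName + " deleted");
        return Response.status(Response.Status.NO_CONTENT).build();
    }
}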
 
Example 7
Source File: AlpineResource.java — from Alpine (Apache License 2.0)
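/**
 * Logs a security event to the security audit log. Expects one of:
 * {@link SecurityMarkers#SECURITY_AUDIT}
 * {@link SecurityMarkers#SECURITY_SUCCESS}
 * {@link SecurityMarkers#SECURITY_FAILURE}
 * Any other marker is ignored and nothing is logged, so this method cannot be
 * used to write non-security events into the audit log.
 * <p>
 * The event is a single line composed of the caller's message, the principal
 * name (when a principal is present), the remote address and the User-Agent.
 * The message (callers embed request-supplied usernames in it), the principal
 * name and the User-Agent are untrusted text; CR and LF are replaced before
 * they are appended so one request cannot forge extra audit lines.
 *
 * @param logger the logger to use
 * @param marker the marker to add to the event
 * @param message the initial content of the event
 * @since 1.0.0
 */
protected void logSecurityEvent(final Logger logger, final Marker marker, final String message) {
    // Identity comparison: the markers are shared singletons.
    final boolean securityMarker = SecurityMarkers.SECURITY_AUDIT == marker
            || SecurityMarkers.SECURITY_SUCCESS == marker
            || SecurityMarkers.SECURITY_FAILURE == marker;
    if (!securityMarker) {
        return;
    }
    final StringBuilder sb = new StringBuilder();
    sb.append(neutralizeLineBreaks(message)).append(" ");
    if (getPrincipal() != null) {
        sb.append("by: ").append(neutralizeLineBreaks(getPrincipal().getName())).append(" ");
    }
    sb.append("/ IP Address: ").append(getRemoteAddress()).append(" ");
    sb.append("/ User Agent: ").append(neutralizeLineBreaks(getUserAgent()));
    logger.info(marker, sb.toString());
}

/**
 * Replaces CR and LF with a space so the value cannot terminate the current
 * audit line and start a forged one. {@code null} is returned unchanged; the
 * caller's {@code StringBuilder.append} renders it as the text "null", exactly
 * as it did before this helper existed.
 *
 * @param value untrusted text destined for the audit line, may be {@code null}
 * @return the value with line breaks neutralized, or {@code null}
 */
private static String neutralizeLineBreaks(final String value) {
    if (value == null) {
        return null;
    }
    return value.replace('\r', ' ').replace('\n', ' ');
}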
 
Example 8
Source File: OidcResource.java — from dependency-track (Apache License 2.0)
/**
 * Deletes the mapping between one OpenID Connect group and one team, both
 * identified by UUID in the path.
 *
 * @param groupUuid UUID of the group side of the mapping
 * @param teamUuid UUID of the team side of the mapping
 * @return 204 once the mapping has been deleted, 404 when the team, the group
 *         or the mapping between them does not exist
 */
@DELETE
@Path("/group/{groupUuid}/team/{teamUuid}/mapping")
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Deletes a mapping",
        code = 204
)
@ApiResponses(value = {
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The UUID of the mapping could not be found"),
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response deleteMapping(@ApiParam(value = "The UUID of the group to delete a mapping for", required = true)
                              @PathParam("groupUuid") final String groupUuid,
                              @ApiParam(value = "The UUID of the team to delete a mapping for", required = true)
                              @PathParam("teamUuid") final String teamUuid) {
    try (QueryManager qm = new QueryManager()) {
        // Team is resolved first, then the group; each missing side is its own 404.
        final Team team = qm.getObjectByUuid(Team.class, teamUuid);
        if (team == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The UUID of the team could not be found.").build();
        }
        final OidcGroup group = qm.getObjectByUuid(OidcGroup.class, groupUuid);
        if (group == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The UUID of the group could not be found.").build();
        }

        final String teamName = team.getName();
        final String groupName = group.getName();
        final MappedOidcGroup existing = qm.getMappedOidcGroup(team, group);
        if (existing == null) {
            return Response.status(Response.Status.NOT_FOUND)
                    .entity("A mapping for the group " + groupName + " and team " + teamName + " does not exist.")
                    .build();
        }
        qm.delete(existing);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Mapping for group " + groupName + " and team " + teamName + " deleted");
        return Response.status(Response.Status.NO_CONTENT).build();
    }
}
 
Example 9
Source File: UserResource.java — from dependency-track (Apache License 2.0)
/**
 * Removes the user named in the path from the team whose UUID is carried in
 * the request body.
 *
 * @param username path parameter naming the user
 * @param identifiableObject request body; only {@code getUuid()} (the team UUID) is read
 * @return 200 with the re-read principal when the membership was removed,
 *         304 when the user was not a member of that team,
 *         404 when the team or the user cannot be found
 */
@DELETE
@Path("/{username}/membership")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Removes the username from the specified team.",
        response = UserPrincipal.class
)
@ApiResponses(value = {
        @ApiResponse(code = 304, message = "The user was not a member of the specified team"),
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The user or team could not be found")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response removeTeamFromUser(
        @ApiParam(value = "A valid username", required = true)
        @PathParam("username") String username,
        @ApiParam(value = "The UUID of the team to un-associate username from", required = true)
                IdentifiableObject identifiableObject) {
    try (QueryManager qm = new QueryManager()) {
        final Team team = qm.getObjectByUuid(Team.class, identifiableObject.getUuid());
        if (team == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The team could not be found.").build();
        }
        final UserPrincipal found = qm.getUserPrincipal(username);
        if (found == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The user could not be found.").build();
        }
        final boolean removed = qm.removeUserFromTeam(found, team);
        // Re-read the principal so the returned entity reflects the persisted state.
        final UserPrincipal refreshed = qm.getObjectById(found.getClass(), found.getId());
        if (!removed) {
            return Response.status(Response.Status.NOT_MODIFIED)
                    .entity("The user was not a member of the specified team.")
                    .build();
        }
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Removed team membership for: " + refreshed.getName() + " / team: " + team.getName());
        return Response.ok(refreshed).build();
    }
}
 
Example 10
Source File: UserResource.java — from dependency-track (Apache License 2.0)
/**
 * Creates a local user record that references an existing OpenID Connect user.
 * Only the username is stored; no call to the identity provider is made here.
 *
 * @param jsonUser request body; only {@code getUsername()} is read from it
 * @return 201 with the created user, 400 when the username is blank,
 *         409 when a user with that username already exists
 */
@PUT
@Path("oidc")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Creates a new user that references an existing OpenID Connect user.",
        response = OidcUser.class,
        code = 201
)
@ApiResponses(value = {
        @ApiResponse(code = 400, message = "Username cannot be null or blank."),
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 409, message = "A user with the same username already exists. Cannot create new user")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response createOidcUser(final OidcUser jsonUser) {
    try (QueryManager qm = new QueryManager()) {
        final String username = jsonUser.getUsername();
        if (StringUtils.isBlank(username)) {
            return Response.status(Response.Status.BAD_REQUEST).entity("Username cannot be null or blank.").build();
        }
        if (qm.getOidcUser(username) != null) {
            return Response.status(Response.Status.CONFLICT).entity("A user with the same username already exists. Cannot create new user.").build();
        }
        final OidcUser created = qm.createOidcUser(username);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "OpenID Connect user created: " + username);
        return Response.status(Response.Status.CREATED).entity(created).build();
    }
}
 
Example 11
Source File: UserResource.java — from dependency-track (Apache License 2.0)
/**
 * Creates a local user record that references an existing LDAP object. Only
 * the username is stored; the directory is not consulted here.
 *
 * @param jsonUser request body; only {@code getUsername()} is read from it
 * @return 201 with the created user, 400 when the username is blank,
 *         409 when a user with that username already exists
 */
@PUT
@Path("ldap")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Creates a new user that references an existing LDAP object.",
        response = LdapUser.class,
        code = 201
)
@ApiResponses(value = {
        @ApiResponse(code = 400, message = "Username cannot be null or blank."),
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 409, message = "A user with the same username already exists. Cannot create new user")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response createLdapUser(LdapUser jsonUser) {
    try (QueryManager qm = new QueryManager()) {
        final String username = jsonUser.getUsername();
        if (StringUtils.isBlank(username)) {
            final Response.ResponseBuilder badRequest = Response.status(Response.Status.BAD_REQUEST);
            return badRequest.entity("Username cannot be null or blank.").build();
        }
        final LdapUser existing = qm.getLdapUser(username);
        if (existing != null) {
            final Response.ResponseBuilder conflict = Response.status(Response.Status.CONFLICT);
            return conflict.entity("A user with the same username already exists. Cannot create new user.").build();
        }
        final LdapUser created = qm.createLdapUser(username);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "LDAP user created: " + username);
        return Response.status(Response.Status.CREATED).entity(created).build();
    }
}
 
Example 12
Source File: OidcResource.java — from dependency-track (Apache License 2.0)
/**
 * Maps an OpenID Connect group to a team so that members of the group obtain
 * the team's access. Both sides are referenced by UUID in the request body and
 * are bean-validated before any lookup.
 * <p>
 * Note that, unlike the other {@code @PUT} create endpoints in this resource,
 * success is answered with 200 ({@code Response.ok}) rather than 201.
 *
 * @param request request body carrying the team UUID and the group UUID
 * @return 200 with the created mapping, 404 when the team or group is unknown,
 *         409 when the pair is already mapped
 */
@PUT
@Path("/mapping")
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Adds a mapping",
        response = MappedOidcGroup.class
)
@ApiResponses(value = {
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The UUID of the team or group could not be found"),
        @ApiResponse(code = 409, message = "A mapping with the same team and group name already exists")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response addMapping(final MappedOidcGroupRequest request) {
    final Validator validator = super.getValidator();
    failOnValidationError(
            validator.validateProperty(request, "team"),
            validator.validateProperty(request, "group")
    );

    try (QueryManager qm = new QueryManager()) {
        final Team team = qm.getObjectByUuid(Team.class, request.getTeam());
        if (team == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("A team with the specified UUID could not be found.").build();
        }
        final OidcGroup group = qm.getObjectByUuid(OidcGroup.class, request.getGroup());
        if (group == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("A group with the specified UUID could not be found.").build();
        }

        final boolean alreadyMapped = qm.isOidcGroupMapped(team, group);
        if (alreadyMapped) {
            return Response.status(Response.Status.CONFLICT).entity("A mapping for the same team and group already exists.").build();
        }
        final MappedOidcGroup created = qm.createMappedOidcGroup(team, group);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Mapping created for group " + group.getName() + " and team " + team.getName());
        return Response.ok(created).build();
    }
}
 
Example 13
Source File: OidcResource.java — from dependency-track (Apache License 2.0)
/**
 * Creates an OpenID Connect group. The {@code name} property is bean-validated
 * first; group names must be unique, so an existing name is answered with 409.
 *
 * @param jsonGroup request body; only {@code getName()} is read from it
 * @return 201 with the created group, 409 when the name is already taken
 */
@PUT
@Path("/group")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Creates group",
        response = OidcGroup.class,
        code = 201
)
@ApiResponses(value = {
        @ApiResponse(code = 401, message = "Unauthorized")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response createGroup(final OidcGroup jsonGroup) {
    final Validator validator = super.getValidator();
    failOnValidationError(
            validator.validateProperty(jsonGroup, "name")
    );

    try (QueryManager qm = new QueryManager()) {
        final String name = jsonGroup.getName();
        final boolean nameTaken = qm.getOidcGroup(name) != null;
        if (nameTaken) {
            return Response.status(Response.Status.CONFLICT).entity("A group with the same name already exists. Cannot create new group").build();
        }
        final OidcGroup created = qm.createOidcGroup(name);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Group created: " + created.getName());
        return Response.status(Response.Status.CREATED).entity(created).build();
    }
}
 
Example 14
Source File: PermissionResource.java — from dependency-track (Apache License 2.0)
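/**
 * Removes a permission from a team.
 * <p>
 * The 304 description previously read "already has the specified permission
 * assigned", which is the wording of the add endpoint; for a removal the
 * not-modified case is that the team did not hold the permission (or has no
 * permission list at all), which is what the code below actually answers.
 *
 * @param uuid UUID of the team, taken from the path
 * @param permissionName name of the permission, taken from the path
 * @return 200 with the persisted team when the permission was removed,
 *         304 when the team did not hold the permission,
 *         404 when the team or the permission cannot be found
 */
@DELETE
@Path("/{permission}/team/{uuid}")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Removes the permission from the team.",
        response = Team.class
)
@ApiResponses(value = {
        @ApiResponse(code = 304, message = "The team did not have the specified permission assigned"),
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The team could not be found")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response removePermissionFromTeam(
        @ApiParam(value = "A valid team uuid", required = true)
        @PathParam("uuid") String uuid,
        @ApiParam(value = "A valid permission", required = true)
        @PathParam("permission") String permissionName) {
    try (QueryManager qm = new QueryManager()) {
        Team team = qm.getObjectByUuid(Team.class, uuid);
        if (team == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The team could not be found.").build();
        }
        final Permission permission = qm.getPermission(permissionName);
        if (permission == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The permission could not be found.").build();
        }
        final List<Permission> permissions = team.getPermissions();
        // A null or non-matching list means there is nothing to remove: 304.
        if (permissions != null && permissions.contains(permission)) {
            permissions.remove(permission);
            team.setPermissions(permissions);
            team = qm.persist(team);
            super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Removed permission for team: " + team.getName() + " / permission: " + permission.getName());
            return Response.ok(team).build();
        }
        return Response.status(Response.Status.NOT_MODIFIED).build();
    }
}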
 
Example 15
Source File: PermissionResource.java — from dependency-track (Apache License 2.0)
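/**
 * Removes a permission from a user.
 * <p>
 * The 304 description previously read "already has the specified permission
 * assigned", which is the wording of the add endpoint; for a removal the
 * not-modified case is that the user did not hold the permission (or has no
 * permission list at all), which is what the code below actually answers.
 *
 * @param username name of the user, taken from the path
 * @param permissionName name of the permission, taken from the path
 * @return 200 with the persisted principal when the permission was removed,
 *         304 when the user did not hold the permission,
 *         404 when the user or the permission cannot be found
 */
@DELETE
@Path("/{permission}/user/{username}")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Removes the permission from the user.",
        response = UserPrincipal.class
)
@ApiResponses(value = {
        @ApiResponse(code = 304, message = "The user did not have the specified permission assigned"),
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The user could not be found")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response removePermissionFromUser(
        @ApiParam(value = "A valid username", required = true)
        @PathParam("username") String username,
        @ApiParam(value = "A valid permission", required = true)
        @PathParam("permission") String permissionName) {
    try (QueryManager qm = new QueryManager()) {
        UserPrincipal principal = qm.getUserPrincipal(username);
        if (principal == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The user could not be found.").build();
        }
        final Permission permission = qm.getPermission(permissionName);
        if (permission == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The permission could not be found.").build();
        }
        final List<Permission> permissions = principal.getPermissions();
        // A null or non-matching list means there is nothing to remove: 304.
        if (permissions != null && permissions.contains(permission)) {
            permissions.remove(permission);
            principal.setPermissions(permissions);
            principal = qm.persist(principal);
            super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Removed permission for user: " + principal.getName() + " / permission: " + permission.getName());
            return Response.ok(principal).build();
        }
        return Response.status(Response.Status.NOT_MODIFIED).build();
    }
}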
 
Example 16
Source File: PermissionResource.java — from dependency-track (Apache License 2.0)
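/**
 * Grants a permission to a user.
 * <p>
 * A principal whose permission list is {@code null} is treated as having no
 * permissions: a fresh list is created for it. Previously a {@code null} list
 * fell through to 304, so such a user could never be granted anything through
 * this endpoint.
 *
 * @param username name of the user, taken from the path
 * @param permissionName name of the permission, taken from the path
 * @return 200 with the persisted principal when the permission was added,
 *         304 when the user already held the permission,
 *         404 when the user or the permission cannot be found
 */
@POST
@Path("/{permission}/user/{username}")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Adds the permission to the specified username.",
        response = UserPrincipal.class
)
@ApiResponses(value = {
        @ApiResponse(code = 304, message = "The user already has the specified permission assigned"),
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The user could not be found")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response addPermissionToUser(
        @ApiParam(value = "A valid username", required = true)
        @PathParam("username") String username,
        @ApiParam(value = "A valid permission", required = true)
        @PathParam("permission") String permissionName) {
    try (QueryManager qm = new QueryManager()) {
        UserPrincipal principal = qm.getUserPrincipal(username);
        if (principal == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The user could not be found.").build();
        }
        final Permission permission = qm.getPermission(permissionName);
        if (permission == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The permission could not be found.").build();
        }
        // Fully qualified to avoid relying on an ArrayList import being present in this file.
        final List<Permission> permissions = principal.getPermissions() != null
                ? principal.getPermissions()
                : new java.util.ArrayList<>();
        if (permissions.contains(permission)) {
            return Response.status(Response.Status.NOT_MODIFIED).build();
        }
        permissions.add(permission);
        principal.setPermissions(permissions);
        principal = qm.persist(principal);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Added permission for user: " + principal.getName() + " / permission: " + permission.getName());
        return Response.ok(principal).build();
    }
}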
 
Example 17
Source File: UserResource.java — from dependency-track (Apache License 2.0)
/**
 * Exchanges an OpenID Connect access token for a Dependency-Track JSON Web Token.
 * <p>
 * This endpoint is reachable without authentication ({@code @AuthenticationNotRequired}).
 * Every outcome is written to the security log: an attempt while OIDC is not
 * usable (SECURITY_AUDIT), a successful login (SECURITY_SUCCESS) and a rejected
 * token (SECURITY_FAILURE). The failure entry deliberately omits the cause.
 *
 * @param accessToken the OAuth2 access token presented by the client, as a form field
 * @return 200 with the JWT as a plain-text body; 204 when OIDC is disabled or
 *         misconfigured; 403 when the account is suspended or not mapped;
 *         401 for any other authentication failure
 * @since 3.9.0
 */
@POST
@Path("oidc/login")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.TEXT_PLAIN)
@ApiOperation(
        value = "Login with OpenID Connect",
        notes = "Upon a successful login, a JSON Web Token will be returned in the response body. This functionality requires authentication to be enabled.",
        response = String.class
)
@ApiResponses(value = {
        @ApiResponse(code = 204, message = "No Content"),
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 403, message = "Forbidden")
})
@AuthenticationNotRequired
public Response validateOidcAccessToken(@ApiParam(value = "An OAuth2 access token", required = true)
                                        @FormParam("accessToken") final String accessToken) {
    final OidcAuthenticationService oidcAuth = new OidcAuthenticationService(accessToken);

    if (!oidcAuth.isSpecified()) {
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "An OpenID Connect login attempt was made, but OIDC is disabled or not properly configured");
        return Response.status(Response.Status.NO_CONTENT).build();
    }

    try (final QueryManager qm = new QueryManager()) {
        final Principal principal = oidcAuth.authenticate();
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_SUCCESS, "Successful OpenID Connect login / username: " + principal.getName());
        // Effective permissions are resolved here and baked into the token claims.
        final List<Permission> permissions = qm.getEffectivePermissions((UserPrincipal) principal);
        final JsonWebToken jwt = new JsonWebToken(KeyManager.getInstance().getSecretKey());
        final String token = jwt.createToken(principal, permissions);
        return Response.ok(token).build();
    } catch (AlpineAuthenticationException e) {
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_FAILURE, "Unauthorized OpenID Connect login attempt");
        final AlpineAuthenticationException.CauseType cause = e.getCauseType();
        final boolean forbidden = cause == AlpineAuthenticationException.CauseType.SUSPENDED
                || cause == AlpineAuthenticationException.CauseType.UNMAPPED_ACCOUNT;
        final Response.Status status = forbidden ? Response.Status.FORBIDDEN : Response.Status.UNAUTHORIZED;
        return Response.status(status).entity(cause.name()).build();
    }
}
 
Example 18
Source File: OidcResource.java — from dependency-track (Apache License 2.0)
/**
 * Renames an OpenID Connect group. The group is located by the {@code uuid}
 * in the request body and only its {@code name} is updated; both properties
 * are bean-validated before the lookup.
 *
 * @param jsonGroup request body carrying the UUID of the group and its new name
 * @return 200 with the updated group, 404 when the UUID is unknown
 */
@POST
@Path("/group")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Updates group",
        response = OidcGroup.class
)
@ApiResponses(value = {
        @ApiResponse(code = 401, message = "Unauthorized")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response updateGroup(final OidcGroup jsonGroup) {
    final Validator validator = super.getValidator();
    failOnValidationError(
            validator.validateProperty(jsonGroup, "uuid"),
            validator.validateProperty(jsonGroup, "name")
    );

    try (QueryManager qm = new QueryManager()) {
        final OidcGroup stored = qm.getObjectByUuid(OidcGroup.class, jsonGroup.getUuid());
        if (stored == null) {
            return Response.status(Response.Status.NOT_FOUND)
                    .entity("An OpenID Connect group with the specified UUID does not exists.")
                    .build();
        }
        stored.setName(jsonGroup.getName());
        final OidcGroup updated = qm.updateOidcGroup(stored);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Group updated: " + updated.getName());
        return Response.ok(updated).build();
    }
}
 
Example 19
Source File: UserResource.java — from dependency-track (Apache License 2.0)
/**
 * Creates a managed (locally stored) user. The request must carry a username,
 * full name, email and a matching password pair; the password is hashed with
 * {@code PasswordService.createHash} before it reaches the store, so the plain
 * text is never persisted.
 *
 * @param jsonUser request body with the user's details and the new password pair
 * @return 201 with the created user, 400 when a required field is missing or the
 *         passwords differ, 409 when the username is already taken
 */
@PUT
@Path("managed")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Creates a new user.",
        response = ManagedUser.class,
        code = 201
)
@ApiResponses(value = {
        @ApiResponse(code = 400, message = "Missing required field"),
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 409, message = "A user with the same username already exists. Cannot create new user")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response createManagedUser(ManagedUser jsonUser) {
    try (QueryManager qm = new QueryManager()) {
        final Response rejection = rejectIncompleteManagedUser(jsonUser);
        if (rejection != null) {
            return rejection;
        }

        final String username = jsonUser.getUsername();
        if (qm.getManagedUser(username) != null) {
            return Response.status(Response.Status.CONFLICT).entity("A user with the same username already exists. Cannot create new user.").build();
        }
        final String passwordHash = String.valueOf(PasswordService.createHash(jsonUser.getNewPassword().toCharArray()));
        final ManagedUser created = qm.createManagedUser(username, jsonUser.getFullname(), jsonUser.getEmail(),
                passwordHash, jsonUser.isForcePasswordChange(), jsonUser.isNonExpiryPassword(), jsonUser.isSuspended());
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Managed user created: " + username);
        return Response.status(Response.Status.CREATED).entity(created).build();
    }
}

/**
 * Checks the required fields of a user-creation request in order: username,
 * full name, email, presence of both password fields, equality of the pair.
 *
 * @param jsonUser the request body to check
 * @return a 400 response describing the first missing or inconsistent field,
 *         or {@code null} when the request is complete
 */
private static Response rejectIncompleteManagedUser(final ManagedUser jsonUser) {
    final Response.ResponseBuilder badRequest = Response.status(Response.Status.BAD_REQUEST);
    if (StringUtils.isBlank(jsonUser.getUsername())) {
        return badRequest.entity("Username cannot be null or blank.").build();
    }
    if (StringUtils.isBlank(jsonUser.getFullname())) {
        return badRequest.entity("The users full name is missing.").build();
    }
    if (StringUtils.isBlank(jsonUser.getEmail())) {
        return badRequest.entity("The users email address is missing.").build();
    }
    final String newPassword = jsonUser.getNewPassword();
    final String confirmPassword = jsonUser.getConfirmPassword();
    if (StringUtils.isBlank(newPassword) || StringUtils.isBlank(confirmPassword)) {
        return badRequest.entity("A password must be set.").build();
    }
    if (!newPassword.equals(confirmPassword)) {
        return badRequest.entity("The passwords do not match.").build();
    }
    return null;
}
 
Example 20
Source File: UserResource.java — from dependency-track (Apache License 2.0)
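/**
 * Updates a managed (locally stored) user identified by the username in the
 * request body.
 * <p>
 * A password change is requested by sending {@code newPassword} and
 * {@code confirmPassword}. When either is present the pair must be complete
 * and equal, otherwise the request is rejected with 400 — previously a
 * mismatched or half-filled pair was silently ignored and the old password
 * kept, leaving the caller to believe the change had been applied. The new
 * password is hashed with {@code PasswordService.createHash} before storage.
 *
 * @param jsonUser request body with the username, the fields to apply and an
 *                 optional new password pair
 * @return 200 with the updated user, 400 when a required field is missing or
 *         the password pair is inconsistent, 404 when the username is unknown
 */
@POST
@Path("managed")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
@ApiOperation(
        value = "Updates a managed user.",
        response = ManagedUser.class
)
@ApiResponses(value = {
        @ApiResponse(code = 400, message = "Missing required field"),
        @ApiResponse(code = 401, message = "Unauthorized"),
        @ApiResponse(code = 404, message = "The user could not be found")
})
@PermissionRequired(Permissions.Constants.ACCESS_MANAGEMENT)
public Response updateManagedUser(ManagedUser jsonUser) {
    try (QueryManager qm = new QueryManager()) {
        ManagedUser user = qm.getManagedUser(jsonUser.getUsername());
        if (user == null) {
            return Response.status(Response.Status.NOT_FOUND).entity("The user could not be found.").build();
        }
        if (StringUtils.isBlank(jsonUser.getFullname())) {
            return Response.status(Response.Status.BAD_REQUEST).entity("The users full name is missing.").build();
        }
        if (StringUtils.isBlank(jsonUser.getEmail())) {
            return Response.status(Response.Status.BAD_REQUEST).entity("The users email address is missing.").build();
        }

        final String newPassword = jsonUser.getNewPassword();
        final String confirmPassword = jsonUser.getConfirmPassword();
        final boolean passwordChangeRequested = StringUtils.isNotBlank(newPassword) || StringUtils.isNotBlank(confirmPassword);
        if (passwordChangeRequested) {
            // Reject an incomplete or mismatched pair instead of silently keeping the old password.
            if (StringUtils.isBlank(newPassword) || !newPassword.equals(confirmPassword)) {
                return Response.status(Response.Status.BAD_REQUEST).entity("The passwords do not match.").build();
            }
            user.setPassword(String.valueOf(PasswordService.createHash(newPassword.toCharArray())));
        }

        user.setFullname(jsonUser.getFullname());
        user.setEmail(jsonUser.getEmail());
        user.setForcePasswordChange(jsonUser.isForcePasswordChange());
        user.setNonExpiryPassword(jsonUser.isNonExpiryPassword());
        user.setSuspended(jsonUser.isSuspended());
        user = qm.updateManagedUser(user);
        super.logSecurityEvent(LOGGER, SecurityMarkers.SECURITY_AUDIT, "Managed user updated: " + jsonUser.getUsername());
        return Response.ok(user).build();
    }
}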