Sat, 30 Dec 2017 20:41:55 +0100
adds getter for the database facade to the abstract servlet
16 | 1 | /* |
2 | * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER. | |
3 | * | |
4 | * Copyright 2017 Mike Becker. All rights reserved. | |
5 | * | |
6 | * Redistribution and use in source and binary forms, with or without | |
7 | * modification, are permitted provided that the following conditions are met: | |
8 | * | |
9 | * 1. Redistributions of source code must retain the above copyright | |
10 | * notice, this list of conditions and the following disclaimer. | |
11 | * | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | |
15 | * | |
16 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | |
17 | * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE | |
20 | * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | |
21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | |
22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | |
23 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | |
24 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | |
25 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | |
26 | * POSSIBILITY OF SUCH DAMAGE. | |
27 | * | |
28 | */ | |
29 | package de.uapcore.lightpit; | |
30 | ||
31 | import java.sql.Connection; | |
32 | import java.sql.DatabaseMetaData; | |
33 | import java.sql.SQLException; | |
34 | import java.util.Optional; | |
35 | import javax.naming.Context; | |
36 | import javax.naming.InitialContext; | |
37 | import javax.naming.NamingException; | |
38 | import javax.servlet.ServletContext; | |
39 | import javax.servlet.ServletContextEvent; | |
40 | import javax.servlet.ServletContextListener; | |
41 | import javax.servlet.annotation.WebListener; | |
42 | import javax.sql.DataSource; | |
43 | import org.slf4j.Logger; | |
44 | import org.slf4j.LoggerFactory; | |
45 | ||
46 | /** | |
47 | * Provides access to different privilege layers within the database. | |
48 | */ | |
49 | @WebListener | |
50 | public final class DatabaseFacade implements ServletContextListener { | |
51 | ||
52 | private static final Logger LOG = LoggerFactory.getLogger(DatabaseFacade.class); | |
53 | ||
54 | /** | |
55 | * Timeout in seconds for the validation test. | |
56 | */ | |
57 | private static final int DB_TEST_TIMEOUT = 10; | |
58 | ||
59 | /** | |
60 | * The default schema to test against when validating the connection. | |
61 | * | |
62 | * May be overridden by context parameter. | |
63 | */ | |
64 | private static final String DB_DEFAULT_SCHEMA = "lightpit"; | |
65 | ||
66 | /** | |
67 | * The attribute name in the servlet context under which an instance of this class can be found. | |
68 | */ | |
69 | public static final String SC_ATTR_NAME = DatabaseFacade.class.getName(); | |
70 | private ServletContext sc; | |
71 | ||
72 | private static final String PRIVILEGED_DS_JNDI_NAME = "jdbc/lightpit/dbo"; | |
73 | private Optional<DataSource> privilegedDataSource; | |
74 | ||
75 | private static final String UNPRIVILEGED_DS_JNDI_NAME = "jdbc/lightpit/app"; | |
76 | private Optional<DataSource> unprivilegedDataSource; | |
77 | ||
78 | ||
79 | /** | |
80 | * Returns an optional privileged data source. | |
81 | * | |
82 | * Privileged data sources should be able to execute any kind of DDL | |
83 | * statements to perform installation or configuration steps. | |
84 | * | |
85 | * This optional should always be empty in live operation. Modules which | |
86 | * provide installation or configuration steps MUST check the presence of | |
87 | * a privileged data source and SHOULD display an informative message if | |
88 | * it is currently disabled. | |
89 | * | |
90 | * @return an optional privileged data source | |
91 | */ | |
92 | public Optional<DataSource> getPrivilegedDataSource() { | |
93 | return privilegedDataSource; | |
94 | } | |
95 | ||
96 | /** | |
97 | * Returns an optional unprivileged data source. | |
98 | * | |
99 | * The Optional returned should never be empty. However, if something goes | |
100 | * wrong during initialization, the data source might be absent. | |
101 | * Hence, users of this data source are forced to check the existence. | |
102 | * | |
103 | * @return an optional unprivileged data source | |
104 | */ | |
105 | public Optional<DataSource> getUnprivilegedDataSource() { | |
106 | return unprivilegedDataSource; | |
107 | } | |
108 | ||
109 | /** | |
110 | * Returns the JNDI resource name of the privileged data source. | |
111 | * | |
112 | * Modules may use this information to provide useful information to the user. | |
113 | * | |
114 | * @return the JNDI resource name of the privileged data source | |
115 | */ | |
116 | public String getPrivilegedDataSourceJNDIName() { | |
117 | return PRIVILEGED_DS_JNDI_NAME; | |
118 | } | |
119 | ||
120 | /** | |
121 | * Returns the JNDI resource name of the unprivileged data source. | |
122 | * | |
123 | * Modules may use this information to provide useful information to the user. | |
124 | * | |
125 | * @return the JNDI resource name of the unprivileged data source | |
126 | */ | |
127 | public String getUnprivilegedDataSourceJNDIName() { | |
128 | return UNPRIVILEGED_DS_JNDI_NAME; | |
129 | } | |
130 | ||
131 | private static void checkConnection(DataSource ds, String testSchema, String errMsg) { | |
132 | try (Connection conn = ds.getConnection()) { | |
133 | if (!conn.isValid(DB_TEST_TIMEOUT)) { | |
134 | throw new SQLException("Validation check failed."); | |
135 | } | |
136 | if (conn.isReadOnly()) { | |
137 | throw new SQLException("Connection is read-only and thus unusable."); | |
138 | } | |
139 | if (!conn.getSchema().equals(testSchema)) { | |
140 | throw new SQLException(String.format("Connection is not configured to use the schema %s.", testSchema)); | |
141 | } | |
142 | DatabaseMetaData metaData = conn.getMetaData(); | |
143 | LOG.info("Connections as {} to {}/{} ready to go.", metaData.getUserName(), metaData.getURL(), conn.getSchema()); | |
144 | } catch (SQLException ex) { | |
145 | LOG.error(errMsg, ex); | |
146 | } | |
147 | } | |
148 | ||
149 | private static Optional<DataSource> retrievePrivilegedDataSource(Context ctx) { | |
150 | DataSource ret = null; | |
151 | try { | |
152 | ret = (DataSource)ctx.lookup(PRIVILEGED_DS_JNDI_NAME); | |
153 | LOG.info("Privileged data source {} retrieved from context.", PRIVILEGED_DS_JNDI_NAME); | |
154 | LOG.warn("Your application may be vulnerable due to privileged database access. Make sure that privileged data sources are only available during installation or configuration."); | |
155 | } catch (NamingException ex) { | |
156 | LOG.info("Privileged data source not available. This is perfectly OK. Activate only, if you need to do installation or configuration."); | |
157 | /* in case the absence of the DataSource is not intended, log something more useful on debug level */ | |
158 | LOG.debug("Reason for the missing data source: ", ex); | |
159 | } | |
160 | return Optional.ofNullable(ret); | |
161 | } | |
162 | ||
163 | private static Optional<DataSource> retrieveUnprivilegedDataSource(Context ctx) { | |
164 | DataSource ret = null; | |
165 | try { | |
166 | ret = (DataSource)ctx.lookup(UNPRIVILEGED_DS_JNDI_NAME); | |
167 | LOG.info("Unprivileged data source retrieved."); | |
168 | } catch (NamingException ex) { | |
169 | LOG.error("Unprivileged data source {} not available.", UNPRIVILEGED_DS_JNDI_NAME); | |
170 | /* for the unprivileged DataSource log the exception on error level (ordinary admins could find this useful) */ | |
171 | LOG.error("Reason for the missing data source: ", ex); | |
172 | } | |
173 | return Optional.ofNullable(ret); | |
174 | } | |
175 | ||
176 | @Override | |
177 | public void contextInitialized(ServletContextEvent sce) { | |
178 | sc = sce.getServletContext(); | |
179 | ||
180 | privilegedDataSource = unprivilegedDataSource = null; | |
181 | ||
182 | final String contextName = Optional | |
183 | .ofNullable(sc.getInitParameter(Constants.CTX_ATTR_JNDI_CONTEXT)) | |
184 | .orElse("java:comp/env"); | |
185 | final String dbSchema = Optional | |
186 | .ofNullable(sc.getInitParameter(Constants.CTX_ATTR_DB_SCHEMA)) | |
187 | .orElse(DB_DEFAULT_SCHEMA); | |
188 | ||
189 | try { | |
190 | LOG.debug("Trying to access JNDI context {}...", contextName); | |
191 | Context initialCtx = new InitialContext(); | |
192 | Context ctx = (Context) initialCtx.lookup(contextName); | |
193 | ||
194 | privilegedDataSource = retrievePrivilegedDataSource(ctx); | |
195 | unprivilegedDataSource = retrieveUnprivilegedDataSource(ctx); | |
196 | ||
197 | privilegedDataSource.ifPresent((ds) -> checkConnection(ds, dbSchema, "Checking privileged connection failed")); | |
198 | unprivilegedDataSource.ifPresent((ds) -> checkConnection(ds, dbSchema, "Checking unprivileged connection failed")); | |
199 | } catch (NamingException | ClassCastException ex) { | |
200 | LOG.error("Cannot access JNDI resources.", ex); | |
201 | } | |
202 | ||
203 | sc.setAttribute(SC_ATTR_NAME, this); | |
204 | LOG.info("Database facade injected into ServletContext."); | |
205 | } | |
206 | ||
207 | @Override | |
208 | public void contextDestroyed(ServletContextEvent sce) { | |
209 | privilegedDataSource = unprivilegedDataSource = null; | |
210 | } | |
211 | } |