AuthorizableNodeNameHealthCheck.java
/*
* Decompiled with CFR 0_118.
*
* Could not load the following classes:
* org.apache.felix.scr.annotations.Activate
* org.apache.felix.scr.annotations.Component
* org.apache.felix.scr.annotations.Properties
* org.apache.felix.scr.annotations.Property
* org.apache.felix.scr.annotations.PropertyUnbounded
* org.apache.felix.scr.annotations.Reference
* org.apache.felix.scr.annotations.Service
* org.apache.jackrabbit.oak.spi.security.ConfigurationParameters
* org.apache.jackrabbit.oak.spi.security.user.AuthorizableNodeName
* org.apache.jackrabbit.oak.spi.security.user.UserConfiguration
* org.apache.sling.hc.api.HealthCheck
* org.apache.sling.hc.api.Result
* org.apache.sling.hc.api.ResultLog
* org.apache.sling.hc.util.FormattingResultLog
*/
package com.adobe.granite.repository.hc.impl;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableNodeName;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.sling.hc.api.HealthCheck;
import org.apache.sling.hc.api.Result;
import org.apache.sling.hc.api.ResultLog;
import org.apache.sling.hc.util.FormattingResultLog;
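/**
 * Sling health check that reports whether the configured {@link AuthorizableNodeName}
 * implementation places the authorizable ID into the generated node name.
 *
 * <p>The check is registered with the tags {@code security} and {@code production} and
 * the MBean name {@code authorizableNodeName}. It reads the {@code authorizableNodeName}
 * parameter from the bound {@link UserConfiguration}, falling back to
 * {@link AuthorizableNodeName#DEFAULT} when none is configured.
 *
 * <p><b>Limits of the check.</b> The verdict is a heuristic: a single fixed probe ID is
 * passed to the generator and the result is searched for that exact, case-sensitive
 * substring. A generator that changes case, encodes or otherwise reversibly transforms the
 * ID passes this check while the ID may still be recoverable from the node name. A passing
 * result should therefore be confirmed by reviewing the configured implementation.
 *
 * <p>NOTE(review): this listing is decompiler output. Boolean annotation attributes were
 * emitted as {@code 1} and have been restored to {@code true} so the class compiles.
 */
@Component(metatype=true, label="Adobe Granite Authorizable Node Name Health Check", description="This health check verifies if the default node name generation for user/group nodes has been replace in order to avoid exposing the authorizable ID in the node name and path.")
@Properties(value={
    @Property(name="hc.name", value={"Authorizable Node Name Generation"}, propertyPrivate=true),
    @Property(name="hc.tags", unbounded=PropertyUnbounded.ARRAY, value={"security", "production"}, label="Tags", description="Tags for this check to be used by composite health checks."),
    @Property(name="hc.mbean.name", value={"authorizableNodeName"}, propertyPrivate=true)
})
@Service(value={HealthCheck.class})
public class AuthorizableNodeNameHealthCheck
implements HealthCheck {
    // Injected through bindUserConfiguration / cleared through unbindUserConfiguration.
    @Reference
    UserConfiguration userConfiguration;

    /** Activation hook; intentionally empty because the check keeps no state of its own. */
    @Activate
    protected void activate() {
    }

    /**
     * Runs the check against the currently bound {@link UserConfiguration}.
     *
     * <p>Logs two warnings when the generated node name contains the probe ID, a debug
     * entry when it does not, and a single warning when no configuration is bound and
     * the implementation therefore cannot be inspected.
     *
     * @return a {@link Result} wrapping the log entries written during this run
     */
    @Override
    public Result execute() {
        FormattingResultLog resultLog = new FormattingResultLog();

        // Read the field once: unbindUserConfiguration can null it, so a second read
        // after the null test is not guaranteed to see the same value.
        UserConfiguration configuration = this.userConfiguration;
        if (configuration == null) {
            // "Cannot verify" is reported as a warning rather than silently passing.
            resultLog.warn("Unable to verify AuthorizableNodeName implementation; UserConfiguration is missing.");
            return new Result(resultLog);
        }

        ConfigurationParameters params = configuration.getParameters();
        AuthorizableNodeName nnGenerator = params.getConfigValue("authorizableNodeName", AuthorizableNodeName.DEFAULT, AuthorizableNodeName.class);

        // Fixed probe value; only an exact substring match counts as exposure.
        final String probeId = "userid";
        if (nnGenerator.generateNodeName(probeId).contains(probeId)) {
            resultLog.warn("AuthorizableNodeName implementation exposes authorizable ID in the node name/path.");
            resultLog.warn("Please enable 'RandomAuthorizableNodeName' or provide your custom implementation. See security checklist for details.");
        } else {
            // Logged at debug level only, so a pass leaves no warning in the result log.
            resultLog.debug("AuthorizableNodeName implementation doesn't expose authorizable ID.");
        }
        return new Result(resultLog);
    }

    /**
     * Stores the {@link UserConfiguration} reference.
     *
     * @param userConfiguration the configuration to inspect on the next {@link #execute()}
     */
    protected void bindUserConfiguration(UserConfiguration userConfiguration) {
        this.userConfiguration = userConfiguration;
    }

    /**
     * Clears the stored reference, but only if it is the instance being unbound.
     *
     * @param userConfiguration the configuration that is going away
     */
    protected void unbindUserConfiguration(UserConfiguration userConfiguration) {
        // Identity comparison: a different instance bound in the meantime is kept.
        if (this.userConfiguration == userConfiguration) {
            this.userConfiguration = null;
        }
    }
}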