
Commit fc77a92

committed
v2.05.02
Added access check when users access systems
1 parent f890a2a commit fc77a92

3 files changed

Lines changed: 89 additions & 34 deletions


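--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@
 <modelVersion>4.0.0</modelVersion>
 <groupId>com.keybox</groupId>
 <artifactId>keybox</artifactId>
-<version>2.05.01</version>
+<version>2.05.02</version>
 <packaging>war</packaging>
 <name>KeyBox</name>
 <properties>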

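--- a/src/main/java/com/keybox/manage/action/SecureShellAction.java
+++ b/src/main/java/com/keybox/manage/action/SecureShellAction.java
@@ -174,6 +174,10 @@ public String selectSystemsForCompositeTerms() {
 //exit any previous terms
 exitTerms();
 if (systemSelectId != null && !systemSelectId.isEmpty()) {
+//check to see if user has perms to access selected systems
+if (!Auth.MANAGER.equals(AuthUtil.getUserType(servletRequest.getSession()))) {
+systemSelectId = SystemDB.checkSystemPerms(systemSelectId, userId);
+}
 
 SystemStatusDB.setInitialSystemStatus(systemSelectId, userId);
 pendingSystemStatus = SystemStatusDB.getNextPendingSystem(userId);
@@ -304,9 +308,13 @@ public static void setUserSchSessionMap(Map<Long, UserSchSessions> userSchSessio
 SecureShellAction.userSchSessionMap = userSchSessionMap;
 }
 
-public String getTerminalRefreshRate() { return terminalRefreshRate; }
+public String getTerminalRefreshRate() {
+return terminalRefreshRate;
+}
 
-public void setTerminalRefreshRate(String terminalRefreshRate) { this.terminalRefreshRate = terminalRefreshRate; }
+public void setTerminalRefreshRate(String terminalRefreshRate) {
+this.terminalRefreshRate = terminalRefreshRate;
+}
 }
 
 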
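--- a/src/main/java/com/keybox/manage/db/SystemDB.java
+++ b/src/main/java/com/keybox/manage/db/SystemDB.java
@@ -31,33 +31,34 @@
 */
 public class SystemDB {
 
-public static final String SORT_BY_NAME="display_nm";
-public static final String SORT_BY_USER="user";
-public static final String SORT_BY_HOST="host";
-public static final String SORT_BY_STATUS="status_cd";
+public static final String SORT_BY_NAME = "display_nm";
+public static final String SORT_BY_USER = "user";
+public static final String SORT_BY_HOST = "host";
+public static final String SORT_BY_STATUS = "status_cd";
 
 
 /**
 * method to do order by based on the sorted set object for systems for user
+*
 * @param sortedSet sorted set object
-* @param userId user id
+* @param userId user id
 * @return sortedSet with list of host systems
 */
-public static SortedSet getUserSystemSet(SortedSet sortedSet, Long userId){
+public static SortedSet getUserSystemSet(SortedSet sortedSet, Long userId) {
 List<HostSystem> hostSystemList = new ArrayList<HostSystem>();
 
-String orderBy="";
-if(sortedSet.getOrderByField()!=null && !sortedSet.getOrderByField().trim().equals("")){
-orderBy="order by " + sortedSet.getOrderByField()+ " " + sortedSet.getOrderByDirection();
+String orderBy = "";
+if (sortedSet.getOrderByField() != null && !sortedSet.getOrderByField().trim().equals("")) {
+orderBy = "order by " + sortedSet.getOrderByField() + " " + sortedSet.getOrderByDirection();
 }
-String sql="select * from system where id in (select distinct system_id from system_map m, user_map um where m.profile_id=um.profile_id and um.user_id=?) "+orderBy;
+String sql = "select * from system where id in (select distinct system_id from system_map m, user_map um where m.profile_id=um.profile_id and um.user_id=?) " + orderBy;
 
 //get user for auth token
-Connection con=null;
+Connection con = null;
 try {
-con=DBUtils.getConn();
+con = DBUtils.getConn();
 PreparedStatement stmt = con.prepareStatement(sql);
-stmt.setLong(1,userId);
+stmt.setLong(1, userId);
 ResultSet rs = stmt.executeQuery();
 
 while (rs.next()) {
@@ -88,21 +89,22 @@ public static SortedSet getUserSystemSet(SortedSet sortedSet, Long userId){
 
 /**
 * method to do order by based on the sorted set object for systems
+*
 * @param sortedSet sorted set object
 * @return sortedSet with list of host systems
 */
-public static SortedSet getSystemSet(SortedSet sortedSet){
+public static SortedSet getSystemSet(SortedSet sortedSet) {
 List<HostSystem> hostSystemList = new ArrayList<HostSystem>();
 
-String orderBy="";
-if(sortedSet.getOrderByField()!=null && !sortedSet.getOrderByField().trim().equals("")){
-orderBy="order by " + sortedSet.getOrderByField()+ " " + sortedSet.getOrderByDirection();
+String orderBy = "";
+if (sortedSet.getOrderByField() != null && !sortedSet.getOrderByField().trim().equals("")) {
+orderBy = "order by " + sortedSet.getOrderByField() + " " + sortedSet.getOrderByDirection();
 }
-String sql="select * from system "+ orderBy;
+String sql = "select * from system " + orderBy;
 
-Connection con=null;
+Connection con = null;
 try {
-con=DBUtils.getConn();
+con = DBUtils.getConn();
 PreparedStatement stmt = con.prepareStatement(sql);
 ResultSet rs = stmt.executeQuery();
 
@@ -132,9 +134,9 @@ public static SortedSet getSystemSet(SortedSet sortedSet){
 }
 
 
-
 /**
 * returns system by id
+*
 * @param id system id
 * @return system
 */
@@ -162,8 +164,9 @@ public static HostSystem getSystem(Long id) {
 
 /**
 * returns system by id
+*
 * @param con DB connection
-* @param id system id
+* @param id system id
 * @return system
 */
 public static HostSystem getSystem(Connection con, Long id) {
@@ -201,6 +204,7 @@ public static HostSystem getSystem(Connection con, Long id) {
 
 /**
 * inserts host system into DB
+*
 * @param hostSystem host system object
 * @return user id
 */
@@ -209,10 +213,10 @@ public static Long insertSystem(HostSystem hostSystem) {
 
 Connection con = null;
 
-Long userId=null;
+Long userId = null;
 try {
 con = DBUtils.getConn();
-PreparedStatement stmt = con.prepareStatement("insert into system (display_nm, user, host, port, authorized_keys, status_cd) values (?,?,?,?,?,?)",PreparedStatement.RETURN_GENERATED_KEYS );
+PreparedStatement stmt = con.prepareStatement("insert into system (display_nm, user, host, port, authorized_keys, status_cd) values (?,?,?,?,?,?)", PreparedStatement.RETURN_GENERATED_KEYS);
 stmt.setString(1, hostSystem.getDisplayNm());
 stmt.setString(2, hostSystem.getUser());
 stmt.setString(3, hostSystem.getHost());
@@ -221,9 +225,9 @@ public static Long insertSystem(HostSystem hostSystem) {
 stmt.setString(6, hostSystem.getStatusCd());
 stmt.execute();
 
-ResultSet rs =stmt.getGeneratedKeys();
-if(rs.next()){
-userId=rs.getLong(1);
+ResultSet rs = stmt.getGeneratedKeys();
+if (rs.next()) {
+userId = rs.getLong(1);
 }
 DBUtils.closeStmt(stmt);
 
@@ -237,6 +241,7 @@ public static Long insertSystem(HostSystem hostSystem) {
 
 /**
 * updates host system record
+*
 * @param hostSystem host system object
 */
 public static void updateSystem(HostSystem hostSystem) {
@@ -267,6 +272,7 @@ public static void updateSystem(HostSystem hostSystem) {
 
 /**
 * deletes host system
+*
 * @param hostSystemId host system id
 */
 public static void deleteSystem(Long hostSystemId) {
@@ -319,17 +325,15 @@ public static List<HostSystem> getSystems(List<Long> systemIdList) {
 }
 
 
-
 /**
 * returns all system ids
+*
 * @param con DB connection
-* @param id system id
 * @return system
 */
 public static List<Long> getAllSystemIds(Connection con) {
 
-List<Long> systemIdList= new ArrayList<Long>();
-
+List<Long> systemIdList = new ArrayList<Long>();
 
 
 try {
@@ -351,4 +355,47 @@ public static List<Long> getAllSystemIds(Connection con) {
 
 }
 
+
+/**
+* method to check system permissions for user
+*
+* @param systemSelectIdList list of system ids to check
+* @param userId user id
+* @return only system ids that user has perms for
+*/
+public static List<Long> checkSystemPerms(List<Long> systemSelectIdList, Long userId) {
+
+List<Long> systemIdList = new ArrayList<Long>();
+if (systemSelectIdList != null && !systemSelectIdList.isEmpty()) {
+
+
+//get user for auth token
+Connection con = null;
+try {
+con = DBUtils.getConn();
+String sql = "select * from system where id in (select distinct system_id from system_map m, user_map um where m.profile_id=um.profile_id and um.user_id=?) ";
+PreparedStatement stmt = con.prepareStatement(sql);
+stmt.setLong(1, userId);
+ResultSet rs = stmt.executeQuery();
+
+while (rs.next()) {
+Long systemId = rs.getLong("id");
+if (systemSelectIdList.contains(systemId)) {
+systemIdList.add(systemId);
+}
+}
+DBUtils.closeRs(rs);
+DBUtils.closeStmt(stmt);
+
+} catch (Exception e) {
+e.printStackTrace();
+}
+DBUtils.closeConn(con);
+
+}
+
+return systemIdList;
+
+}
+
 }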
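Review bot: In the new `checkSystemPerms` the `ResultSet` and `PreparedStatement` are closed only on the success path; if `executeQuery()` or `rs.next()` throws, both leak while `DBUtils.closeConn(con)` still runs, and the failure is reduced to `printStackTrace()`. The empty list returned on any failure does fail closed, which is the right default for an authorization filter, but that intent deserves an explicit comment and a real log entry rather than stderr, since a DB outage here will look to the user like a permissions problem. `systemSelectIdList.contains(systemId)` inside the loop is a linear scan per row, and `select *` pulls every column of every permitted system when only `id` is read; a `HashSet` copy of the request and `select id` fix both without changing results. The rewrite below keeps the signature; it needs `java.util.Set`/`java.util.HashSet` imported (the file's import block is outside the hunk) and assumes `DBUtils.closeRs`/`closeStmt` tolerate null, as `closeConn` already must because `con` is still null when `getConn()` throws. Separately, `getUserSystemSet` and `getSystemSet` on the new side still build `order by` by concatenating `sortedSet.getOrderByField()` and `getOrderByDirection()` into the SQL; the `SORT_BY_*` constants suggest an allowlist exists upstream, but nothing in this file enforces one, so that should be confirmed at the call sites.
```java
public static List<Long> checkSystemPerms(List<Long> systemSelectIdList, Long userId) {
    List<Long> systemIdList = new ArrayList<Long>();
    if (systemSelectIdList == null || systemSelectIdList.isEmpty()) {
        return systemIdList;
    }
    // constant-time membership instead of List.contains per row
    Set<Long> requested = new HashSet<Long>(systemSelectIdList);

    Connection con = null;
    PreparedStatement stmt = null;
    ResultSet rs = null;
    try {
        con = DBUtils.getConn();
        stmt = con.prepareStatement("select id from system where id in (select distinct system_id from system_map m, user_map um where m.profile_id=um.profile_id and um.user_id=?)");
        stmt.setLong(1, userId);
        rs = stmt.executeQuery();
        while (rs.next()) {
            Long systemId = rs.getLong("id");
            if (requested.contains(systemId)) {
                systemIdList.add(systemId);
            }
        }
    } catch (Exception e) {
        // fail closed: any error yields an empty list, i.e. no systems are granted
        e.printStackTrace();
    } finally {
        DBUtils.closeRs(rs);
        DBUtils.closeStmt(stmt);
        DBUtils.closeConn(con);
    }
    return systemIdList;
}
```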
