/ - Diff - Metacat - Ecoinformatics Redmine

« Previous | Next »

Revision 9551

Added by Chris Jones over 8 years ago

Validate the session during the modification stage, rather than just assuming a CGI session (support tokens too).

Also, fix the XML document validation issue where an <additionalParty> element is added prior to the <metadataProvider> element. This seems to be an intermittent issue, and may be due to more recent versions of perl returning hash contents more randomly than previous versions. The %orig hash passed in to personnelList() is assumed to be random now, and I just ensured the metadataProvider is first in the produced string.

https://github.nceas.ucsb.edu/KNB/arctic-data/issues/59
refs https://github.nceas.ucsb.edu/KNB/arctic-data/issues/42

     my $der_file_path = "/tmp/server.der";
     # Signing certificate file name is based on the CN environment
     if ( $cnUrl && $tempDir ) {
     if ( $cnUrl && $tempDir ) {
         my @parts = split(/\//, $cnUrl);
         $cn = $parts[2];
         $pem_file_path = $tempDir . "/" . $cn . ".pem";
         $der_file_path = $tempDir . "/" . $cn . ".der";
         $der_file_path = $tempDir . "/" . $cn . ".der";
+    }
     # url configuration
-...
+    	}
     	$template->process( $templates->{'login'}, $templateVars );
     	exit();
+    }
     elsif ( $FORM::stage =~ "logout" ) {
-...
     	#debug("in modify stage");
     	# Modification of a file has been requested.
     	# check if the user is logged in...
     	my $session = CGI::Session->load() or die CGI::Session->errstr();
     	if ( $session->is_empty ) {
     	if ( !validateSession() ) {
     		# no session found ... redirect to login page template
     		$$templateVars{'message'} = 'You must login to modify your dataset.';
     		$$templateVars{'message'} = 'Please login to modify your dataset.';
     		$template->process( $templates->{'login'}, $templateVars );
+    	}
     	else {
-...
     		# no session found ... redirect to login page template
     		$$templateVars{'showInstructions'} = 'true';
     		$$templateVars{'message'} = 'You must login to register your dataset.';
     		$$templateVars{'message'} = 'Please login to register your dataset.';
     		$template->process( $templates->{'login'}, $templateVars );
+    	}
     	else {
-...
         	my ( $username, $password ) = getCredentials();
         	$response = $metacat->login( $username, $password );
         	my $errorMessage = "";
+        }
     	# Parameters have been validated and Create the XML document
     	my $xmldoc = createXMLDocument();
     	my $xmldocWithDocID = $xmldoc;
     	my $errorMessage    = "";
-...
     			# document is being inserted
     			my $docStatus = "INCOMPLETE";
     			while ($docStatus eq "INCOMPLETE") {
                     #Create the docid
                     $docid = newDocid($scope, $metacat);
                     $xmldocWithDocID =~ s/docid/$docid/;
                     debugDoc($xmldocWithDocID);
                     $docStatus = insertMetadata( $xmldocWithDocID, $docid );
+    			}
                 if ( $docStatus ne "SUCCESS" ) {
                     debug("NO SUCCESS");
                     debug("Message is: $docStatus");
                     push( @errorMessages, $docStatus );
+                }
                 else{
                     deleteRemovedData();
+                }
+    		}
     		else {
     			debug("The form has an existing docid: " . $FORM::docid);
-...
     		modSendNotification( $title, $contactEmailAddress, $contactName,
     			"Document $docid review pending" );
+    	}
+    }
     if ( scalar(@errorMessages) ) {
-...
     # checks metacat using newAccessionNumber
     ################################################################################
     sub newDocid {
         my $scope   = shift;
         my $metacat = shift;
         my $scopeFound = 0;
         #Lock a local file while we are creating a new docid
         my $lockFilePath = "docids.lock";
         open(LOCK, ">$lockFilePath");
         flock(LOCK, LOCK_EX);
         my $lastdocid = newAccessionNumber($scope, $metacat);
         #Extract the docid number from the docid
         my @line = split(/\./, $lastdocid);
         my $num = $line[1];
         my $docidsFilePath    = $tempDir."/docids.txt";
         my $docidsFilePathNew = $tempDir."/docids.txt.new";
         #Open/create a local file while we are creating a new docid
         open my $docidsFile,  '+<',  $docidsFilePath;
         open my $docidsNewFile, '>', $docidsFilePathNew;
         #Read each docid scope,num in the file
         while( <$docidsFile> ) {
             my @line = split /,/;
             my $currentScope = $line[0];
             if($currentScope eq $scope){
                 my $docidNum = $line[1] + 1;
                 if($num > $docidNum){
                   $docid = "$scope.$num.1";
                   print $docidsNewFile "$scope,$num \n";
-...
                 print $docidsNewFile $_;
+            }
+        }
         #If this scope is not in the local docid store then add it
         if(!$scopeFound){
             #Add to the local file
             print $docidsNewFile "$scope,$num \n";
+        }
         #Close the file and replace the old docids file with this new one
         close $docidsNewFile;
         close $docidsFile;
         move($docidsFilePathNew, $docidsFilePath);
         close LOCK;
         return $docid;
+    }
-...
     	  unless hasContent($FORM::providerSurName);
     	push( @invalidParams, "Dataset title is missing." )
     	  unless hasContent($FORM::title);
     	if ( $show->{'siteList'} eq 'true' ) {
     	if ( $show->{'siteList'} eq 'true' ) {
     		push( @invalidParams, ucfirst( $config->{'site'} ) . " name is missing." )
     		  unless ( ( hasContent($FORM::site) && !( $FORM::site =~ /^Select/ ) )
     			|| $skinName eq "nceas" );
-...
     	if ( $fileHash =~ /ondisk/ ) {
     		( $docid, $fileHash ) = datafileInfo($fileHash);
     		$outFile = $dataDir . "/" . $docid;
+    	}
     	else {
     		# normalize input filenames; Windows filenames include full paths
     		$cleanName =~ s/.*[\/\\](.*)/$1/;
     		$outFile = $tempDir . "/" . $cleanName;
     		$outFile = $tempDir . "/" . $cleanName;
+    	}
     	debug("Reading file from disk: $outFile");
     	my $fileSize = stat($outFile)->size;
     	if ( $fileSize == 0 ) {
     		push( @errorMessages, "file $fileName is zero bytes!" );
     		debug("File $fileName is zero bytes!");
+    	}
     	# Now the file is on disk, send the object to Metacat
     	if ( ! validateSession() ) {
     		push( @errorMessages, "Must be logged in to upload files." );
-...
     	# remove the uniqueness of the filename
     	# 'tempXXXXX'
     	$cleanName = substr($cleanName, 9);
     	if ( !$docid ) {
             my $uploadStatus = shift;
             while(!$uploadStatus){
                 $docid = newDocid($scope, $metacat);
                 $uploadStatus = uploadData( $outFile, $docid, $cleanName );
                 if ( !$uploadStatus ) {
                     debug("Uploading the data failed.");
                     push( @errorMessages, "Data file $cleanName failed to upload");
-...
     	# TODO:  should match the object promotion path, so that an
     	#        Excel upload results in 'dataTable' in this field
     	my $entityType = 'Other';
     	my %dataInfo = (
     		'docid'       => $docid,
     		'entityid'    => $entityid,
-...
     	my $ctx = Digest::SHA1->new;
     	$ctx->add($fileData);
     	my $digest = $ctx->hexdigest;
     	# use tempfile for writing
     	my $tmp = File::Temp->new(
     	my $tmp = File::Temp->new(
     						TEMPLATE => 'tempXXXXX',
                             DIR => $tempDir,
                             SUFFIX => $cleanName,
                             SUFFIX => $cleanName,
                             UNLINK => 0);
     	my $outputName = $tmp->filename();
     	#open( OUT, ">$outputName" ) or die "Could not open: $!";
     	print $tmp $fileData;
     	close($tmp);
     	debug("Writing output, result is: $outputName");
     	return ( $outputName, $digest );
+    }
-...
     	my ($username, $password);
         my $metacat = Metacat->new($metacatUrl);
         setAuthToken($metacat);
         my $response = hasValidAuthToken();
         if ( ! $response ) {
         	( $username, $password ) = getCredentials();
         	$response = $metacat->login( $username, $password );
+        }
     	if ( !$response ) {
     		my $msg = $metacat->getMessage();
-...
     	my $filename = shift;
     	debug("Upload -- Starting upload of $docid");
     	my $response = $metacat->upload( $docid, $data, $filename );
     	if ( !$response ) {
             my $uploadMsg = $metacat->getMessage();
             push( @errorMessages,
             		"Failed to upload file. Error was: $uploadMsg\n" );
             debug("Upload -- Error is: $uploadMsg");
+    	}
     	else {
     		debug("Upload -- Success! New docid $docid");
+    	}
         return $response;
+    }
-...
     sub createXMLDocument {
         if ( $debug_enabled ) {
             debug("createXMLDocument() called.");
+        }
     	#FIXME placeholder for $FORM element, should be determined by config
     	if ( $skinName eq "ebm" ) {
-...
+    }
     sub createDatasetDocument {
         if ( $debug_enabled ) {
             debug("createDatasetDocument() called.");
+        }
         my $doc = EMLStart();
     	$doc .= accessElement();
     	$doc .= datasetStart();
-...
     			$elem .= "</individualName>\n";
     			if ( ( $role eq 'personnel' ) && ($FORM::origNameOrgContact) ) {
     				$elem .=
     "<organizationName>$FORM::origNameOrgContact</organizationName>\n";
     				$elem .= "<organizationName>$FORM::origNameOrgContact</organizationName>\n";
+    			}
     			if ( ( $role eq 'personnel' ) || ( $role eq 'associatedParty' ) ) {
-...
+    				}
     				$elem .= "<role>" . normalize($roleElem) . "</role>\n";
+    			}
     			$elemList .= "<$role>$elem</$role>\n";
                             # Ensure the metadataProvider is added before additionalParty
                             my $fullElement = "<$role>$elem</$role>\n";
                             if ( $role eq "metadataProvider" ) {
     				$fullElement .= $elemList;
     				$elemList = $fullElement;
                             } else {
     				$elemList .= $fullElement;
+    			}
+    		}
+    	}
     	return $elemList;
-...
     		$accessList = qq|
                     <access authSystem="knb" order="allowFirst">
                         $skinAccess
                         $userAccess
                         $userAccess
                         <$defaultAccess>
                             <principal>public</principal>
                             <permission>read</permission>
-...
+    }
     sub accessElement {
         if ( $debug_enabled ) {
             debug('accessElement() called.');
+        }
         my $public = shift;
     	if ( !$public ) {
     		$public = $config->{'publicReadable'};
-...
+    }
     sub getUsername() {
         if ( $debug_enabled ) {
             debug('getUsername() called.');
+        }
     	my $username = '';
     	my $authBase = $properties->getProperty("auth.base");
         # Support authentication token usernames
         my $token_info = getTokenInfo();
         if ( $token_info->{'isValid'} ) {
             $username = $token_info->{'sub'};
             debug("Username: $username");
             return $token_info->{'sub'};
+        }
         # Support CGI session usernames
     	if ( $FORM::username ne '' ) {
     		$username =
-...
         if ( ! hasValidAuthToken() ) {
             my ( $username, $password ) = getCredentials();
     	    $metacat->login( $username, $password );
+        }
     	$httpMessage = $metacat->read($docid);
-...
     	push( @admins, $adminUsername );
     	#debug("getting user groups for current user");
     	my @userGroups = getUserGroups();
     	foreach $node ( $results->get_nodelist ) {
-...
     				$permission = $child->textContent();
+    			}
+    		}
     		if (($principal eq 'public') && ($permission ne 'read')) {
     			# If the principal is 'public' and the permission is not 'read' then this document
     	    	# could not have been created in the registry.
     	    	# could not have been created in the registry.
     			$errorMessage = "The ACL for this document has been changed outside the registry. Please use Morpho to edit this document (Access Error: public principal cannot have $permission permission).\n";
     			$accessError = 1;
     			debug($errorMessage);
+    		}
+    		}
     		if (($principal eq $adminUsername) && ($permission ne 'all')) {
     			# If the principal is the admin and permission is not 'all' then this document
     	    	# could not have been created in the registry.
     	    	# could not have been created in the registry.
     			$errorMessage = "The ACL for this document has been changed outside the registry. Please use Morpho to edit this document (Access Error: admin principal cannot have $permission permission).\n";
     			$accessError = 1;
     			debug($errorMessage);
+    		}
+    		}
     		# no access error in doc, if principal is not equal to public and permission is
     		# no access error in doc, if principal is not equal to public and permission is
     		# 'all' (requirements in registry) then try and determine if user has access
     		if (!$accessError && ($principal ne 'public') && ($permission eq 'all' || $permission eq 'write')) {
     			my ($username, $password) = getCredentials();
     			# 1) check if user matches principal
     			#debug("does user $username match principal $principal?");
     			if ($principal eq $username) {
     				$accessGranted = 1;
     				$accessGranted = 1;
     				#debug("Access granted: user $username matches principal");
+    			}
     			# 2) if access not granted, check if user group matches principal
     			# 2) if access not granted, check if user group matches principal
     			if (!$accessGranted) {
     				#debug("is one of the user groups @userGroups the principal $principal?");
     				for my $userGroup (@userGroups) {
-...
                				last;
+           				}
+    				}
+    			}
+    		}
+    			}
+    		}
     		# if there was an access error, we know this is not a valid registry doc.  No need to
     		# continue looking at access sections in doc.  Same it true if we were granted access
     		# already.
-...
     			last;
+    		}
+    	}
     	if (!$accessError) {
     	if (!$accessError) {
     		my ($username, $password) = getCredentials();
     		# 3) if access not granted, check if the user is a moderator or admin
     		if (!$accessGranted) {
     			#debug("is user $username in admins @admins?");
-...
     				#debug("Access granted: user $username is an admin or moderator");
+    			}
+    		}
     		# 4) if access not granted, check if user group in moderator/admin list
     		if (!$accessGranted) {
     			#debug("is one of the user groups @userGroups in admins @admins?");
-...
     					last;
+    				}
+    			}
+    		}
     		# 5) if access not granted, and there was no other error, the user is not authorized.
+    		}
     		# 5) if access not granted, and there was no other error, the user is not authorized.
     		# Set accessError to true and set the error string
     		if (!$accessError && !$accessGranted) {
     			$errorMessage = "User $username is not authorized to access document\n";
-...
     	# Login to metacat
     	my $errorMessage = "";
         my $response = hasValidAuthToken();
         if ( ! $response ) {
         	my ( $username, $password ) = getCredentials();
         	$response = $metacat->login( $username, $password );
+        }
     	if ( !$response ) {
-...
     		my $password = $FORM::password;
     		my $metacat = Metacat->new($metacatUrl);
         	my $returnVal = $metacat->login( $username, $password );
     		debug("Login was $returnVal for login " .
     		debug("Login was $returnVal for login " .
                   "attempt to $metacatUrl, with $username");
     		if ( $returnVal > 0 ) {
     			# valid username and passwd
-...
     		$uname = $session->param("username");
     		$session->delete();
+    	}
     	# send redirect form to metacat and action = logout
     	my $html = "<html><head>";
     	$html .= "</head><body onload=\"document.loginForm.submit()\">";
     	$html .= "<form name=\"loginForm\" method=\"post\" action=\""
     	  . $metacatUrl . "\">";
     	$html .= "<input type=\"hidden\" name=\"action\" value=\"logout\" />";
     	$html .= "<input type=\"hidden\" name=\"username\" value=\""
     	$html .= "<input type=\"hidden\" name=\"username\" value=\""
     	  . $uname . "\" />";
     	$html .= "<input type=\"hidden\" name=\"qformat\" value=\""
     	  . $skinName . "\" />";
-...
+    #
     ################################################################################
     sub getCredentials {
     	my $userDN   = $FORM::username;
     	my $userOrg  = $FORM::organization;
     	my $userPass = $FORM::password;
     	my $authBase = $properties->getProperty("auth.base");
     	my $dname    = "uid=$userDN,o=$userOrg,$authBase";
         my $token_info;
         if ( hasValidAuthToken() ) {
             $token_info = getTokenInfo();
             $dname = $token_info->{'sub'};
         } else {
         	my $session = CGI::Session->load();
         	if ( !( $session->is_empty || $session->is_expired ) ) {
         		$dname    = $session->param("username");
         		$userPass = $session->param("password");
+        	}
+        }
     	return ( $dname, $userPass );
-...
     ################################################################################
     sub getUserGroups {
     	my $sessionId = shift;
     	#debug("getting user info for session id: $sessionId");
     	my $metacat = Metacat->new($metacatUrl);
     	setAuthToken($metacat);
         if ( ! hasValidAuthToken() ) {
         	my ( $username, $password ) = getCredentials();
         	$metacat->login( $username, $password );
+        }
     	my $userInfo = $metacat->getUserInfo($sessionId);
     	debug("user info xml: $userInfo");
     	my $parser = XML::LibXML->new();
     	my $parsedDoc = $parser->parse_string($userInfo);
     	my $groupString = $parsedDoc->findvalue('//user/groupNames');
     	my @groupArray;
     	foreach (split(":", $groupString)) {
     		$_ =~ s/^\s+//;
-...
         if ( ! hasValidAuthToken() ) {
         	my ( $username, $password ) = getCredentials();
         	$metacat->login( $username, $password );
+        }
     	my $parser = XML::LibXML->new();
     	my $docid  = $FORM::docid;
     	my ( $x, $y, $z ) = split( /\./, $docid );
-...
         my $response = hasValidAuthToken();
         if ( ! $response ) {
         	$response = $metacat->login( $modUsername, $modPassword );
+        }
     	my $docid = $FORM::docid;
-...
         my $response = hasValidAuthToken();
         if ( ! $response ) {
         	$response = $metacat->login( $modUsername, $modPassword );
+        }
     	if ( !$response ) {
-...
         my $response = hasValidAuthToken();
         if ( ! $response ) {
         	$response = $metacat->login( $modUsername, $modPassword );
+        }
     	if ( !$response ) {
-...
     	if ( !$error ) {
             # If no errors, then print out data in confirm Data template
     		$$templateVars{'section'} = "Confirm Data";
             #Just return the data file upload details, if specified
             if(param("justGetUploadDetails")){
                 $template->process( $templates->{'dataUploadDetails'}, $templateVars );
                 $template->process( $templates->{'dataUploadDetails'}, $templateVars );
+            }
             else{
                 $template->process( $templates->{'confirmData'}, $templateVars );
-...
     ################################################################################
+    #
     # Set the incoming HTTP Authorization header as an instance variable in the
     # Set the incoming HTTP Authorization header as an instance variable in the
     # given Metacat object
+    #
     ################################################################################
     sub setAuthToken() {
         my $metacat = shift;
         if ( $debug_enabled ) {
             debug('setAuthToken() called.');
+        }
         eval { $metacat->isa('Metacat'); };
         if ( ! $@ ) {
             # Set the auth_token_header if available
             if ( $ENV{'HTTP_AUTHORIZATION'}) {
                 $metacat->set_options(
                 $metacat->set_options(
                     auth_token_header => $ENV{'HTTP_AUTHORIZATION'});
             } else {
                 if ( $debug_enabled ) {
                     debug("There is no HTTP_AUTHORIZATION variable. " .
                           "Did not set Metacat->{'auth_token_header'}");
+                }
+            }
         } else {
             debug('Not an instance of Metacat.' .
             'Pass a Metacat object only to setAuthToken().');
-...
+    #
     ################################################################################
     sub getSigningCertificate() {
         if ( $debug_enabled ) {
             debug('getSigningCertificate called.');
+        }
+        }
         open(my $pem_cert_file, ">", $pem_file_path)
             or die "\nCould not open PEM certificate file: $!\n";
         # Attempts to use IO::Socket::SSL->peer_certificate()
         # and Net::SSLeay->get_peer_certificate()
         # return an unparseable cert (it seems).
         # and Net::SSLeay->get_peer_certificate()
         # return an unparseable cert (it seems).
         # Settle for the openssl command instead.
         # my $client = IO::Socket::SSL->new('cn-stage.test.dataone.org:443')
         #    or die "error=$!, ssl_error=$SSL_ERROR";
-...
             if ( $line =~ /BEGIN/) {
                 $start_line_number = $count;
                 last;
+            }
+            }
+        }
         # Find the end line of the first cert
-...
             if ( $line =~ /END/) {
                 $end_line_number = $count;
                 last;
+            }
+            }
+        }
         # print the cert to a PEM file
-...
             $count = $count + 1;
             if ( $count >= $start_line_number && $count <= $end_line_number) {
                 print $pem_cert_file $line;
+            }
+            }
+        }
         close($pem_cert_file);
         # Convert the PEM to DER
         my @convert_der_args = ("openssl", "x509",
         my @convert_der_args = ("openssl", "x509",
             "-in", $pem_file_path, "-inform", "PEM",
             "-out", $der_file_path, "-outform", "DER");
         system(@convert_der_args);
         # For debugging, display the cert details
         if ( $debug_enabled ) {
             my @cert_info = `openssl x509 -noout -issuer -subject -dates -in $pem_file_path`;
             debug("Signing certificate info: ");
             for my $info_line (@cert_info) {
                 debug($info_line);
+            }
+        }
+    }
-...
         if ( $debug_enabled ) {
             debug('getTokenInfo() called.');
+        }
         my $token_info = {
                 userId      => '',
                 issuedAt    => '',
-...
                 isValid     => 0
         };
         my $token = "";
         my $token = "NO TOKEN YET";
         if ( $ENV{'HTTP_AUTHORIZATION'} ) {
             my @token_parts = split(/ /, $ENV{'HTTP_AUTHORIZATION'});
             $token = @token_parts[1];
+        }
         my $der_cert_file;
         my $signing_cert;
         # If we don't already have the CN signing cert, get it
         if ( ! -e $der_file_path )   {
             getSigningCertificate();
+        }
         # Read the DER-encoded certificate
         open($der_cert_file, "<", $der_file_path)
             or die "\nCould not open DER certificate file: $!\n";
-...
         read($der_cert_file, $signing_cert, 4096)
             or die "Problem reading the DER-encoded server cert: $!\n" if $!;
         close($der_cert_file);
         my $cert = Crypt::X509->new(cert=>$signing_cert);
         # Decode the token using Crypt::JWT
         # Decode the token using Crypt::JWT
         eval{ $token_info = decode_jwt(token=>$token, key=>$cert) };
         if ( ! $@ ) {
         if ( ! $@ ) {
             $$token_info{isValid} = 1;
         } else {
             debug("There was a problem parsing the token: $token");
             debug($@);
+        }
         return $token_info;
+    }
     ################################################################################
-...
+    #
     ################################################################################
     sub validateSession() {
         if ( $debug_enabled ) {
             debug('validateSession() called.');
+        }
         my $token_info = getTokenInfo();
         my $session = CGI::Session->load();
         my $valid = 0;
         if ( $token_info->{"isValid"} ) {
             $valid = 1;
             if ( $debug_enabled ) {
                     debug('The auth token session is valid.');
+            }
         } elsif ( ! $session->is_empty && ! $session->is_expired ) {
         } elsif ( $session->is_empty && ! $session->is_expired ) {
             $valid = 1;
             if ( $debug_enabled ) {
                     debug('The CGI session is valid.');
+            }
+        }
         if ( $debug_enabled ) {
             if ( ! $valid ) {
                 debug('The session is not valid.');
+            }
+        }
         if ( $debug_enabled ) {
             while( my ($k, $v) = each %$token_info ) {
                 debug("$k: $v");
+            }
+        }
         return $valid;
+    }
-...
+    #
     ################################################################################
     sub hasValidAuthToken() {
         if ( $debug_enabled ) {
             debug('hasValidAuthToken() called.');
+        }
         my $token_info = getTokenInfo();
         if ( $debug_enabled ) {
             debug("Auth token is valid: $token_info->{'isValid'}");
+        }
         return $token_info->{'isValid'};
+    }

Also available in: Unified diff

Project

General

Profile

Metacat

Revision 9551

Added by Chris Jones over 8 years ago