From af6c734879aa483efcc8150d5fdb704f40fb59cd Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Thu, 17 Nov 2016 22:48:33 +1300 Subject: Add user expiration and device limit --- schema/changelog-3.8.xml | 10 ++++++ setup/default.xml | 8 +++-- src/org/traccar/api/SecurityRequestFilter.java | 2 +- src/org/traccar/api/resource/DeviceResource.java | 7 ++++ src/org/traccar/api/resource/SessionResource.java | 2 +- src/org/traccar/api/resource/UserResource.java | 11 ++++--- src/org/traccar/database/PermissionsManager.java | 6 ++-- src/org/traccar/model/User.java | 40 +++++++++++++++++++++++ 8 files changed, 75 insertions(+), 11 deletions(-) diff --git a/schema/changelog-3.8.xml b/schema/changelog-3.8.xml index 780a2d029..ba591f192 100644 --- a/schema/changelog-3.8.xml +++ b/schema/changelog-3.8.xml @@ -107,5 +107,15 @@ + + + + + + + + + + diff --git a/setup/default.xml b/setup/default.xml index f50f3904f..a9d7684d4 100644 --- a/setup/default.xml +++ b/setup/default.xml @@ -62,8 +62,8 @@ - INSERT INTO users (name, email, hashedPassword, salt, admin, map, distanceUnit, speedUnit, latitude, longitude, zoom, twelveHourFormat, attributes) - VALUES (:name, :email, :hashedPassword, :salt, :admin, :map, :distanceUnit, :speedUnit, :latitude, :longitude, :zoom, :twelveHourFormat, :attributes) + INSERT INTO users (name, email, hashedPassword, salt, admin, map, distanceUnit, speedUnit, latitude, longitude, zoom, twelveHourFormat, coordinateFormat, disabled, expirationTime, deviceLimit, attributes) + VALUES (:name, :email, :hashedPassword, :salt, :admin, :map, :distanceUnit, :speedUnit, :latitude, :longitude, :zoom, :twelveHourFormat, :coordinateFormat, :disabled, :expirationTime, :deviceLimit, :attributes) @@ -78,6 +78,10 @@ longitude = :longitude, zoom = :zoom, twelveHourFormat = :twelveHourFormat, + coordinateFormat = :coordinateFormat, + disabled = :disabled, + expirationTime = :expirationTime, + deviceLimit = :deviceLimit, attributes = :attributes WHERE id = :id diff --git a/src/org/traccar/api/SecurityRequestFilter.java b/src/org/traccar/api/SecurityRequestFilter.java index fd4c77525..598e4566d 100644 --- a/src/org/traccar/api/SecurityRequestFilter.java +++ b/src/org/traccar/api/SecurityRequestFilter.java @@ -67,7 +67,7 @@ public class SecurityRequestFilter implements ContainerRequestFilter { try { String[] auth = decodeBasicAuth(authHeader); - User user = Context.getDataManager().login(auth[0], auth[1]); + User user = Context.getPermissionsManager().login(auth[0], auth[1]); if (user != null) { Context.getStatisticsManager().registerRequest(user.getId()); securityContext = new UserSecurityContext(new UserPrincipal(user.getId())); diff --git a/src/org/traccar/api/resource/DeviceResource.java b/src/org/traccar/api/resource/DeviceResource.java index f20ed86ad..0b389ede1 100644 --- a/src/org/traccar/api/resource/DeviceResource.java +++ b/src/org/traccar/api/resource/DeviceResource.java @@ -58,6 +58,13 @@ public class DeviceResource extends BaseResource { @POST public Response add(Device entity) throws SQLException { Context.getPermissionsManager().checkReadonly(getUserId()); + int deviceLimit = Context.getPermissionsManager().getUser(getUserId()).getDeviceLimit(); + if (deviceLimit != 0) { + int deviceCount = Context.getPermissionsManager().getDevicePermissions(getUserId()).size(); + if (deviceCount >= deviceLimit) { + throw new SecurityException("User device limit reached"); + } + } Context.getDeviceManager().addDevice(entity); Context.getDataManager().linkDevice(getUserId(), entity.getId()); Context.getPermissionsManager().refreshPermissions(); diff --git a/src/org/traccar/api/resource/SessionResource.java b/src/org/traccar/api/resource/SessionResource.java index 2847e41c1..a459186fe 100644 --- a/src/org/traccar/api/resource/SessionResource.java +++ b/src/org/traccar/api/resource/SessionResource.java @@ -64,7 +64,7 @@ public class SessionResource extends BaseResource { } } if (email != null && password != null) { - User user = Context.getDataManager().login(email, password); + User user = Context.getPermissionsManager().login(email, password); if (user != null) { userId = user.getId(); request.getSession().setAttribute(USER_ID_KEY, userId); diff --git a/src/org/traccar/api/resource/UserResource.java b/src/org/traccar/api/resource/UserResource.java index f0a8597cc..c6e84c918 100644 --- a/src/org/traccar/api/resource/UserResource.java +++ b/src/org/traccar/api/resource/UserResource.java @@ -60,13 +60,16 @@ public class UserResource extends BaseResource { @Path("{id}") @PUT public Response update(@PathParam("id") long id, User entity) throws SQLException { - if (entity.getAdmin()) { + User old = Context.getPermissionsManager().getUser(entity.getId()); + if (old.getExpirationTime() == null && entity.getExpirationTime() != null + || old.getExpirationTime() != null && !old.getExpirationTime().equals(entity.getExpirationTime()) + || old.getAdmin() != entity.getAdmin() + || old.getReadonly() != entity.getReadonly() + || old.getDisabled() != entity.getDisabled() + || old.getDeviceLimit() != entity.getDeviceLimit()) { Context.getPermissionsManager().checkAdmin(getUserId()); } else { Context.getPermissionsManager().checkUser(getUserId(), entity.getId()); - if (!entity.getReadonly()) { - Context.getPermissionsManager().checkReadonly(entity.getId()); - } } Context.getPermissionsManager().updateUser(entity); if (Context.getNotificationManager() != null) { diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java index b0ae504d0..e620d5334 100644 --- a/src/org/traccar/database/PermissionsManager.java +++ b/src/org/traccar/database/PermissionsManager.java @@ -217,11 +217,11 @@ public class PermissionsManager { public User login(String email, String password) throws SQLException { User user = dataManager.login(email, password); - if (user != null && users.get(user.getId()) != null) { + if (user != null && !user.getDisabled() && (user.getExpirationTime() == null + || user.getExpirationTime().getTime() > System.currentTimeMillis())) { return users.get(user.getId()); - } else { - return null; } + return null; } } diff --git a/src/org/traccar/model/User.java b/src/org/traccar/model/User.java index aa0b33713..a36fa0e31 100644 --- a/src/org/traccar/model/User.java +++ b/src/org/traccar/model/User.java @@ -18,6 +18,8 @@ package org.traccar.model; import com.fasterxml.jackson.annotation.JsonIgnore; import org.traccar.helper.Hashing; +import java.util.Date; + public class User extends Extensible { private String name; @@ -140,6 +142,44 @@ public class User extends Extensible { this.coordinateFormat = coordinateFormat; } + private boolean disabled; + + public boolean getDisabled() { + return disabled; + } + + public void setDisabled(boolean disabled) { + this.disabled = disabled; + } + + private Date expirationTime; + + public Date getExpirationTime() { + if (expirationTime != null) { + return new Date(expirationTime.getTime()); + } else { + return null; + } + } + + public void setExpirationTime(Date expirationTime) { + if (expirationTime != null) { + this.expirationTime = new Date(expirationTime.getTime()); + } else { + this.expirationTime = null; + } + } + + private int deviceLimit; + + public int getDeviceLimit() { + return deviceLimit; + } + + public void setDeviceLimit(int deviceLimit) { + this.deviceLimit = deviceLimit; + } + public String getPassword() { return null; } -- cgit v1.2.3 From 468e3b0aa03fbe69b4c590743cf9f6886ef99751 Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Fri, 18 Nov 2016 00:16:55 +1300 Subject: Check account on every call --- src/org/traccar/api/SecurityRequestFilter.java | 1 + src/org/traccar/database/PermissionsManager.java | 16 +++++++++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/src/org/traccar/api/SecurityRequestFilter.java b/src/org/traccar/api/SecurityRequestFilter.java index 598e4566d..be74a3607 100644 --- a/src/org/traccar/api/SecurityRequestFilter.java +++ b/src/org/traccar/api/SecurityRequestFilter.java @@ -80,6 +80,7 @@ public class SecurityRequestFilter implements ContainerRequestFilter { Long userId = (Long) request.getSession().getAttribute(SessionResource.USER_ID_KEY); if (userId != null) { + Context.getPermissionsManager().checkUser(userId); Context.getStatisticsManager().registerRequest(userId); securityContext = new UserSecurityContext(new UserPrincipal(userId)); } diff --git a/src/org/traccar/database/PermissionsManager.java b/src/org/traccar/database/PermissionsManager.java index e620d5334..1c995a11d 100644 --- a/src/org/traccar/database/PermissionsManager.java +++ b/src/org/traccar/database/PermissionsManager.java @@ -146,7 +146,17 @@ public class PermissionsManager { public void checkReadonly(long userId) throws SecurityException { if (!isAdmin(userId) && (server.getReadonly() || isReadonly(userId))) { - throw new SecurityException("User is readonly"); + throw new SecurityException("Account is readonly"); + } + } + + public void checkUser(long userId) throws SecurityException { + User user = getUser(userId); + if (user.getDisabled()) { + throw new SecurityException("Account is disabled"); + } + if (user.getExpirationTime() != null && System.currentTimeMillis() > user.getExpirationTime().getTime()) { + throw new SecurityException("Account has expired"); } } @@ -217,8 +227,8 @@ public class PermissionsManager { public User login(String email, String password) throws SQLException { User user = dataManager.login(email, password); - if (user != null && !user.getDisabled() && (user.getExpirationTime() == null - || user.getExpirationTime().getTime() > System.currentTimeMillis())) { + if (user != null) { + checkUser(user.getId()); return users.get(user.getId()); } return null; -- cgit v1.2.3 From 2bd0cdf04b2849a510f178cafea17fffa5d34961 Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Fri, 18 Nov 2016 03:51:43 +1300 Subject: Fix the problem with session --- src/org/traccar/api/SecurityRequestFilter.java | 41 +++++++++++++++----------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/src/org/traccar/api/SecurityRequestFilter.java b/src/org/traccar/api/SecurityRequestFilter.java index be74a3607..3f2390754 100644 --- a/src/org/traccar/api/SecurityRequestFilter.java +++ b/src/org/traccar/api/SecurityRequestFilter.java @@ -17,6 +17,7 @@ package org.traccar.api; import org.traccar.Context; import org.traccar.api.resource.SessionResource; +import org.traccar.helper.Log; import org.traccar.model.User; import javax.annotation.security.PermitAll; @@ -62,29 +63,35 @@ public class SecurityRequestFilter implements ContainerRequestFilter { SecurityContext securityContext = null; - String authHeader = requestContext.getHeaderString(AUTHORIZATION_HEADER); - if (authHeader != null) { + try { - try { - String[] auth = decodeBasicAuth(authHeader); - User user = Context.getPermissionsManager().login(auth[0], auth[1]); - if (user != null) { - Context.getStatisticsManager().registerRequest(user.getId()); - securityContext = new UserSecurityContext(new UserPrincipal(user.getId())); + String authHeader = requestContext.getHeaderString(AUTHORIZATION_HEADER); + if (authHeader != null) { + + try { + String[] auth = decodeBasicAuth(authHeader); + User user = Context.getPermissionsManager().login(auth[0], auth[1]); + if (user != null) { + Context.getStatisticsManager().registerRequest(user.getId()); + securityContext = new UserSecurityContext(new UserPrincipal(user.getId())); + } + } catch (SQLException e) { + throw new WebApplicationException(e); } - } catch (SQLException e) { - throw new WebApplicationException(e); - } - } else if (request.getSession() != null) { + } else if (request.getSession() != null) { + + Long userId = (Long) request.getSession().getAttribute(SessionResource.USER_ID_KEY); + if (userId != null) { + Context.getPermissionsManager().checkUser(userId); + Context.getStatisticsManager().registerRequest(userId); + securityContext = new UserSecurityContext(new UserPrincipal(userId)); + } - Long userId = (Long) request.getSession().getAttribute(SessionResource.USER_ID_KEY); - if (userId != null) { - Context.getPermissionsManager().checkUser(userId); - Context.getStatisticsManager().registerRequest(userId); - securityContext = new UserSecurityContext(new UserPrincipal(userId)); } + } catch (SecurityException e) { + Log.warning(e); } if (securityContext != null) { -- cgit v1.2.3 From f35da3ffdf6f960a877149b72b819a1979c9395a Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Fri, 18 Nov 2016 18:43:33 +1300 Subject: Check user in session resource --- src/org/traccar/api/resource/SessionResource.java | 1 + 1 file changed, 1 insertion(+) diff --git a/src/org/traccar/api/resource/SessionResource.java b/src/org/traccar/api/resource/SessionResource.java index a459186fe..a61738c7e 100644 --- a/src/org/traccar/api/resource/SessionResource.java +++ b/src/org/traccar/api/resource/SessionResource.java @@ -73,6 +73,7 @@ public class SessionResource extends BaseResource { } if (userId != null) { + Context.getPermissionsManager().checkUser(userId); return Context.getPermissionsManager().getUser(userId); } else { throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).build()); -- cgit v1.2.3