001: /*
002: * Copyright 2005-2007 The Kuali Foundation.
003: *
004: * Licensed under the Educational Community License, Version 1.0 (the "License");
005: * you may not use this file except in compliance with the License.
006: * You may obtain a copy of the License at
007: *
008: * http://www.opensource.org/licenses/ecl1.php
009: *
010: * Unless required by applicable law or agreed to in writing, software
011: * distributed under the License is distributed on an "AS IS" BASIS,
012: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
013: * See the License for the specific language governing permissions and
014: * limitations under the License.
015: */
016: package org.kuali.core.web.struts.form;
017:
018: import java.lang.reflect.Constructor;
019: import java.security.GeneralSecurityException;
020: import java.util.ArrayList;
021: import java.util.Arrays;
022: import java.util.Enumeration;
023: import java.util.HashMap;
024: import java.util.Iterator;
025: import java.util.List;
026: import java.util.Map;
027:
028: import javax.servlet.http.HttpServletRequest;
029:
030: import org.apache.commons.lang.StringUtils;
031: import org.kuali.RiceConstants;
032: import org.kuali.core.authorization.AuthorizationConstants;
033: import org.kuali.core.inquiry.Inquirable;
034: import org.kuali.core.service.DataDictionaryService;
035: import org.kuali.core.service.EncryptionService;
036: import org.kuali.rice.KNSServiceLocator;
037:
038: /**
039: * This class is the action form for inquiries.
040: */
041: public class InquiryForm extends KualiForm {
042: private static final org.apache.log4j.Logger LOG = org.apache.log4j.Logger
043: .getLogger(InquiryForm.class);
044:
045: private static final long serialVersionUID = 1L;
046: private String fieldConversions;
047: private List sections;
048: private String businessObjectClassName;
049: private Map editingMode;
050:
051: /**
052: * The following map is used to pass primary key values between invocations of the inquiry screens after the start method has been called. Values in this map will remain encrypted
053: * if the value was passed in as encrypted
054: */
055: private Map<String, String> inquiryPrimaryKeys;
056:
057: private Map<String, String> inquiryDecryptedPrimaryKeys;
058:
059: /**
060: * A comma separated list of field names. Each field name in this list has an encrypted value in the request.
061: */
062: private String encryptedValues;
063:
064: /**
065: * A map of collection name -> Boolean mappings. Used to denote whether a collection name is configured to show inactive records.
066: */
067: private Map<String, Boolean> inactiveRecordDisplay;
068:
069: private Inquirable inquirable;
070:
071: public InquiryForm() {
072: super ();
073: this .editingMode = new HashMap();
074: this .editingMode.put(AuthorizationConstants.EditMode.VIEW_ONLY,
075: "TRUE");
076: this .inactiveRecordDisplay = null;
077: }
078:
079: @Override
080: public void populate(HttpServletRequest request) {
081: // set to null for security reasons (so POJO form base can't access it), then we'll make an new instance of it after
082: // POJO form base is done
083: this .inquirable = null;
084: super .populate(request);
085:
086: inquirable = getInquirable(getBusinessObjectClassName());
087:
088: // the following variable is true if the method to call is not start, meaning that we already called start
089: boolean passedFromPreviousInquiry = !RiceConstants.START_METHOD
090: .equals(getMethodToCall());
091:
092: // There is no requirement that an inquiry screen must display the primary key values. However, when clicking on hide/show (without javascript) and
093: // hide/show inactive, the PK values are needed to allow the server to properly render results after the user clicks on a hide/show button that results
094: // in server processing. This line will populate the form with the PK values so that they may be used in subsequent requests. Note that encrypted
095: // values will remain encrypted in this map.
096: this .inquiryPrimaryKeys = new HashMap<String, String>();
097: this .inquiryDecryptedPrimaryKeys = new HashMap<String, String>();
098:
099: populatePKFieldValues(request, getBusinessObjectClassName(),
100: passedFromPreviousInquiry);
101:
102: populateInactiveRecordsInIntoInquirable(inquirable, request);
103: }
104:
105: protected Inquirable getInquirable(String boClassName) {
106: try {
107: Class customInquirableClass = null;
108:
109: try {
110: customInquirableClass = KNSServiceLocator
111: .getDataDictionaryService().getDataDictionary()
112: .getBusinessObjectEntry(boClassName)
113: .getInquiryDefinition().getInquirableClass();
114: } catch (Exception e) {
115: LOG
116: .error("Unable to correlate business object class with maintenance document entry");
117: }
118:
119: Inquirable kualiInquirable = KNSServiceLocator
120: .getKualiInquirable(); // get inquirable impl from Spring
121:
122: if (customInquirableClass != null) {
123: Class[] defaultConstructor = new Class[] {};
124: Constructor cons = customInquirableClass
125: .getConstructor(defaultConstructor);
126: kualiInquirable = (Inquirable) cons.newInstance();
127: }
128:
129: kualiInquirable.setBusinessObjectClass(Class
130: .forName(boClassName));
131:
132: return kualiInquirable;
133: } catch (Exception e) {
134: LOG.error("Error attempting to retrieve inquirable.", e);
135: throw new RuntimeException(
136: "Error attempting to retrieve inquirable.");
137: }
138: }
139:
140: protected void populatePKFieldValues(HttpServletRequest request,
141: String boClassName, boolean passedFromPreviousInquiry) {
142: try {
143: EncryptionService encryptionService = KNSServiceLocator
144: .getEncryptionService();
145:
146: // List of encrypted values
147: List encryptedList = new ArrayList();
148: if (StringUtils.isNotBlank(getEncryptedValues())) {
149: encryptedList = Arrays.asList(StringUtils.split(
150: getEncryptedValues(),
151: RiceConstants.FIELD_CONVERSIONS_SEPERATOR));
152: }
153:
154: Class businessObjectClass = Class.forName(boClassName);
155:
156: DataDictionaryService dataDictionaryService = KNSServiceLocator
157: .getDataDictionaryService();
158: // build list of key values from request, if all keys not given throw error
159: List boKeys = KNSServiceLocator
160: .getPersistenceStructureService()
161: .listPrimaryKeyFieldNames(businessObjectClass);
162: for (Iterator iter = boKeys.iterator(); iter.hasNext();) {
163: String realPkFieldName = (String) iter.next();
164: String pkParamName = realPkFieldName;
165: if (passedFromPreviousInquiry) {
166: pkParamName = RiceConstants.INQUIRY_PK_VALUE_PASSED_FROM_PREVIOUS_REQUEST_PREFIX
167: + pkParamName;
168: }
169:
170: if (request.getParameter(pkParamName) != null) {
171: String parameter = (String) request
172: .getParameter(pkParamName);
173:
174: inquiryPrimaryKeys.put(realPkFieldName, parameter);
175: if (StringUtils.isNotBlank(dataDictionaryService
176: .getAttributeDisplayWorkgroup(boClassName,
177: realPkFieldName))) {
178: // This PK field needs to be encrypted coming in from the request, if it was decrypt it, if not, throw exception
179:
180: // this check prevents a brute-force attacker from passing in an unencrypted PK value that's supposed to be encrypted and determining whether
181: // a record with that guessed PK value exists in the DB, effectively bypassing encryption
182: if (encryptedList.contains(realPkFieldName)) {
183: inquiryDecryptedPrimaryKeys.put(
184: realPkFieldName, encryptionService
185: .decrypt(parameter));
186: } else {
187: LOG
188: .error("All PK fields that are specified as encrypted in the DD must be encrypted when passed into the inquiry page. Field not encrypted is "
189: + realPkFieldName);
190: throw new RuntimeException(
191: "All PK fields that are specified as encrypted in the DD must be encrypted when passed into the inquiry page");
192: }
193: } else {
194: inquiryDecryptedPrimaryKeys.put(
195: realPkFieldName, parameter);
196: }
197: } else {
198: LOG
199: .error("All keys not given to lookup for bo class name "
200: + businessObjectClass.getName());
201: throw new RuntimeException(
202: "All keys not given to lookup for bo class name "
203: + businessObjectClass.getName());
204: }
205: }
206: } catch (ClassNotFoundException e) {
207: LOG.error("Can't instantiate class: " + boClassName, e);
208: throw new RuntimeException("Can't instantiate class: "
209: + boClassName);
210: } catch (GeneralSecurityException e) {
211: LOG.error("Can't decrypt value", e);
212: throw new RuntimeException("Can't decrypt value");
213: }
214: }
215:
216: /**
217: * @return Returns the fieldConversions.
218: */
219: public String getFieldConversions() {
220: return fieldConversions;
221: }
222:
223: /**
224: * @param fieldConversions The fieldConversions to set.
225: */
226: public void setFieldConversions(String fieldConversions) {
227: this .fieldConversions = fieldConversions;
228: }
229:
230: /**
231: * @return Returns the inquiry sections.
232: */
233: public List getSections() {
234: return sections;
235: }
236:
237: /**
238: * @param sections The sections to set.
239: */
240: public void setSections(List sections) {
241: this .sections = sections;
242: }
243:
244: /**
245: * @return Returns the businessObjectClassName.
246: */
247: public String getBusinessObjectClassName() {
248: return businessObjectClassName;
249: }
250:
251: /**
252: * @param businessObjectClassName The businessObjectClassName to set.
253: */
254: public void setBusinessObjectClassName(
255: String businessObjectClassName) {
256: this .businessObjectClassName = businessObjectClassName;
257: }
258:
259: public Map getEditingMode() {
260: return editingMode;
261: }
262:
263: /**
264: * Gets a comma separated list of field names. Each field name in this list has an encrypted value in the request.
265: *
266: * @return a comma separated list of field names. Each field name in this list has an encrypted value in the request.
267: */
268: public String getEncryptedValues() {
269: return this .encryptedValues;
270: }
271:
272: /**
273: * Sets a comma separated list of field names. Each field name in this list has an encrypted value in the request.
274: *
275: * @param encryptedValues a comma separated list of field names. Each field name in this list has an encrypted value in the request.
276: */
277: public void setEncryptedValues(String encryptedValues) {
278: this .encryptedValues = encryptedValues;
279: }
280:
281: /**
282: * Gets the map used to pass primary key values between invocations of the inquiry screens after the start method has been called. All field values that were passed in encrypted will
283: * be encrypted in this map
284: *
285: * @return
286: */
287: public Map<String, String> getInquiryPrimaryKeys() {
288: return this .inquiryPrimaryKeys;
289: }
290:
291: /**
292: * Gets the map used to pass primary key values between invocations of the inquiry screens after the start method has been called. All fields will be decrypted
293: *
294: * Purposely not named as a getter, to make it harder for POJOFormBase to access it
295: *
296: * @return
297: */
298: public Map<String, String> retrieveInquiryDecryptedPrimaryKeys() {
299: return this .inquiryDecryptedPrimaryKeys;
300: }
301:
302: /**
303: * Sets the map used to pass primary key values between invocations of the inquiry screens after the start method has been called.
304: *
305: * @param inquiryPrimaryKeys
306: */
307: public void setInquiryPrimaryKeys(
308: Map<String, String> inquiryPrimaryKeys) {
309: this .inquiryPrimaryKeys = inquiryPrimaryKeys;
310: }
311:
312: /**
313: * Gets map of collection name -> Boolean mappings. Used to denote whether a collection name is configured to show inactive records.
314: *
315: * @return
316: */
317: public Map<String, Boolean> getInactiveRecordDisplay() {
318: return getInquirable().getInactiveRecordDisplay();
319: }
320:
321: public Inquirable getInquirable() {
322: return inquirable;
323: }
324:
325: protected void populateInactiveRecordsInIntoInquirable(
326: Inquirable inquirable, HttpServletRequest request) {
327: for (Enumeration e = request.getParameterNames(); e
328: .hasMoreElements();) {
329: String paramName = (String) e.nextElement();
330: if (paramName
331: .startsWith(RiceConstants.INACTIVE_RECORD_DISPLAY_PARAM_PREFIX)) {
332: String collectionName = StringUtils
333: .substringAfter(
334: paramName,
335: RiceConstants.INACTIVE_RECORD_DISPLAY_PARAM_PREFIX);
336: Boolean showInactive = Boolean.parseBoolean(request
337: .getParameter(paramName));
338: inquirable.setShowInactiveRecords(collectionName,
339: showInactive);
340: }
341: }
342: }
343: }
|