From 1397cbeac28a7ebf211aa029e99fb1527f8904c2 Mon Sep 17 00:00:00 2001
From: CalDescent
Date: Sun, 14 Nov 2021 15:59:08 +0000
Subject: [PATCH] General API key / security-related updates

---
 src/main/java/org/qortal/api/ApiKey.java | 3 ++-
 .../qortal/api/resource/AdminResource.java | 2 +-
 .../api/resource/ArbitraryResource.java | 26 +++++++------------
 3 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/src/main/java/org/qortal/api/ApiKey.java b/src/main/java/org/qortal/api/ApiKey.java
index 5ab455fa..53a84f00 100644
--- a/src/main/java/org/qortal/api/ApiKey.java
+++ b/src/main/java/org/qortal/api/ApiKey.java
@@ -86,7 +86,8 @@ public class ApiKey {
 return (this.apiKey != null);
 }
- public String getApiKey() {
+ @Override
+ public String toString() {
 return this.apiKey;
 }
diff --git a/src/main/java/org/qortal/api/resource/AdminResource.java b/src/main/java/org/qortal/api/resource/AdminResource.java
index 5a755288..ec643d3c 100644
--- a/src/main/java/org/qortal/api/resource/AdminResource.java
+++ b/src/main/java/org/qortal/api/resource/AdminResource.java
@@ -748,7 +748,7 @@ public class AdminResource {
 throw ApiExceptionFactory.INSTANCE.createCustomException(request, ApiError.UNAUTHORIZED, "Unable to generate API key");
 }
- return apiKey.getApiKey();
+ return apiKey.toString();
 }
 }
diff --git a/src/main/java/org/qortal/api/resource/ArbitraryResource.java b/src/main/java/org/qortal/api/resource/ArbitraryResource.java
index ed139673..6eda6326 100644
--- a/src/main/java/org/qortal/api/resource/ArbitraryResource.java
+++ b/src/main/java/org/qortal/api/resource/ArbitraryResource.java
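Review bot: Returning the secret from toString() makes the API key leak through every implicit string conversion — log4j parameter formatting, string concatenation in exception messages, debugger and collection rendering — whereas the removed getApiKey() accessor made each disclosure an explicit call that is easy to audit. Keep a named accessor for the single deliberate caller (the AdminResource hunk below, `return apiKey.toString();`, which would call it instead) and have toString() return a redacted value, e.g. `@Override public String toString() { return "ApiKey[redacted]"; }` alongside `public String getApiKey() { return this.apiKey; }`. Whether any log statement currently formats an ApiKey instance is not visible from this hunk; the rest of the ApiKey class is outside it.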
@@ -7,10 +7,9 @@ import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.parameters.RequestBody;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import io.swagger.v3.oas.annotations.tags.Tag;
-import java.net.InetSocketAddress;
-import java.net.UnknownHostException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 import java.util.ArrayList;
@@ -22,7 +21,6 @@ import javax.servlet.http.HttpServletResponse;
 import javax.ws.rs.*;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.Response;
 import org.apache.commons.lang3.ArrayUtils;
 import org.apache.logging.log4j.LogManager;
@@ -39,20 +37,11 @@ import org.qortal.data.naming.NameData;
 import org.qortal.data.transaction.ArbitraryTransactionData;
 import org.qortal.data.transaction.ArbitraryTransactionData.*;
 import org.qortal.data.transaction.TransactionData;
-import org.qortal.data.transaction.ArbitraryTransactionData.DataType;
-import org.qortal.network.Network;
-import org.qortal.network.Peer;
-import org.qortal.network.PeerAddress;
-import org.qortal.network.message.ArbitraryDataFileMessage;
-import org.qortal.network.message.GetArbitraryDataFileMessage;
-import org.qortal.network.message.Message;
 import org.qortal.repository.DataException;
 import org.qortal.repository.Repository;
 import org.qortal.repository.RepositoryManager;
 import org.qortal.settings.Settings;
 import org.qortal.arbitrary.ArbitraryDataFile;
-import org.qortal.arbitrary.ArbitraryDataFileChunk;
-import org.qortal.transaction.ArbitraryTransaction;
 import org.qortal.transaction.Transaction;
 import org.qortal.transaction.Transaction.TransactionType;
 import org.qortal.transaction.Transaction.ValidationResult;
@@ -233,6 +222,7 @@ public class ArbitraryResource {
 )
 }
 )
+ @SecurityRequirement(name = "apiKey")
 public HttpServletResponse get(@PathParam("service") String serviceString,
 @PathParam("name") String name,
 @QueryParam("filepath") String filepath,
@@ -259,6 +249,7 @@ public class ArbitraryResource {
 )
 }
 )
+ @SecurityRequirement(name = "apiKey")
 public HttpServletResponse get(@PathParam("service") String serviceString,
 @PathParam("name") String name,
 @PathParam("identifier") String identifier,
@@ -295,6 +286,7 @@ public class ArbitraryResource {
 )
 }
 )
+ @SecurityRequirement(name = "apiKey")
 public String post(@PathParam("service") String serviceString,
 @PathParam("name") String name,
 String path) {
@@ -329,6 +321,7 @@ public class ArbitraryResource {
 )
 }
 )
+ @SecurityRequirement(name = "apiKey")
 public String put(@PathParam("service") String serviceString,
 @PathParam("name") String name,
 String path) {
@@ -364,6 +357,7 @@ public class ArbitraryResource {
 )
 }
 )
+ @SecurityRequirement(name = "apiKey")
 public String patch(@PathParam("service") String serviceString,
 @PathParam("name") String name,
 String path) {
@@ -399,6 +393,7 @@ public class ArbitraryResource {
 )
 }
 )
+ @SecurityRequirement(name = "apiKey")
 public String post(@PathParam("service") String serviceString,
 @PathParam("name") String name,
 @PathParam("identifier") String identifier,
@@ -434,6 +429,7 @@ public class ArbitraryResource {
 )
 }
 )
+ @SecurityRequirement(name = "apiKey")
 public String put(@PathParam("service") String serviceString,
 @PathParam("name") String name,
 @PathParam("identifier") String identifier,
@@ -470,6 +466,7 @@ public class ArbitraryResource {
 )
 }
 )
+ @SecurityRequirement(name = "apiKey")
 public String patch(@PathParam("service") String serviceString,
 @PathParam("name") String name,
 @PathParam("identifier") String identifier,
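Review bot: `@SecurityRequirement(name = "apiKey")` is an OpenAPI documentation annotation and does not enforce anything at request time, so by itself it does not gate the get/post/put/patch handlers it is added to in this and the seven following hunks. That matters because the final hunk of this patch removes the `Settings.getInstance().isApiRestricted()` guard from upload(), leaving enforcement to whatever each handler body does, and those bodies lie outside the hunks. If these endpoints are meant to require the key, each handler (or a shared request filter) must perform the project's API-key check before doing any work; once that is in place, a comment such as `// Documents the requirement for the generated spec; enforcement is in the handler body` on the annotation would stop future readers from assuming the annotation itself protects the route.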
@@ -481,11 +478,6 @@ public class ArbitraryResource {
 private String upload(Method method, Service service, String name, String identifier, String path) {
- // It's too dangerous to allow user-supplied file paths in weaker security contexts
- if (Settings.getInstance().isApiRestricted()) {
- throw ApiExceptionFactory.INSTANCE.createException(request, ApiError.NON_PRODUCTION);
- }
-
 // Fetch public key from registered name
 try (final Repository repository = RepositoryManager.getRepository()) {
 NameData nameData = repository.getNameRepository().fromName(name);