Merge pull request #106 from support-project/develop

koda-masaru · web-flow · commit abf4eb60e6b8 · 2018-01-08T13:14:26.000+09:00
Release v1.12.0
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,5 @@
 .project
 .settings
 .checkstyle
+.idea
+web.iml
diff --git a/pom.xml b/pom.xml
@@ -4,7 +4,7 @@
 
     <groupId>org.support-project</groupId>
     <artifactId>web</artifactId>
-    <version>1.11.1</version>
+    <version>1.12.0</version>
     <packaging>jar</packaging>
 
     <name>web</name>
@@ -59,13 +59,13 @@
         <dependency>
             <groupId>org.support-project</groupId>
             <artifactId>common</artifactId>
-            <version>1.11.0</version>
+            <version>1.12.0</version>
         </dependency>
 
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
-            <version>1.4.183</version>
+            <version>1.4.196</version>
             <scope>provided</scope>
         </dependency>
 
@@ -91,27 +91,27 @@
         <dependency>
             <groupId>commons-fileupload</groupId>
             <artifactId>commons-fileupload</artifactId>
-            <version>1.3.1</version>
+            <version>1.3.3</version>
         </dependency>
 
         <dependency>
             <groupId>org.apache.directory.api</groupId>
             <artifactId>api-all</artifactId>
-            <version>1.0.0-M30</version>
+            <version>1.0.0</version>
         </dependency>
 
         <dependency>
             <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
             <artifactId>owasp-java-html-sanitizer</artifactId>
-            <version>20160827.1</version>
+            <version>20171016.1</version>
         </dependency>
+        
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>19.0</version>
+            <version>20.0</version>
         </dependency>
 
-
     </dependencies>
 
     <profiles>
diff --git a/src/main/java/org/support/project/web/bean/CSRFTokens.java b/src/main/java/org/support/project/web/bean/CSRFTokens.java
@@ -2,8 +2,8 @@
 
 import java.io.Serializable;
 import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.List;
+import java.util.Iterator;
+import java.util.LinkedHashMap;
 
 import org.support.project.common.serialize.Serialize;
 import org.support.project.common.serialize.SerializerValue;
@@ -14,33 +14,48 @@ public class CSRFTokens implements Serializable {
      * シリアルバージョン
      */
     private static final long serialVersionUID = 1L;
-    
-    private List<CSRFToken> tokens = new ArrayList<>();
-    
+
+    private LinkedHashMap<String, CSRFToken> tokens = new LinkedHashMap<>();
+
     /**
      * 指定のキーに対するTokenを発行する
-     * @param key key 
+     * 
+     * @param key key
      * @throws NoSuchAlgorithmException NoSuchAlgorithmException
      */
     public String addToken(String key) throws NoSuchAlgorithmException {
+        if (tokens.containsKey(key)) {
+            CSRFToken token = tokens.get(key);
+            return token.getToken();
+        }
         if (tokens.size() > 20) {
-            tokens.remove(0);
+            Iterator<String> iterator = tokens.keySet().iterator();
+            while (iterator.hasNext()) {
+                String string = (String) iterator.next();
+                tokens.remove(string); // 初めの1件を削除（古いもの）
+                break;
+            }
         }
         CSRFToken token = CSRFToken.create(key);
-        tokens.add(token);
+        tokens.put(key, token);
         return token.getToken();
     }
-    
+
     /**
      * トークンが正しい値かチェックする
+     * 
      * @param key key
      * @param reqTokens CSRFTokens
      * @return チェック結果
      */
     public boolean checkToken(String key, CSRFTokens reqTokens) {
-        for (CSRFToken csrfToken : tokens) {
+        Iterator<CSRFToken> iterator = tokens.values().iterator();
+        while (iterator.hasNext()) {
+            CSRFToken csrfToken = (CSRFToken) iterator.next();
             if (csrfToken.getKey().equals(key)) {
-                for (CSRFToken reqToken : reqTokens.tokens) {
+                Iterator<CSRFToken> iterator2 = reqTokens.tokens.values().iterator();
+                while (iterator2.hasNext()) {
+                    CSRFToken reqToken = (CSRFToken) iterator2.next();
                     if (reqToken.getKey().equals(key) && csrfToken.getToken().equals(reqToken.getToken())) {
                         return true;
                     }
@@ -49,20 +64,23 @@ public boolean checkToken(String key, CSRFTokens reqTokens) {
         }
         return false;
     }
-    
+
     /**
      * リクエストのHiddenトークンが正しい値かチェックする
+     * 
      * @param key key
      * @return チェック結果
      */
     public boolean checkToken(String key) {
-        for (CSRFToken csrfToken : tokens) {
+        Iterator<CSRFToken> iterator = tokens.values().iterator();
+        while (iterator.hasNext()) {
+            CSRFToken csrfToken = (CSRFToken) iterator.next();
             if (csrfToken.getToken().equals(key)) {
                 // 保持されているTokenのリストの中に存在すればOK
                 return true;
             }
         }
         return false;
     }
-    
+
 }
diff --git a/src/main/java/org/support/project/web/common/InvokeSearch.java b/src/main/java/org/support/project/web/common/InvokeSearch.java
@@ -159,8 +159,17 @@ private void addTarget(Class<?> class1, Method method, String targetPackageName,
         }
         InvokeTarget invokeTarget = new InvokeTarget(class1, method, targetPackageName, classSuffix, new LinkedHashMap<>());
         if (invokeTargets.containsKey(key)) {
+            InvokeTarget exists =  invokeTargets.get(key);
+            if (exists.getTargetClass().getName().equals(invokeTarget.getTargetClass().getName())
+                    && exists.getTargetMethod().getName().equals(invokeTarget.getTargetMethod().getName())) {
+                //なぜか、同じクラスの同じメソッドが二回登録されることがあるのでスキップ
+                LOG.info("same target duplicate add. [" + key + "]");
+                return;
+            }
             // 既に指定のパスが使われている
             LOG.error("Target duplicated. [" + key + "]");
+            LOG.error("class:" + invokeTarget.getTargetClass().getName() + "  method:" + invokeTarget.getTargetMethod().getName());
+            LOG.error("class:" + exists.getTargetClass().getName() + "  method:" + exists.getTargetMethod().getName());
             throw new SystemException("Target duplicated. [" + key + "]");
         }
         // 大文字／小文字は判定しない
diff --git a/src/main/java/org/support/project/web/control/ApiControl.java b/src/main/java/org/support/project/web/control/ApiControl.java
@@ -1,8 +1,6 @@
 package org.support.project.web.control;
 
 import org.support.project.common.config.Resources;
-import org.support.project.common.util.StringUtils;
-import org.support.project.web.bean.ApiParams;
 import org.support.project.web.bean.Msg;
 import org.support.project.web.boundary.Boundary;
 import org.support.project.web.common.HttpStatus;
@@ -30,48 +28,4 @@ protected Boundary sendError(InvalidParamException e) {
             return this.sendError(HttpStatus.SC_400_BAD_REQUEST);
         }
     }
-    
-    public abstract Boundary getList(ApiParams params);
-    public abstract Boundary getSingle(String id);
-    public int maxLimit() {
-        return 50;
-    }
-    
-    protected ApiParams getApiParams() {
-         // 一覧取得
-        int limit = 10;
-        int offset = 0;
-        String limitStr = getParam("limit");
-        if (StringUtils.isInteger(limitStr)) {
-            limit = Integer.parseInt(limitStr);
-        }
-        if (limit > maxLimit()) {
-            limit = maxLimit();
-        }
-        String offsetStr = getParam("offset");
-        if (StringUtils.isInteger(offsetStr)) {
-            offset = Integer.parseInt(offsetStr);
-        }
-        ApiParams params = new ApiParams();
-        params.setLimit(limit);
-        params.setOffset(offset);
-        return params;
-    }
-    
-    /**
-     * APIの基本的なGetのパターンを処理
-     * 上の getList or getSingle が呼び出される
-     * @return
-     */
-    protected Boundary get() {
-        String id = super.getPathString("");
-        if (StringUtils.isEmpty(id)) {
-            ApiParams params = getApiParams();
-            return getList(params);
-        } else {
-            // 1件取得
-            return getSingle(id);
-        }
-    }
-    
 }
diff --git a/src/main/java/org/support/project/web/control/Control.java b/src/main/java/org/support/project/web/control/Control.java
@@ -786,7 +786,27 @@ protected Map<String, String> getParams() {
         }
         return map;
     }
-
+    
+    /**
+     * 数値の情報を取得
+     * @param param パラメータ名
+     * @param defaultVal デフォルト
+     * @param maxVal 最大値
+     * @return 数値
+     */
+    protected int getParamInt(String param, int defaultVal, int maxVal) {
+        int num = defaultVal;
+        String str = getParam(param);
+        if (StringUtils.isInteger(str)) {
+            num = Integer.parseInt(str);
+        }
+        if(num > maxVal) {
+            num = maxVal;
+        }
+        return num;
+    }
+    
+    
     /**
      * @return the sendEscapeHtml
      */
diff --git a/src/main/java/org/support/project/web/control/GetApiControl.java b/src/main/java/org/support/project/web/control/GetApiControl.java
@@ -0,0 +1,52 @@
+package org.support.project.web.control;
+
+import org.support.project.common.util.StringUtils;
+import org.support.project.web.bean.ApiParams;
+import org.support.project.web.boundary.Boundary;
+
+public abstract class GetApiControl extends ApiControl {
+
+    public abstract Boundary getList(ApiParams params);
+    public abstract Boundary getSingle(String id);
+    public int maxLimit() {
+        return 50;
+    }
+
+    protected ApiParams getApiParams() {
+        // 一覧取得
+        int limit = 10;
+        int offset = 0;
+        String limitStr = getParam("limit");
+        if (StringUtils.isInteger(limitStr)) {
+            limit = Integer.parseInt(limitStr);
+        }
+        if (limit > maxLimit()) {
+            limit = maxLimit();
+        }
+        String offsetStr = getParam("offset");
+        if (StringUtils.isInteger(offsetStr)) {
+            offset = Integer.parseInt(offsetStr);
+        }
+        ApiParams params = new ApiParams();
+        params.setLimit(limit);
+        params.setOffset(offset);
+        return params;
+    }
+
+    /**
+     * APIの基本的なGetのパターンを処理
+     * 上の getList or getSingle が呼び出される
+     * @return
+     */
+    protected Boundary get() {
+        String id = super.getPathString("");
+        if (StringUtils.isEmpty(id)) {
+            ApiParams params = getApiParams();
+            return getList(params);
+        } else {
+            // 1件取得
+            return getSingle(id);
+        }
+    }
+}
+
diff --git a/src/main/java/org/support/project/web/dao/UsersDao.java b/src/main/java/org/support/project/web/dao/UsersDao.java
@@ -159,7 +159,7 @@ public List<UsersEntity> selectOnKeyword(int offset, int pageLimit, String keywo
         List<Object> params = new ArrayList<Object>();
         sql.append("SELECT * FROM USERS WHERE DELETE_FLAG = 0 ");
         if (!StringUtils.isEmpty(keyword)) {
-            sql.append("AND USER_NAME LIKE ? ");
+            sql.append("AND USER_NAME ILIKE ? ");
             params.add("%" + keyword + "%");
         }
         sql.append("ORDER BY USER_ID ASC Limit ? offset ?;");
diff --git a/src/main/java/org/support/project/web/logic/HttpRequestCheckLogic.java b/src/main/java/org/support/project/web/logic/HttpRequestCheckLogic.java
@@ -171,7 +171,10 @@ public void setCSRFTocken(InvokeTarget invokeTarget, HttpServletRequest request,
                 tokens = new CSRFTokens();
                 session.setAttribute(CSRF_TOKENS, tokens);
             }
-            tokens.addToken(tokenkey);
+            String result = tokens.addToken(tokenkey);
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("Add token to CSRF_TOKENS. key:" + tokenkey + "  token:" + result);
+            }
             try {
                 HttpUtil.setCookie(request, response, CSRF_TOKENS, SerializeUtils.objectToBase64(tokens));
             } catch (SerializeException e) {
@@ -185,7 +188,7 @@ public void setCSRFTocken(InvokeTarget invokeTarget, HttpServletRequest request,
             }
             String reqid = reqids.addToken(tokenkey);
             if (LOG.isDebugEnabled()) {
-                LOG.debug("Req Token : " + reqid);
+                LOG.debug("Add token to CSRF_REQIDS. key:" + tokenkey + "  token:" + reqid);
             }
             request.setAttribute(REQ_ID_KEY, reqid);
         }
@@ -230,6 +233,7 @@ public boolean checkCSRF(InvokeTarget invokeTarget, HttpServletRequest request)
             }
             
             if (isCheckReqToken(invokeTarget)) {
+                // HiddenパラメータにRequestTokenがセットされているかチェックする場合
                 String reqId = request.getParameter(REQ_ID_KEY);
                 CSRFTokens reqids = (CSRFTokens) session.getAttribute(CSRF_REQIDS);
                 if (reqids == null) {
diff --git a/src/main/java/org/support/project/web/logic/SanitizingLogic.java b/src/main/java/org/support/project/web/logic/SanitizingLogic.java
@@ -85,6 +85,8 @@ public boolean apply(String s) {
                     "var")
             .allowAttributes("id").matching(HTML_ID).globally()
             .allowAttributes("slide").matching(NUMBER).globally()
+            .allowAttributes("transition").matching(HTML_CLASS).globally()
+            .allowAttributes("centered").matching(HTML_CLASS).globally()
             .allowAttributes("class").matching(HTML_CLASS).globally()
             .allowAttributes("lang").matching(Pattern.compile("[a-zA-Z]{2,20}")).globally()
             .allowAttributes("title").matching(HTML_TITLE).globally()
diff --git a/src/main/java/org/support/project/web/logic/UserLogic.java b/src/main/java/org/support/project/web/logic/UserLogic.java
@@ -240,5 +240,20 @@ public void insertDefaultGroup(UsersEntity user) {
             userGroupsDao.insert(userGroupsEntity);
         }
     }
+    
+    /**
+     * ユーザの一覧を取得
+     * @param keyword keyword
+     * @param offset offset
+     * @param limit limit
+     * @return ユーザの一覧
+     */
+    public List<UsersEntity> getUser(String keyword, int offset, int limit) {
+        List<UsersEntity> list = UsersDao.get().selectOnKeyword(offset, limit, keyword);
+        for (UsersEntity usersEntity : list) {
+            usersEntity.setPassword(null); // パスワードは返さない
+        }
+        return list;
+    }
 
 }
diff --git a/src/main/resources/org/support/project/web/dao/sql/GroupsDao/GroupsDao_selectAdminOnKeyword.sql b/src/main/resources/org/support/project/web/dao/sql/GroupsDao/GroupsDao_selectAdminOnKeyword.sql
@@ -5,7 +5,7 @@ SELECT
     WHERE
         GROUPS.DELETE_FLAG = 0
         AND
-        GROUPS.GROUP_NAME LIKE '%' || ? || '%'
+        GROUPS.GROUP_NAME ILIKE '%' || ? || '%'
     GROUP BY
         GROUPS.GROUP_ID
     ORDER BY
diff --git a/src/main/resources/org/support/project/web/dao/sql/GroupsDao/GroupsDao_selectMyGroupOnKeyword.sql b/src/main/resources/org/support/project/web/dao/sql/GroupsDao/GroupsDao_selectMyGroupOnKeyword.sql
diff --git a/src/main/resources/org/support/project/web/dao/sql/GroupsDao/GroupsDao_selectOnKeyword.sql b/src/main/resources/org/support/project/web/dao/sql/GroupsDao/GroupsDao_selectOnKeyword.sql
diff --git a/src/test/java/org/support/project/web/config/AppconfigTest.java b/src/test/java/org/support/project/web/config/AppconfigTest.java

Original file line number	Diff line number	Diff line change
`@@ -159,7 +159,7 @@ public List<UsersEntity> selectOnKeyword(int offset, int pageLimit, String keywo`
`159`	`159`	`List<Object> params = new ArrayList<Object>();`
`160`	`160`	`sql.append("SELECT * FROM USERS WHERE DELETE_FLAG = 0 ");`
`161`	`161`	`if (!StringUtils.isEmpty(keyword)) {`
`162`		`- sql.append("AND USER_NAME LIKE ? ");`
	`162`	`+ sql.append("AND USER_NAME ILIKE ? ");`
`163`	`163`	`params.add("%" + keyword + "%");`
`164`	`164`	`}`
`165`	`165`	`sql.append("ORDER BY USER_ID ASC Limit ? offset ?;");`
Original file line number	Diff line number	Diff line change
`@@ -171,7 +171,10 @@ public void setCSRFTocken(InvokeTarget invokeTarget, HttpServletRequest request,`
`171`	`171`	`tokens = new CSRFTokens();`
`172`	`172`	`session.setAttribute(CSRF_TOKENS, tokens);`
`173`	`173`	`}`
`174`		`- tokens.addToken(tokenkey);`
	`174`	`+ String result = tokens.addToken(tokenkey);`
	`175`	`+ if (LOG.isDebugEnabled()) {`
	`176`	`+ LOG.debug("Add token to CSRF_TOKENS. key:" + tokenkey + " token:" + result);`
	`177`	`+ }`
`175`	`178`	`try {`
`176`	`179`	`HttpUtil.setCookie(request, response, CSRF_TOKENS, SerializeUtils.objectToBase64(tokens));`
`177`	`180`	`} catch (SerializeException e) {`
`@@ -185,7 +188,7 @@ public void setCSRFTocken(InvokeTarget invokeTarget, HttpServletRequest request,`
`185`	`188`	`}`
`186`	`189`	`String reqid = reqids.addToken(tokenkey);`
`187`	`190`	`if (LOG.isDebugEnabled()) {`
`188`		`- LOG.debug("Req Token : " + reqid);`
	`191`	`+ LOG.debug("Add token to CSRF_REQIDS. key:" + tokenkey + " token:" + reqid);`
`189`	`192`	`}`
`190`	`193`	`request.setAttribute(REQ_ID_KEY, reqid);`
`191`	`194`	`}`
`@@ -230,6 +233,7 @@ public boolean checkCSRF(InvokeTarget invokeTarget, HttpServletRequest request)`
`230`	`233`	`}`
`231`	`234`
`232`	`235`	`if (isCheckReqToken(invokeTarget)) {`
	`236`	`+ // HiddenパラメータにRequestTokenがセットされているかチェックする場合`
`233`	`237`	`String reqId = request.getParameter(REQ_ID_KEY);`
`234`	`238`	`CSRFTokens reqids = (CSRFTokens) session.getAttribute(CSRF_REQIDS);`
`235`	`239`	`if (reqids == null) {`