From 7e8d3ace1229c6910f1efe28e56e74494cfd88dd Mon Sep 17 00:00:00 2001
From: Tor-Einar Skog <tor-einar.skog@bioforsk.no>
Date: Fri, 3 Jan 2014 16:00:28 +0100
Subject: [PATCH] Support for login as VIPSLogic on behalf of client

---
 .../VIPSCoreManagerApplication.java           |  2 +-
 .../service/ManagerResourceImpl.java          | 23 +++++++++++++++----
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/src/main/java/no/bioforsk/vips/coremanager/VIPSCoreManagerApplication.java b/src/main/java/no/bioforsk/vips/coremanager/VIPSCoreManagerApplication.java
index 5defcfb..265a7cf 100644
--- a/src/main/java/no/bioforsk/vips/coremanager/VIPSCoreManagerApplication.java
+++ b/src/main/java/no/bioforsk/vips/coremanager/VIPSCoreManagerApplication.java
@@ -37,8 +37,8 @@ public class VIPSCoreManagerApplication extends Application
      * given list with all resources defined in the project.
      */
     private void addRestResourceClasses(Set<Class<?>> resources) {
+        resources.add(no.bioforsk.vips.core.service.ModelResource.class);
         resources.add(no.bioforsk.vips.coremanager.service.JsonParseExceptionMapper.class);
-        resources.add(no.bioforsk.vips.coremanager.service.ManagerResource.class);
         resources.add(no.bioforsk.vips.coremanager.service.ManagerResourceImpl.class);
     }
 }
\ No newline at end of file
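Review bot: Registering `no.bioforsk.vips.core.service.ModelResource` on the first added line is not covered by the commit subject, and nothing in this hunk shows whether that resource applies the credential check that `ManagerResourceImpl` does; if it serves the model endpoints directly, they would become reachable without it. Confirm this is intended and name it in the commit message, or leave it out of this patch. Dropping the `ManagerResource` interface registration looks fine on its own, since the implementation class is still registered.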
diff --git a/src/main/java/no/bioforsk/vips/coremanager/service/ManagerResourceImpl.java b/src/main/java/no/bioforsk/vips/coremanager/service/ManagerResourceImpl.java
index cbe742c..62fd04d 100644
--- a/src/main/java/no/bioforsk/vips/coremanager/service/ManagerResourceImpl.java
+++ b/src/main/java/no/bioforsk/vips/coremanager/service/ManagerResourceImpl.java
@@ -49,7 +49,8 @@ public class ManagerResourceImpl implements ManagerResource{
     private final String VIPSCORE_URL = "http://localhost:8080/VIPSCore";
     private final Integer VIPS_BATCH_SYSTEM_USER_ID = -10;
     
-    
+    @Context
+    HttpServletRequest servletRequest;
     
     
     private InputStream getStaticFileAsInputStream(ServletContext servletContext, String filePath)
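Review bot: The injected `servletRequest` field is package-private while the neighbouring fields are `private`; declare it `private HttpServletRequest servletRequest;` so it is only reachable through this class. A one-line comment such as `// Injected per request; used to read the caller's remote address for the batch-user allowlist` would explain why an HttpServletRequest is needed next to the JAX-RS request object.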
@@ -274,7 +275,7 @@ public class ManagerResourceImpl implements ManagerResource{
             VIPSCoreCredentials credentials = ControllerGetter.getUserController().getVIPSCoreCredentials(request.getLoginInfo());
             if(credentials == null)
             {
-                throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).entity("Ikke godtatt!").build());
+                throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).entity("Credentials not accepted").build());
             }
             
             // We get the user
@@ -283,9 +284,21 @@ public class ManagerResourceImpl implements ManagerResource{
             // to find which user the batch system operates on behalf of ("batchSystemClientId")
             if(user.getVipsCoreUserId().equals(VIPS_BATCH_SYSTEM_USER_ID))
             {
-                // TODO: Check IP of caller to be sure that this is not someone
-                // who has hijacked the credentials for the batch system??
-                user = ControllerGetter.getUserController().getVipsCoreUser(request.getBatchSystemClientId());
+                String[] allowedIPS = System.getProperty("no.bioforsk.vips.core.VIPSBATCH_ALLOWED_IPS").split(",");
+                String remoteIP = servletRequest.getRemoteAddr();
+                boolean isIPValid = false;
+                for(String allowedIP:allowedIPS)
+                {
+                    if(allowedIP.equals(remoteIP))
+                    {
+                        isIPValid = true;
+                    }
+                }
+                if(!isIPValid)
+                {
+                    throw new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).entity("Invalid IP address").build());
+                }
+                user = ControllerGetter.getUserController().getVipsCoreUser(request.getVipsCoreUserId());
             }
             
             ModelUsageLog log = new ModelUsageLog();
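Review bot: `System.getProperty("no.bioforsk.vips.core.VIPSBATCH_ALLOWED_IPS")` on the first added line returns null when the property is not set, so `.split(",")` throws a NullPointerException and the batch-user branch fails with a server error instead of the intended UNAUTHORIZED response; pass `""` as the default so an unconfigured allowlist denies cleanly. The entries are compared without trimming, so a list written as `a, b` never matches its second address, and the loop keeps going after a match; trim each entry and `break` once one matches. `getRemoteAddr()` is the immediate TCP peer, so if this service sits behind a reverse proxy the allowlist is checking the proxy's address rather than the batch client's; a comment stating that deployment assumption would help. The comment above the branch still says the lookup uses `batchSystemClientId`, but the last added line now reads `request.getVipsCoreUserId()`; update it to match. The enclosing method begins before this hunk.
```java
                // Fail closed: an unset property yields an empty allowlist rather than a NullPointerException
                String[] allowedIPS = System.getProperty("no.bioforsk.vips.core.VIPSBATCH_ALLOWED_IPS", "").split(",");
                // getRemoteAddr() is the immediate peer; behind a reverse proxy this is the proxy's address
                String remoteIP = servletRequest.getRemoteAddr();
                boolean isIPValid = false;
                for(String allowedIP:allowedIPS)
                {
                    if(allowedIP.trim().equals(remoteIP))
                    {
                        isIPValid = true;
                        break;
                    }
                }
                // … unchanged: UNAUTHORIZED response and user lookup …
```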
-- 
GitLab