Critical security fixes

Andrew Shvayka
1 parent a64d2123
Showing 3 changed files with 54 additions and 43 deletions
application/src/main/java/org/thingsboard/server/controller/BaseController.java
application/src/main/java/org/thingsboard/server/service/security/ValidationCallback.java
application/src/main/java/org/thingsboard/server/service/telemetry/DefaultTelemetryWebSocketService.java
--- a/application/src/main/java/org/thingsboard/server/controller/BaseController.java
View file @78436f9
+++ b/application/src/main/java/org/thingsboard/server/controller/BaseController.java
View file @78436f9
@@ -259,7 +259,6 @@ public abstract class BaseController {
     Customer checkCustomerId(CustomerId customerId) throws ThingsboardException {
         try {
-            validateId(customerId, "Incorrect customerId " + customerId);
             SecurityUser authUser = getCurrentUser();
             if (authUser.getAuthority() == Authority.SYS_ADMIN ||
                     (authUser.getAuthority() != Authority.TENANT_ADMIN &&
@@ -267,9 +266,13 @@ public abstract class BaseController {
                 throw new ThingsboardException(YOU_DON_T_HAVE_PERMISSION_TO_PERFORM_THIS_OPERATION,
                         ThingsboardErrorCode.PERMISSION_DENIED);
             }
-            Customer customer = customerService.findCustomerById(customerId);
-            checkCustomer(customer);
-            return customer;
+            if (customerId != null && !customerId.isNullUid()) {
+                Customer customer = customerService.findCustomerById(customerId);
+                checkCustomer(customer);
+                return customer;
+            } else {
+                return null;
+            }
         } catch (Exception e) {
             throw handleException(e, false);
         }
@@ -350,9 +353,7 @@ public abstract class BaseController {
     protected void checkDevice(Device device) throws ThingsboardException {
         checkNotNull(device);
         checkTenantId(device.getTenantId());
-        if (device.getCustomerId() != null && !device.getCustomerId().getId().equals(ModelConstants.NULL_UUID)) {
-            checkCustomerId(device.getCustomerId());
-        }
+        checkCustomerId(device.getCustomerId());
     }
     protected EntityView checkEntityViewId(EntityViewId entityViewId) throws ThingsboardException {
@@ -369,9 +370,7 @@ public abstract class BaseController {
     protected void checkEntityView(EntityView entityView) throws ThingsboardException {
         checkNotNull(entityView);
         checkTenantId(entityView.getTenantId());
-        if (entityView.getCustomerId() != null && !entityView.getCustomerId().getId().equals(ModelConstants.NULL_UUID)) {
-            checkCustomerId(entityView.getCustomerId());
-        }
+        checkCustomerId(entityView.getCustomerId());
     }
     Asset checkAssetId(AssetId assetId) throws ThingsboardException {
@@ -388,9 +387,7 @@ public abstract class BaseController {
     protected void checkAsset(Asset asset) throws ThingsboardException {
         checkNotNull(asset);
         checkTenantId(asset.getTenantId());
-        if (asset.getCustomerId() != null && !asset.getCustomerId().getId().equals(ModelConstants.NULL_UUID)) {
-            checkCustomerId(asset.getCustomerId());
-        }
+        checkCustomerId(asset.getCustomerId());
     }
     Alarm checkAlarmId(AlarmId alarmId) throws ThingsboardException {
@@ -499,8 +496,7 @@ public abstract class BaseController {
     ComponentDescriptor checkComponentDescriptorByClazz(String clazz) throws ThingsboardException {
         try {
             log.debug("[{}] Lookup component descriptor", clazz);
-            ComponentDescriptor componentDescriptor = checkNotNull(componentDescriptorService.getComponent(clazz));
-            return componentDescriptor;
+            return checkNotNull(componentDescriptorService.getComponent(clazz));
         } catch (Exception e) {
             throw handleException(e, false);
         }
@@ -564,16 +560,16 @@ public abstract class BaseController {
     }
     protected <I extends EntityId> I emptyId(EntityType entityType) {
-        return (I)EntityIdFactory.getByTypeAndUuid(entityType, ModelConstants.NULL_UUID);
+        return (I) EntityIdFactory.getByTypeAndUuid(entityType, ModelConstants.NULL_UUID);
     }
     protected <E extends HasName, I extends EntityId> void logEntityAction(I entityId, E entity, CustomerId customerId,
-                                                                 ActionType actionType, Exception e, Object... additionalInfo) throws ThingsboardException {
+                                                                           ActionType actionType, Exception e, Object... additionalInfo) throws ThingsboardException {
         logEntityAction(getCurrentUser(), entityId, entity, customerId, actionType, e, additionalInfo);
     }
     protected <E extends HasName, I extends EntityId> void logEntityAction(User user, I entityId, E entity, CustomerId customerId,
-                                                                 ActionType actionType, Exception e, Object... additionalInfo) throws ThingsboardException {
+                                                                           ActionType actionType, Exception e, Object... additionalInfo) throws ThingsboardException {
         if (customerId == null || customerId.isNullUid()) {
             customerId = user.getCustomerId();
         }
@@ -589,7 +585,7 @@ public abstract class BaseController {
     }
     private <E extends HasName, I extends EntityId> void pushEntityActionToRuleEngine(I entityId, E entity, User user, CustomerId customerId,
-                                                                         ActionType actionType, Object... additionalInfo) {
+                                                                                      ActionType actionType, Object... additionalInfo) {
         String msgType = null;
         switch (actionType) {
             case ADDED:
@@ -668,7 +664,7 @@ public abstract class BaseController {
                         String scope = extractParameter(String.class, 0, additionalInfo);
                         List<String> keys = extractParameter(List.class, 1, additionalInfo);
                         metaData.putValue("scope", scope);
-                        ArrayNode attrsArrayNode =  entityNode.putArray("attributes");
+                        ArrayNode attrsArrayNode = entityNode.putArray("attributes");
                         if (keys != null) {
                             keys.forEach(attrsArrayNode::add);
                         }
--- a/application/src/main/java/org/thingsboard/server/service/security/ValidationCallback.java
View file @78436f9
+++ b/application/src/main/java/org/thingsboard/server/service/security/ValidationCallback.java
View file @78436f9
@@ -36,29 +36,10 @@ public class ValidationCallback<T> implements FutureCallback<ValidationResult> {
     @Override
     public void onSuccess(ValidationResult result) {
-        ValidationResultCode resultCode = result.getResultCode();
-        if (resultCode == ValidationResultCode.OK) {
+        if (result.getResultCode() == ValidationResultCode.OK) {
             action.onSuccess(response);
         } else {
-            Exception e;
-            switch (resultCode) {
-                case ENTITY_NOT_FOUND:
-                    e = new EntityNotFoundException(result.getMessage());
-                    break;
-                case UNAUTHORIZED:
-                    e = new UnauthorizedException(result.getMessage());
-                    break;
-                case ACCESS_DENIED:
-                    e = new AccessDeniedException(result.getMessage());
-                    break;
-                case INTERNAL_ERROR:
-                    e = new InternalErrorException(result.getMessage());
-                    break;
-                default:
-                    e = new UnauthorizedException("Permission denied.");
-                    break;
-            }
-            onFailure(e);
+            onFailure(getException(result));
         }
     }
@@ -66,4 +47,28 @@ public class ValidationCallback<T> implements FutureCallback<ValidationResult> {
     public void onFailure(Throwable e) {
         action.onFailure(e);
     }
+
+    public static Exception getException(ValidationResult result) {
+        ValidationResultCode resultCode = result.getResultCode();
+        Exception e;
+        switch (resultCode) {
+            case ENTITY_NOT_FOUND:
+                e = new EntityNotFoundException(result.getMessage());
+                break;
+            case UNAUTHORIZED:
+                e = new UnauthorizedException(result.getMessage());
+                break;
+            case ACCESS_DENIED:
+                e = new AccessDeniedException(result.getMessage());
+                break;
+            case INTERNAL_ERROR:
+                e = new InternalErrorException(result.getMessage());
+                break;
+            default:
+                e = new UnauthorizedException("Permission denied.");
+                break;
+        }
+        return e;
+    }
+
 }
--- a/application/src/main/java/org/thingsboard/server/service/telemetry/DefaultTelemetryWebSocketService.java
View file @78436f9
+++ b/application/src/main/java/org/thingsboard/server/service/telemetry/DefaultTelemetryWebSocketService.java
View file @78436f9
@@ -37,13 +37,18 @@ import org.thingsboard.server.common.data.kv.TsKvEntry;
 import org.thingsboard.server.dao.attributes.AttributesService;
 import org.thingsboard.server.dao.timeseries.TimeseriesService;
 import org.thingsboard.server.service.security.AccessValidator;
+import org.thingsboard.server.service.security.ValidationCallback;
 import org.thingsboard.server.service.security.ValidationResult;
+import org.thingsboard.server.service.security.ValidationResultCode;
 import org.thingsboard.server.service.telemetry.cmd.AttributesSubscriptionCmd;
 import org.thingsboard.server.service.telemetry.cmd.GetHistoryCmd;
 import org.thingsboard.server.service.telemetry.cmd.SubscriptionCmd;
 import org.thingsboard.server.service.telemetry.cmd.TelemetryPluginCmd;
 import org.thingsboard.server.service.telemetry.cmd.TelemetryPluginCmdsWrapper;
 import org.thingsboard.server.service.telemetry.cmd.TimeseriesSubscriptionCmd;
+import org.thingsboard.server.service.telemetry.exception.AccessDeniedException;
+import org.thingsboard.server.service.telemetry.exception.EntityNotFoundException;
+import org.thingsboard.server.service.telemetry.exception.InternalErrorException;
 import org.thingsboard.server.service.telemetry.exception.UnauthorizedException;
 import org.thingsboard.server.service.telemetry.sub.SubscriptionErrorCode;
 import org.thingsboard.server.service.telemetry.sub.SubscriptionState;
@@ -535,11 +540,16 @@ public class DefaultTelemetryWebSocketService implements TelemetryWebSocketServi
         };
     }
-    private FutureCallback<ValidationResult> on(Consumer<ValidationResult> success, Consumer<Throwable> failure) {
+    private FutureCallback<ValidationResult> on(Consumer<Void> success, Consumer<Throwable> failure) {
         return new FutureCallback<ValidationResult>() {
             @Override
             public void onSuccess(@Nullable ValidationResult result) {
-                success.accept(result);
+                ValidationResultCode resultCode = result.getResultCode();
+                if (resultCode == ValidationResultCode.OK) {
+                    success.accept(null);
+                } else {
+                    onFailure(ValidationCallback.getException(result));
+                }
             }
             @Override