IQSS · rtreacy · Jun 9, 2022 · Jun 9, 2022 · Jun 9, 2022 · Jun 9, 2022
diff --git a/src/main/java/edu/harvard/iq/dataverse/api/AbstractApiBean.java b/src/main/java/edu/harvard/iq/dataverse/api/AbstractApiBean.java
@@ -432,14 +432,22 @@ private AuthenticatedUser findAuthenticatedUserOrDie( String key, String wfid )
 
     private AuthenticatedUser getAuthenticatedUserFromSignedUrl() {
         AuthenticatedUser authUser = null;
-        String signedUrl = httpRequest.getRequestURL().toString();
+        // The signUrl contains a param telling which user this is supposed to be for.
+        // We don't trust this. So we lookup that user, and get their API key, and use
+        // that as a secret in validation the signedURL. If the signature can't be
+        // validating with their key, the user (or their API key) has been changed and
+        // we reject the request.
+        //ToDo - add null checks/ verify that calling methods catch things.
         String user = httpRequest.getParameter("user");
+        AuthenticatedUser targetUser = authSvc.getAuthenticatedUser(user);
+        String key = authSvc.findApiTokenByUser(targetUser).getTokenString();
+        String signedUrl = httpRequest.getRequestURL().toString();
         String method = httpRequest.getMethod();
-        String key = httpRequest.getParameter("token");
+
         boolean validated = UrlSignerUtil.isValidUrl(signedUrl, method, user, key);
         if (validated){
-            authUser = authSvc.getAuthenticatedUser(user);
-        }     
+            authUser = targetUser;
+        }
         return authUser;
     }    
 

diff --git a/src/main/java/edu/harvard/iq/dataverse/api/Admin.java b/src/main/java/edu/harvard/iq/dataverse/api/Admin.java
@@ -31,6 +31,7 @@
 import edu.harvard.iq.dataverse.authorization.providers.shib.ShibAuthenticationProvider;
 import edu.harvard.iq.dataverse.authorization.providers.shib.ShibServiceBean;
 import edu.harvard.iq.dataverse.authorization.providers.shib.ShibUtil;
+import edu.harvard.iq.dataverse.authorization.users.ApiToken;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
 import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailData;
 import edu.harvard.iq.dataverse.confirmemail.ConfirmEmailException;
@@ -44,6 +45,7 @@
 import javax.json.Json;
 import javax.json.JsonArrayBuilder;
 import javax.json.JsonObjectBuilder;
+import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
@@ -94,6 +96,7 @@
 import edu.harvard.iq.dataverse.util.BundleUtil;
 import edu.harvard.iq.dataverse.util.FileUtil;
 import edu.harvard.iq.dataverse.util.SystemConfig;
+import edu.harvard.iq.dataverse.util.UrlSignerUtil;
 
 import java.io.IOException;
 import java.io.OutputStream;
@@ -2061,4 +2064,43 @@ public Response getBannerMessages(@PathParam("id") Long id) throws WrappedRespon
                 .collect(toJsonArray()));
 
     }
+
+    @POST
+    @Consumes("application/json")
+    @Path("/requestSignedUrl")
+    public Response getSignedUrl(JsonObject urlInfo) throws WrappedResponse {
+        AuthenticatedUser superuser = authSvc.getAdminUser();
+
+        if (superuser == null) {
+            return error(Response.Status.FORBIDDEN, "Requesting signed URLs is restricted to superusers.");
+        }
+
+        String userId = urlInfo.getString("user");
+        String key=null;
+        if(userId!=null) {
+        AuthenticatedUser user = authSvc.getAuthenticatedUser(userId);
+        if(user!=null) {
+            ApiToken apiToken = authSvc.findApiTokenByUser(user);
+            if(apiToken!=null && !apiToken.isExpired() &&  ! apiToken.isDisabled()) {
+                key = apiToken.getTokenString();
+            }
+        } else {
+            userId=superuser.getIdentifier();
+            //We ~know this exists - the superuser just used it and it was unexpired/not disabled. (ToDo - if we want this to work with workflow tokens (or as a signed URL, we should do more checking as for the user above))
+        }
+            key =  authSvc.findApiTokenByUser(superuser).getTokenString();
+        }
+        if(key==null) {
+            return error(Response.Status.CONFLICT, "Do not have a valid user with apiToken");
+        }
+
+        String baseUrl = urlInfo.getString("url");
+        int timeout = urlInfo.getInt("timeout", 10);
+        String method = urlInfo.getString("method", "GET");
+
+        String signedUrl = UrlSignerUtil.signUrl(baseUrl, timeout, userId, method, key); 
+
+        return ok(Json.createObjectBuilder().add("signedUrl", signedUrl));
+    }
+
 }
diff --git a/src/main/java/edu/harvard/iq/dataverse/util/json/JsonUtil.java b/src/main/java/edu/harvard/iq/dataverse/util/json/JsonUtil.java
@@ -3,6 +3,8 @@
 import com.google.gson.Gson;
 import com.google.gson.GsonBuilder;
 import com.google.gson.JsonObject;
+
+import java.io.StringReader;
 import java.io.StringWriter;
 import java.util.HashMap;
 import java.util.Map;
@@ -55,5 +57,16 @@ public static String prettyPrint(javax.json.JsonObject jsonObject) {
         }
         return stringWriter.toString();
     }
+
+    public static javax.json.JsonObject getJsonObject(String serializedJson) {
+        try (StringReader rdr = new StringReader(serializedJson)) {
+            return Json.createReader(rdr).readObject();
+        }
+    }
 
+    public static JsonArray getJsonArray(String serializedJson) {
+        try (StringReader rdr = new StringReader(serializedJson)) {
+            return Json.createReader(rdr).readArray();
+        }
+    }
 }