mv com/google/domain/registry google/registry

This change renames directories in preparation for the great package
rename. The repository is now in a broken state because the code
itself hasn't been updated. However this should ensure that git
correctly preserves history for each file.

java/google/registry/security/XsrfProtectedServlet.java

@@ -0,0 +1,86 @@
+// Copyright 2016 The Domain Registry Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.domain.registry.security;
+
+import static com.google.appengine.api.users.UserServiceFactory.getUserService;
+import static com.google.common.base.Preconditions.checkNotNull;
+import static com.google.common.base.Strings.nullToEmpty;
+import static com.google.domain.registry.security.XsrfTokenManager.X_CSRF_TOKEN;
+import static com.google.domain.registry.security.XsrfTokenManager.validateToken;
+import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
+
+import com.google.appengine.api.users.UserService;
+
+import org.joda.time.Duration;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+/**
+ * Servlet with Cross-Site Request Forgery (XSRF) protection.
+ *
+ * <p>This servlet enforces XSRF protection on all requests by checking the value provided in the
+ * "X-CSRF-Token" header. It can also optionally enforce that only admin users can call it.
+ *
+ * <p>All servlets that handle client requests should use XSRF protection.
+ */
+public abstract class XsrfProtectedServlet extends HttpServlet {
+
+  private static final Duration XSRF_VALIDITY = Duration.standardDays(1);
+
+  /** Used to validate XSRF tokens. */
+  private String xsrfScope;
+
+  /** Whether to do a security check for admin status. */
+  private boolean requireAdmin;
+
+  /** Gets the XSRF scope for this servlet. */
+  public String getScope() {
+    return xsrfScope;
+  }
+
+  protected XsrfProtectedServlet(String xsrfScope, boolean requireAdmin) {
+    this.xsrfScope = checkNotNull(xsrfScope);
+    this.requireAdmin = requireAdmin;
+  }
+
+  @Override
+  public final void service(HttpServletRequest req, HttpServletResponse rsp)
+      throws IOException, ServletException {
+    if (!validateToken(nullToEmpty(req.getHeader(X_CSRF_TOKEN)), xsrfScope, XSRF_VALIDITY)) {
+      rsp.sendError(SC_FORBIDDEN, "Invalid " + X_CSRF_TOKEN);
+      return;
+    }
+    if (!validateAdmin()) {
+      rsp.sendError(SC_FORBIDDEN, "Administrator access only");
+      return;
+    }
+    doPost(req, rsp);
+  }
+
+  /**
+   * If this is an admin-only servlet, require admin permissions or being in development mode. Such
+   * servlets should primarily be defended by being marked internal-only in web.xml, but it's worth
+   * adding a defense-in-depth.
+   */
+  private boolean validateAdmin() {
+    UserService userService = getUserService();
+    return requireAdmin ? (userService.isUserLoggedIn() && userService.isUserAdmin()) : true;
+  }
+}