Java tutorial
// Licensed to the Apache Software Foundation (ASF) under one // or more contributor license agreements. See the NOTICE file // distributed with this work for additional information // regarding copyright ownership. The ASF licenses this file // to you under the Apache License, Version 2.0 (the // "License"); you may not use this file except in compliance // with the License. You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, // software distributed under the License is distributed on an // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY // KIND, either express or implied. See the License for the // specific language governing permissions and limitations // under the License. package com.cloud.bridge.util; import java.security.InvalidKeyException; import java.security.SignatureException; import java.util.*; import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import javax.crypto.Mac; import javax.crypto.spec.SecretKeySpec; import org.apache.commons.codec.binary.Base64; import org.apache.log4j.Logger; /** * This class expects that the caller pulls the required headers from the standard * HTTPServeletRequest structure. This class is responsible for providing the * RFC2104 calculation to ensure that the signature is valid for the signing string. * The signing string is a representation of the request. * Notes are given below on what values are expected. * This class is used for the Authentication check for REST requests and Query String * Authentication requests. * */ public class RestAuth { protected final static Logger logger = Logger.getLogger(RestAuth.class); // TreeMap: used when constructing the CanonicalizedAmzHeaders Element of the StringToSign protected TreeMap<String, String> AmazonHeaders = null; // not always present protected String bucketName = null; // not always present protected String queryString = null; // for CanonicalizedResource - only interested in a string starting with particular values protected String uriPath = null; // only interested in the resource path protected String date = null; // only if x-amz-date is not set protected String contentType = null; // not always present protected String contentMD5 = null; // not always present protected boolean amzDateSet = false; protected boolean useSubDomain = false; protected Set<String> allowedQueryParams; public RestAuth() { // these must be lexicographically sorted AmazonHeaders = new TreeMap<String, String>(); allowedQueryParams = new HashSet<String>() { { add("acl"); add("lifecycle"); add("location"); add("logging"); add("notification"); add("partNumber"); add("policy"); add("requestPayment"); add("torrent"); add("uploadId"); add("uploads"); add("versionId"); add("versioning"); add("versions"); add("website"); add("delete"); } }; } public RestAuth(boolean useSubDomain) { //invoke the other constructor this(); this.useSubDomain = useSubDomain; } public void setUseSubDomain(boolean value) { useSubDomain = value; } public boolean getUseSubDomain() { return useSubDomain; } /** * This header is used iff the "x-amz-date:" header is not defined. * Value is used in constructing the StringToSign for signature verification. * * @param date - the contents of the "Date:" header, skipping the 'Date:' preamble. * OR pass in the value of the "Expires=" query string parameter passed in * for "Query String Authentication". */ public void setDateHeader(String date) { if (this.amzDateSet) return; if (null != date) date = date.trim(); this.date = date; } /** * Value is used in constructing the StringToSign for signature verification. * * @param type - the contents of the "Content-Type:" header, skipping the 'Content-Type:' preamble. */ public void setContentTypeHeader(String type) { if (null != type) type = type.trim(); this.contentType = type; } /** * Value is used in constructing the StringToSign for signature verification. * @param type - the contents of the "Content-MD5:" header, skipping the 'Content-MD5:' preamble. */ public void setContentMD5Header(String md5) { if (null != md5) md5 = md5.trim(); this.contentMD5 = md5; } /** * The bucket name can be in the "Host:" header but it does not have to be. It can * instead be in the uriPath as the first step in the path. * * Used as part of the CanonalizedResource element of the StringToSign. * If we get "Host: static.johnsmith.net:8080", then the bucket name is "static.johnsmith.net" * * @param header - contents of the "Host:" header, skipping the 'Host:' preamble. */ public void setHostHeader(String header) { if (null == header) { this.bucketName = null; return; } // -> is there a port on the name? header = header.trim(); int offset = header.indexOf(":"); if (-1 != offset) header = header.substring(0, offset); this.bucketName = header; } /** * Used as part of the CanonalizedResource element of the StringToSign. * CanonicalizedResource = [ "/" + Bucket ] + * <HTTP-Request-URI, from the protocol name up to the query string> + [sub-resource] * The list of sub-resources that must be included when constructing the CanonicalizedResource Element are: acl, lifecycle, location, * logging, notification, partNumber, policy, requestPayment, torrent, uploadId, uploads, versionId, versioning, versions and website. * (http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html) * @param query - results from calling "HttpServletRequest req.getQueryString()" */ public void setQueryString(String query) { if (null == query) { this.queryString = null; return; } // Sub-resources (i.e.: query params) must be lex sorted Set<String> subResources = new TreeSet<String>(); String[] queryParams = query.split("&"); StringBuffer builtQuery = new StringBuffer(); for (String queryParam : queryParams) { // lookup parameter name String paramName = queryParam.split("=")[0]; if (allowedQueryParams.contains(paramName)) { subResources.add(queryParam); } } for (String subResource : subResources) { builtQuery.append(subResource + "&"); } // If anything inside the string buffer, add a "?" at the beginning, // and then remove the last '&' if (builtQuery.length() > 0) { builtQuery.insert(0, "?"); builtQuery.deleteCharAt(builtQuery.length() - 1); } this.queryString = builtQuery.toString(); } /** * Used as part of the CanonalizedResource element of the StringToSign. * Append the path part of the un-decoded HTTP Request-URI, up-to but not including the query string. * * @param path - - results from calling "HttpServletRequest req.getPathInfo()" */ public void addUriPath(String path) { if (null != path) path = path.trim(); this.uriPath = path; } /** * Pass in each complete Amazon header found in the HTTP request one at a time. * Each Amazon header added will become part of the signature calculation. * We are using a TreeMap here because of the S3 definition: * "Sort the collection of headers lexicographically by header name." * * @param headerAndValue - needs to be the complete amazon header (i.e., starts with "x-amz"). */ public void addAmazonHeader(String headerAndValue) { if (null == headerAndValue) return; String canonicalized = null; // [A] First Canonicalize the header and its value // -> we use the header 'name' as the key since we have to sort on that int offset = headerAndValue.indexOf(":"); String header = headerAndValue.substring(0, offset + 1).toLowerCase(); String value = headerAndValue.substring(offset + 1).trim(); // -> RFC 2616, Section 4.2: unfold the header's value by replacing linear white space with a single space character // -> does the HTTPServeletReq already do this for us? value = value.replaceAll(" ", " "); // -> multiple spaces to one space value = value.replaceAll("(\r\n|\t|\n)", " "); // -> CRLF, tab, and LF to one space // [B] Does this header already exist? if (AmazonHeaders.containsKey(header)) { // -> combine header fields with the same name into one "header-name:comma-separated-value-list" pair as prescribed by RFC 2616, section 4.2, without any white-space between values. canonicalized = AmazonHeaders.get(header); canonicalized = new String(canonicalized + "," + value + "\n"); canonicalized = canonicalized.replaceAll("\n,", ","); // remove the '\n' from the first stored value } else canonicalized = new String(header + value + "\n"); // -> as per spec, no space between header and its value AmazonHeaders.put(header, canonicalized); // [C] "x-amz-date:" takes precedence over the "Date:" header if (header.equals("x-amz-date:")) { this.amzDateSet = true; if (null != this.date) this.date = null; } } /** * The request is authenticated if we can regenerate the same signature given * on the request. Before calling this function make sure to set the header values * defined by the public values above. * * @param httpVerb - the type of HTTP request (e.g., GET, PUT) * @param secretKey - value obtained from the AWSAccessKeyId * @param signature - the signature we are trying to recreate, note can be URL-encoded * * @throws SignatureException * * @return true if request has been authenticated, false otherwise * @throws UnsupportedEncodingException */ public boolean verifySignature(String httpVerb, String secretKey, String signature) throws SignatureException, UnsupportedEncodingException { if (null == httpVerb || null == secretKey || null == signature) return false; httpVerb = httpVerb.trim(); secretKey = secretKey.trim(); signature = signature.trim(); // First calculate the StringToSign after the caller has initialized all the header values String StringToSign = genStringToSign(httpVerb); String calSig = calculateRFC2104HMAC(StringToSign, secretKey); // Was the passed in signature URL encoded? (it must be base64 encoded) int offset = signature.indexOf("%"); if (-1 != offset) signature = URLDecoder.decode(signature, "UTF-8"); boolean match = signature.equals(calSig); if (!match) logger.error("Signature mismatch, [" + signature + "] [" + calSig + "] over [" + StringToSign + "]"); return match; } /** * This function generates the single string that will be used to sign with a users * secret key. * * StringToSign = HTTP-Verb + "\n" + * Content-MD5 + "\n" + * Content-Type + "\n" + * Date + "\n" + * CanonicalizedAmzHeaders + * CanonicalizedResource; * * @return The single StringToSign or null. */ private String genStringToSign(String httpVerb) { StringBuffer canonicalized = new StringBuffer(); String temp = null; String canonicalizedResourceElement = genCanonicalizedResourceElement(); canonicalized.append(httpVerb).append("\n"); if ((null != this.contentMD5)) canonicalized.append(this.contentMD5); canonicalized.append("\n"); if ((null != this.contentType)) canonicalized.append(this.contentType); canonicalized.append("\n"); if (null != this.date) canonicalized.append(this.date); canonicalized.append("\n"); if (null != (temp = genCanonicalizedAmzHeadersElement())) canonicalized.append(temp); if (null != canonicalizedResourceElement) canonicalized.append(canonicalizedResourceElement); if (0 == canonicalized.length()) return null; return canonicalized.toString(); } /** * CanonicalizedResource represents the Amazon S3 resource targeted by the request. * CanonicalizedResource = [ "/" + Bucket ] + * <HTTP-Request-URI, from the protocol name up to the query string> + * [ sub-resource, if present. For example "?acl", "?location", "?logging", or "?torrent"]; * * @return A single string representing CanonicalizedResource or null. */ private String genCanonicalizedResourceElement() { StringBuffer canonicalized = new StringBuffer(); if (this.useSubDomain && this.bucketName != null) canonicalized.append("/").append(this.bucketName); if (null != this.uriPath) canonicalized.append(this.uriPath); if (null != this.queryString) canonicalized.append(this.queryString); if (0 == canonicalized.length()) return null; return canonicalized.toString(); } /** * Construct the Canonicalized Amazon headers element of the StringToSign by * concatenating all headers in the TreeMap into a single string. * * @return A single string with all the Amazon headers glued together, or null * if no Amazon headers appeared in the request. */ private String genCanonicalizedAmzHeadersElement() { Collection<String> headers = AmazonHeaders.values(); Iterator<String> itr = headers.iterator(); StringBuffer canonicalized = new StringBuffer(); while (itr.hasNext()) canonicalized.append(itr.next()); if (0 == canonicalized.length()) return null; return canonicalized.toString(); } /** * Create a signature by the following method: * new String( Base64( SHA1( key, byte array ))) * * @param signIt - the data to generate a keyed HMAC over * @param secretKey - the user's unique key for the HMAC operation * @return String - the recalculated string * @throws SignatureException */ private String calculateRFC2104HMAC(String signIt, String secretKey) throws SignatureException { String result = null; try { SecretKeySpec key = new SecretKeySpec(secretKey.getBytes(), "HmacSHA1"); Mac hmacSha1 = Mac.getInstance("HmacSHA1"); hmacSha1.init(key); byte[] rawHmac = hmacSha1.doFinal(signIt.getBytes()); result = new String(Base64.encodeBase64(rawHmac)); } catch (InvalidKeyException e) { throw new SignatureException("Failed to generate keyed HMAC on REST request because key " + secretKey + " is invalid" + e.getMessage()); } catch (Exception e) { throw new SignatureException("Failed to generate keyed HMAC on REST request: " + e.getMessage()); } return result.trim(); } }