com.cloud.bridge.util.RestAuth.java Source code

Java tutorial

Introduction

Here is the source code for com.cloud.bridge.util.RestAuth.java

Source

// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.
package com.cloud.bridge.util;

import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.util.*;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import org.apache.commons.codec.binary.Base64;
import org.apache.log4j.Logger;

/**
 * This class expects that the caller pulls the required headers from the standard
 * HTTPServeletRequest structure.   This class is responsible for providing the
 * RFC2104 calculation to ensure that the signature is valid for the signing string.
 * The signing string is a representation of the request.
 * Notes are given below on what values are expected.
 * This class is used for the Authentication check for REST requests and Query String
 * Authentication requests.
 *
 */

public class RestAuth {
    protected final static Logger logger = Logger.getLogger(RestAuth.class);

    // TreeMap: used when constructing the CanonicalizedAmzHeaders Element of the StringToSign
    protected TreeMap<String, String> AmazonHeaders = null; // not always present
    protected String bucketName = null; // not always present
    protected String queryString = null; // for CanonicalizedResource - only interested in a string starting with particular values
    protected String uriPath = null; // only interested in the resource path
    protected String date = null; // only if x-amz-date is not set
    protected String contentType = null; // not always present
    protected String contentMD5 = null; // not always present
    protected boolean amzDateSet = false;
    protected boolean useSubDomain = false;

    protected Set<String> allowedQueryParams;

    public RestAuth() {
        // these must be lexicographically sorted
        AmazonHeaders = new TreeMap<String, String>();
        allowedQueryParams = new HashSet<String>() {
            {
                add("acl");
                add("lifecycle");
                add("location");
                add("logging");
                add("notification");
                add("partNumber");
                add("policy");
                add("requestPayment");
                add("torrent");
                add("uploadId");
                add("uploads");
                add("versionId");
                add("versioning");
                add("versions");
                add("website");
                add("delete");
            }
        };
    }

    public RestAuth(boolean useSubDomain) {
        //invoke the other constructor
        this();
        this.useSubDomain = useSubDomain;
    }

    public void setUseSubDomain(boolean value) {
        useSubDomain = value;
    }

    public boolean getUseSubDomain() {
        return useSubDomain;
    }

    /**
     * This header is used iff the "x-amz-date:" header is not defined.
     * Value is used in constructing the StringToSign for signature verification.
     * 
     * @param date - the contents of the "Date:" header, skipping the 'Date:' preamble.
     *        OR pass in the value of the "Expires=" query string parameter passed in
     *        for "Query String Authentication".
     */
    public void setDateHeader(String date) {
        if (this.amzDateSet)
            return;
        if (null != date)
            date = date.trim();
        this.date = date;
    }

    /**
     * Value is used in constructing the StringToSign for signature verification.
      *
     * @param type - the contents of the "Content-Type:" header, skipping the 'Content-Type:' preamble.
     */
    public void setContentTypeHeader(String type) {
        if (null != type)
            type = type.trim();
        this.contentType = type;
    }

    /**
     * Value is used in constructing the StringToSign for signature verification.
     * @param type - the contents of the "Content-MD5:" header, skipping the 'Content-MD5:' preamble.
     */
    public void setContentMD5Header(String md5) {
        if (null != md5)
            md5 = md5.trim();
        this.contentMD5 = md5;
    }

    /**
     * The bucket name can be in the "Host:" header but it does not have to be.  It can 
     * instead be in the uriPath as the first step in the path.
     * 
     * Used as part of the CanonalizedResource element of the StringToSign.
     * If we get "Host: static.johnsmith.net:8080",  then the bucket name is "static.johnsmith.net"
     * 
     * @param header - contents of the "Host:" header, skipping the 'Host:' preamble. 
     */
    public void setHostHeader(String header) {
        if (null == header) {
            this.bucketName = null;
            return;
        }

        // -> is there a port on the name?
        header = header.trim();
        int offset = header.indexOf(":");
        if (-1 != offset)
            header = header.substring(0, offset);
        this.bucketName = header;
    }

    /**
     * Used as part of the CanonalizedResource element of the StringToSign.
     * CanonicalizedResource = [ "/" + Bucket ] +
     * <HTTP-Request-URI, from the protocol name up to the query string> + [sub-resource]
     * The list of sub-resources that must be included when constructing the CanonicalizedResource Element are: acl, lifecycle, location, 
     * logging, notification, partNumber, policy, requestPayment, torrent, uploadId, uploads, versionId, versioning, versions and website.
     * (http://docs.amazonwebservices.com/AmazonS3/latest/dev/RESTAuthentication.html)
     * @param query - results from calling "HttpServletRequest req.getQueryString()"
     */
    public void setQueryString(String query) {
        if (null == query) {
            this.queryString = null;
            return;
        }

        // Sub-resources (i.e.: query params) must be lex sorted
        Set<String> subResources = new TreeSet<String>();

        String[] queryParams = query.split("&");
        StringBuffer builtQuery = new StringBuffer();
        for (String queryParam : queryParams) {
            // lookup parameter name
            String paramName = queryParam.split("=")[0];
            if (allowedQueryParams.contains(paramName)) {
                subResources.add(queryParam);
            }
        }
        for (String subResource : subResources) {
            builtQuery.append(subResource + "&");
        }
        // If anything inside the string buffer, add a "?" at the beginning, 
        // and then remove the last '&'
        if (builtQuery.length() > 0) {
            builtQuery.insert(0, "?");
            builtQuery.deleteCharAt(builtQuery.length() - 1);
        }
        this.queryString = builtQuery.toString();
    }

    /**
     * Used as part of the CanonalizedResource element of the StringToSign.
     * Append the path part of the un-decoded HTTP Request-URI, up-to but not including the query string.
     * 
     * @param path - - results from calling "HttpServletRequest req.getPathInfo()"
     */
    public void addUriPath(String path) {
        if (null != path)
            path = path.trim();
        this.uriPath = path;
    }

    /**
     * Pass in each complete Amazon header found in the HTTP request one at a time.
     * Each Amazon header added will become part of the signature calculation.
     * We are using a TreeMap here because of the S3 definition:
     *      "Sort the collection of headers lexicographically by header name."
     * 
     * @param headerAndValue - needs to be the complete amazon header (i.e., starts with "x-amz").
     */
    public void addAmazonHeader(String headerAndValue) {
        if (null == headerAndValue)
            return;

        String canonicalized = null;

        // [A] First Canonicalize the header and its value
        //  -> we use the header 'name' as the key since we have to sort on that
        int offset = headerAndValue.indexOf(":");
        String header = headerAndValue.substring(0, offset + 1).toLowerCase();
        String value = headerAndValue.substring(offset + 1).trim();

        // -> RFC 2616, Section 4.2: unfold the header's value by replacing linear white space with a single space character
        // -> does the HTTPServeletReq already do this for us?
        value = value.replaceAll("  ", " "); // -> multiple spaces to one space
        value = value.replaceAll("(\r\n|\t|\n)", " "); // -> CRLF, tab, and LF to one space

        // [B] Does this header already exist?
        if (AmazonHeaders.containsKey(header)) {
            // -> combine header fields with the same name into one "header-name:comma-separated-value-list" pair as prescribed by RFC 2616, section 4.2, without any white-space between values. 
            canonicalized = AmazonHeaders.get(header);
            canonicalized = new String(canonicalized + "," + value + "\n");
            canonicalized = canonicalized.replaceAll("\n,", ","); // remove the '\n' from the first stored value
        } else
            canonicalized = new String(header + value + "\n"); // -> as per spec, no space between header and its value

        AmazonHeaders.put(header, canonicalized);

        // [C] "x-amz-date:" takes precedence over the "Date:" header
        if (header.equals("x-amz-date:")) {
            this.amzDateSet = true;
            if (null != this.date)
                this.date = null;
        }
    }

    /**
     * The request is authenticated if we can regenerate the same signature given 
     * on the request.  Before calling this function make sure to set the header values
     * defined by the public values above.
     * 
     * @param httpVerb  - the type of HTTP request (e.g., GET, PUT)
     * @param secretKey - value obtained from the AWSAccessKeyId
     * @param signature - the signature we are trying to recreate, note can be URL-encoded
     * 
     * @throws SignatureException 
     * 
     * @return true if request has been authenticated, false otherwise
     * @throws UnsupportedEncodingException 
     */

    public boolean verifySignature(String httpVerb, String secretKey, String signature)
            throws SignatureException, UnsupportedEncodingException {

        if (null == httpVerb || null == secretKey || null == signature)
            return false;

        httpVerb = httpVerb.trim();
        secretKey = secretKey.trim();
        signature = signature.trim();

        // First calculate the StringToSign after the caller has initialized all the header values
        String StringToSign = genStringToSign(httpVerb);
        String calSig = calculateRFC2104HMAC(StringToSign, secretKey);
        // Was the passed in signature URL encoded? (it must be base64 encoded)
        int offset = signature.indexOf("%");
        if (-1 != offset)
            signature = URLDecoder.decode(signature, "UTF-8");

        boolean match = signature.equals(calSig);
        if (!match)
            logger.error("Signature mismatch, [" + signature + "] [" + calSig + "] over [" + StringToSign + "]");

        return match;
    }

    /**
     * This function generates the single string that will be used to sign with a users
     * secret key.
     * 
     * StringToSign = HTTP-Verb + "\n" +
     * Content-MD5 + "\n" +
     * Content-Type + "\n" +
     * Date + "\n" +
     * CanonicalizedAmzHeaders +
     * CanonicalizedResource;
     * 
     * @return The single StringToSign or null.
      */
    private String genStringToSign(String httpVerb) {
        StringBuffer canonicalized = new StringBuffer();
        String temp = null;
        String canonicalizedResourceElement = genCanonicalizedResourceElement();
        canonicalized.append(httpVerb).append("\n");
        if ((null != this.contentMD5))
            canonicalized.append(this.contentMD5);
        canonicalized.append("\n");

        if ((null != this.contentType))
            canonicalized.append(this.contentType);
        canonicalized.append("\n");

        if (null != this.date)
            canonicalized.append(this.date);

        canonicalized.append("\n");

        if (null != (temp = genCanonicalizedAmzHeadersElement()))
            canonicalized.append(temp);
        if (null != canonicalizedResourceElement)
            canonicalized.append(canonicalizedResourceElement);

        if (0 == canonicalized.length())
            return null;

        return canonicalized.toString();
    }

    /**
     * CanonicalizedResource represents the Amazon S3 resource targeted by the request.
     * CanonicalizedResource = [ "/" + Bucket ] +
     *    <HTTP-Request-URI, from the protocol name up to the query string> +
     *    [ sub-resource, if present. For example "?acl", "?location", "?logging", or "?torrent"];
      *
     * @return A single string representing CanonicalizedResource or null.
     */
    private String genCanonicalizedResourceElement() {
        StringBuffer canonicalized = new StringBuffer();

        if (this.useSubDomain && this.bucketName != null)
            canonicalized.append("/").append(this.bucketName);

        if (null != this.uriPath)
            canonicalized.append(this.uriPath);
        if (null != this.queryString)
            canonicalized.append(this.queryString);

        if (0 == canonicalized.length())
            return null;

        return canonicalized.toString();
    }

    /**
     * Construct the Canonicalized Amazon headers element of the StringToSign by 
     * concatenating all headers in the TreeMap into a single string.
     * 
     * @return A single string with all the Amazon headers glued together, or null
     *         if no Amazon headers appeared in the request.
     */
    private String genCanonicalizedAmzHeadersElement() {
        Collection<String> headers = AmazonHeaders.values();
        Iterator<String> itr = headers.iterator();
        StringBuffer canonicalized = new StringBuffer();

        while (itr.hasNext())
            canonicalized.append(itr.next());

        if (0 == canonicalized.length())
            return null;

        return canonicalized.toString();
    }

    /**
     * Create a signature by the following method:
     *     new String( Base64( SHA1( key, byte array )))
     * 
     * @param signIt    - the data to generate a keyed HMAC over
     * @param secretKey - the user's unique key for the HMAC operation
     * @return String   - the recalculated string
     * @throws SignatureException
     */
    private String calculateRFC2104HMAC(String signIt, String secretKey) throws SignatureException {
        String result = null;
        try {
            SecretKeySpec key = new SecretKeySpec(secretKey.getBytes(), "HmacSHA1");
            Mac hmacSha1 = Mac.getInstance("HmacSHA1");
            hmacSha1.init(key);
            byte[] rawHmac = hmacSha1.doFinal(signIt.getBytes());
            result = new String(Base64.encodeBase64(rawHmac));
        } catch (InvalidKeyException e) {
            throw new SignatureException("Failed to generate keyed HMAC on REST request because key " + secretKey
                    + " is invalid" + e.getMessage());
        } catch (Exception e) {
            throw new SignatureException("Failed to generate keyed HMAC on REST request: " + e.getMessage());
        }
        return result.trim();
    }
}