com.eucalyptus.objectstorage.pipeline.WalrusSoapUserAuthenticationHandler.java Source code

Java tutorial

Introduction

Here is the source code for com.eucalyptus.objectstorage.pipeline.WalrusSoapUserAuthenticationHandler.java

Source

/*************************************************************************
 * Copyright 2009-2012 Eucalyptus Systems, Inc.
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; version 3 of the License.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see http://www.gnu.org/licenses/.
 *
 * Please contact Eucalyptus Systems, Inc., 6755 Hollister Ave., Goleta
 * CA 93117, USA or visit http://www.eucalyptus.com/licenses/ if you need
 * additional information or have any questions.
 *
 * This file may incorporate work covered under the following copyright
 * and permission notice:
 *
 *   Software License Agreement (BSD License)
 *
 *   Copyright (c) 2008, Regents of the University of California
 *   All rights reserved.
 *
 *   Redistribution and use of this software in source and binary forms,
 *   with or without modification, are permitted provided that the
 *   following conditions are met:
 *
 *     Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *     Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer
 *     in the documentation and/or other materials provided with the
 *     distribution.
 *
 *   THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 *   "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 *   LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 *   FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 *   COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 *   INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 *   BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 *   LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 *   CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 *   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 *   ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 *   POSSIBILITY OF SUCH DAMAGE. USERS OF THIS SOFTWARE ACKNOWLEDGE
 *   THE POSSIBLE PRESENCE OF OTHER OPEN SOURCE LICENSED MATERIAL,
 *   COPYRIGHTED MATERIAL OR PATENTED MATERIAL IN THIS SOFTWARE,
 *   AND IF ANY SUCH MATERIAL IS DISCOVERED THE PARTY DISCOVERING
 *   IT MAY INFORM DR. RICH WOLSKI AT THE UNIVERSITY OF CALIFORNIA,
 *   SANTA BARBARA WHO WILL THEN ASCERTAIN THE MOST APPROPRIATE REMEDY,
 *   WHICH IN THE REGENTS' DISCRETION MAY INCLUDE, WITHOUT LIMITATION,
 *   REPLACEMENT OF THE CODE SO IDENTIFIED, LICENSING OF THE CODE SO
 *   IDENTIFIED, OR WITHDRAWAL OF THE CODE CAPABILITY TO THE EXTENT
 *   NEEDED TO COMPLY WITH ANY SUCH LICENSES OR RIGHTS.
 ************************************************************************/

package com.eucalyptus.objectstorage.pipeline;

import java.util.Date;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axiom.soap.SOAPBody;
import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.commons.httpclient.util.DateUtil;
import org.apache.log4j.Logger;
import org.bouncycastle.util.encoders.Base64;
import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.ChannelPipelineCoverage;
import org.jboss.netty.channel.MessageEvent;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

import com.eucalyptus.auth.AccessKeys;
import com.eucalyptus.auth.login.AuthenticationException;
import com.eucalyptus.auth.principal.AccessKey;
import com.eucalyptus.auth.principal.User;
import com.eucalyptus.binding.HoldMe;
import com.eucalyptus.context.Contexts;
import com.eucalyptus.crypto.Hmac;
import com.eucalyptus.http.MappingHttpRequest;
import com.eucalyptus.objectstorage.util.WalrusProperties;
import com.eucalyptus.ws.handlers.MessageStackHandler;

@ChannelPipelineCoverage("one")
public class WalrusSoapUserAuthenticationHandler extends MessageStackHandler {
    private static Logger LOG = Logger.getLogger(WalrusSoapUserAuthenticationHandler.class);

    @Override
    public void incomingMessage(ChannelHandlerContext ctx, MessageEvent event) throws Exception {
        if (event.getMessage() instanceof MappingHttpRequest) {
            MappingHttpRequest httpRequest = (MappingHttpRequest) event.getMessage();
            SOAPEnvelope envelope = httpRequest.getSoapEnvelope();
            SOAPBody body = envelope.getBody();
            HoldMe.canHas.lock();
            try {
                final StAXOMBuilder doomBuilder = HoldMe.getStAXOMBuilder(HoldMe.getDOOMFactory(),
                        body.getXMLStreamReader());
                final OMElement elem = doomBuilder.getDocumentElement();
                elem.build();
                final Document doc = ((Element) elem).getOwnerDocument();
                handle(httpRequest, doc);
            } finally {
                HoldMe.canHas.unlock();
            }
        }
    }

    public void handle(MappingHttpRequest httpRequest, Document doc) throws AuthenticationException {
        NodeList childNodes = doc.getChildNodes();
        Element bodyElem = doc.getDocumentElement();
        Node operationElem = bodyElem.getFirstChild();
        String operationName = operationElem.getNodeName();
        if (operationName.length() > 0) {
            NodeList authNodes = operationElem.getChildNodes();
            String queryId = null, timestamp = null, signature = null;
            for (int i = 0; i < authNodes.getLength(); ++i) {
                Node node = authNodes.item(i);
                if (node.getNodeName().equals(WalrusProperties.RequiredSOAPTags.AWSAccessKeyId.toString())) {
                    queryId = node.getFirstChild().getNodeValue().trim();
                } else if (node.getNodeName().equals(WalrusProperties.RequiredSOAPTags.Timestamp.toString())) {
                    timestamp = node.getFirstChild().getNodeValue().trim();
                } else if (node.getNodeName().equals(WalrusProperties.RequiredSOAPTags.Signature.toString())) {
                    signature = node.getFirstChild().getNodeValue().trim();
                }
            }
            if (queryId == null)
                throw new AuthenticationException("Unable to parse access key id");
            if (signature == null)
                throw new AuthenticationException("Unable to parse signature");
            if (timestamp == null)
                throw new AuthenticationException("Unable to parse timestamp");
            //check timestamp
            verifyTimestamp(timestamp);
            String data = "AmazonS3" + operationName + timestamp;
            //check signature
            authenticate(httpRequest, queryId, signature, data);
        } else {
            throw new AuthenticationException("Invalid operation specified");
        }
    }

    private void authenticate(MappingHttpRequest httpRequest, String accessKeyID, String signature, String data)
            throws AuthenticationException {
        signature = signature.replaceAll("=", "");
        try {
            final AccessKey key = AccessKeys.lookupAccessKey(accessKeyID, null); //Walrus SOAP API does not currently support temporary credentials
            final User user = key.getUser();
            final String queryKey = key.getSecretKey();
            final String authSig = checkSignature(queryKey, data);
            if (!authSig.equals(signature))
                throw new AuthenticationException("User authentication failed. Could not verify signature");
            Contexts.lookup(httpRequest.getCorrelationId()).setUser(user);
        } catch (Exception ex) {
            throw new AuthenticationException("User authentication failed. Unable to obtain query key");
        }
    }

    private void verifyTimestamp(String timestamp) throws AuthenticationException {
        try {
            Date dateToVerify = DateUtil.parseDate(timestamp);
            Date currentDate = new Date();
            if (Math.abs(currentDate.getTime() - dateToVerify.getTime()) > WalrusProperties.EXPIRATION_LIMIT)
                throw new AuthenticationException("Message expired. Sorry.");
        } catch (Exception ex) {
            throw new AuthenticationException("Unable to parse date.");
        }
    }

    private String[] getSigInfo(String auth_part) {
        int index = auth_part.lastIndexOf(" ");
        String sigString = auth_part.substring(index + 1);
        return sigString.split(":");
    }

    protected String checkSignature(final String queryKey, final String subject) throws AuthenticationException {
        SecretKeySpec signingKey = new SecretKeySpec(queryKey.getBytes(), Hmac.HmacSHA1.toString());
        try {
            Mac mac = Hmac.HmacSHA1.getInstance();
            mac.init(signingKey);
            byte[] rawHmac = mac.doFinal(subject.getBytes());
            return new String(Base64.encode(rawHmac)).replaceAll("=", "");
        } catch (Exception e) {
            LOG.error(e, e);
            throw new AuthenticationException("Failed to compute signature");
        }
    }
}