awsapi/src/com/cloud/bridge/auth/ec2/AuthenticationHandler.java - cloudstack - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
 package com.cloud.bridge.auth.ec2;

 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;

 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;

 import org.apache.axiom.soap.SOAPEnvelope;
 import org.apache.axis2.AxisFault;
 import org.apache.axis2.context.MessageContext;
 import org.apache.axis2.description.HandlerDescription;
 import org.apache.axis2.description.Parameter;
 import org.apache.axis2.engine.Handler;
 import org.apache.commons.codec.binary.Base64;
 import org.apache.log4j.Logger;
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;

 import com.cloud.bridge.model.UserCredentialsVO;
 import com.cloud.bridge.persist.dao.UserCredentialsDao;
 import com.cloud.bridge.persist.dao.UserCredentialsDaoImpl;
 import com.cloud.bridge.service.UserContext;
 import com.cloud.bridge.util.AuthenticationUtils;

 public class AuthenticationHandler implements Handler {
     protected final static Logger logger = Logger.getLogger(AuthenticationHandler.class);
     private DocumentBuilderFactory dbf = null;

     protected HandlerDescription handlerDesc = new HandlerDescription("EC2AuthenticationHandler");
     private String name = "EC2AuthenticationHandler";

     @Override
     public void init(HandlerDescription handlerdesc) {
         dbf = DocumentBuilderFactory.newInstance();
         dbf.setNamespaceAware(true);

         this.handlerDesc = handlerdesc;
     }

     @Override
     public String getName() {
         return name;
     }

     @Override
     public String toString() {
         return (name != null) ? name.toString() : null;
     }

     @Override
     public HandlerDescription getHandlerDesc() {
         return handlerDesc;
     }

     @Override
     public Parameter getParameter(String name) {
         return handlerDesc.getParameter(name);
     }

     /**
      * For EC2 SOAP calls this function's goal is to extract the X509 certificate that is
      * part of the WS-Security wrapped SOAP request.   We need the cert in order to
      * map it to the user's Cloud API key and Cloud Secret Key.
      */
     @Override
     public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
         // -> the certificate we want is embedded into the soap header
         try {
             SOAPEnvelope soapEnvelope = msgContext.getEnvelope();
             String xmlHeader = soapEnvelope.toString();
             //System.out.println( "entire request: " + xmlHeader );

             InputStream is = new ByteArrayInputStream(xmlHeader.getBytes("UTF-8"));
             DocumentBuilder db = dbf.newDocumentBuilder();
             Document request = db.parse(is);
             NodeList certs = request.getElementsByTagNameNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken");
             if (0 < certs.getLength()) {
                 Node item = certs.item(0);
                 String result = new String(item.getFirstChild().getNodeValue());
                 byte[] certBytes = Base64.decodeBase64(result.getBytes());

                 Certificate userCert = null;
                 CertificateFactory cf = CertificateFactory.getInstance("X.509");
                 ByteArrayInputStream bs = new ByteArrayInputStream(certBytes);
                 while (bs.available() > 0)
                     userCert = cf.generateCertificate(bs);
                 //System.out.println( "cert: " + userCert.toString());
                 String uniqueId = AuthenticationUtils.X509CertUniqueId(userCert);
                 logger.debug("X509 cert's uniqueId: " + uniqueId);

                 // -> find the Cloud API key and the secret key from the cert's uniqueId
                 UserCredentialsDao ucDao = new UserCredentialsDaoImpl();
                 UserCredentialsVO cloudKeys = ucDao.getByCertUniqueId(uniqueId);
                 if (null == cloudKeys) {
                     logger.error("Cert does not map to Cloud API keys: " + uniqueId);
                     throw new AxisFault("User not properly registered: Certificate does not map to Cloud API Keys", "Client.Blocked");
                 } else
                     UserContext.current().initContext(cloudKeys.getAccessKey(), cloudKeys.getSecretKey(), cloudKeys.getAccessKey(), "SOAP Request", null);
                 //System.out.println( "end of cert match: " + UserContext.current().getSecretKey());
             }
         } catch (AxisFault e) {
             throw e;
         } catch (Exception e) {
             logger.error("EC2 Authentication Handler: ", e);
             throw new AxisFault("An unknown error occurred.", "Server.InternalError");
         }
         return InvocationResponse.CONTINUE;
     }

     public void revoke(MessageContext msgContext) {
         logger.info(msgContext.getEnvelope().toString());
     }

     public void setName(String name) {
         this.name = name;
     }

     @Override
     public void cleanup() {
     }

     @Override
     public void flowComplete(MessageContext arg0) {
     }
 }
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.
	package com.cloud.bridge.auth.ec2;

	import java.io.ByteArrayInputStream;
	import java.io.InputStream;
	import java.security.cert.Certificate;
	import java.security.cert.CertificateFactory;

	import javax.xml.parsers.DocumentBuilder;
	import javax.xml.parsers.DocumentBuilderFactory;

	import org.apache.axiom.soap.SOAPEnvelope;
	import org.apache.axis2.AxisFault;
	import org.apache.axis2.context.MessageContext;
	import org.apache.axis2.description.HandlerDescription;
	import org.apache.axis2.description.Parameter;
	import org.apache.axis2.engine.Handler;
	import org.apache.commons.codec.binary.Base64;
	import org.apache.log4j.Logger;
	import org.w3c.dom.Document;
	import org.w3c.dom.Node;
	import org.w3c.dom.NodeList;

	import com.cloud.bridge.model.UserCredentialsVO;
	import com.cloud.bridge.persist.dao.UserCredentialsDao;
	import com.cloud.bridge.persist.dao.UserCredentialsDaoImpl;
	import com.cloud.bridge.service.UserContext;
	import com.cloud.bridge.util.AuthenticationUtils;

	public class AuthenticationHandler implements Handler {
	protected final static Logger logger = Logger.getLogger(AuthenticationHandler.class);
	private DocumentBuilderFactory dbf = null;

	protected HandlerDescription handlerDesc = new HandlerDescription("EC2AuthenticationHandler");
	private String name = "EC2AuthenticationHandler";

	@Override
	public void init(HandlerDescription handlerdesc) {
	dbf = DocumentBuilderFactory.newInstance();
	dbf.setNamespaceAware(true);

	this.handlerDesc = handlerdesc;
	}

	@Override
	public String getName() {
	return name;
	}

	@Override
	public String toString() {
	return (name != null) ? name.toString() : null;
	}

	@Override
	public HandlerDescription getHandlerDesc() {
	return handlerDesc;
	}

	@Override
	public Parameter getParameter(String name) {
	return handlerDesc.getParameter(name);
	}

	/**
	* For EC2 SOAP calls this function's goal is to extract the X509 certificate that is
	* part of the WS-Security wrapped SOAP request. We need the cert in order to
	* map it to the user's Cloud API key and Cloud Secret Key.
	*/
	@Override
	public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
	// -> the certificate we want is embedded into the soap header
	try {
	SOAPEnvelope soapEnvelope = msgContext.getEnvelope();
	String xmlHeader = soapEnvelope.toString();
	//System.out.println( "entire request: " + xmlHeader );

	InputStream is = new ByteArrayInputStream(xmlHeader.getBytes("UTF-8"));
	DocumentBuilder db = dbf.newDocumentBuilder();
	Document request = db.parse(is);
	NodeList certs = request.getElementsByTagNameNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken");
	if (0 < certs.getLength()) {
	Node item = certs.item(0);
	String result = new String(item.getFirstChild().getNodeValue());
	byte[] certBytes = Base64.decodeBase64(result.getBytes());

	Certificate userCert = null;
	CertificateFactory cf = CertificateFactory.getInstance("X.509");
	ByteArrayInputStream bs = new ByteArrayInputStream(certBytes);
	while (bs.available() > 0)
	userCert = cf.generateCertificate(bs);
	//System.out.println( "cert: " + userCert.toString());
	String uniqueId = AuthenticationUtils.X509CertUniqueId(userCert);
	logger.debug("X509 cert's uniqueId: " + uniqueId);

	// -> find the Cloud API key and the secret key from the cert's uniqueId
	UserCredentialsDao ucDao = new UserCredentialsDaoImpl();
	UserCredentialsVO cloudKeys = ucDao.getByCertUniqueId(uniqueId);
	if (null == cloudKeys) {
	logger.error("Cert does not map to Cloud API keys: " + uniqueId);
	throw new AxisFault("User not properly registered: Certificate does not map to Cloud API Keys", "Client.Blocked");
	} else
	UserContext.current().initContext(cloudKeys.getAccessKey(), cloudKeys.getSecretKey(), cloudKeys.getAccessKey(), "SOAP Request", null);
	//System.out.println( "end of cert match: " + UserContext.current().getSecretKey());
	}
	} catch (AxisFault e) {
	throw e;
	} catch (Exception e) {
	logger.error("EC2 Authentication Handler: ", e);
	throw new AxisFault("An unknown error occurred.", "Server.InternalError");
	}
	return InvocationResponse.CONTINUE;
	}

	public void revoke(MessageContext msgContext) {
	logger.info(msgContext.getEnvelope().toString());
	}

	public void setName(String name) {
	this.name = name;
	}

	@Override
	public void cleanup() {
	}

	@Override
	public void flowComplete(MessageContext arg0) {
	}
	}