awsapi/src/com/cloud/bridge/auth/s3/AuthenticationHandler.java - cloudstack - Git at Google

 // Licensed to the Apache Software Foundation (ASF) under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information
 // regarding copyright ownership.  The ASF licenses this file
 // to you under the Apache License, Version 2.0 (the
 // "License"); you may not use this file except in compliance
 // with the License.  You may obtain a copy of the License at
 //
 //   http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing,
 // software distributed under the License is distributed on an
 // "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 // KIND, either express or implied.  See the License for the
 // specific language governing permissions and limitations
 // under the License.
 package com.cloud.bridge.auth.s3;

 import java.sql.SQLException;

 import javax.inject.Inject;
 import javax.servlet.http.HttpServletRequest;

 import org.apache.axiom.soap.SOAPBody;
 import org.apache.axiom.soap.SOAPEnvelope;
 import org.apache.axis2.AxisFault;
 import org.apache.axis2.context.MessageContext;
 import org.apache.axis2.description.HandlerDescription;
 import org.apache.axis2.description.Parameter;
 import org.apache.axis2.engine.Handler;
 import org.apache.log4j.Logger;

 import com.cloud.bridge.model.UserCredentialsVO;
 import com.cloud.bridge.persist.dao.UserCredentialsDaoImpl;
 import com.cloud.bridge.service.UserContext;
 import com.cloud.bridge.util.S3SoapAuth;

 /*
  *  For SOAP compatibility.
  */

 public class AuthenticationHandler implements Handler {
     protected final static Logger logger = Logger.getLogger(AuthenticationHandler.class);
     @Inject
     UserCredentialsDaoImpl ucDao;
     protected HandlerDescription handlerDesc = new HandlerDescription("default handler");
     private String name = "S3AuthenticationHandler";

     @Override
     public void init(HandlerDescription handlerdesc) {
         this.handlerDesc = handlerdesc;
     }

     @Override
     public String getName() {
         //logger.debug( "getName entry S3AuthenticationHandler" + name );
         return name;
     }

     @Override
     public String toString() {
         return (name != null) ? name.toString() : null;
     }

     @Override
     public HandlerDescription getHandlerDesc() {
         return handlerDesc;
     }

     @Override
     public Parameter getParameter(String name) {
         return handlerDesc.getParameter(name);
     }

     /**
      * Verify the request's authentication signature by extracting all the
      * necessary parts of the request, obtaining the requestor's secret key, and
      * recalculating the signature.
      *
      * On Signature mismatch raise an AxisFault (i.e., a SoapFault) with what Amazon S3
      * defines as a "Client.SignatureMismatch" error.
      *
      * Special case: need to deal with anonymous requests where no AWSAccessKeyId is
      * given.   In this case just pass the request on.
      */
     @Override
     public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
         String accessKey = null;
         String operation = null;
         String msgSig = null;
         String timestamp = null;
         String secretKey = null;
         String temp = null;

         // [A] Obtain the HttpServletRequest object
         HttpServletRequest httpObj = (HttpServletRequest)msgContext.getProperty("transport.http.servletRequest");
         if (null != httpObj)
             System.out.println("S3 SOAP auth test header access - acceptable Encoding type: " + httpObj.getHeader("Accept-Encoding"));

         // [A] Try to recalculate the signature for non-anonymous requests
         try {
             SOAPEnvelope soapEnvelope = msgContext.getEnvelope();
             SOAPBody soapBody = soapEnvelope.getBody();
             String xmlBody = soapBody.toString();
             //logger.debug( "xmlrequest: " + xmlBody );

             // -> did we get here yet its an EC2 request?
             int offset = xmlBody.indexOf("http://ec2.amazonaws.com");
             if (-1 != offset)
                 return InvocationResponse.CONTINUE;

             // -> if it is anonymous request, then no access key should exist
             int start = xmlBody.indexOf("AWSAccessKeyId>");
             if (-1 == start) {
                 UserContext.current().initContext();
                 return InvocationResponse.CONTINUE;
             }
             temp = xmlBody.substring(start + 15);
             int end = temp.indexOf("</");
             accessKey = temp.substring(0, end);
             //logger.debug( "accesskey " + accessKey );

             // -> what if we cannot find the user's key?
             if (null != (secretKey = lookupSecretKey(accessKey))) {
                 // -> if any other field is missing, then the signature will not match
                 if (null != (operation = soapBody.getFirstElementLocalName()))
                     operation = operation.trim();
                 else
                     operation = "";
                 //logger.debug( "operation " + operation );

                 start = xmlBody.indexOf("Timestamp>");
                 if (-1 < start) {
                     temp = xmlBody.substring(start + 10);
                     end = temp.indexOf("</");
                     timestamp = temp.substring(0, end);
                     //logger.debug( "timestamp " + timestamp );
                 } else
                     timestamp = "";

                 start = xmlBody.indexOf("Signature>");
                 if (-1 < start) {
                     temp = xmlBody.substring(start + 10);
                     end = temp.indexOf("</");
                     msgSig = temp.substring(0, end);
                     //logger.debug( "signature " + msgSig );
                 } else
                     msgSig = "";
             }
         } catch (Exception e) {
             logger.error("Signature calculation failed due to: ", e);
             throw new AxisFault(e.toString(), "Server.InternalError");
         }

         // [B] Verify that the given signature matches what we calculated here
         if (null == secretKey) {
             logger.error("Unknown AWSAccessKeyId: [" + accessKey + "]");
             throw new AxisFault("Unknown AWSAccessKeyId: [" + accessKey + "]", "Client.InvalidAccessKeyId");
         }

         // -> for SOAP requests the Cloud API keys are sent here and only here
         S3SoapAuth.verifySignature(msgSig, operation, timestamp, accessKey, secretKey);
         UserContext.current().initContext(accessKey, secretKey, accessKey, "S3 SOAP request", httpObj);
         return InvocationResponse.CONTINUE;
     }

     public void revoke(MessageContext msgContext) {
         logger.info(msgContext.getEnvelope().toString());
     }

     public void setName(String name) {
         //logger.debug( "setName entry S3AuthenticationHandler " + name );
         this.name = name;
     }

     /**
      * Given the user's access key, then obtain his secret key in the user database.
      *
      * @param accessKey - a unique string allocated for each registered user
      * @return the secret key or null of no matching user found
      */
     private String lookupSecretKey(String accessKey) throws InstantiationException, IllegalAccessException, ClassNotFoundException, SQLException {
         UserCredentialsVO cloudKeys = ucDao.getByAccessKey(accessKey);
         if (null == cloudKeys) {
             logger.debug(accessKey + " is not defined in the S3 service - call SetUserKeys");
             return null;
         } else
             return cloudKeys.getSecretKey();
     }

     @Override
     public void cleanup() {
         //logger.debug( "cleanup entry S3AuthenticationHandler " );
     }

     @Override
     public void flowComplete(MessageContext arg0) {
         //logger.debug( "flowComplete entry S3AuthenticationHandler " );
     }
 }
	// Licensed to the Apache Software Foundation (ASF) under one
	// or more contributor license agreements. See the NOTICE file
	// distributed with this work for additional information
	// regarding copyright ownership. The ASF licenses this file
	// to you under the Apache License, Version 2.0 (the
	// "License"); you may not use this file except in compliance
	// with the License. You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing,
	// software distributed under the License is distributed on an
	// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	// KIND, either express or implied. See the License for the
	// specific language governing permissions and limitations
	// under the License.
	package com.cloud.bridge.auth.s3;

	import java.sql.SQLException;

	import javax.inject.Inject;
	import javax.servlet.http.HttpServletRequest;

	import org.apache.axiom.soap.SOAPBody;
	import org.apache.axiom.soap.SOAPEnvelope;
	import org.apache.axis2.AxisFault;
	import org.apache.axis2.context.MessageContext;
	import org.apache.axis2.description.HandlerDescription;
	import org.apache.axis2.description.Parameter;
	import org.apache.axis2.engine.Handler;
	import org.apache.log4j.Logger;

	import com.cloud.bridge.model.UserCredentialsVO;
	import com.cloud.bridge.persist.dao.UserCredentialsDaoImpl;
	import com.cloud.bridge.service.UserContext;
	import com.cloud.bridge.util.S3SoapAuth;

	/*
	* For SOAP compatibility.
	*/

	public class AuthenticationHandler implements Handler {
	protected final static Logger logger = Logger.getLogger(AuthenticationHandler.class);
	@Inject
	UserCredentialsDaoImpl ucDao;
	protected HandlerDescription handlerDesc = new HandlerDescription("default handler");
	private String name = "S3AuthenticationHandler";

	@Override
	public void init(HandlerDescription handlerdesc) {
	this.handlerDesc = handlerdesc;
	}

	@Override
	public String getName() {
	//logger.debug( "getName entry S3AuthenticationHandler" + name );
	return name;
	}

	@Override
	public String toString() {
	return (name != null) ? name.toString() : null;
	}

	@Override
	public HandlerDescription getHandlerDesc() {
	return handlerDesc;
	}

	@Override
	public Parameter getParameter(String name) {
	return handlerDesc.getParameter(name);
	}

	/**
	* Verify the request's authentication signature by extracting all the
	* necessary parts of the request, obtaining the requestor's secret key, and
	* recalculating the signature.
	*
	* On Signature mismatch raise an AxisFault (i.e., a SoapFault) with what Amazon S3
	* defines as a "Client.SignatureMismatch" error.
	*
	* Special case: need to deal with anonymous requests where no AWSAccessKeyId is
	* given. In this case just pass the request on.
	*/
	@Override
	public InvocationResponse invoke(MessageContext msgContext) throws AxisFault {
	String accessKey = null;
	String operation = null;
	String msgSig = null;
	String timestamp = null;
	String secretKey = null;
	String temp = null;

	// [A] Obtain the HttpServletRequest object
	HttpServletRequest httpObj = (HttpServletRequest)msgContext.getProperty("transport.http.servletRequest");
	if (null != httpObj)
	System.out.println("S3 SOAP auth test header access - acceptable Encoding type: " + httpObj.getHeader("Accept-Encoding"));

	// [A] Try to recalculate the signature for non-anonymous requests
	try {
	SOAPEnvelope soapEnvelope = msgContext.getEnvelope();
	SOAPBody soapBody = soapEnvelope.getBody();
	String xmlBody = soapBody.toString();
	//logger.debug( "xmlrequest: " + xmlBody );

	// -> did we get here yet its an EC2 request?
	int offset = xmlBody.indexOf("http://ec2.amazonaws.com");
	if (-1 != offset)
	return InvocationResponse.CONTINUE;

	// -> if it is anonymous request, then no access key should exist
	int start = xmlBody.indexOf("AWSAccessKeyId>");
	if (-1 == start) {
	UserContext.current().initContext();
	return InvocationResponse.CONTINUE;
	}
	temp = xmlBody.substring(start + 15);
	int end = temp.indexOf("</");
	accessKey = temp.substring(0, end);
	//logger.debug( "accesskey " + accessKey );

	// -> what if we cannot find the user's key?
	if (null != (secretKey = lookupSecretKey(accessKey))) {
	// -> if any other field is missing, then the signature will not match
	if (null != (operation = soapBody.getFirstElementLocalName()))
	operation = operation.trim();
	else
	operation = "";
	//logger.debug( "operation " + operation );

	start = xmlBody.indexOf("Timestamp>");
	if (-1 < start) {
	temp = xmlBody.substring(start + 10);
	end = temp.indexOf("</");
	timestamp = temp.substring(0, end);
	//logger.debug( "timestamp " + timestamp );
	} else
	timestamp = "";

	start = xmlBody.indexOf("Signature>");
	if (-1 < start) {
	temp = xmlBody.substring(start + 10);
	end = temp.indexOf("</");
	msgSig = temp.substring(0, end);
	//logger.debug( "signature " + msgSig );
	} else
	msgSig = "";
	}
	} catch (Exception e) {
	logger.error("Signature calculation failed due to: ", e);
	throw new AxisFault(e.toString(), "Server.InternalError");
	}

	// [B] Verify that the given signature matches what we calculated here
	if (null == secretKey) {
	logger.error("Unknown AWSAccessKeyId: [" + accessKey + "]");
	throw new AxisFault("Unknown AWSAccessKeyId: [" + accessKey + "]", "Client.InvalidAccessKeyId");
	}

	// -> for SOAP requests the Cloud API keys are sent here and only here
	S3SoapAuth.verifySignature(msgSig, operation, timestamp, accessKey, secretKey);
	UserContext.current().initContext(accessKey, secretKey, accessKey, "S3 SOAP request", httpObj);
	return InvocationResponse.CONTINUE;
	}

	public void revoke(MessageContext msgContext) {
	logger.info(msgContext.getEnvelope().toString());
	}

	public void setName(String name) {
	//logger.debug( "setName entry S3AuthenticationHandler " + name );
	this.name = name;
	}

	/**
	* Given the user's access key, then obtain his secret key in the user database.
	*
	* @param accessKey - a unique string allocated for each registered user
	* @return the secret key or null of no matching user found
	*/
	private String lookupSecretKey(String accessKey) throws InstantiationException, IllegalAccessException, ClassNotFoundException, SQLException {
	UserCredentialsVO cloudKeys = ucDao.getByAccessKey(accessKey);
	if (null == cloudKeys) {
	logger.debug(accessKey + " is not defined in the S3 service - call SetUserKeys");
	return null;
	} else
	return cloudKeys.getSecretKey();
	}

	@Override
	public void cleanup() {
	//logger.debug( "cleanup entry S3AuthenticationHandler " );
	}

	@Override
	public void flowComplete(MessageContext arg0) {
	//logger.debug( "flowComplete entry S3AuthenticationHandler " );
	}
	}