apis/sts/src/main/java/org/jclouds/aws/filters/FormSigner.java

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.jclouds.aws.filters;

import static com.google.common.base.Charsets.UTF_8;
import static com.google.common.base.Preconditions.checkNotNull;
import static com.google.common.base.Preconditions.checkState;
import static com.google.common.collect.Ordering.natural;
import static com.google.common.io.BaseEncoding.base64;
import static com.google.common.io.ByteStreams.readBytes;
import static org.jclouds.aws.filters.FormSignerUtils.getAnnotatedApiVersion;
import static org.jclouds.aws.reference.FormParameters.ACTION;
import static org.jclouds.aws.reference.FormParameters.AWS_ACCESS_KEY_ID;
import static org.jclouds.aws.reference.FormParameters.SECURITY_TOKEN;
import static org.jclouds.aws.reference.FormParameters.SIGNATURE;
import static org.jclouds.aws.reference.FormParameters.SIGNATURE_METHOD;
import static org.jclouds.aws.reference.FormParameters.SIGNATURE_VERSION;
import static org.jclouds.aws.reference.FormParameters.TIMESTAMP;
import static org.jclouds.aws.reference.FormParameters.VERSION;
import static org.jclouds.crypto.Macs.asByteProcessor;
import static org.jclouds.http.utils.Queries.encodeQueryLine;
import static org.jclouds.http.utils.Queries.queryParser;
import static org.jclouds.util.Strings2.toInputStream;

import java.util.Comparator;
import java.util.Set;

import javax.annotation.Resource;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Provider;

import org.jclouds.Constants;
import org.jclouds.aws.domain.SessionCredentials;
import org.jclouds.crypto.Crypto;
import org.jclouds.date.TimeStamp;
import org.jclouds.domain.Credentials;
import org.jclouds.http.HttpException;
import org.jclouds.http.HttpRequest;
import org.jclouds.http.HttpRequestFilter;
import org.jclouds.http.HttpUtils;
import org.jclouds.http.internal.SignatureWire;
import org.jclouds.logging.Logger;
import org.jclouds.rest.RequestSigner;
import org.jclouds.rest.annotations.ApiVersion;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Objects;
import com.google.common.base.Optional;
import com.google.common.base.Supplier;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Multimap;
import com.google.common.collect.TreeMultimap;
import com.google.common.io.ByteProcessor;
import com.google.common.net.HttpHeaders;
import com.google.inject.ImplementedBy;

@ImplementedBy(FormSigner.FormSignerV2.class)
public interface FormSigner extends HttpRequestFilter {

   static final class FormSignerV2 implements FormSigner, RequestSigner {

      public static final Set<String> mandatoryParametersForSignature = ImmutableSet
            .of(ACTION, SIGNATURE_METHOD, SIGNATURE_VERSION, VERSION);

      private final SignatureWire signatureWire;
      private final String apiVersion;
      private final Supplier<Credentials> creds;
      private final Provider<String> dateService;
      private final Crypto crypto;
      private final HttpUtils utils;

      @Resource @Named(Constants.LOGGER_SIGNATURE)
      private Logger signatureLog = Logger.NULL;

      @Inject FormSignerV2(SignatureWire signatureWire, @ApiVersion String apiVersion,
            @org.jclouds.location.Provider Supplier<Credentials> creds, @TimeStamp Provider<String> dateService,
            Crypto crypto, HttpUtils utils) {
         this.signatureWire = signatureWire;
         this.apiVersion = apiVersion;
         this.creds = creds;
         this.dateService = dateService;
         this.crypto = crypto;
         this.utils = utils;
      }

      public HttpRequest filter(HttpRequest request) throws HttpException {
         checkNotNull(request.getFirstHeaderOrNull(HttpHeaders.HOST), "request is not ready to sign; host not present");
         Multimap<String, String> decodedParams = queryParser().apply(request.getPayload().getRawContent().toString());
         Optional<String> optAnnotatedVersion = getAnnotatedApiVersion(request);
         String version;
         if (optAnnotatedVersion.isPresent()) {
            String annotatedVersion = optAnnotatedVersion.get();
            version = annotatedVersion.compareTo(apiVersion) > 0 ? annotatedVersion : apiVersion;
         } else {
            version = apiVersion;
         }
         decodedParams.replaceValues(VERSION, ImmutableSet.of(version));
         addSigningParams(decodedParams);
         validateParams(decodedParams);
         String stringToSign = createStringToSign(request, decodedParams);
         String signature = sign(stringToSign);
         addSignature(decodedParams, signature);
         request = setPayload(request, decodedParams);
         utils.logRequest(signatureLog, request, "<<");
         return request;
      }

      HttpRequest setPayload(HttpRequest request, Multimap<String, String> decodedParams) {
         String queryLine = buildQueryLine(decodedParams);
         request.setPayload(queryLine);
         request.getPayload().getContentMetadata().setContentType("application/x-www-form-urlencoded");
         return request;
      }

      private static final Comparator<String> actionFirstAccessKeyLast = new Comparator<String>() {
         static final int LEFT_IS_GREATER = 1;
         static final int RIGHT_IS_GREATER = -1;

         @Override
         public int compare(String left, String right) {
            if (Objects.equal(left, right)) {
               return 0;
            }
            if ("Action".equals(right) || "AWSAccessKeyId".equals(left)) {
               return LEFT_IS_GREATER;
            }
            if ("Action".equals(left) || "AWSAccessKeyId".equals(right)) {
               return RIGHT_IS_GREATER;
            }
            return natural().compare(left, right);
         }
      };

      private static String buildQueryLine(Multimap<String, String> decodedParams) {
         Multimap<String, String> sortedParams = TreeMultimap.create(actionFirstAccessKeyLast, natural());
         sortedParams.putAll(decodedParams);
         return encodeQueryLine(sortedParams);
      }

      @VisibleForTesting void validateParams(Multimap<String, String> params) {
         for (String parameter : mandatoryParametersForSignature) {
            checkState(params.containsKey(parameter), "parameter " + parameter + " is required for signature");
         }
      }

      @VisibleForTesting void addSignature(Multimap<String, String> params, String signature) {
         params.replaceValues(SIGNATURE, ImmutableList.of(signature));
      }

      @VisibleForTesting
      public String sign(String toSign) {
         String signature;
         try {
            ByteProcessor<byte[]> hmacSHA256 = asByteProcessor(
                  crypto.hmacSHA256(creds.get().credential.getBytes(UTF_8)));
            signature = base64().encode(readBytes(toInputStream(toSign), hmacSHA256));
            if (signatureWire.enabled())
               signatureWire.input(toInputStream(signature));
         } catch (Exception e) {
            throw new HttpException("error signing request", e);
         }
         return signature;
      }

      @VisibleForTesting
      public String createStringToSign(HttpRequest request, Multimap<String, String> decodedParams) {
         utils.logRequest(signatureLog, request, ">>");
         StringBuilder stringToSign = new StringBuilder();
         // StringToSign = HTTPVerb + "\n" +
         stringToSign.append(request.getMethod()).append("\n");
         // ValueOfHostHeaderInLowercase + "\n" +
         stringToSign.append(request.getFirstHeaderOrNull(HttpHeaders.HOST).toLowerCase()).append("\n");
         // HTTPRequestURI + "\n" +
         stringToSign.append(request.getEndpoint().getPath()).append("\n");
         // CanonicalizedFormString <from the preceding step>
         stringToSign.append(buildCanonicalizedString(decodedParams));
         if (signatureWire.enabled())
            signatureWire.output(stringToSign.toString());
         return stringToSign.toString();
      }

      @VisibleForTesting String buildCanonicalizedString(Multimap<String, String> decodedParams) {
         // note that aws wants to percent encode the canonicalized string without skipping '/' and '?'
         return encodeQueryLine(TreeMultimap.create(decodedParams), ImmutableList.<Character>of());
      }

      @VisibleForTesting void addSigningParams(Multimap<String, String> params) {
         params.removeAll(SIGNATURE);
         params.removeAll(SECURITY_TOKEN);
         Credentials current = creds.get();
         if (current instanceof SessionCredentials) {
            params.put(SECURITY_TOKEN, SessionCredentials.class.cast(current).getSessionToken());
         }
         params.replaceValues(SIGNATURE_METHOD, ImmutableList.of("HmacSHA256"));
         params.replaceValues(SIGNATURE_VERSION, ImmutableList.of("2"));
         params.replaceValues(TIMESTAMP, ImmutableList.of(dateService.get()));
         params.replaceValues(AWS_ACCESS_KEY_ID, ImmutableList.of(creds.get().identity));
      }

      public String createStringToSign(HttpRequest input) {
         return createStringToSign(input, queryParser().apply(input.getPayload().getRawContent().toString()));
      }
   }
}