Coverage Report

Coverage Report - org.kuali.rice.ksb.messaging.KSBHttpInvokerRequestExecutor

Classes in this File

Line Coverage

Branch Coverage

Complexity

KSBHttpInvokerRequestExecutor

0/55

0/26

2.583

 /*
  * Copyright 2007 The Kuali Foundation
  *
  * Licensed under the Educational Community License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  * http://www.opensource.org/licenses/ecl2.php
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.kuali.rice.ksb.messaging;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.GeneralSecurityException;
 import java.security.Signature;
 import java.security.cert.CertificateFactory;
 
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.httpclient.Header;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.methods.PostMethod;
 import org.apache.commons.lang.StringUtils;
 import org.kuali.rice.core.resourceloader.GlobalResourceLoader;
 import org.kuali.rice.ksb.security.HttpClientHeaderDigitalSigner;
 import org.kuali.rice.ksb.security.SignatureVerifyingInputStream;
 import org.kuali.rice.ksb.security.admin.service.JavaSecurityManagementService;
 import org.kuali.rice.ksb.security.service.DigitalSignatureService;
 import org.kuali.rice.ksb.util.KSBConstants;
 import org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor;
 import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;
 
 
 /**
  * At HttpInvokerRequestExecutor which is capable of digitally signing and verifying messages.  It's capabilities
  * to execute the signing and verification can be turned on or off via an application constant.
  * 
  * @author Kuali Rice Team (rice.collab@kuali.org)
  */
 public class KSBHttpInvokerRequestExecutor extends CommonsHttpInvokerRequestExecutor {
         
         private Boolean secure = Boolean.TRUE;
         
         public KSBHttpInvokerRequestExecutor() {
                 super();
         }
         
         public KSBHttpInvokerRequestExecutor(Boolean secure) {
                 super();
                 this.secure = secure;
         }
 
         public KSBHttpInvokerRequestExecutor(HttpClient httpClient) {
                 super(httpClient);
         }
         
         /**
          * Signs the outgoing request by generating a digital signature from the bytes in the ByteArrayOutputStream and attaching the
          * signature and our alias to the headers of the PostMethod.
          */
         @Override
         protected void setRequestBody(HttpInvokerClientConfiguration config, PostMethod postMethod, ByteArrayOutputStream baos) throws IOException {
                 if (isSecure()) {
                         try {
                                 signRequest(postMethod, baos);        
                         } catch (Exception e) {
                                 throw new RuntimeException("Failed to sign the outgoing message.", e);
                         }
                 }
                 super.setRequestBody(config, postMethod, baos);
         }
         
         /**
          * Returns a wrapped InputStream which is responsible for verifying the digital signature on the response after all
          * data has been read.
          */
         @Override
         protected InputStream getResponseBody(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
                 if (isSecure()) {
                         // extract and validate the headers
                         Header digitalSignatureHeader = postMethod.getResponseHeader(KSBConstants.DIGITAL_SIGNATURE_HEADER);
                         Header keyStoreAliasHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_ALIAS_HEADER);
                         Header certificateHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_CERTIFICATE_HEADER);
                         if (digitalSignatureHeader == null || StringUtils.isEmpty(digitalSignatureHeader.getValue())) {
                                 throw new RuntimeException("A digital signature header was required on the response but none was found.");
                         }
                         boolean foundValidKeystoreAlias = (keyStoreAliasHeader != null && StringUtils.isNotBlank(keyStoreAliasHeader.getValue()));
                         boolean foundValidCertificate = (certificateHeader != null && StringUtils.isNotBlank(certificateHeader.getValue()));
                         if (!foundValidCertificate && !foundValidKeystoreAlias) {
                 throw new RuntimeException("Either a key store alias header or a certificate header was required on the response but neither were found.");
                         }
                         // decode the digital signature from the header into binary
                         byte[] digitalSignature = Base64.decodeBase64(digitalSignatureHeader.getValue().getBytes("UTF-8"));
                         String errorQualifier = "General Security Error";
                         try {
                             Signature signature = null;
                             if (foundValidCertificate) {
                     errorQualifier = "Error with given certificate";
                         // get the Signature for verification based on the alias that was sent to us
                                 byte[] encodedCertificate = Base64.decodeBase64(certificateHeader.getValue().getBytes("UTF-8"));
                             CertificateFactory cf = CertificateFactory.getInstance("X.509");
                         signature = getDigitalSignatureService().getSignatureForVerification(cf.generateCertificate(new ByteArrayInputStream(encodedCertificate)));
                             } else if (foundValidKeystoreAlias) {
                         // get the Signature for verification based on the alias that was sent to us
                                 String keystoreAlias = keyStoreAliasHeader.getValue();
                                 errorQualifier = "Error with given alias " + keystoreAlias;
                         signature = getDigitalSignatureService().getSignatureForVerification(keystoreAlias);
                             }
                             
                                 // wrap the InputStream in an input stream that will verify the signature
                                 return new SignatureVerifyingInputStream(digitalSignature, signature, super.getResponseBody(config, postMethod));
                         } catch (GeneralSecurityException e) {
                                 throw new RuntimeException("Problem verifying signature: " + errorQualifier,e);
                         }
                 }
                 return super.getResponseBody(config, postMethod);
         }
 
         
         
         @Override
         protected void validateResponse(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
                 if (postMethod.getStatusCode() >= 300) {
                         throw new HttpException(postMethod.getStatusCode(), "Did not receive successful HTTP response: status code = " + postMethod.getStatusCode() +
                                         ", status message = [" + postMethod.getStatusText() + "]");
                 }
         }
 
         /**
          * Signs the request by adding headers to the PostMethod.
          */
         protected void signRequest(PostMethod postMethod, ByteArrayOutputStream baos) throws Exception {
                 Signature signature = getDigitalSignatureService().getSignatureForSigning();
                 HttpClientHeaderDigitalSigner signer = new HttpClientHeaderDigitalSigner(signature, postMethod, getJavaSecurityManagementService().getModuleKeyStoreAlias());
                 signer.getSignature().update(baos.toByteArray());
                 signer.sign();
         }
         
         protected boolean isSecure() {
                 return getSecure();// && Utilities.getBooleanConstant(KEWConstants.SECURITY_HTTP_INVOKER_SIGN_MESSAGES, false);
         }
 
         public Boolean getSecure() {
                 return this.secure;
         }
 
         public void setSecure(Boolean secure) {
                 this.secure = secure;
         }
         
         protected DigitalSignatureService getDigitalSignatureService() {
                 return (DigitalSignatureService)GlobalResourceLoader.getService(KSBConstants.ServiceNames.DIGITAL_SIGNATURE_SERVICE);
         }
         
         protected JavaSecurityManagementService getJavaSecurityManagementService() {
                 return (JavaSecurityManagementService)GlobalResourceLoader.getService(KSBConstants.ServiceNames.JAVA_SECURITY_MANAGEMENT_SERVICE);
         }
         
 }

1		/*
2		* Copyright 2007 The Kuali Foundation
3		*
4		* Licensed under the Educational Community License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.opensource.org/licenses/ecl2.php
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*/
16		package org.kuali.rice.ksb.messaging;
17
18		import java.io.ByteArrayInputStream;
19		import java.io.ByteArrayOutputStream;
20		import java.io.IOException;
21		import java.io.InputStream;
22		import java.security.GeneralSecurityException;
23		import java.security.Signature;
24		import java.security.cert.CertificateFactory;
25
26		import org.apache.commons.codec.binary.Base64;
27		import org.apache.commons.httpclient.Header;
28		import org.apache.commons.httpclient.HttpClient;
29		import org.apache.commons.httpclient.methods.PostMethod;
30		import org.apache.commons.lang.StringUtils;
31		import org.kuali.rice.core.resourceloader.GlobalResourceLoader;
32		import org.kuali.rice.ksb.security.HttpClientHeaderDigitalSigner;
33		import org.kuali.rice.ksb.security.SignatureVerifyingInputStream;
34		import org.kuali.rice.ksb.security.admin.service.JavaSecurityManagementService;
35		import org.kuali.rice.ksb.security.service.DigitalSignatureService;
36		import org.kuali.rice.ksb.util.KSBConstants;
37		import org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor;
38		import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;
39
40
41		/**
42		* At HttpInvokerRequestExecutor which is capable of digitally signing and verifying messages. It's capabilities
43		* to execute the signing and verification can be turned on or off via an application constant.
44		*
45		* @author Kuali Rice Team (rice.collab@kuali.org)
46		*/
47		public class KSBHttpInvokerRequestExecutor extends CommonsHttpInvokerRequestExecutor {
48
49	0	private Boolean secure = Boolean.TRUE;
50
51		public KSBHttpInvokerRequestExecutor() {
52	0	super();
53	0	}
54
55		public KSBHttpInvokerRequestExecutor(Boolean secure) {
56	0	super();
57	0	this.secure = secure;
58	0	}
59
60		public KSBHttpInvokerRequestExecutor(HttpClient httpClient) {
61	0	super(httpClient);
62	0	}
63
64		/**
65		* Signs the outgoing request by generating a digital signature from the bytes in the ByteArrayOutputStream and attaching the
66		* signature and our alias to the headers of the PostMethod.
67		*/
68		@Override
69		protected void setRequestBody(HttpInvokerClientConfiguration config, PostMethod postMethod, ByteArrayOutputStream baos) throws IOException {
70	0	if (isSecure()) {
71		try {
72	0	signRequest(postMethod, baos);
73	0	} catch (Exception e) {
74	0	throw new RuntimeException("Failed to sign the outgoing message.", e);
75	0	}
76		}
77	0	super.setRequestBody(config, postMethod, baos);
78	0	}
79
80		/**
81		* Returns a wrapped InputStream which is responsible for verifying the digital signature on the response after all
82		* data has been read.
83		*/
84		@Override
85		protected InputStream getResponseBody(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
86	0	if (isSecure()) {
87		// extract and validate the headers
88	0	Header digitalSignatureHeader = postMethod.getResponseHeader(KSBConstants.DIGITAL_SIGNATURE_HEADER);
89	0	Header keyStoreAliasHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_ALIAS_HEADER);
90	0	Header certificateHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_CERTIFICATE_HEADER);
91	0	if (digitalSignatureHeader == null \|\| StringUtils.isEmpty(digitalSignatureHeader.getValue())) {
92	0	throw new RuntimeException("A digital signature header was required on the response but none was found.");
93		}
94	0	boolean foundValidKeystoreAlias = (keyStoreAliasHeader != null && StringUtils.isNotBlank(keyStoreAliasHeader.getValue()));
95	0	boolean foundValidCertificate = (certificateHeader != null && StringUtils.isNotBlank(certificateHeader.getValue()));
96	0	if (!foundValidCertificate && !foundValidKeystoreAlias) {
97	0	throw new RuntimeException("Either a key store alias header or a certificate header was required on the response but neither were found.");
98		}
99		// decode the digital signature from the header into binary
100	0	byte[] digitalSignature = Base64.decodeBase64(digitalSignatureHeader.getValue().getBytes("UTF-8"));
101	0	String errorQualifier = "General Security Error";
102		try {
103	0	Signature signature = null;
104	0	if (foundValidCertificate) {
105	0	errorQualifier = "Error with given certificate";
106		// get the Signature for verification based on the alias that was sent to us
107	0	byte[] encodedCertificate = Base64.decodeBase64(certificateHeader.getValue().getBytes("UTF-8"));
108	0	CertificateFactory cf = CertificateFactory.getInstance("X.509");
109	0	signature = getDigitalSignatureService().getSignatureForVerification(cf.generateCertificate(new ByteArrayInputStream(encodedCertificate)));
110	0	} else if (foundValidKeystoreAlias) {
111		// get the Signature for verification based on the alias that was sent to us
112	0	String keystoreAlias = keyStoreAliasHeader.getValue();
113	0	errorQualifier = "Error with given alias " + keystoreAlias;
114	0	signature = getDigitalSignatureService().getSignatureForVerification(keystoreAlias);
115		}
116
117		// wrap the InputStream in an input stream that will verify the signature
118	0	return new SignatureVerifyingInputStream(digitalSignature, signature, super.getResponseBody(config, postMethod));
119	0	} catch (GeneralSecurityException e) {
120	0	throw new RuntimeException("Problem verifying signature: " + errorQualifier,e);
121		}
122		}
123	0	return super.getResponseBody(config, postMethod);
124		}
125
126
127
128		@Override
129		protected void validateResponse(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
130	0	if (postMethod.getStatusCode() >= 300) {
131	0	throw new HttpException(postMethod.getStatusCode(), "Did not receive successful HTTP response: status code = " + postMethod.getStatusCode() +
132		", status message = [" + postMethod.getStatusText() + "]");
133		}
134	0	}
135
136		/**
137		* Signs the request by adding headers to the PostMethod.
138		*/
139		protected void signRequest(PostMethod postMethod, ByteArrayOutputStream baos) throws Exception {
140	0	Signature signature = getDigitalSignatureService().getSignatureForSigning();
141	0	HttpClientHeaderDigitalSigner signer = new HttpClientHeaderDigitalSigner(signature, postMethod, getJavaSecurityManagementService().getModuleKeyStoreAlias());
142	0	signer.getSignature().update(baos.toByteArray());
143	0	signer.sign();
144	0	}
145
146		protected boolean isSecure() {
147	0	return getSecure();// && Utilities.getBooleanConstant(KEWConstants.SECURITY_HTTP_INVOKER_SIGN_MESSAGES, false);
148		}
149
150		public Boolean getSecure() {
151	0	return this.secure;
152		}
153
154		public void setSecure(Boolean secure) {
155	0	this.secure = secure;
156	0	}
157
158		protected DigitalSignatureService getDigitalSignatureService() {
159	0	return (DigitalSignatureService)GlobalResourceLoader.getService(KSBConstants.ServiceNames.DIGITAL_SIGNATURE_SERVICE);
160		}
161
162		protected JavaSecurityManagementService getJavaSecurityManagementService() {
163	0	return (JavaSecurityManagementService)GlobalResourceLoader.getService(KSBConstants.ServiceNames.JAVA_SECURITY_MANAGEMENT_SERVICE);
164		}
165
166		}