Coverage Report - org.kuali.rice.ksb.messaging.KSBHttpInvokerRequestExecutor
 
Classes in this File Line Coverage Branch Coverage Complexity
KSBHttpInvokerRequestExecutor
0%
0/55
0%
0/26
2.583
 
 1  
 /**
 2  
  * Copyright 2005-2011 The Kuali Foundation
 3  
  *
 4  
  * Licensed under the Educational Community License, Version 2.0 (the "License");
 5  
  * you may not use this file except in compliance with the License.
 6  
  * You may obtain a copy of the License at
 7  
  *
 8  
  * http://www.opensource.org/licenses/ecl2.php
 9  
  *
 10  
  * Unless required by applicable law or agreed to in writing, software
 11  
  * distributed under the License is distributed on an "AS IS" BASIS,
 12  
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13  
  * See the License for the specific language governing permissions and
 14  
  * limitations under the License.
 15  
  */
 16  
 package org.kuali.rice.ksb.messaging;
 17  
 
 18  
 import java.io.ByteArrayInputStream;
 19  
 import java.io.ByteArrayOutputStream;
 20  
 import java.io.IOException;
 21  
 import java.io.InputStream;
 22  
 import java.security.GeneralSecurityException;
 23  
 import java.security.Signature;
 24  
 import java.security.cert.CertificateFactory;
 25  
 
 26  
 import org.apache.commons.codec.binary.Base64;
 27  
 import org.apache.commons.httpclient.Header;
 28  
 import org.apache.commons.httpclient.HttpClient;
 29  
 import org.apache.commons.httpclient.methods.PostMethod;
 30  
 import org.apache.commons.lang.StringUtils;
 31  
 import org.kuali.rice.core.api.resourceloader.GlobalResourceLoader;
 32  
 import org.kuali.rice.core.api.resourceloader.GlobalResourceLoader;
 33  
 import org.kuali.rice.ksb.security.HttpClientHeaderDigitalSigner;
 34  
 import org.kuali.rice.ksb.security.SignatureVerifyingInputStream;
 35  
 import org.kuali.rice.ksb.security.admin.service.JavaSecurityManagementService;
 36  
 import org.kuali.rice.ksb.security.service.DigitalSignatureService;
 37  
 import org.kuali.rice.ksb.util.KSBConstants;
 38  
 import org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor;
 39  
 import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;
 40  
 
 41  
 
 42  
 /**
 43  
  * At HttpInvokerRequestExecutor which is capable of digitally signing and verifying messages.  It's capabilities
 44  
  * to execute the signing and verification can be turned on or off via an application constant.
 45  
  * 
 46  
  * @author Kuali Rice Team (rice.collab@kuali.org)
 47  
  */
 48  
 public class KSBHttpInvokerRequestExecutor extends CommonsHttpInvokerRequestExecutor {
 49  
         
 50  0
         private Boolean secure = Boolean.TRUE;
 51  
         
 52  
         public KSBHttpInvokerRequestExecutor() {
 53  0
                 super();
 54  0
         }
 55  
         
 56  
         public KSBHttpInvokerRequestExecutor(Boolean secure) {
 57  0
                 super();
 58  0
                 this.secure = secure;
 59  0
         }
 60  
 
 61  
         public KSBHttpInvokerRequestExecutor(HttpClient httpClient) {
 62  0
                 super(httpClient);
 63  0
         }
 64  
         
 65  
         /**
 66  
          * Signs the outgoing request by generating a digital signature from the bytes in the ByteArrayOutputStream and attaching the
 67  
          * signature and our alias to the headers of the PostMethod.
 68  
          */
 69  
         @Override
 70  
         protected void setRequestBody(HttpInvokerClientConfiguration config, PostMethod postMethod, ByteArrayOutputStream baos) throws IOException {
 71  0
                 if (isSecure()) {
 72  
                         try {
 73  0
                                 signRequest(postMethod, baos);        
 74  0
                         } catch (Exception e) {
 75  0
                                 throw new RuntimeException("Failed to sign the outgoing message.", e);
 76  0
                         }
 77  
                 }
 78  0
                 super.setRequestBody(config, postMethod, baos);
 79  0
         }
 80  
         
 81  
         /**
 82  
          * Returns a wrapped InputStream which is responsible for verifying the digital signature on the response after all
 83  
          * data has been read.
 84  
          */
 85  
         @Override
 86  
         protected InputStream getResponseBody(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
 87  0
                 if (isSecure()) {
 88  
                         // extract and validate the headers
 89  0
                         Header digitalSignatureHeader = postMethod.getResponseHeader(KSBConstants.DIGITAL_SIGNATURE_HEADER);
 90  0
                         Header keyStoreAliasHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_ALIAS_HEADER);
 91  0
                         Header certificateHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_CERTIFICATE_HEADER);
 92  0
                         if (digitalSignatureHeader == null || StringUtils.isEmpty(digitalSignatureHeader.getValue())) {
 93  0
                                 throw new RuntimeException("A digital signature header was required on the response but none was found.");
 94  
                         }
 95  0
                         boolean foundValidKeystoreAlias = (keyStoreAliasHeader != null && StringUtils.isNotBlank(keyStoreAliasHeader.getValue()));
 96  0
                         boolean foundValidCertificate = (certificateHeader != null && StringUtils.isNotBlank(certificateHeader.getValue()));
 97  0
                         if (!foundValidCertificate && !foundValidKeystoreAlias) {
 98  0
                 throw new RuntimeException("Either a key store alias header or a certificate header was required on the response but neither were found.");
 99  
                         }
 100  
                         // decode the digital signature from the header into binary
 101  0
                         byte[] digitalSignature = Base64.decodeBase64(digitalSignatureHeader.getValue().getBytes("UTF-8"));
 102  0
                         String errorQualifier = "General Security Error";
 103  
                         try {
 104  0
                             Signature signature = null;
 105  0
                             if (foundValidCertificate) {
 106  0
                     errorQualifier = "Error with given certificate";
 107  
                         // get the Signature for verification based on the alias that was sent to us
 108  0
                                 byte[] encodedCertificate = Base64.decodeBase64(certificateHeader.getValue().getBytes("UTF-8"));
 109  0
                             CertificateFactory cf = CertificateFactory.getInstance("X.509");
 110  0
                         signature = getDigitalSignatureService().getSignatureForVerification(cf.generateCertificate(new ByteArrayInputStream(encodedCertificate)));
 111  0
                             } else if (foundValidKeystoreAlias) {
 112  
                         // get the Signature for verification based on the alias that was sent to us
 113  0
                                 String keystoreAlias = keyStoreAliasHeader.getValue();
 114  0
                                 errorQualifier = "Error with given alias " + keystoreAlias;
 115  0
                         signature = getDigitalSignatureService().getSignatureForVerification(keystoreAlias);
 116  
                             }
 117  
                             
 118  
                                 // wrap the InputStream in an input stream that will verify the signature
 119  0
                                 return new SignatureVerifyingInputStream(digitalSignature, signature, super.getResponseBody(config, postMethod));
 120  0
                         } catch (GeneralSecurityException e) {
 121  0
                                 throw new RuntimeException("Problem verifying signature: " + errorQualifier,e);
 122  
                         }
 123  
                 }
 124  0
                 return super.getResponseBody(config, postMethod);
 125  
         }
 126  
 
 127  
         
 128  
         
 129  
         @Override
 130  
         protected void validateResponse(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
 131  0
                 if (postMethod.getStatusCode() >= 300) {
 132  0
                         throw new HttpException(postMethod.getStatusCode(), "Did not receive successful HTTP response: status code = " + postMethod.getStatusCode() +
 133  
                                         ", status message = [" + postMethod.getStatusText() + "]");
 134  
                 }
 135  0
         }
 136  
 
 137  
         /**
 138  
          * Signs the request by adding headers to the PostMethod.
 139  
          */
 140  
         protected void signRequest(PostMethod postMethod, ByteArrayOutputStream baos) throws Exception {
 141  0
                 Signature signature = getDigitalSignatureService().getSignatureForSigning();
 142  0
                 HttpClientHeaderDigitalSigner signer = new HttpClientHeaderDigitalSigner(signature, postMethod, getJavaSecurityManagementService().getModuleKeyStoreAlias());
 143  0
                 signer.getSignature().update(baos.toByteArray());
 144  0
                 signer.sign();
 145  0
         }
 146  
         
 147  
         protected boolean isSecure() {
 148  0
                 return getSecure();// && Utilities.getBooleanConstant(KewApiConstants.SECURITY_HTTP_INVOKER_SIGN_MESSAGES, false);
 149  
         }
 150  
 
 151  
         public Boolean getSecure() {
 152  0
                 return this.secure;
 153  
         }
 154  
 
 155  
         public void setSecure(Boolean secure) {
 156  0
                 this.secure = secure;
 157  0
         }
 158  
         
 159  
         protected DigitalSignatureService getDigitalSignatureService() {
 160  0
                 return (DigitalSignatureService) GlobalResourceLoader.getService(KSBConstants.ServiceNames.DIGITAL_SIGNATURE_SERVICE);
 161  
         }
 162  
         
 163  
         protected JavaSecurityManagementService getJavaSecurityManagementService() {
 164  0
                 return (JavaSecurityManagementService)GlobalResourceLoader.getService(KSBConstants.ServiceNames.JAVA_SECURITY_MANAGEMENT_SERVICE);
 165  
         }
 166  
         
 167  
 }