Coverage Report

Coverage Report - org.kuali.rice.ksb.messaging.KSBHttpInvokerRequestExecutor

Classes in this File

Line Coverage

Branch Coverage

Complexity

KSBHttpInvokerRequestExecutor

0/55

0/26

2.583

 /*
  * Copyright 2007 The Kuali Foundation
  *
  * Licensed under the Educational Community License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  * http://www.opensource.org/licenses/ecl2.php
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 package org.kuali.rice.ksb.messaging;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.GeneralSecurityException;
 import java.security.Signature;
 import java.security.cert.CertificateFactory;
 
 import org.apache.commons.codec.binary.Base64;
 import org.apache.commons.httpclient.Header;
 import org.apache.commons.httpclient.HttpClient;
 import org.apache.commons.httpclient.methods.PostMethod;
 import org.apache.commons.lang.StringUtils;
 import org.kuali.rice.core.api.resourceloader.GlobalResourceLoader;
 import org.kuali.rice.core.api.resourceloader.GlobalResourceLoader;
 import org.kuali.rice.ksb.security.HttpClientHeaderDigitalSigner;
 import org.kuali.rice.ksb.security.SignatureVerifyingInputStream;
 import org.kuali.rice.ksb.security.admin.service.JavaSecurityManagementService;
 import org.kuali.rice.ksb.security.service.DigitalSignatureService;
 import org.kuali.rice.ksb.util.KSBConstants;
 import org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor;
 import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;
 
 
 /**
  * At HttpInvokerRequestExecutor which is capable of digitally signing and verifying messages.  It's capabilities
  * to execute the signing and verification can be turned on or off via an application constant.
  * 
  * @author Kuali Rice Team (rice.collab@kuali.org)
  */
 public class KSBHttpInvokerRequestExecutor extends CommonsHttpInvokerRequestExecutor {
         
         private Boolean secure = Boolean.TRUE;
         
         public KSBHttpInvokerRequestExecutor() {
                 super();
         }
         
         public KSBHttpInvokerRequestExecutor(Boolean secure) {
                 super();
                 this.secure = secure;
         }
 
         public KSBHttpInvokerRequestExecutor(HttpClient httpClient) {
                 super(httpClient);
         }
         
         /**
          * Signs the outgoing request by generating a digital signature from the bytes in the ByteArrayOutputStream and attaching the
          * signature and our alias to the headers of the PostMethod.
          */
         @Override
         protected void setRequestBody(HttpInvokerClientConfiguration config, PostMethod postMethod, ByteArrayOutputStream baos) throws IOException {
                 if (isSecure()) {
                         try {
                                 signRequest(postMethod, baos);        
                         } catch (Exception e) {
                                 throw new RuntimeException("Failed to sign the outgoing message.", e);
                         }
                 }
                 super.setRequestBody(config, postMethod, baos);
         }
         
         /**
          * Returns a wrapped InputStream which is responsible for verifying the digital signature on the response after all
          * data has been read.
          */
         @Override
         protected InputStream getResponseBody(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
                 if (isSecure()) {
                         // extract and validate the headers
                         Header digitalSignatureHeader = postMethod.getResponseHeader(KSBConstants.DIGITAL_SIGNATURE_HEADER);
                         Header keyStoreAliasHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_ALIAS_HEADER);
                         Header certificateHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_CERTIFICATE_HEADER);
                         if (digitalSignatureHeader == null || StringUtils.isEmpty(digitalSignatureHeader.getValue())) {
                                 throw new RuntimeException("A digital signature header was required on the response but none was found.");
                         }
                         boolean foundValidKeystoreAlias = (keyStoreAliasHeader != null && StringUtils.isNotBlank(keyStoreAliasHeader.getValue()));
                         boolean foundValidCertificate = (certificateHeader != null && StringUtils.isNotBlank(certificateHeader.getValue()));
                         if (!foundValidCertificate && !foundValidKeystoreAlias) {
                 throw new RuntimeException("Either a key store alias header or a certificate header was required on the response but neither were found.");
                         }
                         // decode the digital signature from the header into binary
                         byte[] digitalSignature = Base64.decodeBase64(digitalSignatureHeader.getValue().getBytes("UTF-8"));
                         String errorQualifier = "General Security Error";
                         try {
                             Signature signature = null;
                             if (foundValidCertificate) {
                     errorQualifier = "Error with given certificate";
                         // get the Signature for verification based on the alias that was sent to us
                                 byte[] encodedCertificate = Base64.decodeBase64(certificateHeader.getValue().getBytes("UTF-8"));
                             CertificateFactory cf = CertificateFactory.getInstance("X.509");
                         signature = getDigitalSignatureService().getSignatureForVerification(cf.generateCertificate(new ByteArrayInputStream(encodedCertificate)));
                             } else if (foundValidKeystoreAlias) {
                         // get the Signature for verification based on the alias that was sent to us
                                 String keystoreAlias = keyStoreAliasHeader.getValue();
                                 errorQualifier = "Error with given alias " + keystoreAlias;
                         signature = getDigitalSignatureService().getSignatureForVerification(keystoreAlias);
                             }
                             
                                 // wrap the InputStream in an input stream that will verify the signature
                                 return new SignatureVerifyingInputStream(digitalSignature, signature, super.getResponseBody(config, postMethod));
                         } catch (GeneralSecurityException e) {
                                 throw new RuntimeException("Problem verifying signature: " + errorQualifier,e);
                         }
                 }
                 return super.getResponseBody(config, postMethod);
         }
 
         
         
         @Override
         protected void validateResponse(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
                 if (postMethod.getStatusCode() >= 300) {
                         throw new HttpException(postMethod.getStatusCode(), "Did not receive successful HTTP response: status code = " + postMethod.getStatusCode() +
                                         ", status message = [" + postMethod.getStatusText() + "]");
                 }
         }
 
         /**
          * Signs the request by adding headers to the PostMethod.
          */
         protected void signRequest(PostMethod postMethod, ByteArrayOutputStream baos) throws Exception {
                 Signature signature = getDigitalSignatureService().getSignatureForSigning();
                 HttpClientHeaderDigitalSigner signer = new HttpClientHeaderDigitalSigner(signature, postMethod, getJavaSecurityManagementService().getModuleKeyStoreAlias());
                 signer.getSignature().update(baos.toByteArray());
                 signer.sign();
         }
         
         protected boolean isSecure() {
                 return getSecure();// && Utilities.getBooleanConstant(KEWConstants.SECURITY_HTTP_INVOKER_SIGN_MESSAGES, false);
         }
 
         public Boolean getSecure() {
                 return this.secure;
         }
 
         public void setSecure(Boolean secure) {
                 this.secure = secure;
         }
         
         protected DigitalSignatureService getDigitalSignatureService() {
                 return (DigitalSignatureService) GlobalResourceLoader.getService(KSBConstants.ServiceNames.DIGITAL_SIGNATURE_SERVICE);
         }
         
         protected JavaSecurityManagementService getJavaSecurityManagementService() {
                 return (JavaSecurityManagementService)GlobalResourceLoader.getService(KSBConstants.ServiceNames.JAVA_SECURITY_MANAGEMENT_SERVICE);
         }
         
 }

1		/*
2		* Copyright 2007 The Kuali Foundation
3		*
4		* Licensed under the Educational Community License, Version 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		*
8		* http://www.opensource.org/licenses/ecl2.php
9		*
10		* Unless required by applicable law or agreed to in writing, software
11		* distributed under the License is distributed on an "AS IS" BASIS,
12		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13		* See the License for the specific language governing permissions and
14		* limitations under the License.
15		*/
16		package org.kuali.rice.ksb.messaging;
17
18		import java.io.ByteArrayInputStream;
19		import java.io.ByteArrayOutputStream;
20		import java.io.IOException;
21		import java.io.InputStream;
22		import java.security.GeneralSecurityException;
23		import java.security.Signature;
24		import java.security.cert.CertificateFactory;
25
26		import org.apache.commons.codec.binary.Base64;
27		import org.apache.commons.httpclient.Header;
28		import org.apache.commons.httpclient.HttpClient;
29		import org.apache.commons.httpclient.methods.PostMethod;
30		import org.apache.commons.lang.StringUtils;
31		import org.kuali.rice.core.api.resourceloader.GlobalResourceLoader;
32		import org.kuali.rice.core.api.resourceloader.GlobalResourceLoader;
33		import org.kuali.rice.ksb.security.HttpClientHeaderDigitalSigner;
34		import org.kuali.rice.ksb.security.SignatureVerifyingInputStream;
35		import org.kuali.rice.ksb.security.admin.service.JavaSecurityManagementService;
36		import org.kuali.rice.ksb.security.service.DigitalSignatureService;
37		import org.kuali.rice.ksb.util.KSBConstants;
38		import org.springframework.remoting.httpinvoker.CommonsHttpInvokerRequestExecutor;
39		import org.springframework.remoting.httpinvoker.HttpInvokerClientConfiguration;
40
41
42		/**
43		* At HttpInvokerRequestExecutor which is capable of digitally signing and verifying messages. It's capabilities
44		* to execute the signing and verification can be turned on or off via an application constant.
45		*
46		* @author Kuali Rice Team (rice.collab@kuali.org)
47		*/
48		public class KSBHttpInvokerRequestExecutor extends CommonsHttpInvokerRequestExecutor {
49
50	0	private Boolean secure = Boolean.TRUE;
51
52		public KSBHttpInvokerRequestExecutor() {
53	0	super();
54	0	}
55
56		public KSBHttpInvokerRequestExecutor(Boolean secure) {
57	0	super();
58	0	this.secure = secure;
59	0	}
60
61		public KSBHttpInvokerRequestExecutor(HttpClient httpClient) {
62	0	super(httpClient);
63	0	}
64
65		/**
66		* Signs the outgoing request by generating a digital signature from the bytes in the ByteArrayOutputStream and attaching the
67		* signature and our alias to the headers of the PostMethod.
68		*/
69		@Override
70		protected void setRequestBody(HttpInvokerClientConfiguration config, PostMethod postMethod, ByteArrayOutputStream baos) throws IOException {
71	0	if (isSecure()) {
72		try {
73	0	signRequest(postMethod, baos);
74	0	} catch (Exception e) {
75	0	throw new RuntimeException("Failed to sign the outgoing message.", e);
76	0	}
77		}
78	0	super.setRequestBody(config, postMethod, baos);
79	0	}
80
81		/**
82		* Returns a wrapped InputStream which is responsible for verifying the digital signature on the response after all
83		* data has been read.
84		*/
85		@Override
86		protected InputStream getResponseBody(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
87	0	if (isSecure()) {
88		// extract and validate the headers
89	0	Header digitalSignatureHeader = postMethod.getResponseHeader(KSBConstants.DIGITAL_SIGNATURE_HEADER);
90	0	Header keyStoreAliasHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_ALIAS_HEADER);
91	0	Header certificateHeader = postMethod.getResponseHeader(KSBConstants.KEYSTORE_CERTIFICATE_HEADER);
92	0	if (digitalSignatureHeader == null \|\| StringUtils.isEmpty(digitalSignatureHeader.getValue())) {
93	0	throw new RuntimeException("A digital signature header was required on the response but none was found.");
94		}
95	0	boolean foundValidKeystoreAlias = (keyStoreAliasHeader != null && StringUtils.isNotBlank(keyStoreAliasHeader.getValue()));
96	0	boolean foundValidCertificate = (certificateHeader != null && StringUtils.isNotBlank(certificateHeader.getValue()));
97	0	if (!foundValidCertificate && !foundValidKeystoreAlias) {
98	0	throw new RuntimeException("Either a key store alias header or a certificate header was required on the response but neither were found.");
99		}
100		// decode the digital signature from the header into binary
101	0	byte[] digitalSignature = Base64.decodeBase64(digitalSignatureHeader.getValue().getBytes("UTF-8"));
102	0	String errorQualifier = "General Security Error";
103		try {
104	0	Signature signature = null;
105	0	if (foundValidCertificate) {
106	0	errorQualifier = "Error with given certificate";
107		// get the Signature for verification based on the alias that was sent to us
108	0	byte[] encodedCertificate = Base64.decodeBase64(certificateHeader.getValue().getBytes("UTF-8"));
109	0	CertificateFactory cf = CertificateFactory.getInstance("X.509");
110	0	signature = getDigitalSignatureService().getSignatureForVerification(cf.generateCertificate(new ByteArrayInputStream(encodedCertificate)));
111	0	} else if (foundValidKeystoreAlias) {
112		// get the Signature for verification based on the alias that was sent to us
113	0	String keystoreAlias = keyStoreAliasHeader.getValue();
114	0	errorQualifier = "Error with given alias " + keystoreAlias;
115	0	signature = getDigitalSignatureService().getSignatureForVerification(keystoreAlias);
116		}
117
118		// wrap the InputStream in an input stream that will verify the signature
119	0	return new SignatureVerifyingInputStream(digitalSignature, signature, super.getResponseBody(config, postMethod));
120	0	} catch (GeneralSecurityException e) {
121	0	throw new RuntimeException("Problem verifying signature: " + errorQualifier,e);
122		}
123		}
124	0	return super.getResponseBody(config, postMethod);
125		}
126
127
128
129		@Override
130		protected void validateResponse(HttpInvokerClientConfiguration config, PostMethod postMethod) throws IOException {
131	0	if (postMethod.getStatusCode() >= 300) {
132	0	throw new HttpException(postMethod.getStatusCode(), "Did not receive successful HTTP response: status code = " + postMethod.getStatusCode() +
133		", status message = [" + postMethod.getStatusText() + "]");
134		}
135	0	}
136
137		/**
138		* Signs the request by adding headers to the PostMethod.
139		*/
140		protected void signRequest(PostMethod postMethod, ByteArrayOutputStream baos) throws Exception {
141	0	Signature signature = getDigitalSignatureService().getSignatureForSigning();
142	0	HttpClientHeaderDigitalSigner signer = new HttpClientHeaderDigitalSigner(signature, postMethod, getJavaSecurityManagementService().getModuleKeyStoreAlias());
143	0	signer.getSignature().update(baos.toByteArray());
144	0	signer.sign();
145	0	}
146
147		protected boolean isSecure() {
148	0	return getSecure();// && Utilities.getBooleanConstant(KEWConstants.SECURITY_HTTP_INVOKER_SIGN_MESSAGES, false);
149		}
150
151		public Boolean getSecure() {
152	0	return this.secure;
153		}
154
155		public void setSecure(Boolean secure) {
156	0	this.secure = secure;
157	0	}
158
159		protected DigitalSignatureService getDigitalSignatureService() {
160	0	return (DigitalSignatureService) GlobalResourceLoader.getService(KSBConstants.ServiceNames.DIGITAL_SIGNATURE_SERVICE);
161		}
162
163		protected JavaSecurityManagementService getJavaSecurityManagementService() {
164	0	return (JavaSecurityManagementService)GlobalResourceLoader.getService(KSBConstants.ServiceNames.JAVA_SECURITY_MANAGEMENT_SERVICE);
165		}
166
167		}