/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. The ASF licenses this file to You
* under the Apache License, Version 2.0 (the "License"); you may not
* use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License. For additional information regarding
* copyright in this work, please see the NOTICE file in the top level
* directory of this distribution.
*/
package org.apache.abdera.ext.oauth;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.util.Date;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import org.apache.abdera.protocol.client.AbderaClient;
import org.apache.abdera.protocol.client.util.MethodHelper;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.httpclient.Credentials;
import org.apache.commons.httpclient.HttpMethod;
import org.apache.commons.httpclient.URIException;
import org.apache.commons.httpclient.auth.AuthScheme;
import org.apache.commons.httpclient.auth.AuthenticationException;
import org.apache.commons.httpclient.auth.RFC2617Scheme;
import org.apache.commons.httpclient.methods.DeleteMethod;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.methods.HeadMethod;
import org.apache.commons.httpclient.methods.OptionsMethod;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.methods.PutMethod;
/**
* OAuth Scheme implementation for use with HTTP Commons AbderaClient
*
* @see http://oauth.org
* @see http://oauth.googlecode.com/svn/spec/branches/1.0/drafts/7/spec.html
* @author David Calavera
*/
public class OAuthScheme extends RFC2617Scheme implements AuthScheme {
private enum OAUTH_KEYS {
OAUTH_CONSUMER_KEY, OAUTH_TOKEN, OAUTH_SIGNATURE_METHOD, OAUTH_TIMESTAMP, OAUTH_NONCE, OAUTH_VERSION, OAUTH_SIGNATURE;
public String toLowerCase() {
return this.toString().toLowerCase();
}
}
private final int NONCE_LENGTH = 16;
public static void register(AbderaClient abderaClient, boolean exclusive) {
AbderaClient.registerScheme("OAuth", OAuthScheme.class);
if (exclusive)
((AbderaClient)abderaClient).setAuthenticationSchemePriority("OAuth");
else
((AbderaClient)abderaClient).setAuthenticationSchemeDefaults();
}
public String authenticate(Credentials credentials, String method, String uri) throws AuthenticationException {
return authenticate(credentials, resolveMethod(method, uri));
}
public String authenticate(Credentials credentials, HttpMethod method) throws AuthenticationException {
if (credentials instanceof OAuthCredentials) {
OAuthCredentials oauthCredentials = (OAuthCredentials)credentials;
String nonce = generateNonce();
long timestamp = new Date().getTime() / 1000;
String signature = generateSignature(oauthCredentials, method, nonce, timestamp);
return "OAuth realm=\"" + oauthCredentials.getRealm()
+ "\", "
+ OAUTH_KEYS.OAUTH_CONSUMER_KEY.toLowerCase()
+ "=\""
+ oauthCredentials.getConsumerKey()
+ "\", "
+ OAUTH_KEYS.OAUTH_TOKEN.toLowerCase()
+ "=\""
+ oauthCredentials.getToken()
+ "\", "
+ OAUTH_KEYS.OAUTH_SIGNATURE_METHOD.toLowerCase()
+ "=\""
+ oauthCredentials.getSignatureMethod()
+ "\", "
+ OAUTH_KEYS.OAUTH_SIGNATURE.toLowerCase()
+ "=\""
+ signature
+ "\", "
+ OAUTH_KEYS.OAUTH_TIMESTAMP.toLowerCase()
+ "=\""
+ timestamp
+ "\", "
+ OAUTH_KEYS.OAUTH_NONCE.toLowerCase()
+ "=\""
+ nonce
+ "\", "
+ OAUTH_KEYS.OAUTH_VERSION.toLowerCase()
+ "=\""
+ oauthCredentials.getVersion()
+ "\"";
} else {
return null;
}
}
private HttpMethod resolveMethod(String method, String uri) throws AuthenticationException {
if (method.equalsIgnoreCase("get")) {
return new GetMethod(uri);
} else if (method.equalsIgnoreCase("post")) {
return new PostMethod(uri);
} else if (method.equalsIgnoreCase("put")) {
return new PutMethod(uri);
} else if (method.equalsIgnoreCase("delete")) {
return new DeleteMethod(uri);
} else if (method.equalsIgnoreCase("head")) {
return new HeadMethod(uri);
} else if (method.equalsIgnoreCase("options")) {
return new OptionsMethod(uri);
} else {
// throw new AuthenticationException("unsupported http method : " + method);
return new MethodHelper.ExtensionMethod(method, uri);
}
}
private String generateSignature(OAuthCredentials credentials, HttpMethod method, String nonce, long timestamp)
throws AuthenticationException {
try {
String baseString =
method.getName().toUpperCase() + method.getURI().toString()
+ OAUTH_KEYS.OAUTH_CONSUMER_KEY.toLowerCase()
+ "="
+ credentials.getConsumerKey()
+ OAUTH_KEYS.OAUTH_TOKEN.toLowerCase()
+ "="
+ credentials.getToken()
+ OAUTH_KEYS.OAUTH_SIGNATURE_METHOD.toLowerCase()
+ "="
+ credentials.getSignatureMethod()
+ OAUTH_KEYS.OAUTH_TIMESTAMP.toLowerCase()
+ "="
+ timestamp
+ OAUTH_KEYS.OAUTH_NONCE.toLowerCase()
+ "="
+ nonce
+ OAUTH_KEYS.OAUTH_VERSION.toLowerCase()
+ "="
+ credentials.getVersion();
return sign(credentials.getSignatureMethod(), URLEncoder.encode(baseString, "UTF-8"), credentials.getCert());
} catch (URIException e) {
throw new AuthenticationException(e.getMessage(), e);
} catch (UnsupportedEncodingException e) {
throw new AuthenticationException(e.getMessage(), e);
}
}
private String generateNonce() throws AuthenticationException {
try {
SecureRandom sr = SecureRandom.getInstance("SHA1PRNG");
byte[] temp = new byte[NONCE_LENGTH];
sr.nextBytes(temp);
String n = new String(Hex.encodeHex(temp));
return n;
} catch (Exception e) {
throw new AuthenticationException(e.getMessage(), e);
}
}
private String sign(String method, String baseString, Certificate cert) throws AuthenticationException {
if (method.equalsIgnoreCase("HMAC-MD5") || method.equalsIgnoreCase("HMAC-SHA1")) {
try {
String[] tokens = method.split("-");
String methodName =
tokens[0].substring(0, 1).toUpperCase() + tokens[0].substring(1).toLowerCase() + tokens[1];
KeyGenerator kg = KeyGenerator.getInstance(methodName);
Mac mac = Mac.getInstance(kg.getAlgorithm());
mac.init(kg.generateKey());
byte[] result = mac.doFinal(baseString.getBytes());
return new String(Base64.encodeBase64(result));
} catch (Exception e) {
throw new AuthenticationException(e.getMessage(), e);
}
} else if (method.equalsIgnoreCase("md5")) {
return new String(Base64.encodeBase64(DigestUtils.md5(baseString)));
} else if (method.equalsIgnoreCase("sha1")) {
return new String(Base64.encodeBase64(DigestUtils.sha(baseString)));
} else if (method.equalsIgnoreCase("RSA-SHA1")) {
if (cert == null) {
throw new AuthenticationException("a cert is mandatory to use SHA1 with RSA");
}
try {
Cipher cipher = Cipher.getInstance("SHA1withRSA");
cipher.init(Cipher.ENCRYPT_MODE, cert);
byte[] result = cipher.doFinal(baseString.getBytes());
return new String(Base64.encodeBase64(result));
} catch (Exception e) {
throw new AuthenticationException(e.getMessage(), e);
}
} else {
throw new AuthenticationException("unsupported algorithm method: " + method);
}
}
public String getSchemeName() {
return "OAuth";
}
public boolean isComplete() {
return true;
}
public boolean isConnectionBased() {
return true;
}
}