Source Code of com.cloud.bridge.auth.ec2.AuthenticationHandler

/*
 * Copyright (C) 2011 Citrix Systems, Inc.  All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package com.cloud.bridge.auth.ec2;

import org.apache.axiom.soap.SOAPEnvelope;
import org.apache.log4j.Logger;
import org.apache.axis2.context.MessageContext;
import org.apache.axis2.engine.Handler;
import org.apache.axis2.AxisFault;
import org.apache.axis2.description.HandlerDescription;
import org.apache.axis2.description.Parameter;
import org.apache.commons.codec.binary.Base64;

import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.io.ByteArrayInputStream;
import java.io.InputStream;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import com.cloud.bridge.model.UserCredentials;
import com.cloud.bridge.persist.dao.UserCredentialsDao;
import com.cloud.bridge.service.UserContext;
import com.cloud.bridge.util.AuthenticationUtils;


public class AuthenticationHandler implements Handler {
     protected final static Logger logger = Logger.getLogger(AuthenticationHandler.class);

     private DocumentBuilderFactory dbf = null;

   protected HandlerDescription handlerDesc = new HandlerDescription( "EC2AuthenticationHandler" );
     private String name = "EC2AuthenticationHandler";

     public void init( HandlerDescription handlerdesc )
     {
      dbf = DocumentBuilderFactory.newInstance();
     dbf.setNamespaceAware( true );

          this.handlerDesc = handlerdesc;
     }

     public String getName()
     {
          return name;
     }

     public String toString()
     {
       return (name != null) ? name.toString() : null;
     }

     public HandlerDescription getHandlerDesc()
     {
          return handlerDesc;
     }

     public Parameter getParameter( String name )
     {
       return handlerDesc.getParameter( name );
     }


     /**
      * For EC2 SOAP calls this function's goal is to extract the X509 certificate that is
      * part of the WS-Security wrapped SOAP request.   We need the cert in order to
      * map it to the user's Cloud API key and Cloud Secret Key.
      */
     public InvocationResponse invoke(MessageContext msgContext) throws AxisFault
     {
       // -> the certificate we want is embedded into the soap header
       try
       {  SOAPEnvelope soapEnvelope = msgContext.getEnvelope();
            String       xmlHeader    = soapEnvelope.toString();
            //System.out.println( "entire request: " + xmlHeader );

        InputStream is = new ByteArrayInputStream( xmlHeader.getBytes("UTF-8"));
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document request = db.parse( is );
        NodeList certs   = request.getElementsByTagNameNS( "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "BinarySecurityToken" );
          if (0 < certs.getLength()) {
            Node item = certs.item(0);
            String result = new String( item.getFirstChild().getNodeValue());
            byte[] certBytes = Base64.decodeBase64( result.getBytes());

            Certificate userCert  = null;
            CertificateFactory cf = CertificateFactory.getInstance( "X.509" );
            ByteArrayInputStream bs = new ByteArrayInputStream( certBytes );
            while (bs.available() > 0) userCert = cf.generateCertificate(bs);
                //System.out.println( "cert: " + userCert.toString());
                String uniqueId = AuthenticationUtils.X509CertUniqueId( userCert );
                logger.debug( "X509 cert's uniqueId: " + uniqueId );

                // -> find the Cloud API key and the secret key from the cert's uniqueId
             UserCredentialsDao credentialDao = new UserCredentialsDao();
             UserCredentials cloudKeys = credentialDao.getByCertUniqueId( uniqueId );
             if ( null == cloudKeys ) {
                 logger.error( "Cert does not map to Cloud API keys: " + uniqueId );
              throw new AxisFault( "User not properly registered: Certificate does not map to Cloud API Keys", "Client.Blocked" );
             }
             else UserContext.current().initContext( cloudKeys.getAccessKey(), cloudKeys.getSecretKey(), cloudKeys.getAccessKey(), "SOAP Request", null );
                //System.out.println( "end of cert match: " + UserContext.current().getSecretKey());
          }
      }
      catch (AxisFault e) {
        throw e;
      }
      catch( Exception e ) {
            logger.error("EC2 Authentication Handler: ", e);
        throw new AxisFault( "An unknown error occurred.", "Server.InternalError" );
      }
        return InvocationResponse.CONTINUE;
     }


     public void revoke(MessageContext msgContext)
     {
         logger.info(msgContext.getEnvelope().toString());
     }

     public void setName(String name)
     {
         this.name = name;
     }

    @Override
   public void cleanup()
   {
   }

   @Override
   public void flowComplete( MessageContext arg0 )
   {
   }
}