AuthInterceptor.java

/*
    This file is part of Cyclos (www.cyclos.org).
    A project of the Social Trade Organisation (www.socialtrade.org).

    Cyclos is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    Cyclos is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with Cyclos; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

 */
package nl.strohalm.cyclos.webservices.interceptor;

import java.lang.reflect.Method;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.xml.namespace.QName;

import nl.strohalm.cyclos.entities.exceptions.EntityNotFoundException;
import nl.strohalm.cyclos.entities.services.ServiceClient;
import nl.strohalm.cyclos.entities.services.ServiceOperation;
import nl.strohalm.cyclos.services.application.ApplicationServiceLocal;
import nl.strohalm.cyclos.services.services.ServiceClientServiceLocal;
import nl.strohalm.cyclos.utils.access.LoggedUser;
import nl.strohalm.cyclos.webservices.CyclosWebServicesClientFactory;
import nl.strohalm.cyclos.webservices.Permission;
import nl.strohalm.cyclos.webservices.WebServiceContext;
import nl.strohalm.cyclos.webservices.WebServiceContext.ContextType;
import nl.strohalm.cyclos.webservices.WebServiceFaultsEnum;
import nl.strohalm.cyclos.webservices.utils.WebServiceHelper;

import org.apache.commons.lang.StringUtils;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.service.model.MessageInfo;
import org.apache.cxf.service.model.OperationInfo;
import org.apache.cxf.transport.http.AbstractHTTPDestination;

/**
 * A CXF interceptor that will process authentication & authorization for web services
 * 
 * @author luis
 */
public class AuthInterceptor extends AbstractSoapInterceptor {

    private static final String[]                BLANK_CREDENTIALS = { "", "" };

    private ServiceClientServiceLocal            serviceClientServiceLocal;
    private ApplicationServiceLocal              applicationServiceLocal;

    private final Map<QName, ServiceOperation[]> cachedOperations  = new HashMap<QName, ServiceOperation[]>();

    public AuthInterceptor() {
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(final SoapMessage message) throws Fault {
        final HttpServletRequest request = WebServiceHelper.requestOf(message);
        request.setAttribute(ContextType.class.getName(), ContextType.SERVICE_CLIENT);
        ServiceClient client = null;
        final ServletContext servletContext = servletContextOf(message);
        try {
            if (!applicationServiceLocal.isOnline()) {
                throw WebServiceHelper.fault(WebServiceFaultsEnum.APPLICATION_OFFLINE);
            }

            // Check non-secure access when HTTP is enabled
            if (Boolean.TRUE.equals(servletContext.getAttribute("cyclos.httpEnabled"))) {
                final String protocol = StringUtils.split(request.getRequestURL().toString(), "://")[0];
                if (!"https".equalsIgnoreCase(protocol)) {
                    throw WebServiceHelper.fault(WebServiceFaultsEnum.SECURE_ACCESS_REQUIRED);
                }
            }

            boolean allowed = false;
            // Find the service client
            client = resolveClient(request);
            if (client != null) {
                // Find the requested operation
                final ServiceOperation[] operations = resolveOperations(message);
                if (operations.length == 0) {
                    // When there are no operations, access is granted to anyone
                    allowed = true;
                } else {
                    // Check whether the client has access to the requested operation
                    final Set<ServiceOperation> permissions = client.getPermissions();
                    for (final ServiceOperation serviceOperation : operations) {
                        if (permissions.contains(serviceOperation)) {
                            allowed = true;
                            break;
                        }
                    }
                }
            }
            if (!allowed) {
                throw WebServiceHelper.fault(WebServiceFaultsEnum.UNAUTHORIZED_ACCESS);
            }

            // Initialize the logged user
            LoggedUser.init(client, request.getRemoteAddr(), null);

            // Initialize the context
            WebServiceContext.set(client, servletContext, request, message);
        } catch (Exception e) {
            WebServiceHelper.initializeContext(message);
            if (e instanceof SoapFault) {
                throw (SoapFault) e;
            } else {
                throw WebServiceHelper.fault(e);
            }
        }
    }

    public void setApplicationServiceLocal(final ApplicationServiceLocal applicationService) {
        applicationServiceLocal = applicationService;
    }

    public void setServiceClientServiceLocal(final ServiceClientServiceLocal serviceClientService) {
        serviceClientServiceLocal = serviceClientService;
    }

    /**
     * Find a matching {@link ServiceClient} for the given request
     */
    private ServiceClient resolveClient(final HttpServletRequest request) {
        final String address = request.getRemoteAddr();
        String[] credentials = WebServiceHelper.getCredentials(request);
        if (credentials == null) {
            credentials = BLANK_CREDENTIALS;
        }
        try {
            return serviceClientServiceLocal.findByAddressAndCredentials(address, credentials[0], credentials[1]);
        } catch (final EntityNotFoundException e) {
            return null;
        }
    }

    /**
     * Resolve the possible operations for the current request
     */
    private ServiceOperation[] resolveOperations(final SoapMessage message) {
        final MessageInfo messageInfo = message.get(MessageInfo.class);
        final OperationInfo operation = messageInfo.getOperation();
        final QName operationQName = operation.getName();
        // Try to find the operations in the cache
        ServiceOperation[] operations = cachedOperations.get(operationQName);
        if (operations == null) {
            // Cache miss... find the interface method
            final String operationName = operationQName.getLocalPart();
            final String serviceName = operation.getInterface().getService().getName().getLocalPart();
            final Class<?> serviceInterface = CyclosWebServicesClientFactory.serviceInterfaceForName(serviceName);
            for (final Method m : serviceInterface.getMethods()) {
                if (m.getName().equals(operationName)) {
                    final Permission permission = m.getAnnotation(Permission.class);
                    operations = permission == null ? new ServiceOperation[0] : permission.value();
                    break;
                }
            }
            // Store the operations on the cache for further access
            cachedOperations.put(operationQName, operations);
        }
        return operations;
    }

    /**
     * Returns the SessionContext instance for the given SOAP message
     */
    private ServletContext servletContextOf(final SoapMessage message) {
        return (ServletContext) message.get(AbstractHTTPDestination.HTTP_CONTEXT);
    }
}