You should have received a copy of hipergate License with this code; if not, visit http://www.hipergate.org or mail to info@hipergate.org */ package com.knowgate.acl; import java.io.InputStream; import java.sql.SQLException; import java.sql.CallableStatement; import java.sql.PreparedStatement; import java.sql.ResultSet; import java.util.Date; import java.util.Properties; import com.knowgate.debug.DebugFile; import com.knowgate.jdc.JDCConnection; import com.knowgate.misc.MD5; import com.knowgate.misc.Base64Encoder; import com.knowgate.misc.Base64Decoder; /** * * <p>Top Level User Authentication and Access Control List Functions.</p> * @author Sergio Montoro Ten * @version 4.0 */ public final class ACL { /** * Default Constructor */ public ACL() { } /** * <p>Check if a captcha matches its signature and it has not expired</p> * @param lTimestamp Timestamp (in miliseconds) when sPlainCaptcha was generated * @param lTimemout Number of miliseconds after which sPlainCaptcha expires * @param sPlainCaptcha Captcha plain text * @param sPlainCaptchaMD5 Precomputed MD5 hash for String sPlainCaptcha+ACL.getRC4key() * @return * <ul> * <li> 0 (zero) means that the given key correspond to the captcha text and that it has not expired * <li>ACL.CAPTCHA_MISMATCH The computed MD5 hash for sPlainCaptcha+lTimestamp does not match sTimeCaptchaMD5 * <li>ACL.CAPTCHA_TIMEOUT lTimestamp+lTimeout is before current datetime * </ul> * @since 4.0 */ public static short checkCaptcha(long lTimestamp, long lTimeout, String sPlainCaptcha, String sPlainCaptchaMD5) { short iRetVal; long lNow = new Date().getTime(); if (lTimestamp+lTimeout<lNow) { iRetVal = CAPTCHA_TIMEOUT; } else { MD5 oCaptchaMd5 = new MD5(sPlainCaptcha+ACL.getRC4key()); if (sPlainCaptchaMD5.equalsIgnoreCase(oCaptchaMd5.asHex())) iRetVal = (short) 0; else iRetVal = CAPTCHA_MISMATCH; } // fi (lTimestamp+lCaptchaTimeout<lNow) return iRetVal; } // checkCaptcha /** * <p>Checks whether or not password is valid for given user.</p> * <p>This method calls k_sp_autenticate stored procedure witch looks up tx_pwd field at k_users table and see if it is the same as sAuthStr parameter.</p> * @param oConn Opened Database Connection * @param sUserId User GUID * @param sAuthStr Authentication String (password) * @param iFlags Authentication String Flags * <ul> * <li>ACL.PWD_CLEAR_TEXT Authentication String is passed as clear text (no encryption) * <li>ACL.PWD_DTIP_RC4 Authentication String is given encrypted using RC4 algorithm * <li>ACL.PWD_DTIP_RC4_64 Authentication String is given encrypted using RC4 algorithm and base64 encoded * </ul> * @return * <ul> * <li>ACL.USER_NOT_FOUND sUserId not found at gu_user field from k_users table * <li>ACL.INVALID_PASSWORD sAuthStr parameter does not match tx_pwd field from k_users for sUserId * <li>ACL.PASSWORD_EXPIRED Password has expired (dt_pwd_expires field value is before current date) * <li>ACL.ACCOUNT_DEACTIVATED User account as been deactivated (field bo_active from k_users table set to zero) * <li>ACL.ACCOUNT_CANCELLED User account as been cancelled (field dt_cancel from k_users table set to date before now) * <li>ACL.INTERNAL_ERROR Internal error while trying to autenticate user * </ul> * @throws SQLException * @throws UnsupportedOperationException If k_sp_autenticate stored procedure is not found */ public static short autenticate (JDCConnection oConn, String sUserId, String sAuthStr, int iFlags) throws SQLException, UnsupportedOperationException { short iStatus; CallableStatement oCall; PreparedStatement oStmt; ResultSet oRSet; String sPassword; if (DebugFile.trace) { DebugFile.writeln("Begin ACL.autenticate([Connection], " + sUserId + "," + sAuthStr + "," + iFlags + ")" ); DebugFile.incIdent(); } sPassword = decript(sAuthStr, iFlags); switch (oConn.getDataBaseProduct()) { case JDCConnection.DBMS_ORACLE: if (DebugFile.trace) DebugFile.writeln(" Connection.prepareCall({ call k_sp_autenticate (" + sUserId + "," + sPassword + ",?)})"); oCall = oConn.prepareCall("{ call k_sp_autenticate (?,?,?)}"); oCall.setString(1,sUserId); oCall.setString(2,sPassword); oCall.registerOutParameter(3, java.sql.Types.DECIMAL); if (DebugFile.trace) DebugFile.writeln(" java.sql.Connection.execute()"); oCall.execute(); iStatus = Short.parseShort(oCall.getBigDecimal(3).toString()); oCall.close(); break; case JDCConnection.DBMS_MSSQL: case JDCConnection.DBMS_MYSQL: if (DebugFile.trace) DebugFile.writeln(" Connection.prepareCall({ call k_sp_autenticate (" + sUserId + "," + sPassword + ",?)})"); oCall = oConn.prepareCall("{ call k_sp_autenticate (?,?,?)}"); oCall.setString(1,sUserId); oCall.setString(2,sPassword); oCall.registerOutParameter(3, java.sql.Types.SMALLINT); if (DebugFile.trace) DebugFile.writeln(" java.sql.Connection.execute()"); oCall.execute(); iStatus = oCall.getShort(3); oCall.close(); break; case JDCConnection.DBMS_POSTGRESQL: oStmt = oConn.prepareStatement("SELECT k_sp_autenticate(?,?)", ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_READ_ONLY); if (DebugFile.trace) DebugFile.writeln(" Statement.executeQuery(SELECT k_sp_autenticate('" + sUserId + "', '" + sPassword + "', ...))"); oStmt.setString(1, sUserId); oStmt.setString(2, sPassword); oRSet = oStmt.executeQuery(); oRSet.next(); iStatus = oRSet.getShort(1); oRSet.close(); oStmt.close(); break; default: throw new UnsupportedOperationException("k_sp_autenticate procedure not found"); } if (DebugFile.trace) { DebugFile.decIdent(); DebugFile.writeln("End ACL.autenticate() : " + iStatus); } return iStatus; } // autenticate /** * <p>Checks password and captcha for a given user </p> * <p>This method calls k_sp_autenticate stored procedure witch looks up tx_pwd field at k_users table and see if it is the same as sAuthStr parameter.</p> * <p>Also it checks that the given captcha text corresponds to its signature and that it has not expired.</p> * @param oConn Opened Database Connection * @param sUserId User GUID * @param sAuthStr Authentication String (password) * @param iFlags Authentication String Flags * @param lTimestamp Timestamp (in miliseconds) when sPlainCaptcha was generated * @param lTimemout Number of miliseconds after which sPlainCaptcha expires * @param sPlainCaptcha Captcha plain text * @param sPlainCaptchaMD5 Precomputed MD5 hash for String sPlainCaptcha+ACL.getRC4key() * @return This method returns the same values as autenticate(JDCConnection,String,String,int) and also * <ul> * <li>ACL.CAPTCHA_MISMATCH The computed MD5 hash for sPlainCaptcha+lTimestamp does not match sTimeCaptchaMD5 * <li>ACL.CAPTCHA_TIMEOUT lTimestamp+lTimeout is before current datetime * </ul> * @throws SQLException * @throws UnsupportedOperationException If k_sp_autenticate stored procedure is not found * @since 2.2 */ public static short autenticate (JDCConnection oConn, String sUserId, String sAuthStr, int iFlags, long lTimestamp, long lTimeout, String sPlainCaptcha, String sPlainCaptchaMD5) throws SQLException, UnsupportedOperationException { short iRetVal = autenticate(oConn, sUserId, sAuthStr, iFlags); if (iRetVal>=(short)0) { iRetVal = checkCaptcha(lTimestamp,lTimeout,sPlainCaptcha,sPlainCaptchaMD5); } return iRetVal; } // autenticate /** * <p>Decrypt String</p> * @param sStr Base64 encoded string to be decriptted * @param iFlags Encryption flags * <ul> * <li>ACL.PWD_CLEAR_TEXT Do not encrypt sStr (return as it is given) * <li>ACL.PWD_DTIP_RC4 Encrypt using RC4 algorithm * <li>ACL.PWD_DTIP_RC4_64 Decrypt by decoding base64 input and then using RC4 algorithm * </ul> * @return Decrypted string * @throws NullPointerException if sStr is <b>null</b> * @throws IllegalArgumentException if iFlags!=PWD_CLEAR_TEXT AND iFlags!=PWD_DTIP_RC4 AND iFlags!=PWD_DTIP_RC4_64 * @since 4.0 */ public static String decript (String sStr, int iFlags) throws IllegalArgumentException, NullPointerException { String sDecrypted; if (iFlags!=PWD_CLEAR_TEXT && iFlags!=PWD_DTIP_RC4 && iFlags!=PWD_DTIP_RC4_64) throw new IllegalArgumentException("ACL.encript() encryption algorithm must be either PWD_CLEAR_TEXT or PWD_DTIP_RC4"); if (DebugFile.trace) { DebugFile.writeln("Begin ACL.decript(...," + String.valueOf(iFlags) + ")" ); DebugFile.incIdent(); } if ((iFlags & ACL.PWD_DTIP_RC4)!=0) { RC4 oRc4 = new RC4(getRC4key()); // Clear Txt -RC-> Byte Array -Base64Encode-> Encryp TXT -Base64Decode-> Byte Array -RC4-> Clear TXT if ((iFlags&ACL.PWD_DTIP_RC4_64)!=0) sDecrypted = new String(oRc4.rc4(Base64Decoder.decode(sStr))); else sDecrypted = new String(oRc4.rc4(sStr)); } else { sDecrypted = sStr; } if (DebugFile.trace) { DebugFile.decIdent(); DebugFile.writeln("End ACL.decript()"); } return sDecrypted; } // decript /** * <p>Encrypt String</p> * @param sStr String to be encrypted * @param iFlags Encryption flags * <ul> * <li>ACL.PWD_CLEAR_TEXT Do not encrypt sStr (return as it is given) * <li>ACL.PWD_DTIP_RC4 Encrypt using RC4 algorithm * <li>ACL.PWD_DTIP_RC4_64 Encrypt using RC4 algorithm and then base64 encoding * </ul> * @return Encrypted string * @throws NullPointerException if sStr is <b>null</b> * @throws IllegalArgumentException if iFlags!=PWD_CLEAR_TEXT AND iFlags!=PWD_DTIP_RC4 */ public static String encript (String sStr, int iFlags) throws IllegalArgumentException, NullPointerException { byte[] byEncrypted = null; String sEncrypted; if (iFlags!=PWD_CLEAR_TEXT && iFlags!=PWD_DTIP_RC4 && iFlags!=PWD_DTIP_RC4_64) throw new IllegalArgumentException("ACL.encript() encryption algorithm must be either PWD_CLEAR_TEXT or PWD_DTIP_RC4"); if (DebugFile.trace) { DebugFile.writeln("Begin ACL.encript(...," + String.valueOf(iFlags) + ")" ); DebugFile.incIdent(); } if ((iFlags & ACL.PWD_DTIP_RC4)!=0) { RC4 oRc4 = new RC4(getRC4key()); byEncrypted = oRc4.rc4(sStr); if ((iFlags&ACL.PWD_DTIP_RC4_64)!=0) { sEncrypted = Base64Encoder.encode(byEncrypted); } else { sEncrypted = new String(byEncrypted); } } else { sEncrypted = sStr; } if (DebugFile.trace) { DebugFile.decIdent(); DebugFile.writeln("End ACL.encript()"); } return sEncrypted; } // encript /** * <p>Get user unique id given its nickname.</p> * <p>Calls k_get_user_from_nick stored procedure and gets gu_user field from tx_nickname field</p> * @param oConn Database Connection * @param sNickName User nickname (tx_nickname from k_users table) * @param iDomain Domain Identifier (id_domain from k_users table) * @return User Unique Identifier (gu_user from k_users table) * @throws SQLException */ public static String getUserIdFromNick (JDCConnection oConn, String sNickName, int iDomain) throws SQLException { String sUserId; if (oConn.getDataBaseProduct()==JDCConnection.DBMS_POSTGRESQL) { PreparedStatement oStmt = oConn.prepareStatement( "SELECT gu_user FROM k_users WHERE id_domain=? AND tx_nickname=?", ResultSet.TYPE_FORWARD_ONLY, ResultSet.CONCUR_READ_ONLY); oStmt.setInt(1, iDomain); oStmt.setString(2, sNickName); ResultSet oRSet = oStmt.executeQuery(); if (oRSet.next()) sUserId = oRSet.getString(1); else sUserId = null; oRSet.close(); oStmt.close(); } else { CallableStatement oCall = oConn.prepareCall("{ call k_get_user_from_nick (?,?,?)}"); oCall.setInt(1, iDomain); oCall.setString(2, sNickName); oCall.registerOutParameter(3, java.sql.Types.CHAR); oCall.execute(); if (JDCConnection.DBMS_ORACLE==oConn.getDataBaseProduct()) { sUserId = oCall.getString(3); if (null!=sUserId) sUserId = sUserId.trim(); } else sUserId = oCall.getString(3); oCall.close(); } return sUserId; } // getUserIdFromNick // --------------------------------------------------------------------------- /** * <p>Get RC4 default key for encryption</p> * Since version 4.0, the RC4 key may be readed from file acl.cnf * instead of being just hardwired inside ACL Java class as a * private static variable. * @return The value of property RC4PWD from acl.cnf file * or a default key if acl.cnf is not found or does not * contain a RC4PWD property. If RC4PWD has been changed by * calling setRC4key() then the new value is returned until * the class is reloaded. */ public static String getRC4key() { if (null==RC4PWD){ try { InputStream oIoStrm = new ACL().getClass().getResourceAsStream("acl.cnf"); if (oIoStrm!=null) { Properties oProps = new Properties(); oProps.load(oIoStrm); RC4PWD = oProps.getProperty("RC4PWD"); if (null==RC4PWD) { if (DebugFile.trace) DebugFile.writeln("Warning: Cannot find property RC4PWD at file acl.cnf, setting signature key to default value"); } } else { if (DebugFile.trace) DebugFile.writeln("Warning: Cannot load file acl.cnf, setting signature key to default value"); } } catch (Exception xcpt) { if (DebugFile.trace) DebugFile.writeln("Warning: "+xcpt.getClass().getName()+" "+xcpt.getMessage()+" Cannot load RC4PWD property from acl.cnf file, setting signature key to default value"); } finally { if (null==RC4PWD) RC4PWD = "LindtExcellence%70Degustation"; } } return RC4PWD; } // getRC4key /** * Set RC4 default key for encryption * @param sKey */ public static void setRC4key(String sKey) { RC4PWD = sKey; } /** * <p>Encrypt text using RC4 algorithm and a default encryption key</p> * @param sTxt Text to be encrypted * @return String Encrypted text * @throws NullPointerException if sTxt is null * @see {@link http://www.clarenceho.net:8123/blog/articles/2005/11/21/rc4-encryption-in-java-april-2003} */ public static String RC4EnDeCrypt(String sTxt) throws NullPointerException { RC4 oRc4 = new RC4(getRC4key()); return new String(oRc4.rc4(sTxt)); } /** * <p>Encrypt text using RC4 algorithm</p> * @param sTxt Text to be encrypted * @param sKey Encryption key * @see {@link http://www.clarenceho.net:8123/blog/articles/2005/11/21/rc4-encryption-in-java-april-2003} */ public static String RC4EnDeCrypt(String sTxt, String sKey) { RC4 oRc4 = new RC4(sKey); return new String(oRc4.rc4(sTxt)); } // RC4EnDeCrypt /** * <p>Gets permissions mask descriptive name for given language</p> * @param iACLMask Permissions Mask, any combination of ACL.PERMISSION_ constants * @param sLanguage Language for localized string {"en", "es"} * @return */ public static String getLocalizedMaskName(int iACLMask, String sLanguage) throws IllegalArgumentException { int iName; String es[] = { "Desconocido", "Listar", "Leer", "Añadir", "Añadir y Leer", "Moderar", "Modificar", "Control Total"}; String en[] = { "Unknown", "List", "Read", "Add", "Add & Read", "Moderate", "Modify", "Full Control"}; if (PERMISSION_LIST==iACLMask) iName = 1; else if (PERMISSION_READ==iACLMask || (PERMISSION_LIST|PERMISSION_READ)==iACLMask) iName = 2; else if (PERMISSION_ADD==iACLMask || (PERMISSION_LIST|PERMISSION_ADD)==iACLMask) iName = 3; else if ((PERMISSION_ADD|PERMISSION_READ)==iACLMask || (PERMISSION_LIST|PERMISSION_ADD|PERMISSION_READ)==iACLMask) iName = 4; else if ((PERMISSION_MODERATE)==iACLMask || (PERMISSION_READ|PERMISSION_MODERATE)==iACLMask || (PERMISSION_LIST|PERMISSION_READ|PERMISSION_MODERATE)==iACLMask || (PERMISSION_LIST|PERMISSION_READ|PERMISSION_ADD|PERMISSION_MODERATE)==iACLMask) iName = 5; else if ((PERMISSION_MODIFY&iACLMask)!=0 && iACLMask!=2147483647) iName = 6; else if (iACLMask>=255) iName = 7; else iName = 0; if (sLanguage.compareToIgnoreCase("es")==0) return es[iName]; else if (sLanguage.compareToIgnoreCase("en")==0) return en[iName]; else throw new IllegalArgumentException ("language must be \"en\" or \"es\""); } // getLocalizedMaskName // --------------------------------------------------------------------------- public static String getErrorMessage(short iErrCode) { if (iErrCode<0) { switch (iErrCode) { case USER_NOT_FOUND: return "User not found"; case INVALID_PASSWORD: return "Invalid password"; case ACCOUNT_DEACTIVATED: return "Account deactivated"; case SESSION_EXPIRED: return "Session expired"; case DOMAIN_NOT_FOUND: return "Domain not found"; case WORKAREA_NOT_FOUND: return "WorkArea not found"; case WORKAREA_NOT_SET: return "WorkArea not set"; case WORKAREA_ACCESS_DENIED: return "WorkArea access denied"; case ACCOUNT_CANCELLED: return "Account cancelled"; case PASSWORD_EXPIRED: return "Password expired"; case CAPTCHA_MISMATCH: return "Captcha mismatch"; case CAPTCHA_TIMEOUT: return "Captcha mismatch"; case INTERNAL_ERROR: return "Internal error"; default: return "Undefined error"; } } else return ""; } // getErrorMessage // --------------------------------------------------------------------------- // just a random string for RC4 algorithm, change for your own implementation private static String RC4PWD = null; public static final int PERMISSION_LIST = 1; public static final int PERMISSION_READ = 2; public static final int PERMISSION_ADD = 4; public static final int PERMISSION_DELETE = 8; public static final int PERMISSION_MODIFY = 16; public static final int PERMISSION_MODERATE = 32; public static final int PERMISSION_SEND = 64; public static final int PERMISSION_GRANT = 128; public static final int PERMISSION_FULL_CONTROL = 2147483647; public static final int ROLE_NONE = 0; public static final int ROLE_ADMIN = 1; public static final int ROLE_POWERUSER = 2; public static final int ROLE_USER = 4; public static final int ROLE_GUEST = 4; public static final int PWD_CLEAR_TEXT = 0; public static final int PWD_DTIP_RC4 = 1; public static final int PWD_DTIP_RC4_64 = 3; public static final short USER_NOT_FOUND = -1; public static final short INVALID_PASSWORD = -2; public static final short ACCOUNT_DEACTIVATED = -3; public static final short SESSION_EXPIRED = -4; public static final short DOMAIN_NOT_FOUND = -5; public static final short WORKAREA_NOT_FOUND = -6; public static final short WORKAREA_NOT_SET = -7; public static final short ACCOUNT_CANCELLED = -8; public static final short PASSWORD_EXPIRED = -9; public static final short CAPTCHA_MISMATCH = -10; public static final short CAPTCHA_TIMEOUT = -11; public static final short WORKAREA_ACCESS_DENIED = -12; public static final short INTERNAL_ERROR = -255; } // ACL