/**
* Copyright French Prime minister Office/SGMAP/DINSIC/Vitam Program (2015-2019)
*
* contact.vitam@culture.gouv.fr
*
* This software is a computer program whose purpose is to implement a digital archiving back-office system managing
* high volumetry securely and efficiently.
*
* This software is governed by the CeCILL 2.1 license under French law and abiding by the rules of distribution of free
* software. You can use, modify and/ or redistribute the software under the terms of the CeCILL 2.1 license as
* circulated by CEA, CNRS and INRIA at the following URL "http://www.cecill.info".
*
* As a counterpart to the access to the source code and rights to copy, modify and redistribute granted by the license,
* users are provided only with a limited warranty and the software's author, the holder of the economic rights, and the
* successive licensors have only limited liability.
*
* In this respect, the user's attention is drawn to the risks associated with loading, using, modifying and/or
* developing or reproducing the software by the user in light of its specific status of free software, that may mean
* that it is complicated to manipulate, and that also therefore means that it is reserved for developers and
* experienced professionals having in-depth computer knowledge. Users are therefore encouraged to load and test the
* software's suitability as regards their requirements in conditions enabling the security of their systems and/or data
* to be ensured and, more generally, to use and operate it in the same conditions as regards security.
*
* The fact that you are presently reading this means that you have had knowledge of the CeCILL 2.1 license and that you
* accept its terms.
*/
package fr.gouv.vitam.common.security.filter;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URLDecoder;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import com.google.common.base.Strings;
import fr.gouv.vitam.common.CharsetUtils;
import fr.gouv.vitam.common.GlobalDataRest;
import fr.gouv.vitam.common.ParametersChecker;
import fr.gouv.vitam.common.VitamConfiguration;
import fr.gouv.vitam.common.logging.VitamLogger;
import fr.gouv.vitam.common.logging.VitamLoggerFactory;
import fr.gouv.vitam.common.security.codec.URLCodec;
/**
* Authorization Wrapper
*/
public class AuthorizationWrapper extends HttpServletRequestWrapper {
private static final VitamLogger LOGGER = VitamLoggerFactory.getInstance(AuthorizationWrapper.class);
private static final String ARGUMENT_MUST_NOT_BE_NULL = "Argument must not be null";
/**
* @param request
*/
public AuthorizationWrapper(HttpServletRequest request) {
super(request);
}
/**
* check Headers X-Platform-Id and X-Timestamp
*
* @return boolean
*/
public boolean checkAutorizationHeaders() {
if (getRequestURI().startsWith(VitamConfiguration.ADMIN_PATH) ||
getRequestURI().endsWith(VitamConfiguration.STATUS_URL)) {
return true;
}
if (!Strings.isNullOrEmpty(VitamConfiguration.getSecret())) {
final Enumeration<String> headerNames = getHeaderNames();
final Map<String, String> headersValues = new HashMap<>();
if (headerNames != null) {
headersValues.put(GlobalDataRest.X_PLATFORM_ID, getHeader(GlobalDataRest.X_PLATFORM_ID));
headersValues.put(GlobalDataRest.X_TIMESTAMP, getHeader(GlobalDataRest.X_TIMESTAMP));
return checkHeadersValues(headersValues);
}
}
return false;
}
/**
* @param headersValues
* @return
*/
private boolean checkHeadersValues(Map<String, String> headersValues) {
ParametersChecker.checkParameter(ARGUMENT_MUST_NOT_BE_NULL, headersValues);
final String platformId = headersValues.get(GlobalDataRest.X_PLATFORM_ID);
final String timestamp = headersValues.get(GlobalDataRest.X_TIMESTAMP);
if (Strings.isNullOrEmpty(platformId) || Strings.isNullOrEmpty(timestamp)) {
return false;
} else {
return checkTimestamp(timestamp) && checkPlatformId(platformId, timestamp);
}
}
/**
* @param timestamp
* @return True if timestamp is conformed
*/
private boolean checkTimestamp(String timestamp) {
ParametersChecker.checkParameter(ARGUMENT_MUST_NOT_BE_NULL, timestamp);
final long currentEpoch = System.currentTimeMillis() / 1000;
final long requestEpoch = Long.parseLong(timestamp);
if (Math.abs(currentEpoch - requestEpoch) <= VitamConfiguration.getAcceptableRequestTime()) {
return true;
}
LOGGER.error("Timestamp check failed");
return false;
}
/**
* @param platformId
* @param timestamp
* @return True if platformId is conformed
*/
private boolean checkPlatformId(String platformId, String timestamp) {
ParametersChecker.checkParameter(ARGUMENT_MUST_NOT_BE_NULL, platformId, timestamp);
String uri = getRequestURI();
try {
uri = URLDecoder.decode(uri, CharsetUtils.UTF_8);
} catch (UnsupportedEncodingException e) {
LOGGER.error("UnsupportedEncodingException ", e);
return false;
}
final String httpMethod = getMethod();
final String code = URLCodec.encodeURL(httpMethod, uri, timestamp, VitamConfiguration.getSecret(),
VitamConfiguration.getSecurityDigestType());
if (code.equals(platformId)) {
return true;
}
LOGGER.error("PlatformId check failed");
return false;
}
}