/*
* JBoss, Home of Professional Open Source.
* Copyright 2016, Red Hat, Inc., and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.wildfly.iiop.openjdk.csiv2;
import org.jboss.metadata.ejb.jboss.IORSecurityConfigMetaData;
import org.omg.CORBA.Any;
import org.omg.CORBA.BAD_PARAM;
import org.omg.CORBA.LocalObject;
import org.omg.CORBA.ORB;
import org.omg.CSIIOP.DetectMisordering;
import org.omg.CSIIOP.DetectReplay;
import org.omg.CSIIOP.Integrity;
import org.omg.IOP.Codec;
import org.omg.IOP.TAG_INTERNET_IOP;
import org.omg.IOP.TaggedComponent;
import org.omg.IOP.CodecPackage.InvalidTypeForEncoding;
import org.omg.PortableInterceptor.IORInfo;
import org.omg.PortableInterceptor.IORInterceptor;
import org.omg.SSLIOP.SSL;
import org.omg.SSLIOP.SSLHelper;
import org.omg.SSLIOP.TAG_SSL_SEC_TRANS;
import org.wildfly.iiop.openjdk.Constants;
import org.wildfly.iiop.openjdk.logging.IIOPLogger;
import org.wildfly.iiop.openjdk.service.CorbaORBService;
import org.wildfly.iiop.openjdk.service.IORSecConfigMetaDataService;
/**
* <p>
* Implements an {@code org.omg.PortableInterceptor.IORInterceptor} that inserts CSIv2 info into an IOR.
* </p>
*
* @author <a href="mailto:reverbel@ime.usp.br">Francisco Reverbel</a>
* @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
*/
public class CSIv2IORInterceptor extends LocalObject implements IORInterceptor {
// The minimum set of security options supported by the SSL mechanism (These options cannot be turned off, so they are always supported).
private static final int MIN_SSL_OPTIONS = Integrity.value | DetectReplay.value | DetectMisordering.value;
private TaggedComponent defaultSSLComponent;
private TaggedComponent defaultCSIComponent;
/**
* <p>
* Creates an instance of {@code CSIv2IORInterceptor} with the specified codec.
* </p>
*
* @param codec the {@code Codec} used to encode the IOR security components.
*/
public CSIv2IORInterceptor(Codec codec) {
String sslPortString = CorbaORBService.getORBProperty(Constants.ORB_SSL_PORT);
int sslPort = sslPortString == null ? 0 : Integer.parseInt(sslPortString);
try {
SSL ssl = new SSL((short) 0,
(short) MIN_SSL_OPTIONS, /* required options */
(short) sslPort);
ORB orb = ORB.init();
Any any = orb.create_any();
SSLHelper.insert(any, ssl);
byte[] componentData = codec.encode_value(any);
defaultSSLComponent = new TaggedComponent(TAG_SSL_SEC_TRANS.value, componentData);
IORSecurityConfigMetaData iorSecurityConfigMetaData = IORSecConfigMetaDataService.getCurrent();
if (iorSecurityConfigMetaData == null)
iorSecurityConfigMetaData = new IORSecurityConfigMetaData();
defaultCSIComponent = CSIv2Util.createSecurityTaggedComponent(iorSecurityConfigMetaData, codec, sslPort, orb);
} catch (InvalidTypeForEncoding e) {
throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
}
}
@Override
public void destroy() {
}
@Override
public void establish_components(IORInfo info) {
// check if CSIv2 policy is in effect for this IOR.
CSIv2Policy csiv2Policy = null;
try {
csiv2Policy = (CSIv2Policy) info.get_effective_policy(CSIv2Policy.TYPE);
} catch (BAD_PARAM e) {
IIOPLogger.ROOT_LOGGER.debug("CSIv2Policy not found in IORInfo");
} catch (Exception e) {
IIOPLogger.ROOT_LOGGER.failedToFetchCSIv2Policy(e);
}
if (csiv2Policy != null) {
// if csiv2Policy effective, stuff a copy of the TaggedComponents already created by the CSIv2Policy into the IOR's IIOP profile.
TaggedComponent sslComponent = csiv2Policy.getSSLTaggedComponent();
// if interop with IONA ASP is on, don't add the SSL component to the IOR.
if (sslComponent != null) {
info.add_ior_component_to_profile(sslComponent, TAG_INTERNET_IOP.value);
}
TaggedComponent csiv2Component = csiv2Policy.getSecurityTaggedComponent();
if (csiv2Component != null) {
info.add_ior_component_to_profile(csiv2Component, TAG_INTERNET_IOP.value);
}
} else {
if (defaultSSLComponent != null) {
// otherwise stuff the default SSL component (with the minimum set of SSL options) into the IOR's IIOP profile.
info.add_ior_component_to_profile(defaultSSLComponent, TAG_INTERNET_IOP.value);
}
if (defaultCSIComponent != null) {
// and stuff the default CSI component (with the minimum set of CSI options) into the IOR's IIOP profile.
info.add_ior_component_to_profile(defaultCSIComponent, TAG_INTERNET_IOP.value);
}
}
}
@Override
public String name() {
return CSIv2IORInterceptor.class.getName();
}
}