1   /*
2    * This file is part of Waarp Project (named also Waarp or GG).
3    *
4    *  Copyright (c) 2019, Waarp SAS, and individual contributors by the @author
5    *  tags. See the COPYRIGHT.txt in the distribution for a full listing of
6    * individual contributors.
7    *
8    *  All Waarp Project is free software: you can redistribute it and/or
9    * modify it under the terms of the GNU General Public License as published by
10   * the Free Software Foundation, either version 3 of the License, or (at your
11   * option) any later version.
12   *
13   * Waarp is distributed in the hope that it will be useful, but WITHOUT ANY
14   * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
15   * A PARTICULAR PURPOSE. See the GNU General Public License for more details.
16   *
17   *  You should have received a copy of the GNU General Public License along with
18   * Waarp . If not, see <http://www.gnu.org/licenses/>.
19   */
20  
21  package org.waarp.openr66.protocol.http.restv2.resthandlers;
22  
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.handler.codec.http.DefaultFullHttpResponse;
import io.netty.handler.codec.http.FullHttpRequest;
import io.netty.handler.codec.http.FullHttpResponse;
import org.waarp.common.crypto.HmacSha256;
import org.waarp.common.logging.WaarpLogger;
import org.waarp.common.logging.WaarpLoggerFactory;
import org.waarp.openr66.protocol.http.restv2.dbhandlers.AbstractRestDbHandler;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

import static io.netty.channel.ChannelFutureListener.*;
import static io.netty.handler.codec.http.HttpResponseStatus.*;
import static io.netty.handler.codec.http.HttpVersion.*;
import static javax.ws.rs.core.HttpHeaders.*;
import static org.waarp.openr66.protocol.http.restv2.RestConstants.*;
38  
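/**
 * Handler checking the REST request signature when signature checking is
 * enabled.
 * <p>
 * Requests without a body are forwarded without any check. Requests with a
 * body must carry both the {@code Authorization} header and the
 * {@code AUTH_SIGNATURE} header, and the signature must equal the hex
 * HMAC-SHA256 of {@code authorization + body + uri + method}. On a missing
 * header or a wrong signature the connection is closed with a 401, on an
 * internal failure with a 500, and in both cases the request is <em>not</em>
 * forwarded to the next handler.
 */
public class RestSignatureHandler
    extends SimpleChannelInboundHandler<FullHttpRequest> {

  /**
   * The logger for all events during the execution.
   */
  private final WaarpLogger logger = WaarpLoggerFactory.getLogger(getClass());

  /**
   * The HMAC key used to create the request's signature.
   */
  private final HmacSha256 hmac;

  /**
   * Initializes the handler with the given HMAC key.
   *
   * @param hmac The REST HMAC signing key.
   */
  public RestSignatureHandler(final HmacSha256 hmac) {
    this.hmac = hmac;
  }

  /**
   * Checks if the request given as parameter by the channel pipeline is
   * properly signed or not. If the signature is valid, the request is
   * forwarded to the corresponding {@link AbstractRestDbHandler}, otherwise
   * a 401 reply is sent and the connection is closed without forwarding the
   * request. If an unexpected error occurs during the execution, an error 500
   * HTTP status is sent instead.
   * <p>
   * Only the forwarded request is {@code retain()}ed; on every rejection
   * path the request is left to {@link SimpleChannelInboundHandler}'s
   * automatic release once this method returns.
   *
   * @param ctx The context of the Netty channel handler.
   * @param request The original HTTP request.
   */
  @Override
  protected void channelRead0(final ChannelHandlerContext ctx,
                              final FullHttpRequest request) {

    // If the request does not have a body, skip the signature checking.
    // Existing contract: body-less requests are not signed by this handler,
    // so any authentication for them must be enforced elsewhere in the
    // pipeline.
    if (!request.content().isReadable()) {
      ctx.fireChannelRead(request.retain());
      return;
    }

    final String authent = request.headers().get(AUTHORIZATION);
    final String sign = request.headers().get(AUTH_SIGNATURE);

    // Both headers are mandatory for a signed request; reject before reading
    // the body.
    if (authent == null || sign == null) {
      closeWith(ctx, new DefaultFullHttpResponse(HTTP_1_1, UNAUTHORIZED));
      return;
    }

    final String body = request.content().toString(UTF8_CHARSET);
    final String uri = request.uri();
    final String method = request.method().toString();

    final String computedHash;
    try {
      // The signed material is the plain, separator-less concatenation of
      // the four fields. Clients build the same string, so the field order
      // and the absence of delimiters are part of the wire contract.
      computedHash = hmac.cryptToHex(authent + body + uri + method);
    } catch (final Exception e) {
      logger.error(e);
      closeWith(ctx, new DefaultFullHttpResponse(HTTP_1_1, INTERNAL_SERVER_ERROR));
      return;
    }

    // A wrong signature must stop here: the request is NOT forwarded.
    // (Previously the 401 was written but execution fell through to
    // fireChannelRead, so an unsigned request still reached the DB handler.)
    if (!signaturesMatch(computedHash, sign)) {
      closeWith(ctx, new DefaultFullHttpResponse(HTTP_1_1, UNAUTHORIZED));
      return;
    }

    ctx.fireChannelRead(request.retain());
  }

  /**
   * Compares the expected and received signatures in constant time, so that
   * a mismatch does not reveal through timing how many leading characters
   * were correct.
   *
   * @param expected The hex signature computed by this handler.
   * @param received The hex signature sent by the client.
   *
   * @return {@code true} only if both strings are byte-for-byte identical.
   */
  private static boolean signaturesMatch(final String expected,
                                         final String received) {
    return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                 received.getBytes(StandardCharsets.UTF_8));
  }

  /**
   * Writes the given response and closes the connection once it is flushed.
   *
   * @param ctx The context of the Netty channel handler.
   * @param response The response to send before closing.
   */
  private static void closeWith(final ChannelHandlerContext ctx,
                                final FullHttpResponse response) {
    ctx.channel().writeAndFlush(response).addListener(CLOSE);
  }

}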
119 }