refactored Verifier type to be an interface backed by a DefaultVerifier to allow for remote calls and other such things

Author: adamcin

api/src/main/java/net/adamcin/httpsig/api/Authorization.java

@@ -29,7 +29,6 @@
 
 import java.io.Serializable;
 import java.util.ArrayList;
-import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;

api/src/main/java/net/adamcin/httpsig/api/Constants.java

@@ -113,7 +113,7 @@ public final class Constants {
      */
     public static final Pattern RFC2617_PARAM = Pattern.compile("(\\w+)=\"([^\"]*)\"");
 
-    public static final List<String> parseTokens(String tokens) {
+    public static List<String> parseTokens(String tokens) {
         if (tokens == null || tokens.trim().isEmpty()) {
             return Collections.emptyList();
         } else {
@@ -126,7 +126,7 @@ public static final List<String> parseTokens(String tokens) {
         }
     }
 
-    public static final String constructTokensString(List<String> tokens) {
+    public static String constructTokensString(List<String> tokens) {
         StringBuilder sb = new StringBuilder();
         if (tokens != null) {
             for (String token : tokens) {
@@ -136,7 +136,7 @@ public static final String constructTokensString(List<String> tokens) {
         return sb.toString();
     }
 
-    public static final Map<String, String> parseRFC2617(String header) {
+    public static Map<String, String> parseRFC2617(String header) {
         Map<String, String> params = new HashMap<String, String>();
         if (header != null && header.toLowerCase().startsWith(Constants.SCHEME.toLowerCase())) {
             final Matcher matcher = RFC2617_PARAM.matcher(header.substring(Constants.SCHEME.length() + 1));
@@ -147,7 +147,7 @@ public static final Map<String, String> parseRFC2617(String header) {
         return Collections.unmodifiableMap(params);
     }
 
-    public static final String constructRFC2617(Map<String, String> params) {
+    public static String constructRFC2617(Map<String, String> params) {
         StringBuilder sb = new StringBuilder(SCHEME);
         if (params != null && !params.isEmpty()) {
             for (Map.Entry<String, String> param : params.entrySet()) {

api/src/main/java/net/adamcin/httpsig/api/DefaultKeychain.java

@@ -169,12 +169,20 @@ public Keychain filterAlgorithms(Collection<Algorithm> algorithms) {
     }
 
     public Map<String, Key> toMap(KeyId keyIdentifier) {
-        KeyId identifier = keyIdentifier != null ? keyIdentifier : Constants.DEFAULT_KEY_IDENTIFIER;
         LinkedHashMap<String, Key> map = new LinkedHashMap<String, Key>(this.size());
-        for (Key key : this) {
-            String keyId = identifier.getId(key);
-            if (keyId != null) {
-                map.put(keyId, key);
+        if (keyIdentifier == null) {
+            for (Key key : this) {
+                String keyId = Constants.DEFAULT_KEY_IDENTIFIER.getId(key);
+                if (keyId != null) {
+                    map.put(keyId, key);
+                }
+            }
+        } else {
+            for (Key key : this) {
+                String keyId = keyIdentifier.getId(key);
+                if (keyId != null) {
+                    map.put(keyId, key);
+                }
             }
         }
         return Collections.unmodifiableMap(map);

api/src/main/java/net/adamcin/httpsig/api/DefaultVerifier.java

@@ -0,0 +1,203 @@
+/*
+ * This is free and unencumbered software released into the public domain.
+ *
+ * Anyone is free to copy, modify, publish, use, compile, sell, or
+ * distribute this software, either in source code form or as a compiled
+ * binary, for any purpose, commercial or non-commercial, and by any
+ * means.
+ *
+ * In jurisdictions that recognize copyright laws, the author or authors
+ * of this software dedicate any and all copyright interest in the
+ * software to the public domain. We make this dedication for the benefit
+ * of the public at large and to the detriment of our heirs and
+ * successors. We intend this dedication to be an overt act of
+ * relinquishment in perpetuity of all present and future rights to this
+ * software under copyright law.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * For more information, please refer to <http://unlicense.org/>
+ */
+
+package net.adamcin.httpsig.api;
+
+import java.util.Collection;
+import java.util.Date;
+import java.util.GregorianCalendar;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Set;
+import java.util.TimeZone;
+
+/**
+ * The Server-Side component of the protocol which verifies {@link Authorization} headers using SSH Public Keys
+ */
+public final class DefaultVerifier implements Verifier {
+    public static final long DEFAULT_SKEW = 300000L;
+
+    private final Keychain keychain;
+    private final KeyId keyId;
+    private final long skew;
+
+    public DefaultVerifier(Keychain keychain) {
+        this(keychain, null, DEFAULT_SKEW);
+    }
+
+    public DefaultVerifier(Keychain keychain, KeyId keyId) {
+        this(keychain, keyId, DEFAULT_SKEW);
+    }
+
+    public DefaultVerifier(Keychain keychain, KeyId keyId, long skew) {
+        this.keychain = keychain != null ? new KeychainGuard(keychain) : new KeychainGuard(new DefaultKeychain());
+        this.keyId = new CanVerifyId(keyId != null ? keyId : Constants.DEFAULT_KEY_IDENTIFIER);
+        this.skew = skew;
+    }
+
+    public Keychain getKeychain() {
+        return keychain;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public long getSkew() {
+        return skew;
+    }
+
+    /**
+     * @deprecated will remove to make the class immutable. use constructor overload instead.
+     * @param skew new server skew in milliseconds
+     */
+    public void setSkew(long skew) {
+        // this is now a no-op.
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public Key selectKey(Authorization authorization) {
+        return keychain.toMap(this.keyId).get(authorization.getKeyId());
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public boolean verify(Challenge challenge, RequestContent requestContent, Authorization authorization) {
+        return verifyWithResult(challenge, requestContent, authorization) == VerifyResult.SUCCESS;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public VerifyResult verifyWithResult(Challenge challenge, RequestContent requestContent, Authorization authorization) {
+        if (challenge == null) {
+            throw new IllegalArgumentException("challenge cannot be null");
+        }
+
+        if (requestContent == null) {
+            throw new IllegalArgumentException("requestContent cannot be null");
+        }
+
+        if (authorization == null) {
+            throw new IllegalArgumentException("authorization cannot be null");
+        }
+
+        // verify that all headers required by the challenge are declared by the authorization
+        for (String header : challenge.getHeaders()) {
+            if (!header.startsWith(":") && !authorization.getHeaders().contains(header)) {
+                return VerifyResult.CHALLENGE_NOT_SATISFIED;
+            }
+        }
+
+        // verify that all headers declared by the authorization are present in the request
+        for (String header : authorization.getHeaders()) {
+            if (requestContent.getHeaderValues(header).isEmpty()) {
+                return VerifyResult.INCOMPLETE_REQUEST;
+            }
+        }
+
+        // if date is declared by the authorization, verify that its value is within $skew of the current time
+        if (authorization.getHeaders().contains(Constants.HEADER_DATE) && skew >= 0) {
+            Date requestTime = requestContent.getDateGMT();
+            Date currentTime = new GregorianCalendar(TimeZone.getTimeZone("UTC")).getTime();
+            Date past = new Date(currentTime.getTime() - skew);
+            Date future = new Date(currentTime.getTime() + skew);
+            if (requestTime.before(past) || requestTime.after(future)) {
+                return VerifyResult.EXPIRED_DATE_HEADER;
+            }
+        }
+
+        Key key = selectKey(authorization);
+        if (key == null) {
+            return VerifyResult.KEY_NOT_FOUND;
+        }
+
+        if (key.verify(authorization.getAlgorithm(),
+                                      requestContent.getContent(authorization.getHeaders(), Constants.CHARSET),
+                                      authorization.getSignatureBytes())) {
+            return VerifyResult.SUCCESS;
+        } else {
+            return VerifyResult.FAILED_KEY_VERIFY;
+        }
+    }
+
+    private static class CanVerifyId implements KeyId {
+        private KeyId delegatee;
+
+        private CanVerifyId(KeyId delegatee) {
+            this.delegatee = delegatee;
+        }
+
+        public String getId(Key key) {
+            if (key != null && key.canVerify()) {
+                return delegatee.getId(key);
+            }
+            return null;
+        }
+    }
+
+    /**
+     * Guards a Keychain from modification via reflection (not enough for JAAS?)
+     */
+    private static class KeychainGuard implements Keychain {
+        private final Keychain keychain;
+
+        private KeychainGuard(Keychain keychain) {
+            this.keychain = keychain;
+        }
+
+        public Set<Algorithm> getAlgorithms() {
+            return keychain.getAlgorithms();
+        }
+
+        public Keychain filterAlgorithms(Collection<Algorithm> algorithms) {
+            return new KeychainGuard(keychain.filterAlgorithms(algorithms));
+        }
+
+        public Keychain discard() {
+            return new KeychainGuard(keychain.discard());
+        }
+
+        public Key currentKey() {
+            return keychain.currentKey();
+        }
+
+        public Map<String, Key> toMap(KeyId keyId) {
+            return keychain.toMap(keyId);
+        }
+
+        public boolean isEmpty() {
+            return keychain.isEmpty();
+        }
+
+        public Iterator<Key> iterator() {
+            return keychain.iterator();
+        }
+    }
+}

api/src/main/java/net/adamcin/httpsig/api/UserKey.java

@@ -0,0 +1,41 @@
+/*
+ * This is free and unencumbered software released into the public domain.
+ *
+ * Anyone is free to copy, modify, publish, use, compile, sell, or
+ * distribute this software, either in source code form or as a compiled
+ * binary, for any purpose, commercial or non-commercial, and by any
+ * means.
+ *
+ * In jurisdictions that recognize copyright laws, the author or authors
+ * of this software dedicate any and all copyright interest in the
+ * software to the public domain. We make this dedication for the benefit
+ * of the public at large and to the detriment of our heirs and
+ * successors. We intend this dedication to be an overt act of
+ * relinquishment in perpetuity of all present and future rights to this
+ * software under copyright law.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ * OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * For more information, please refer to <http://unlicense.org/>
+ */
+
+package net.adamcin.httpsig.api;
+
+/**
+ * Extends the base {@link Key} interface to add a userId field, which is a common use case for authentication.
+ * @since 1.0.8
+ */
+public interface UserKey extends Key {
+
+    /**
+     * Get the associated userId
+     * @return the associated userId
+     */
+    String getUserId();
+}