Added cookie validation

malaqueueit · malaqueueit · commit 72b194eb932b · 2014-01-28T11:18:54.000+01:00
diff --git a/QueueIT.Security/build.xml b/QueueIT.Security/build.xml
@@ -72,6 +72,6 @@
 
     -->
     <target name="-post-jar">
-        <copy file="${dist.jar}" todir="../QueueIT.Security.Examples.Java/web/WEB-INF/lib"/>
+        <copy file="${dist.jar}" todir="../QueueIT.Security.Examples/web/WEB-INF/lib"/>
     </target>
 </project>
diff --git a/QueueIT.Security/src/queueit/security/CookieValidateResultRepository.java b/QueueIT.Security/src/queueit/security/CookieValidateResultRepository.java
@@ -0,0 +1,151 @@
+package queueit.security;
+
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
+import java.net.URI;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.util.Date;
+import java.util.Properties;
+import java.util.UUID;
+import java.util.concurrent.Callable;
+import javax.servlet.http.*;
+import javax.xml.bind.DatatypeConverter;
+
+public class CookieValidateResultRepository extends ValidateResultRepositoryBase {
+
+    static String defaultCookieDomain;
+    
+    static {       
+        loadConfiguration();
+    }
+    
+    private static void loadConfiguration()
+    {
+        try {
+            // Load the properties
+            Properties props = new Properties();
+            ClassLoader classLoader = CookieValidateResultRepository.class.getClassLoader();     
+            InputStream configFile = classLoader.getResourceAsStream("queueit.properties");
+            if (configFile != null) {
+                props.load(configFile);
+                defaultCookieDomain = props.getProperty("cookieDomain", null);
+            }
+        } catch (Exception e) {
+            // no need to handle exception
+        }      
+    }
+    @Override
+    public IValidateResult getValidationResult(IQueue queue) {
+        
+        String key = generateKey(queue.getCustomerId(), queue.getEventId());
+        HttpServletRequest request = RequestContext.getCurrentInstance().getRequest();
+        
+        String queueId = null;
+        String originalUrl = null;
+        String encryptedPlaceInQueue = null;
+        String redirectType = null;
+        String timeStamp = null;
+        String actualHash = null;
+        Integer placeInQueue = 0;
+        
+        Cookie[] cookies = request.getCookies();
+        for (int i = 0; i < cookies.length; i++)
+        {
+            if (cookies[i].getName().equals(key + "-QueueId"))
+                queueId = cookies[i].getValue();
+            if (cookies[i].getName().equals(key + "-OriginalUrl"))
+                originalUrl = cookies[i].getValue();
+            if (cookies[i].getName().equals(key + "-PlaceInQueue"))
+                encryptedPlaceInQueue = cookies[i].getValue();
+            if (cookies[i].getName().equals(key + "-RedirectType"))
+                redirectType = cookies[i].getValue();
+            if (cookies[i].getName().equals(key + "-TimeStamp"))
+                timeStamp = cookies[i].getValue();
+            if (cookies[i].getName().equals(key + "-Hash"))
+                actualHash = cookies[i].getValue();
+        }
+        
+        if (queueId == null || originalUrl == null || encryptedPlaceInQueue == null || redirectType == null || timeStamp == null)
+            return null;
+        
+        try
+        {
+            placeInQueue = Hashing.decryptPlaceInQueue(encryptedPlaceInQueue);
+        } catch (InvalidKnownUserUrlException ex) {
+            return null;
+        }
+            
+        String expectedHash = generateHash(queueId, originalUrl, placeInQueue.toString(), redirectType, timeStamp);
+        
+        if (!expectedHash.equals(actualHash))
+            return null;
+        
+        return new AcceptedConfirmedResult(
+                queue, 
+                new Md5KnownUser(
+                    UUID.fromString(queueId),
+                    placeInQueue, 
+                    new Date(Integer.parseInt(timeStamp)), 
+                    queue.getCustomerId(), 
+                    queue.getEventId(), 
+                    RedirectType.valueOf(redirectType), 
+                    URI.create(originalUrl)), 
+                false);
+    }
+
+    @Override
+    public void setValidationResult(IQueue queue, IValidateResult validationResult) {
+        
+        if (validationResult instanceof AcceptedConfirmedResult)
+        {   
+            AcceptedConfirmedResult confirmedResult = (AcceptedConfirmedResult)validationResult;
+            
+            String key = generateKey(queue.getCustomerId(), queue.getEventId());
+            HttpServletResponse response = RequestContext.getCurrentInstance().getResponse();
+            
+            String queueId = confirmedResult.getKnownUser().getQueueId().toString();
+            String originalUrl = confirmedResult.getKnownUser().getOriginalUrl().toString();
+            Integer placeInQueue = confirmedResult.getKnownUser().getPlaceInQueue();
+            String redirectType = confirmedResult.getKnownUser().getRedirectType().toString();
+            Long timeStamp = confirmedResult.getKnownUser().getTimeStamp().getTime() / 1000;
+            
+            String hash = generateHash(queueId, originalUrl, placeInQueue.toString(), redirectType, timeStamp.toString());
+
+            addCookie(new Cookie(key + "-QueueId", queueId), response);
+            addCookie(new Cookie(key + "-OriginalUrl", originalUrl), response);
+            addCookie(new Cookie(key + "-PlaceInQueue", Hashing.encryptPlaceInQueue(placeInQueue)), response);
+            addCookie(new Cookie(key + "-RedirectType", redirectType), response);
+            addCookie(new Cookie(key + "-TimeStamp", timeStamp.toString()), response);
+            addCookie(new Cookie(key + "-Hash", hash), response);           
+        }                
+    }
+    
+    private void addCookie(Cookie cookie, HttpServletResponse response)
+    {
+        cookie.setHttpOnly(true);      
+        if (defaultCookieDomain != null)
+            cookie.setDomain(defaultCookieDomain);
+        
+        response.addCookie(cookie);
+    }
+
+    private String generateHash(String queueId, String originalUrl, String placeInQueue, String redirectType, String timeStamp) {
+        try {
+            StringBuilder sb = new StringBuilder();
+            sb.append(queueId).append(originalUrl).append(placeInQueue).append(redirectType).append(timeStamp).append(KnownUserFactory.getSecretKey());
+                    
+            MessageDigest digest = MessageDigest.getInstance("SHA-256");
+            byte[] hash = digest.digest(sb.toString().getBytes("UTF-8"));
+            
+            return DatatypeConverter.printHexBinary(hash).toLowerCase();
+            
+        } catch (NoSuchAlgorithmException ex) {
+            // No such exception
+            return null;
+        } catch (UnsupportedEncodingException ex) {
+            // No such exception
+            return null;
+        }
+    }
+}
diff --git a/QueueIT.Security/src/queueit/security/Hashing.java b/QueueIT.Security/src/queueit/security/Hashing.java
@@ -2,6 +2,7 @@
 
 import java.math.BigInteger;
 import java.security.MessageDigest;
+import java.util.UUID;
 
 public class Hashing {
 
@@ -18,6 +19,22 @@ public static Integer decryptPlaceInQueue(String encryptedPlaceInQueue) {
         String p = e.substring(30, 31) + e.substring(3, 4) + e.substring(11, 12) + e.substring(20, 21) + e.substring(7, 8) + e.substring(26, 27) + e.substring(9, 10);
         return Integer.parseInt(p);
     }
+    
+    public static String encryptPlaceInQueue(Integer placeInQueue) {
+        
+        char[] placeInQueueChars = String.format("%07d", placeInQueue).toCharArray();
+        
+        char[] encryptedPlaceInQueue = UUID.randomUUID().toString().toCharArray();
+        encryptedPlaceInQueue[9] = placeInQueueChars[6];
+        encryptedPlaceInQueue[26] = placeInQueueChars[5];
+        encryptedPlaceInQueue[7] = placeInQueueChars[4];
+        encryptedPlaceInQueue[20] = placeInQueueChars[3];
+        encryptedPlaceInQueue[11] = placeInQueueChars[2];
+        encryptedPlaceInQueue[3] = placeInQueueChars[1];
+        encryptedPlaceInQueue[30] = placeInQueueChars[0];
+
+        return new String(encryptedPlaceInQueue);
+    }
 
     static String getMd5Hash(String stringToHash) {
         try {
diff --git a/QueueIT.Security/src/queueit/security/IValidateResultRepository.java b/QueueIT.Security/src/queueit/security/IValidateResultRepository.java
@@ -1,6 +1,6 @@
 package queueit.security;
 
 public interface IValidateResultRepository {
-    IValidateResult GetValidationResult(IQueue queue);
-    void SetValidationResult(IQueue queue, IValidateResult validationResult);
+    IValidateResult getValidationResult(IQueue queue);
+    void setValidationResult(IQueue queue, IValidateResult validationResult);
 }
diff --git a/QueueIT.Security/src/queueit/security/KnownUserFactory.java b/QueueIT.Security/src/queueit/security/KnownUserFactory.java
@@ -14,6 +14,9 @@ public class KnownUserFactory {
     private static String defaultSecretKey;
     private static String defaultQuerystringPrefix;
     private static Callable<IKnownUserUrlProvider> defaultUrlProviderFactory;
+    public static String getSecretKey() {
+        return defaultSecretKey;
+    }
     
     static {
         defaultUrlProviderFactory = new Callable<IKnownUserUrlProvider>() {
diff --git a/QueueIT.Security/src/queueit/security/RequestContext.java b/QueueIT.Security/src/queueit/security/RequestContext.java
@@ -1,21 +1,24 @@
 package queueit.security;
 
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 public class RequestContext {
     private static ThreadLocal<RequestContext> instance = new ThreadLocal<RequestContext>();
     private HttpServletRequest request;
+    private HttpServletResponse response;
 
-    private RequestContext(HttpServletRequest request) {
+    private RequestContext(HttpServletRequest request, HttpServletResponse response) {
         this.request = request;
+        this.response = response;                
     }
 
     public static RequestContext getCurrentInstance() {
         return instance.get();
     }
 
-    public static RequestContext newInstance(HttpServletRequest request) {
-        RequestContext context = new RequestContext(request);
+    public static RequestContext newInstance(HttpServletRequest request, HttpServletResponse response) {
+        RequestContext context = new RequestContext(request, response);
         instance.set(context);
         return context;
     }
@@ -27,4 +30,8 @@ public void release() {
     public HttpServletRequest getRequest() {
         return request;
     }
+    
+    public HttpServletResponse getResponse() {
+        return response;
+    }
 }
diff --git a/QueueIT.Security/src/queueit/security/RequestContextFilter.java b/QueueIT.Security/src/queueit/security/RequestContextFilter.java
@@ -8,6 +8,7 @@
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 public class RequestContextFilter implements Filter {
 
@@ -18,7 +19,7 @@ public void init(FilterConfig fc) throws ServletException {
 
     @Override
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
-        RequestContext context = RequestContext.newInstance((HttpServletRequest) request);
+        RequestContext context = RequestContext.newInstance((HttpServletRequest) request, (HttpServletResponse)response);
         try {
            chain.doFilter(request, response);
         } finally {
diff --git a/QueueIT.Security/src/queueit/security/SessionValidateResultRepository.java b/QueueIT.Security/src/queueit/security/SessionValidateResultRepository.java
@@ -3,11 +3,11 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpSession;
 
-public class SessionValidateResultRepository implements IValidateResultRepository {
-    private static String SessionQueueId = "QueueITAccepted-SDFrts345E-";
+public class SessionValidateResultRepository extends ValidateResultRepositoryBase {
+    
         
     @Override
-    public IValidateResult GetValidationResult(IQueue queue) {
+    public IValidateResult getValidationResult(IQueue queue) {
         HttpServletRequest request = RequestContext.getCurrentInstance().getRequest();
         HttpSession session = request.getSession(true);
         
@@ -16,16 +16,11 @@ public IValidateResult GetValidationResult(IQueue queue) {
     }
 
     @Override
-    public void SetValidationResult(IQueue queue, IValidateResult validationResult) {
+    public void setValidationResult(IQueue queue, IValidateResult validationResult) {
         HttpServletRequest request = RequestContext.getCurrentInstance().getRequest();
         HttpSession session = request.getSession(true);
         
         String key = generateKey(queue.getCustomerId(), queue.getEventId());
         session.setAttribute(key, validationResult);
-    }
-    
-    private static String generateKey(String customerId, String eventId)
-    {
-        return SessionQueueId + customerId + "-" + eventId;
-    }
+    }       
 }
diff --git a/QueueIT.Security/src/queueit/security/SessionValidationController.java b/QueueIT.Security/src/queueit/security/SessionValidationController.java
@@ -10,7 +10,7 @@
 public class SessionValidationController {
 
     private static int defaultTicketExpiration = 0;
-    private static IValidateResultRepository defaultValidationResultRepository = new SessionValidateResultRepository();
+    private static IValidateResultRepository defaultValidationResultRepository = new CookieValidateResultRepository();
     private static Callable<IValidateResultRepository> defaultValidationResultProviderFactory = new Callable<IValidateResultRepository>() {
         public IValidateResultRepository call() {
             return defaultValidationResultRepository;
@@ -319,7 +319,7 @@ private static IValidateResult validateRequest(
             String layoutName) {
         IValidateResult sessionObject = null;
         try {
-            sessionObject = defaultValidationResultProviderFactory.call().GetValidationResult(queue);
+            sessionObject = defaultValidationResultProviderFactory.call().getValidationResult(queue);
         } catch (Exception ex) {
             // ignore
         }
@@ -357,7 +357,7 @@ private static IValidateResult validateRequest(
 
             AcceptedConfirmedResult result = new AcceptedConfirmedResult(queue, knownUser, true);
             try {
-                defaultValidationResultProviderFactory.call().SetValidationResult(queue, result);
+                defaultValidationResultProviderFactory.call().setValidationResult(queue, result);
             } catch (Exception ex) {
                 //ignore
             }
diff --git a/QueueIT.Security/src/queueit/security/ValidateResultRepositoryBase.java b/QueueIT.Security/src/queueit/security/ValidateResultRepositoryBase.java
@@ -0,0 +1,15 @@
+package queueit.security;
+
+public abstract class ValidateResultRepositoryBase implements IValidateResultRepository{
+    private static String SessionQueueId = "QueueITAccepted-SDFrts345E-";
+    
+    @Override
+    public abstract IValidateResult getValidationResult(IQueue queue);
+    @Override
+    public abstract void setValidationResult(IQueue queue, IValidateResult validationResult);
+    
+    protected static String generateKey(String customerId, String eventId)
+    {
+        return SessionQueueId + customerId + "-" + eventId;
+    }
+}
diff --git a/QueueIT.Security/test/queueit/security/DefaultKnownUserUrlProviderTest.java b/QueueIT.Security/test/queueit/security/DefaultKnownUserUrlProviderTest.java

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`package queueit.security;`
`2`	`2`
`3`	`3`	`public interface IValidateResultRepository {`
`4`		`- IValidateResult GetValidationResult(IQueue queue);`
`5`		`- void SetValidationResult(IQueue queue, IValidateResult validationResult);`
	`4`	`+ IValidateResult getValidationResult(IQueue queue);`
	`5`	`+ void setValidationResult(IQueue queue, IValidateResult validationResult);`
`6`	`6`	`}`