cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject svn commit: r1438472 - in /cxf/trunk/rt/rs/security/oauth-parent/oauth2/src: main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/ test/java/org/apache/cxf/rs/security/oauth2/token/mac/
Date Fri, 25 Jan 2013 12:42:03 GMT
Author: sergeyb
Date: Fri Jan 25 12:42:02 2013
New Revision: 1438472

URL: http://svn.apache.org/viewvc?rev=1438472&view=rev
Log:
[CXF-4783] NonceVerifier implementation, patch from Sasi M applied with very minor updates

Added:
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceHistory.java
  (with props)
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceStore.java
  (with props)
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceVerifierImpl.java
  (with props)
    cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/token/mac/NonceVerifierImplTest.java
  (with props)

Added: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceHistory.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceHistory.java?rev=1438472&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceHistory.java
(added)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceHistory.java
Fri Jan 25 12:42:02 2013
@@ -0,0 +1,60 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.tokens.mac;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+public class NonceHistory implements Serializable {
+
+    private static final long serialVersionUID = -6404833046910698956L;
+
+    private final long requestTimeDelta;
+    private final List<Nonce> nonceList = new ArrayList<Nonce>();
+
+    public NonceHistory(long requestTimeDelta, Nonce nonce) {
+        this.requestTimeDelta = requestTimeDelta;
+        nonceList.add(nonce);
+    }
+
+    public void addNonce(Nonce nonce) {
+        nonceList.add(nonce);
+    }
+
+    public long getRequestTimeDelta() {
+        return requestTimeDelta;
+    }
+
+    public List<Nonce> getNonceList() {
+        return nonceList;
+    }
+
+    public Collection<Nonce> findMatchingNonces(String nonceString, long ts) {
+        List<Nonce> nonceMatches = new ArrayList<Nonce>();
+        for (Nonce nonce : getNonceList()) {
+            if (nonce.getNonceString().equals(nonceString) && nonce.getTs() == ts)
{
+                nonceMatches.add(nonce);
+            }
+        }
+        return nonceMatches;
+    }
+
+}
\ No newline at end of file

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceHistory.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceHistory.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceStore.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceStore.java?rev=1438472&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceStore.java
(added)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceStore.java
Fri Jan 25 12:42:02 2013
@@ -0,0 +1,26 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.tokens.mac;
+
+public interface NonceStore {
+
+    void storeNonce(String tokenKey, Nonce nonce, long requestTimeDelta);
+
+    NonceHistory getNonceHistory(String tokenKey);
+}
\ No newline at end of file

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceStore.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceStore.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceVerifierImpl.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceVerifierImpl.java?rev=1438472&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceVerifierImpl.java
(added)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceVerifierImpl.java
Fri Jan 25 12:42:02 2013
@@ -0,0 +1,75 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.tokens.mac;
+
+import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+
+public class NonceVerifierImpl implements NonceVerifier {
+    private NonceStore nonceStore;
+    private long allowedWindow; // 2000 ms
+
+    public void verifyNonce(String tokenKey, String clientNonceString, String clientTimestampString)

+        throws OAuthServiceException {
+        
+        if (StringUtils.isEmpty(clientNonceString)
+            || StringUtils.isEmpty(clientTimestampString)) {
+            throw new OAuthServiceException("Nonce or timestamp is not available");
+        }
+        
+        long serverClock = System.currentTimeMillis();
+        NonceHistory nonceHistory = nonceStore.getNonceHistory(tokenKey);
+        boolean firstTimeRequest = false;
+        if (nonceHistory == null) {
+            firstTimeRequest = true;
+        }
+        long clientTimestamp = Long.valueOf(clientTimestampString);
+        if (firstTimeRequest) {
+            long requestTimeDelta = serverClock - clientTimestamp;
+            Nonce nonce = new Nonce(clientNonceString, clientTimestamp);
+            nonceStore.storeNonce(tokenKey, nonce, requestTimeDelta);
+        } else {
+            checkAdjustedRequestTime(serverClock, clientTimestamp, nonceHistory);
+            checkNonceHistory(nonceHistory, clientNonceString, clientTimestamp);
+        }
+    }
+
+    private static void checkNonceHistory(NonceHistory nonceHistory, final String clientNonceString,
+                                          final long ts) throws OAuthServiceException {
+        if (!nonceHistory.findMatchingNonces(clientNonceString, ts).isEmpty()) {
+            throw new OAuthServiceException("Duplicate nonce");
+        }
+    }
+
+    private void checkAdjustedRequestTime(long serverClock, long clientTimestamp, NonceHistory
nonceHistory) {
+        long adjustedRequestTime = clientTimestamp + nonceHistory.getRequestTimeDelta();
+        long requestDelta = Math.abs(serverClock - adjustedRequestTime);
+        if (requestDelta > allowedWindow) {
+            throw new OAuthServiceException("Timestamp is invalid");
+        }
+    }
+
+    public void setAllowedWindow(long allowedWindow) {
+        this.allowedWindow = allowedWindow;
+    }
+
+    public void setNonceStore(NonceStore nonceStore) {
+        this.nonceStore = nonceStore;
+    }
+}
\ No newline at end of file

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceVerifierImpl.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/mac/NonceVerifierImpl.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date

Added: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/token/mac/NonceVerifierImplTest.java
URL: http://svn.apache.org/viewvc/cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/token/mac/NonceVerifierImplTest.java?rev=1438472&view=auto
==============================================================================
--- cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/token/mac/NonceVerifierImplTest.java
(added)
+++ cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/token/mac/NonceVerifierImplTest.java
Fri Jan 25 12:42:02 2013
@@ -0,0 +1,96 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.token.mac;
+
+import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
+import org.apache.cxf.rs.security.oauth2.tokens.mac.Nonce;
+import org.apache.cxf.rs.security.oauth2.tokens.mac.NonceHistory;
+import org.apache.cxf.rs.security.oauth2.tokens.mac.NonceStore;
+import org.apache.cxf.rs.security.oauth2.tokens.mac.NonceVerifierImpl;
+import org.easymock.EasyMock;
+
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+public class NonceVerifierImplTest extends Assert {
+
+    private NonceVerifierImpl nonceVerifier;
+    private NonceStore nonceStore = EasyMock.createMock(NonceStore.class);
+
+    @Before
+    public void setUp() {
+        nonceVerifier = new NonceVerifierImpl();
+        nonceVerifier.setNonceStore(nonceStore);
+    }
+
+    @Test
+    public void testVerifyNonce() {
+        long now = System.currentTimeMillis();
+        Nonce nonce1 = new Nonce("nonce1", now - 2000); // first request 2 seconds back
+        Nonce nonce2 = new Nonce("nonce2", now - 1000); // second request 1 second back
+        NonceHistory nonceHistory = new NonceHistory(200, nonce1); // first request time
delta is 200ms
+        nonceHistory.addNonce(nonce2);
+
+        EasyMock.expect(nonceStore.getNonceHistory("testTokenKey")).andReturn(nonceHistory);
+        EasyMock.replay(nonceStore);
+        nonceVerifier.setAllowedWindow(2000); // allowed window is 2 seconds
+        nonceVerifier.verifyNonce("testTokenKey", "nonce3", Long.toString(now - 500));
+        EasyMock.verify(nonceStore);
+    }
+
+    @Test
+    public void testVerifyNonceDuplicateNonce() {
+        long now = System.currentTimeMillis();
+        Nonce nonce1 = new Nonce("nonce1", now - 2000); // first request 2 seconds back
+        Nonce nonce2 = new Nonce("nonce2", now - 1000); // second request 1 second back
+        NonceHistory nonceHistory = new NonceHistory(200, nonce1); // first request time
delta is 200ms
+        nonceHistory.addNonce(nonce2);
+
+        EasyMock.expect(nonceStore.getNonceHistory("testTokenKey")).andReturn(nonceHistory);
+        EasyMock.replay(nonceStore);
+        nonceVerifier.setAllowedWindow(2000); // allowed window is 2 seconds
+        try {
+            nonceVerifier.verifyNonce("testTokenKey", "nonce2", Long.toString(now - 1000));
+            fail("Exception expected");
+        } catch (OAuthServiceException ex) {
+            assertEquals("Duplicate nonce", ex.getMessage());
+        }
+    }
+
+    @Test
+    public void testVerifyNonceInvalidTimestamp() {
+        long now = System.currentTimeMillis();
+        Nonce nonce1 = new Nonce("nonce1", now - 2000); // first request 2 seconds back
+        Nonce nonce2 = new Nonce("nonce2", now - 1000); // second request 1 second back
+        NonceHistory nonceHistory = new NonceHistory(200, nonce1); // first request time
delta is 200ms
+        nonceHistory.addNonce(nonce2);
+
+        EasyMock.expect(nonceStore.getNonceHistory("testTokenKey")).andReturn(nonceHistory);
+        EasyMock.replay(nonceStore);
+        nonceVerifier.setAllowedWindow(2000); // allowed window is 2 seconds
+        try {
+            nonceVerifier.verifyNonce("testTokenKey", "nonce3", Long.toString(now - 5000));
// very old timestamp
+            fail("Exception expected");
+        } catch (OAuthServiceException ex) {
+            assertEquals("Timestamp is invalid", ex.getMessage());
+        }
+    }
+
+}
\ No newline at end of file

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/token/mac/NonceVerifierImplTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: cxf/trunk/rt/rs/security/oauth-parent/oauth2/src/test/java/org/apache/cxf/rs/security/oauth2/token/mac/NonceVerifierImplTest.java
------------------------------------------------------------------------------
    svn:keywords = Rev Date



Mime
View raw message