001    package org.cumulus4j.keymanager.api.internal.remote;
002    
003    import java.io.IOException;
004    import java.io.InputStreamReader;
005    import java.io.Reader;
006    import java.nio.charset.Charset;
007    import java.util.Collections;
008    import java.util.HashMap;
009    import java.util.Map;
010    
011    import javax.ws.rs.core.MediaType;
012    import javax.ws.rs.core.Response.Status;
013    
014    import org.cumulus4j.keymanager.api.AuthenticationException;
015    import org.cumulus4j.keymanager.api.CannotDeleteLastUserException;
016    import org.cumulus4j.keymanager.api.CryptoSession;
017    import org.cumulus4j.keymanager.api.DateDependentKeyStrategyInitParam;
018    import org.cumulus4j.keymanager.api.DateDependentKeyStrategyInitResult;
019    import org.cumulus4j.keymanager.api.KeyManagerAPIConfiguration;
020    import org.cumulus4j.keymanager.api.KeyManagerAPIInstantiationException;
021    import org.cumulus4j.keymanager.api.KeyStoreNotEmptyException;
022    import org.cumulus4j.keymanager.api.internal.AbstractKeyManagerAPI;
023    import org.cumulus4j.keymanager.front.shared.AcquireCryptoSessionResponse;
024    import org.cumulus4j.keymanager.front.shared.AppServer;
025    import org.cumulus4j.keymanager.front.shared.Error;
026    import org.cumulus4j.keymanager.front.shared.PutAppServerResponse;
027    import org.cumulus4j.keymanager.front.shared.UserWithPassword;
028    
029    import com.sun.jersey.api.client.Client;
030    import com.sun.jersey.api.client.ClientHandlerException;
031    import com.sun.jersey.api.client.ClientResponse;
032    import com.sun.jersey.api.client.UniformInterfaceException;
033    import com.sun.jersey.api.client.filter.HTTPBasicAuthFilter;
034    
035    /**
036     * @author Marco หงุ่ยตระกูล-Schulze - marco at nightlabs dot de
037     */
038    public class RemoteKeyManagerAPI extends AbstractKeyManagerAPI
039    {
040            private Map<String, AppServer> appServerBaseURL2appServer = Collections.synchronizedMap(new HashMap<String, AppServer>());
041    
042            public RemoteKeyManagerAPI()
043            throws KeyManagerAPIInstantiationException
044            {
045                    // We test here, whether the AcquireCryptoSessionResponse and some other classes are accessible. If they are not, it means the remote stuff is not deployed
046                    // and it should not be possible to instantiate a RemoteKeyManagerAPI.
047                    try {
048                            AcquireCryptoSessionResponse.class.getConstructors();
049                    } catch (NoClassDefFoundError x) {
050                            throw new KeyManagerAPIInstantiationException("The RemoteKeyManagerAPI could not be instantiated! If you really want to use a key-server, make sure all required libs are deployed. If you want to use a local key-store instead of a key-server, you must specify different arguments. It seems, the module 'org.cumulus4j.keymanager.front.shared' is missing! " + x, x);
051                    }
052    
053                    try {
054                            com.sun.jersey.core.header.AcceptableMediaType.class.getConstructors();
055                    } catch (NoClassDefFoundError x) {
056                            throw new KeyManagerAPIInstantiationException("The RemoteKeyManagerAPI could not be instantiated! If you really want to use a key-server, make sure all required libs are deployed. If you want to use a local key-store instead of a key-server, you must specify different arguments. It seems, the module 'jersey-core' is missing! " + x, x);
057                    }
058    
059                    try {
060                            Client.class.getConstructors();
061                    } catch (NoClassDefFoundError x) {
062                            throw new KeyManagerAPIInstantiationException("The RemoteKeyManagerAPI could not be instantiated! If you really want to use a key-server, make sure all required libs are deployed. If you want to use a local key-store instead of a key-server, you must specify different arguments. It seems, the module 'jersey-client' is missing! " + x, x);
063                    }
064            }
065    
066            @Override
067            public void setConfiguration(KeyManagerAPIConfiguration configuration) throws IllegalArgumentException, KeyManagerAPIInstantiationException
068            {
069                    super.setConfiguration(configuration);
070                    appServerBaseURL2appServer.clear();
071            }
072    
073            protected static final String appendFinalSlash(String url)
074            {
075                    if (url.endsWith("/"))
076                            return url;
077                    else
078                            return url + '/';
079            }
080    
081            private Client client;
082    
083            protected synchronized Client getClient()
084            {
085                    // A client is thread-safe except for configuration changes (but we don't change the configuration of the returned client anymore).
086                    if (client == null) {
087                            Client client = new Client();
088                            client.addFilter(
089                                            new HTTPBasicAuthFilter(getAuthUserName(), new String(getAuthPassword()))
090                            );
091                            this.client = client;
092                    }
093                    return client;
094            }
095    
096            @Override
097            public DateDependentKeyStrategyInitResult initDateDependentKeyStrategy(DateDependentKeyStrategyInitParam param) throws KeyStoreNotEmptyException, IOException
098            {
099                    org.cumulus4j.keymanager.front.shared.DateDependentKeyStrategyInitParam ksInitParam = new org.cumulus4j.keymanager.front.shared.DateDependentKeyStrategyInitParam();
100                    ksInitParam.setKeyActivityPeriodMSec(param.getKeyActivityPeriodMSec());
101                    ksInitParam.setKeyStorePeriodMSec(param.getKeyStorePeriodMSec());
102    
103                    org.cumulus4j.keymanager.front.shared.DateDependentKeyStrategyInitResult r;
104                    try {
105                            r = getClient().resource(appendFinalSlash(getKeyManagerBaseURL()) + "DateDependentKeyStrategy/" + getKeyStoreID() + "/init")
106                            .type(MediaType.APPLICATION_XML_TYPE)
107                            .post(org.cumulus4j.keymanager.front.shared.DateDependentKeyStrategyInitResult.class, ksInitParam);
108                    } catch (UniformInterfaceException x) {
109                            RemoteKeyManagerAPI.throwUniformInterfaceExceptionAsKeyStoreNotEmptyException(x);
110                            RemoteKeyManagerAPI.throwUniformInterfaceExceptionAsIOException(x);
111                            throw new IOException(x);
112                    }
113    
114                    DateDependentKeyStrategyInitResult result = new DateDependentKeyStrategyInitResult();
115                    result.setGeneratedKeyCount(r.getGeneratedKeyCount());
116                    return result;
117            }
118    
119            @Override
120            public void putUser(String userName, char[] password) throws AuthenticationException, IOException
121            {
122                    try {
123                            UserWithPassword userWithPassword = new UserWithPassword();
124                            userWithPassword.setUserName(userName);
125                            userWithPassword.setPassword(password);
126    
127                            getClient().resource(appendFinalSlash(getKeyManagerBaseURL()) + "User/" + getKeyStoreID())
128                            .type(MediaType.APPLICATION_XML_TYPE)
129                            .put(userWithPassword);
130                    } catch (UniformInterfaceException x) {
131                            RemoteKeyManagerAPI.throwUniformInterfaceExceptionAsAuthenticationException(x);
132                            RemoteKeyManagerAPI.throwUniformInterfaceExceptionAsIOException(x);
133                            throw new IOException(x);
134    //              } catch (IOException x) {
135    //                      throw x;
136                    }
137    
138                    // If we changed the current user's password, we automatically re-configure this API instance.
139                    KeyManagerAPIConfiguration conf = getConf();
140                    if (conf.getAuthUserName() != null && conf.getAuthUserName().equals(userName)) {
141                            KeyManagerAPIConfiguration newConf = new KeyManagerAPIConfiguration(conf);
142                            newConf.setAuthPassword(password);
143                            try {
144                                    setConfiguration(newConf);
145                            } catch (KeyManagerAPIInstantiationException e) {
146                                    throw new RuntimeException(e); // Shouldn't happen, because we copied the old configuration.
147                            }
148                    }
149            }
150    
151            @Override
152            public void deleteUser(String userName) throws AuthenticationException, CannotDeleteLastUserException, IOException
153            {
154                    try {
155                            getClient().resource(appendFinalSlash(getKeyManagerBaseURL()) + "User/" + getKeyStoreID() + '/' + userName)
156                            .type(MediaType.APPLICATION_XML_TYPE)
157                            .delete();
158                    } catch (UniformInterfaceException x) {
159                            RemoteKeyManagerAPI.throwUniformInterfaceExceptionAsAuthenticationException(x);
160                            RemoteKeyManagerAPI.throwUniformInterfaceExceptionAsIOException(x);
161                            throw new IOException(x);
162    //              } catch (IOException x) {
163    //                      throw x;
164                    }
165            }
166    
167            @Override
168            public CryptoSession getCryptoSession(String appServerBaseURL) throws IOException, AuthenticationException
169            {
170                    try {
171                            AppServer appServer = appServerBaseURL2appServer.get(appServerBaseURL);
172                            if (appServer == null) {
173                                    // Even if multiple threads run into this clause, the key-server will return
174                                    // the same appServerID for all of them.
175                                    appServer = new AppServer();
176                                    appServer.setAppServerBaseURL(appServerBaseURL);
177    
178                                    PutAppServerResponse putAppServerResponse = getClient().resource(appendFinalSlash(getKeyManagerBaseURL()) + "AppServer/" + getKeyStoreID())
179                                    .accept(MediaType.APPLICATION_XML_TYPE)
180                                    .type(MediaType.APPLICATION_XML_TYPE)
181                                    .put(PutAppServerResponse.class, appServer);
182    
183                                    if (putAppServerResponse == null)
184                                            throw new IOException("Key server returned null instead of a PutAppServerResponse when putting an AppServer instance!");
185    
186                                    if (putAppServerResponse.getAppServerID() == null)
187                                            throw new IOException("Key server returned a PutAppServerResponse with property appServerID being null!");
188    
189                                    appServer.setAppServerID(putAppServerResponse.getAppServerID());
190                                    appServerBaseURL2appServer.put(appServerBaseURL, appServer);
191                            }
192    
193                            RemoteCryptoSession session = new RemoteCryptoSession(this, appServer);
194    
195    //                      // Try to open the session already now, so that we know already here, whether this works (but lock it immediately, again).
196    //                      session.acquire();
197    //                      session.release();
198    
199                            return session;
200                    } catch (UniformInterfaceException x) {
201                            RemoteKeyManagerAPI.throwUniformInterfaceExceptionAsAuthenticationException(x);
202                            RemoteKeyManagerAPI.throwUniformInterfaceExceptionAsIOException(x);
203                            throw new IOException(x);
204                    } catch (IOException x) {
205                            throw x;
206                    }
207            }
208    
209            protected static void throwUniformInterfaceExceptionAsAuthenticationException(UniformInterfaceException x)
210            throws AuthenticationException
211            {
212                    if (x.getResponse().getStatus() != Status.FORBIDDEN.getStatusCode())
213                            return;
214    
215                    x.getResponse().bufferEntity();
216                    if (x.getResponse().hasEntity())
217                    {
218                            try {
219                                    Error error = x.getResponse().getEntity(Error.class);
220                                    if (
221                                                    AuthenticationException.class.getName().equals(error.getType()) ||
222                                                    org.cumulus4j.keystore.AuthenticationException.class.getName().equals(error.getType())
223                                    )
224                                            throw new AuthenticationException(error.getMessage());
225                            } catch (ClientHandlerException e) {
226                                    //parsing the result failed => returning it as a String
227                                    String message = getClientResponseEntityAsString(x.getResponse());
228                                    throw new AuthenticationException("URL=\"" + x.getResponse().getLocation() + "\": Server replied with error code " + x.getResponse().getStatus() + " and message: " + message);
229                            }
230                    }
231    
232                    throw new AuthenticationException("URL=\"" + x.getResponse().getLocation() + "\": Server replied with error code " + x.getResponse().getStatus() + "!");
233            }
234    
235            private static String getClientResponseEntityAsString(ClientResponse response)
236            {
237                    Reader reader = new InputStreamReader(response.getEntityInputStream(), Charset.forName("UTF-8"));
238                    StringBuilder sb = new StringBuilder();
239                    char[] cb = new char[1024];
240                    int bytesRead;
241                    try {
242                            while (0 <= (bytesRead = reader.read(cb))) {
243                                    sb.append(cb, 0, bytesRead);
244                            }
245                    } catch (IOException x) { // this comes from the Reader API and should be safe to ignore, because we buffer the entity and should thus not encounter any socket-read-error here.
246                            throw new RuntimeException(x);
247                    }
248                    return sb.toString();
249            }
250    
251            protected static void throwUniformInterfaceExceptionAsIOException(UniformInterfaceException x)
252            throws IOException
253            {
254                    x.getResponse().bufferEntity();
255                    if (x.getResponse().hasEntity()) {
256                            try {
257                                    Error error = x.getResponse().getEntity(Error.class);
258                                    throw new IOException(error.getMessage());
259                            } catch (ClientHandlerException e) {
260                                    //parsing the result failed => returning it as a String
261                                    String message = getClientResponseEntityAsString(x.getResponse());
262                                    throw new IOException("URL=\"" + x.getResponse().getLocation() + "\": Server replied with error code " + x.getResponse().getStatus() + " and message: " + message);
263                            }
264                    }
265    
266                    if (x.getResponse().getStatus() >= 400)
267                            throw new IOException("URL=\"" + x.getResponse().getLocation() + "\": Server replied with error code " + x.getResponse().getStatus() + "!");
268            }
269    
270            private static void throwUniformInterfaceExceptionAsKeyStoreNotEmptyException(UniformInterfaceException x)
271            throws KeyStoreNotEmptyException
272            {
273                    if (x.getResponse().getStatus() < 400) // Every code < 400 means success => return without trying to read an Error.
274                            return;
275    
276                    x.getResponse().bufferEntity();
277                    if (x.getResponse().hasEntity())
278                    {
279                            try {
280                                    Error error = x.getResponse().getEntity(Error.class);
281                                    if (org.cumulus4j.keystore.KeyStoreNotEmptyException.class.getName().equals(error.getType()))
282                                            throw new KeyStoreNotEmptyException(error.getMessage());
283                            } catch (ClientHandlerException e) {
284                                    //parsing the result failed => ignore it silently
285                                    doNothing();
286                            }
287                    }
288            }
289    
290            private static final void doNothing() { }
291    }