Ejemplo n.º 1
0
  /**
   * Compute the signature or MAC value over the supplied input.
   *
   * <p>It is up to the caller to ensure that the specified algorithm URI is consistent with the
   * type of signing key supplied in the signing credential.
   *
   * @param signingCredential the credential containing the signing key
   * @param algorithmURI the algorithm URI to use
   * @param input the input over which to compute the signature
   * @return the computed signature or MAC value
   * @throws SecurityException throw if the computation process results in an error
   */
  public static byte[] signWithURI(Credential signingCredential, String algorithmURI, byte[] input)
      throws SecurityException {

    String jcaAlgorithmID = SecurityHelper.getAlgorithmIDFromURI(algorithmURI);
    if (jcaAlgorithmID == null) {
      throw new SecurityException("Could not derive JCA algorithm identifier from algorithm URI");
    }

    boolean isHMAC = SecurityHelper.isHMAC(algorithmURI);

    return sign(signingCredential, jcaAlgorithmID, isHMAC, input);
  }
Ejemplo n.º 2
0
  /**
   * Compute the signature or MAC value over the supplied input.
   *
   * <p>It is up to the caller to ensure that the specified algorithm ID and isMAC flag are
   * consistent with the type of signing key supplied in the signing credential.
   *
   * @param signingCredential the credential containing the signing key
   * @param jcaAlgorithmID the Java JCA algorithm ID to use
   * @param isMAC flag indicating whether the operation to be performed is a signature or MAC
   *     computation
   * @param input the input over which to compute the signature
   * @return the computed signature or MAC value
   * @throws SecurityException throw if the computation process results in an error
   */
  public static byte[] sign(
      Credential signingCredential, String jcaAlgorithmID, boolean isMAC, byte[] input)
      throws SecurityException {

    Key signingKey = SecurityHelper.extractSigningKey(signingCredential);
    if (signingKey == null) {
      log.error("No signing key supplied in signing credential for signature computation");
      throw new SecurityException("No signing key supplied in signing credential");
    }

    if (isMAC) {
      return signMAC(signingKey, jcaAlgorithmID, input);
    } else if (signingKey instanceof PrivateKey) {
      return sign((PrivateKey) signingKey, jcaAlgorithmID, input);
    } else {
      log.error("No PrivateKey present in signing credential for signature computation");
      throw new SecurityException("No PrivateKey supplied for signing");
    }
  }
Ejemplo n.º 3
0
  /**
   * Verify the signature value computed over the supplied input against the supplied signature
   * value.
   *
   * <p>It is up to the caller to ensure that the specified algorithm ID and isMAC flag are
   * consistent with the type of verification credential supplied.
   *
   * @param verificationCredential the credential containing the verification key
   * @param jcaAlgorithmID the Java JCA algorithm ID to use
   * @param isMAC flag indicating whether the operation to be performed is a signature or MAC
   *     computation
   * @param signature the computed signature value received from the signer
   * @param input the input over which the signature is computed and verified
   * @return true if the signature value computed over the input using the supplied key and
   *     algorithm ID is identical to the supplied signature value
   * @throws SecurityException thrown if the signature computation or verification process results
   *     in an error
   */
  public static boolean verify(
      Credential verificationCredential,
      String jcaAlgorithmID,
      boolean isMAC,
      byte[] signature,
      byte[] input)
      throws SecurityException {

    Key verificationKey = SecurityHelper.extractVerificationKey(verificationCredential);
    if (verificationKey == null) {
      log.error(
          "No verification key supplied in verification credential for signature verification");
      throw new SecurityException("No verification key supplied in verification credential");
    }

    if (isMAC) {
      return verifyMAC(verificationKey, jcaAlgorithmID, signature, input);
    } else if (verificationKey instanceof PublicKey) {
      return verify((PublicKey) verificationKey, jcaAlgorithmID, signature, input);
    } else {
      log.error("No PublicKey present in verification credential for signature verification");
      throw new SecurityException("No PublicKey supplied for signature verification");
    }
  }
 @Override
 public Set<String> resolve(final Annotation[] annotations) {
   return SecurityHelper.getFilteringScopes(securityContext, annotations);
 }
  @Override
  public void actionPerformed(FormEvent event) {

    // the Role for which the rights are to be set
    int roleId = -1;
    // array of ints, ids of Layers (SecuredObjects) for which
    // the Role has access rights
    int[] layers = null;
    // corresponding maps of key (PropertyName) / value-pairs that
    // constitute access constraints
    Map<String, Object>[] layerConstraints = null;

    SecurityAccessManager manager = null;
    SecurityTransaction transaction = null;

    try {
      RPCWebEvent ev = (RPCWebEvent) event;
      RPCMethodCall rpcCall = ev.getRPCMethodCall();
      RPCParameter[] params = rpcCall.getParameters();

      // validates the incomming method call and extracts the roleID
      roleId = validate(params);

      RPCParameter[] layerParams = (RPCParameter[]) params[1].getValue();
      layers = new int[layerParams.length];
      layerConstraints = new Map[layerParams.length];
      extractLayerValues(layers, layerConstraints, layerParams);

      // extract FeatureType rights
      if (!(params[2].getValue() instanceof RPCParameter[])) {
        throw new RPCException(Messages.getMessage("IGEO_STD_STORERIGHTS_THIRD_PARAM"));
      }

      // array of ints, ids of FeatureTypes (SecuredObjects) for which
      // the Role has access rights
      FeatureTypeRight[] featureTypes = extractFeatureTypeValues(params);

      transaction = SecurityHelper.acquireTransaction(this);
      SecurityHelper.checkForAdminRole(transaction);

      manager = SecurityAccessManager.getInstance();
      User user = transaction.getUser();
      Role role = transaction.getRoleById(roleId);

      // perform access check
      if (!user.hasRight(transaction, "update", role)) {
        getRequest().setAttribute("SOURCE", this.getClass().getName());
        String s = Messages.getMessage("IGEO_STD_STORERIGHTS_MISSING_RIGHTS", role.getName());
        getRequest().setAttribute("MESSAGE", s);
        setNextPage("error.jsp");
        return;
      }

      // set/delete access rights for Layers
      SecuredObject[] presentLayers = transaction.getAllSecuredObjects(ClientHelper.TYPE_LAYER);
      setAccessRightsForLayers(layers, layerConstraints, transaction, role, presentLayers);

      // set/delete access rights for FeatureTypes
      SecuredObject[] presentFeatureTypes =
          transaction.getAllSecuredObjects(ClientHelper.TYPE_FEATURETYPE);
      setAccessRightsForFeatureTypes(featureTypes, transaction, role, presentFeatureTypes);

      manager.commitTransaction(transaction);
      transaction = null;
      String s = Messages.getMessage("IGEO_STD_STORERIGHTS_SUCCESS", role.getID());
      getRequest().setAttribute("MESSAGE", s);
    } catch (RPCException e) {
      getRequest().setAttribute("SOURCE", this.getClass().getName());
      String s = Messages.getMessage("IGEO_STD_STORERIGHTS_INVALID_REQ", e.getMessage());
      getRequest().setAttribute("MESSAGE", s);
      setNextPage("error.jsp");
      LOG.logDebug(e.getMessage(), e);
    } catch (GeneralSecurityException e) {
      getRequest().setAttribute("SOURCE", this.getClass().getName());
      String s = Messages.getMessage("IGEO_STD_STORERIGHTS_ERROR", e.getMessage());
      getRequest().setAttribute("MESSAGE", s);
      setNextPage("error.jsp");
      LOG.logDebug(e.getMessage(), e);
    } finally {
      if (manager != null && transaction != null) {
        try {
          manager.abortTransaction(transaction);
        } catch (GeneralSecurityException e) {
          LOG.logDebug(e.getMessage(), e);
        }
      }
    }
  }
 /**
  * Creates a new instance of SymmetricKeyInfo.
  *
  * @param aesKey
  * @param iv
  * @param sequence
  * @param keyID
  */
 public SymmetricKeyInfo(String keyID) {
   this.aesKey = SymmetricCryptographyHelper.generateAESKey();
   this.iv = SymmetricCryptographyHelper.generateIV();
   this.sequence = SecurityHelper.createLongSequenceBase();
   this.keyID = keyID;
 }
 /**
  * Creates a new instance of SymmetricKeyInfo.
  *
  * @param aesKey
  * @param iv
  */
 public SymmetricKeyInfo(SecretKey aesKey, byte[] iv) {
   this.aesKey = aesKey;
   this.iv = iv;
   this.sequence = SecurityHelper.createLongSequenceBase();
   this.keyID = null;
 }
Ejemplo n.º 8
0
  @Override
  public void visit(State state, Properties props) throws Exception {
    boolean userExists = SecurityHelper.getTabUserExists(state);
    Connector conn;
    try {
      conn =
          state
              .getInstance()
              .getConnector(
                  SecurityHelper.getTabUserName(state), SecurityHelper.getTabUserPass(state));
    } catch (AccumuloSecurityException ae) {
      if (ae.getErrorCode().equals(SecurityErrorCode.BAD_CREDENTIALS)) {
        if (userExists)
          throw new AccumuloException(
              "User didn't exist when they should (or worse- password mismatch)", ae);
        else return;
      }
      throw new AccumuloException("Unexpected exception!", ae);
    }
    String action = props.getProperty("action", "_random");
    TablePermission tp;
    if ("_random".equalsIgnoreCase(action)) {
      Random r = new Random();
      tp = TablePermission.values()[r.nextInt(TablePermission.values().length)];
    } else {
      tp = TablePermission.valueOf(action);
    }

    boolean tableExists = SecurityHelper.getTableExists(state);
    boolean hasPerm = SecurityHelper.getTabPerm(state, SecurityHelper.getTabUserName(state), tp);

    String tableName = state.getString("secTableName");

    switch (tp) {
      case READ:
        Authorizations auths =
            SecurityHelper.getUserAuths(state, SecurityHelper.getTabUserName(state));
        boolean canRead =
            SecurityHelper.getTabPerm(
                state, SecurityHelper.getTabUserName(state), TablePermission.READ);
        try {
          Scanner scan =
              conn.createScanner(
                  tableName,
                  conn.securityOperations()
                      .getUserAuthorizations(SecurityHelper.getTabUserName(state)));
          int seen = 0;
          Iterator<Entry<Key, Value>> iter = scan.iterator();
          while (iter.hasNext()) {
            Entry<Key, Value> entry = iter.next();
            Key k = entry.getKey();
            seen++;
            if (!auths.contains(k.getColumnVisibilityData()))
              throw new AccumuloException(
                  "Got data I should not be capable of seeing: " + k + " table " + tableName);
          }
          if (!canRead)
            throw new AccumuloException(
                "Was able to read when I shouldn't have had the perm with connection user "
                    + conn.whoami()
                    + " table "
                    + tableName);
          for (Entry<String, Integer> entry : SecurityHelper.getAuthsMap(state).entrySet()) {
            if (auths.contains(entry.getKey().getBytes())) seen = seen - entry.getValue();
          }
          if (seen != 0) throw new AccumuloException("Got mismatched amounts of data");
        } catch (TableNotFoundException tnfe) {
          if (tableExists)
            throw new AccumuloException(
                "Accumulo and test suite out of sync: table " + tableName, tnfe);
          return;
        } catch (AccumuloSecurityException ae) {
          if (ae.getErrorCode().equals(SecurityErrorCode.PERMISSION_DENIED)) {
            if (canRead)
              throw new AccumuloException(
                  "Table read permission out of sync with Accumulo: table " + tableName, ae);
            else return;
          }
          throw new AccumuloException("Unexpected exception!", ae);
        } catch (RuntimeException re) {
          if (re.getCause() instanceof AccumuloSecurityException
              && ((AccumuloSecurityException) re.getCause())
                  .getErrorCode()
                  .equals(SecurityErrorCode.PERMISSION_DENIED)) {
            if (canRead)
              throw new AccumuloException(
                  "Table read permission out of sync with Accumulo: table " + tableName,
                  re.getCause());
            else return;
          }
          throw new AccumuloException("Unexpected exception!", re);
        }

        break;
      case WRITE:
        String key = SecurityHelper.getLastKey(state) + "1";
        Mutation m = new Mutation(new Text(key));
        for (String s : SecurityHelper.getAuthsArray()) {
          m.put(new Text(), new Text(), new ColumnVisibility(s), new Value("value".getBytes()));
        }
        BatchWriter writer;
        try {
          writer = conn.createBatchWriter(tableName, 9000l, 0l, 1);
        } catch (TableNotFoundException tnfe) {
          if (tableExists)
            throw new AccumuloException("Table didn't exist when it should have: " + tableName);
          return;
        }
        boolean works = true;
        try {
          writer.addMutation(m);
        } catch (MutationsRejectedException mre) {
          throw new AccumuloException("Mutation exception!", mre);
        }
        if (works)
          for (String s : SecurityHelper.getAuthsArray())
            SecurityHelper.increaseAuthMap(state, s, 1);
        break;
      case BULK_IMPORT:
        key = SecurityHelper.getLastKey(state) + "1";
        SortedSet<Key> keys = new TreeSet<Key>();
        for (String s : SecurityHelper.getAuthsArray()) {
          Key k = new Key(key, "", "", s);
          keys.add(k);
        }
        Path dir = new Path("/tmp", "bulk_" + UUID.randomUUID().toString());
        Path fail = new Path(dir.toString() + "_fail");
        FileSystem fs = SecurityHelper.getFs(state);
        FileSKVWriter f =
            FileOperations.getInstance()
                .openWriter(
                    dir + "/securityBulk." + RFile.EXTENSION,
                    fs,
                    fs.getConf(),
                    AccumuloConfiguration.getDefaultConfiguration());
        f.startDefaultLocalityGroup();
        fs.mkdirs(fail);
        for (Key k : keys) f.append(k, new Value("Value".getBytes()));
        f.close();
        try {
          conn.tableOperations().importDirectory(tableName, dir.toString(), fail.toString(), true);
        } catch (TableNotFoundException tnfe) {
          if (tableExists)
            throw new AccumuloException("Table didn't exist when it should have: " + tableName);
          return;
        } catch (AccumuloSecurityException ae) {
          if (ae.getErrorCode().equals(SecurityErrorCode.PERMISSION_DENIED)) {
            if (hasPerm)
              throw new AccumuloException(
                  "Bulk Import failed when it should have worked: " + tableName);
            return;
          }
          throw new AccumuloException("Unexpected exception!", ae);
        }
        for (String s : SecurityHelper.getAuthsArray()) SecurityHelper.increaseAuthMap(state, s, 1);
        fs.delete(dir, true);
        fs.delete(fail, true);

        if (!hasPerm)
          throw new AccumuloException(
              "Bulk Import succeeded when it should have failed: " + dir + " table " + tableName);
        break;
      case ALTER_TABLE:
        AlterTable.renameTable(conn, state, tableName, tableName + "plus", hasPerm, tableExists);
        break;

      case GRANT:
        props.setProperty("task", "grant");
        props.setProperty("perm", "random");
        props.setProperty("source", "table");
        props.setProperty("target", "system");
        AlterTablePerm.alter(state, props);
        break;

      case DROP_TABLE:
        props.setProperty("source", "table");
        DropTable.dropTable(state, props);
        break;
    }
  }
Ejemplo n.º 9
0
 /**
  * Build Java private key from base64 encoding. The key should have no password.
  *
  * @param base64EncodedKey base64-encoded private key
  * @return a native Java PrivateKey
  * @throws KeyException thrown if there is an error constructing key
  */
 public static PrivateKey buildJavaPrivateKey(String base64EncodedKey) throws KeyException {
   return SecurityHelper.decodePrivateKey(Base64.decode(base64EncodedKey), null);
 }