/**
* Compute the signature or MAC value over the supplied input.
*
* <p>It is up to the caller to ensure that the specified algorithm URI is consistent with the
* type of signing key supplied in the signing credential.
*
* @param signingCredential the credential containing the signing key
* @param algorithmURI the algorithm URI to use
* @param input the input over which to compute the signature
* @return the computed signature or MAC value
* @throws SecurityException throw if the computation process results in an error
*/
public static byte[] signWithURI(Credential signingCredential, String algorithmURI, byte[] input)
throws SecurityException {
String jcaAlgorithmID = SecurityHelper.getAlgorithmIDFromURI(algorithmURI);
if (jcaAlgorithmID == null) {
throw new SecurityException("Could not derive JCA algorithm identifier from algorithm URI");
}
boolean isHMAC = SecurityHelper.isHMAC(algorithmURI);
return sign(signingCredential, jcaAlgorithmID, isHMAC, input);
}
/**
* Compute the signature or MAC value over the supplied input.
*
* <p>It is up to the caller to ensure that the specified algorithm ID and isMAC flag are
* consistent with the type of signing key supplied in the signing credential.
*
* @param signingCredential the credential containing the signing key
* @param jcaAlgorithmID the Java JCA algorithm ID to use
* @param isMAC flag indicating whether the operation to be performed is a signature or MAC
* computation
* @param input the input over which to compute the signature
* @return the computed signature or MAC value
* @throws SecurityException throw if the computation process results in an error
*/
public static byte[] sign(
Credential signingCredential, String jcaAlgorithmID, boolean isMAC, byte[] input)
throws SecurityException {
Key signingKey = SecurityHelper.extractSigningKey(signingCredential);
if (signingKey == null) {
log.error("No signing key supplied in signing credential for signature computation");
throw new SecurityException("No signing key supplied in signing credential");
}
if (isMAC) {
return signMAC(signingKey, jcaAlgorithmID, input);
} else if (signingKey instanceof PrivateKey) {
return sign((PrivateKey) signingKey, jcaAlgorithmID, input);
} else {
log.error("No PrivateKey present in signing credential for signature computation");
throw new SecurityException("No PrivateKey supplied for signing");
}
}
/**
* Verify the signature value computed over the supplied input against the supplied signature
* value.
*
* <p>It is up to the caller to ensure that the specified algorithm ID and isMAC flag are
* consistent with the type of verification credential supplied.
*
* @param verificationCredential the credential containing the verification key
* @param jcaAlgorithmID the Java JCA algorithm ID to use
* @param isMAC flag indicating whether the operation to be performed is a signature or MAC
* computation
* @param signature the computed signature value received from the signer
* @param input the input over which the signature is computed and verified
* @return true if the signature value computed over the input using the supplied key and
* algorithm ID is identical to the supplied signature value
* @throws SecurityException thrown if the signature computation or verification process results
* in an error
*/
public static boolean verify(
Credential verificationCredential,
String jcaAlgorithmID,
boolean isMAC,
byte[] signature,
byte[] input)
throws SecurityException {
Key verificationKey = SecurityHelper.extractVerificationKey(verificationCredential);
if (verificationKey == null) {
log.error(
"No verification key supplied in verification credential for signature verification");
throw new SecurityException("No verification key supplied in verification credential");
}
if (isMAC) {
return verifyMAC(verificationKey, jcaAlgorithmID, signature, input);
} else if (verificationKey instanceof PublicKey) {
return verify((PublicKey) verificationKey, jcaAlgorithmID, signature, input);
} else {
log.error("No PublicKey present in verification credential for signature verification");
throw new SecurityException("No PublicKey supplied for signature verification");
}
}
@Override
public Set<String> resolve(final Annotation[] annotations) {
return SecurityHelper.getFilteringScopes(securityContext, annotations);
}
@Override
public void actionPerformed(FormEvent event) {
// the Role for which the rights are to be set
int roleId = -1;
// array of ints, ids of Layers (SecuredObjects) for which
// the Role has access rights
int[] layers = null;
// corresponding maps of key (PropertyName) / value-pairs that
// constitute access constraints
Map<String, Object>[] layerConstraints = null;
SecurityAccessManager manager = null;
SecurityTransaction transaction = null;
try {
RPCWebEvent ev = (RPCWebEvent) event;
RPCMethodCall rpcCall = ev.getRPCMethodCall();
RPCParameter[] params = rpcCall.getParameters();
// validates the incomming method call and extracts the roleID
roleId = validate(params);
RPCParameter[] layerParams = (RPCParameter[]) params[1].getValue();
layers = new int[layerParams.length];
layerConstraints = new Map[layerParams.length];
extractLayerValues(layers, layerConstraints, layerParams);
// extract FeatureType rights
if (!(params[2].getValue() instanceof RPCParameter[])) {
throw new RPCException(Messages.getMessage("IGEO_STD_STORERIGHTS_THIRD_PARAM"));
}
// array of ints, ids of FeatureTypes (SecuredObjects) for which
// the Role has access rights
FeatureTypeRight[] featureTypes = extractFeatureTypeValues(params);
transaction = SecurityHelper.acquireTransaction(this);
SecurityHelper.checkForAdminRole(transaction);
manager = SecurityAccessManager.getInstance();
User user = transaction.getUser();
Role role = transaction.getRoleById(roleId);
// perform access check
if (!user.hasRight(transaction, "update", role)) {
getRequest().setAttribute("SOURCE", this.getClass().getName());
String s = Messages.getMessage("IGEO_STD_STORERIGHTS_MISSING_RIGHTS", role.getName());
getRequest().setAttribute("MESSAGE", s);
setNextPage("error.jsp");
return;
}
// set/delete access rights for Layers
SecuredObject[] presentLayers = transaction.getAllSecuredObjects(ClientHelper.TYPE_LAYER);
setAccessRightsForLayers(layers, layerConstraints, transaction, role, presentLayers);
// set/delete access rights for FeatureTypes
SecuredObject[] presentFeatureTypes =
transaction.getAllSecuredObjects(ClientHelper.TYPE_FEATURETYPE);
setAccessRightsForFeatureTypes(featureTypes, transaction, role, presentFeatureTypes);
manager.commitTransaction(transaction);
transaction = null;
String s = Messages.getMessage("IGEO_STD_STORERIGHTS_SUCCESS", role.getID());
getRequest().setAttribute("MESSAGE", s);
} catch (RPCException e) {
getRequest().setAttribute("SOURCE", this.getClass().getName());
String s = Messages.getMessage("IGEO_STD_STORERIGHTS_INVALID_REQ", e.getMessage());
getRequest().setAttribute("MESSAGE", s);
setNextPage("error.jsp");
LOG.logDebug(e.getMessage(), e);
} catch (GeneralSecurityException e) {
getRequest().setAttribute("SOURCE", this.getClass().getName());
String s = Messages.getMessage("IGEO_STD_STORERIGHTS_ERROR", e.getMessage());
getRequest().setAttribute("MESSAGE", s);
setNextPage("error.jsp");
LOG.logDebug(e.getMessage(), e);
} finally {
if (manager != null && transaction != null) {
try {
manager.abortTransaction(transaction);
} catch (GeneralSecurityException e) {
LOG.logDebug(e.getMessage(), e);
}
}
}
}
/**
* Creates a new instance of SymmetricKeyInfo.
*
* @param aesKey
* @param iv
* @param sequence
* @param keyID
*/
public SymmetricKeyInfo(String keyID) {
this.aesKey = SymmetricCryptographyHelper.generateAESKey();
this.iv = SymmetricCryptographyHelper.generateIV();
this.sequence = SecurityHelper.createLongSequenceBase();
this.keyID = keyID;
}
/**
* Creates a new instance of SymmetricKeyInfo.
*
* @param aesKey
* @param iv
*/
public SymmetricKeyInfo(SecretKey aesKey, byte[] iv) {
this.aesKey = aesKey;
this.iv = iv;
this.sequence = SecurityHelper.createLongSequenceBase();
this.keyID = null;
}
@Override
public void visit(State state, Properties props) throws Exception {
boolean userExists = SecurityHelper.getTabUserExists(state);
Connector conn;
try {
conn =
state
.getInstance()
.getConnector(
SecurityHelper.getTabUserName(state), SecurityHelper.getTabUserPass(state));
} catch (AccumuloSecurityException ae) {
if (ae.getErrorCode().equals(SecurityErrorCode.BAD_CREDENTIALS)) {
if (userExists)
throw new AccumuloException(
"User didn't exist when they should (or worse- password mismatch)", ae);
else return;
}
throw new AccumuloException("Unexpected exception!", ae);
}
String action = props.getProperty("action", "_random");
TablePermission tp;
if ("_random".equalsIgnoreCase(action)) {
Random r = new Random();
tp = TablePermission.values()[r.nextInt(TablePermission.values().length)];
} else {
tp = TablePermission.valueOf(action);
}
boolean tableExists = SecurityHelper.getTableExists(state);
boolean hasPerm = SecurityHelper.getTabPerm(state, SecurityHelper.getTabUserName(state), tp);
String tableName = state.getString("secTableName");
switch (tp) {
case READ:
Authorizations auths =
SecurityHelper.getUserAuths(state, SecurityHelper.getTabUserName(state));
boolean canRead =
SecurityHelper.getTabPerm(
state, SecurityHelper.getTabUserName(state), TablePermission.READ);
try {
Scanner scan =
conn.createScanner(
tableName,
conn.securityOperations()
.getUserAuthorizations(SecurityHelper.getTabUserName(state)));
int seen = 0;
Iterator<Entry<Key, Value>> iter = scan.iterator();
while (iter.hasNext()) {
Entry<Key, Value> entry = iter.next();
Key k = entry.getKey();
seen++;
if (!auths.contains(k.getColumnVisibilityData()))
throw new AccumuloException(
"Got data I should not be capable of seeing: " + k + " table " + tableName);
}
if (!canRead)
throw new AccumuloException(
"Was able to read when I shouldn't have had the perm with connection user "
+ conn.whoami()
+ " table "
+ tableName);
for (Entry<String, Integer> entry : SecurityHelper.getAuthsMap(state).entrySet()) {
if (auths.contains(entry.getKey().getBytes())) seen = seen - entry.getValue();
}
if (seen != 0) throw new AccumuloException("Got mismatched amounts of data");
} catch (TableNotFoundException tnfe) {
if (tableExists)
throw new AccumuloException(
"Accumulo and test suite out of sync: table " + tableName, tnfe);
return;
} catch (AccumuloSecurityException ae) {
if (ae.getErrorCode().equals(SecurityErrorCode.PERMISSION_DENIED)) {
if (canRead)
throw new AccumuloException(
"Table read permission out of sync with Accumulo: table " + tableName, ae);
else return;
}
throw new AccumuloException("Unexpected exception!", ae);
} catch (RuntimeException re) {
if (re.getCause() instanceof AccumuloSecurityException
&& ((AccumuloSecurityException) re.getCause())
.getErrorCode()
.equals(SecurityErrorCode.PERMISSION_DENIED)) {
if (canRead)
throw new AccumuloException(
"Table read permission out of sync with Accumulo: table " + tableName,
re.getCause());
else return;
}
throw new AccumuloException("Unexpected exception!", re);
}
break;
case WRITE:
String key = SecurityHelper.getLastKey(state) + "1";
Mutation m = new Mutation(new Text(key));
for (String s : SecurityHelper.getAuthsArray()) {
m.put(new Text(), new Text(), new ColumnVisibility(s), new Value("value".getBytes()));
}
BatchWriter writer;
try {
writer = conn.createBatchWriter(tableName, 9000l, 0l, 1);
} catch (TableNotFoundException tnfe) {
if (tableExists)
throw new AccumuloException("Table didn't exist when it should have: " + tableName);
return;
}
boolean works = true;
try {
writer.addMutation(m);
} catch (MutationsRejectedException mre) {
throw new AccumuloException("Mutation exception!", mre);
}
if (works)
for (String s : SecurityHelper.getAuthsArray())
SecurityHelper.increaseAuthMap(state, s, 1);
break;
case BULK_IMPORT:
key = SecurityHelper.getLastKey(state) + "1";
SortedSet<Key> keys = new TreeSet<Key>();
for (String s : SecurityHelper.getAuthsArray()) {
Key k = new Key(key, "", "", s);
keys.add(k);
}
Path dir = new Path("/tmp", "bulk_" + UUID.randomUUID().toString());
Path fail = new Path(dir.toString() + "_fail");
FileSystem fs = SecurityHelper.getFs(state);
FileSKVWriter f =
FileOperations.getInstance()
.openWriter(
dir + "/securityBulk." + RFile.EXTENSION,
fs,
fs.getConf(),
AccumuloConfiguration.getDefaultConfiguration());
f.startDefaultLocalityGroup();
fs.mkdirs(fail);
for (Key k : keys) f.append(k, new Value("Value".getBytes()));
f.close();
try {
conn.tableOperations().importDirectory(tableName, dir.toString(), fail.toString(), true);
} catch (TableNotFoundException tnfe) {
if (tableExists)
throw new AccumuloException("Table didn't exist when it should have: " + tableName);
return;
} catch (AccumuloSecurityException ae) {
if (ae.getErrorCode().equals(SecurityErrorCode.PERMISSION_DENIED)) {
if (hasPerm)
throw new AccumuloException(
"Bulk Import failed when it should have worked: " + tableName);
return;
}
throw new AccumuloException("Unexpected exception!", ae);
}
for (String s : SecurityHelper.getAuthsArray()) SecurityHelper.increaseAuthMap(state, s, 1);
fs.delete(dir, true);
fs.delete(fail, true);
if (!hasPerm)
throw new AccumuloException(
"Bulk Import succeeded when it should have failed: " + dir + " table " + tableName);
break;
case ALTER_TABLE:
AlterTable.renameTable(conn, state, tableName, tableName + "plus", hasPerm, tableExists);
break;
case GRANT:
props.setProperty("task", "grant");
props.setProperty("perm", "random");
props.setProperty("source", "table");
props.setProperty("target", "system");
AlterTablePerm.alter(state, props);
break;
case DROP_TABLE:
props.setProperty("source", "table");
DropTable.dropTable(state, props);
break;
}
}
/**
* Build Java private key from base64 encoding. The key should have no password.
*
* @param base64EncodedKey base64-encoded private key
* @return a native Java PrivateKey
* @throws KeyException thrown if there is an error constructing key
*/
public static PrivateKey buildJavaPrivateKey(String base64EncodedKey) throws KeyException {
return SecurityHelper.decodePrivateKey(Base64.decode(base64EncodedKey), null);
}
