/**
 * A token minted with no app, owner or viewer values must survive a wrap/unwrap
 * round trip through every configured crypter with each optional field still null.
 */
@Test
public void testNullValues() throws Exception {
  for (BasicBlobCrypter blobCrypter : crypters) {
    BlobCrypterSecurityToken minted = new BlobCrypterSecurityToken(CONTAINER, DOMAIN, null, null);
    String wrapped = minted.getContainer() + ":" + blobCrypter.wrap(minted.toMap());
    assertTrue("should start with container: " + wrapped, wrapped.startsWith("container:"));

    String[] parts = StringUtils.split(wrapped, ':');
    BlobCrypterSecurityToken decoded =
        new BlobCrypterSecurityToken(CONTAINER, DOMAIN, null, blobCrypter.unwrap(parts[1]));

    // Identity fields come from the container/domain handed to the constructor, not the blob.
    assertEquals(CONTAINER, decoded.getContainer());
    assertEquals(DOMAIN, decoded.getDomain());
    assertEquals(0, decoded.getModuleId());

    // Everything that was never set must still read as absent after the round trip.
    assertNull(decoded.getAppId(), decoded.getAppId());
    assertNull(decoded.getAppUrl(), decoded.getAppUrl());
    assertNull(decoded.getOwnerId(), decoded.getOwnerId());
    assertNull(decoded.getViewerId(), decoded.getViewerId());
    assertNull(decoded.getTrustedJson(), decoded.getTrustedJson());
    assertNull(decoded.getUpdatedToken(), decoded.getUpdatedToken());
    assertNull(decoded.getActiveUrl(), decoded.getActiveUrl());
  }
}
/**
 * Round-trips a fully populated token through encrypt() and decrypt() and checks that
 * every field, plus the caller-supplied active URL, comes back intact.
 */
@Test
public void testRealValues() throws Exception {
  BlobCrypterSecurityToken minted = new BlobCrypterSecurityToken(crypter, CONTAINER, DOMAIN);
  minted.setAppUrl("http://www.example.com/gadget.xml");
  minted.setModuleId(12345L);
  minted.setOwnerId("owner");
  minted.setViewerId("viewer");
  minted.setTrustedJson("trusted");

  String encrypted = minted.encrypt();
  assertTrue("should start with container: " + encrypted, encrypted.startsWith("container:"));
  String[] parts = StringUtils.split(encrypted, ':');

  BlobCrypterSecurityToken decoded =
      BlobCrypterSecurityToken.decrypt(crypter, CONTAINER, DOMAIN, parts[1], "active");

  assertEquals(CONTAINER, decoded.getContainer());
  assertEquals(DOMAIN, decoded.getDomain());
  assertEquals("active", decoded.getActiveUrl());

  // The app id is expected to mirror the app URL for this token type.
  assertEquals("http://www.example.com/gadget.xml", decoded.getAppId());
  assertEquals("http://www.example.com/gadget.xml", decoded.getAppUrl());
  assertEquals(12345L, decoded.getModuleId());
  assertEquals("owner", decoded.getOwnerId());
  assertEquals("viewer", decoded.getViewerId());
  assertEquals("trusted", decoded.getTrustedJson());
}
/**
 * Decrypts and verifies a token. Not public by design: callers should go through
 * {@code BlobCrypterSecurityTokenCodec}, which also selects the crypter for the container.
 *
 * <p>Lifetime is enforced by the crypter: {@code unwrap} is handed
 * {@code MAX_TOKEN_LIFETIME_SECS} and is responsible for rejecting blobs older than that.
 *
 * @param crypter   crypter to use for decryption; expected to hold the key of the container
 *                  that minted the token
 * @param container container that minted the token
 * @param domain    oauth_consumer_key to use for signed fetch with default key
 * @param token     the encrypted token (just the portion after the first ":")
 * @param activeUrl the URL the token is being presented from; stored on the result unchanged
 * @return the decrypted, verified token
 * @throws BlobCrypterException if the blob cannot be decrypted or verified, or is older than
 *                              the lifetime passed to {@code unwrap}
 */
static BlobCrypterSecurityToken decrypt(BlobCrypter crypter, String container, String domain,
    String token, String activeUrl) throws BlobCrypterException {
  Map<String, String> tokenValues = crypter.unwrap(token, MAX_TOKEN_LIFETIME_SECS);

  BlobCrypterSecurityToken result = new BlobCrypterSecurityToken(crypter, container, domain);
  setTokenValues(result, tokenValues);
  // The active URL is request context, not part of the signed blob.
  result.setActiveUrl(activeUrl);
  return result;
}
/**
 * Advancing the clock one hour plus the allowed clock skew past minting makes decrypt()
 * reject the token with {@link BlobExpiredException}.
 */
@Test(expected = BlobExpiredException.class)
public void testExpired() throws Exception {
  BlobCrypterSecurityToken minted = new BlobCrypterSecurityToken(crypter, CONTAINER, DOMAIN);
  String encrypted = minted.encrypt();
  String[] parts = StringUtils.split(encrypted, ':');

  // One hour plus clock skew: the blob is now outside its permitted lifetime.
  timeSource.incrementSeconds(3600 + 181);

  // Must throw; the decoded token is intentionally discarded.
  BlobCrypterSecurityToken.decrypt(crypter, CONTAINER, DOMAIN, parts[1], "active");
}
}
/**
 * A token encrypted with no optional fields decrypts with all of them null, and reading
 * the active URL when none was supplied to decrypt() throws UnsupportedOperationException.
 */
@Test(expected = UnsupportedOperationException.class)
public void testNullValues() throws Exception {
  BlobCrypterSecurityToken minted = new BlobCrypterSecurityToken(crypter, CONTAINER, DOMAIN);
  String encrypted = minted.encrypt();
  assertTrue("should start with container: " + encrypted, encrypted.startsWith("container:"));
  String[] parts = StringUtils.split(encrypted, ':');

  BlobCrypterSecurityToken decoded =
      BlobCrypterSecurityToken.decrypt(crypter, CONTAINER, DOMAIN, parts[1], null);

  assertEquals(CONTAINER, decoded.getContainer());
  assertEquals(DOMAIN, decoded.getDomain());
  assertEquals(0, decoded.getModuleId());

  assertNull(decoded.getAppId(), decoded.getAppId());
  assertNull(decoded.getAppUrl(), decoded.getAppUrl());
  assertNull(decoded.getOwnerId(), decoded.getOwnerId());
  assertNull(decoded.getViewerId(), decoded.getViewerId());
  assertNull(decoded.getTrustedJson(), decoded.getTrustedJson());
  assertNull(decoded.getUpdatedToken(), decoded.getUpdatedToken());

  // No active URL was supplied, so this access is expected to throw.
  decoded.getActiveUrl();
}
/**
 * A blob minted for "container" but presented under a container name the codec has no key
 * for must be rejected with "Unknown container" before any decryption is attempted.
 */
@Test
public void testUnknownContainer() throws Exception {
  BlobCrypterSecurityToken minted = new BlobCrypterSecurityToken(
      getBlobCrypter(getContainerKey("container")), "container", null);
  minted.setAppUrl("http://www.example.com/gadget.xml");
  minted.setModuleId(12345L);
  minted.setOwnerId("owner");
  minted.setViewerId("viewer");
  minted.setTrustedJson("trusted");

  // Re-label the blob as belonging to a container the codec does not know.
  String relabeled = minted.encrypt().replace("container:", "other:");

  try {
    codec.createToken(ImmutableMap.of(SecurityTokenCodec.SECURITY_TOKEN_NAME, relabeled));
    fail("should have reported that container was unknown");
  } catch (SecurityTokenException expected) {
    assertTrue(expected.getMessage(), expected.getMessage().contains("Unknown container"));
  }
}
/**
 * A blob wrapped with the key for "container" but presented under a container name the codec
 * has no key for must be rejected with "Unknown container".
 */
@Test
public void testUnknownContainer() throws Exception {
  Map<String, String> fields = new HashMap<String, String>();
  fields.put(Keys.APP_URL.getKey(), "http://www.example.com/gadget.xml");
  fields.put(Keys.MODULE_ID.getKey(), Long.toString(12345L, 10));
  fields.put(Keys.OWNER.getKey(), "owner");
  fields.put(Keys.VIEWER.getKey(), "viewer");
  fields.put(Keys.TRUSTED_JSON.getKey(), "trusted");
  BlobCrypterSecurityToken minted = new BlobCrypterSecurityToken("container", null, null, fields);

  BlobCrypter containerCrypter = getBlobCrypter(getContainerKey("container"));
  String wrapped = minted.getContainer() + ":" + containerCrypter.wrap(minted.toMap());

  // Re-label the blob as belonging to a container the codec does not know.
  String relabeled = wrapped.replace("container:", "other:");

  try {
    codec.createToken(ImmutableMap.of(SecurityTokenCodec.SECURITY_TOKEN_NAME, relabeled));
    fail("should have reported that container was unknown");
  } catch (SecurityTokenException expected) {
    assertTrue(expected.getMessage(), expected.getMessage().contains("Unknown container"));
  }
}
/**
 * Copies the fields of an arbitrary {@link SecurityToken} into a new
 * BlobCrypterSecurityToken so it can be encoded by this codec.
 *
 * @param token the token to copy; must not be null
 * @return a new token carrying the same container, domain, active URL and field values
 */
public static BlobCrypterSecurityToken fromToken(SecurityToken token) {
  // The final constructor argument is the map of pre-decoded values; none here, the
  // fields are copied one by one below.
  BlobCrypterSecurityToken copy = new BlobCrypterSecurityToken(
      token.getContainer(), token.getDomain(), token.getActiveUrl(), null);

  copy.setAppId(token.getAppId());
  copy.setAppUrl(token.getAppUrl());
  copy.setExpiresAt(token.getExpiresAt());
  copy.setModuleId(token.getModuleId());
  copy.setOwnerId(token.getOwnerId());
  copy.setTrustedJson(token.getTrustedJson());
  copy.setViewerId(token.getViewerId());

  return copy;
}
}
/**
 * A token encoded with a mint time older than the container's time-to-live (plus clock skew)
 * must be rejected by createToken() with "Blob expired".
 */
@Test
public void testExpired() throws Exception {
  Map<String, String> fields = new HashMap<String, String>();
  fields.put(Keys.APP_URL.getKey(), "http://www.example.com/gadget.xml");
  fields.put(Keys.MODULE_ID.getKey(), Long.toString(12345L, 10));
  fields.put(Keys.OWNER.getKey(), "owner");
  fields.put(Keys.VIEWER.getKey(), "viewer");
  fields.put(Keys.TRUSTED_JSON.getKey(), "trusted");

  BlobCrypterSecurityToken stale = new BlobCrypterSecurityToken("container", null, null, fields);
  stale.setTimeSource(timeSource);

  // Wind the clock back by the container's TTL plus clock skew so the blob is minted in the
  // past and already outside its lifetime when it is decoded.
  long secondsBack = codec.getTokenTimeToLive("container") + 181;
  timeSource.incrementSeconds(-1 * secondsBack);
  String encrypted = codec.encodeToken(stale);

  try {
    codec.createToken(ImmutableMap.of(SecurityTokenCodec.SECURITY_TOKEN_NAME, encrypted));
    fail("should have expired");
  } catch (SecurityTokenException expected) {
    assertTrue(expected.getMessage(), expected.getMessage().contains("Blob expired"));
  }
}
/**
 * Decrypts and verifies the provided security token.
 *
 * <p>The container name in front of the ":" selects the crypter (and so the key) used to
 * unwrap the blob, so a blob is only accepted by the container whose key it was wrapped with.
 * After unwrapping, {@code enforceNotExpired()} is applied before the token is returned.
 *
 * @param tokenParameters request parameters; SECURITY_TOKEN_NAME carries the encoded token and
 *     ACTIVE_URL_NAME the URL it is being presented from
 * @return an {@link AnonymousSecurityToken} when no token is supplied, otherwise the decoded
 *     token
 * @throws SecurityTokenException if the token is malformed, names an unknown container, or
 *     cannot be unwrapped (expiry is reported by {@code enforceNotExpired()})
 */
public SecurityToken createToken(Map<String, String> tokenParameters) throws SecurityTokenException {
  String rawToken = tokenParameters.get(SecurityTokenCodec.SECURITY_TOKEN_NAME);
  if (StringUtils.isBlank(rawToken)) {
    // No token is present, assume anonymous access
    return new AnonymousSecurityToken();
  }

  String[] parts = StringUtils.split(rawToken, ':');
  if (parts.length != 2) {
    throw new SecurityTokenException("Invalid security token " + rawToken);
  }
  String containerName = parts[0];
  String blob = parts[1];

  // Key selection happens here: no decryption is attempted for an unregistered container.
  BlobCrypter containerCrypter = crypters.get(containerName);
  if (containerCrypter == null) {
    throw new SecurityTokenException("Unknown container " + rawToken);
  }

  String containerDomain = domains.get(containerName);
  String activeUrl = tokenParameters.get(SecurityTokenCodec.ACTIVE_URL_NAME);

  try {
    BlobCrypterSecurityToken decoded = new BlobCrypterSecurityToken(
        containerName, containerDomain, activeUrl, containerCrypter.unwrap(blob));
    return decoded.enforceNotExpired();
  } catch (BlobCrypterException e) {
    throw new SecurityTokenException(e);
  }
}
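/**
 * Decrypts a security token that was minted for this codec's container.
 *
 * <p>The token is expected to be {@code container + ":" + blob}. The prefix is now verified
 * before anything is stripped: the previous code removed the first
 * {@code container.length() + 1} characters unconditionally, so a token carrying a different
 * container name (or one shorter than the prefix) was still handed to the crypter and only
 * surfaced as a decryption or index failure wrapped in a generic error.
 *
 * @param encryptedSecurityToken the full encoded token, including the container prefix
 * @return the decoded token; the active URL is not populated on this path
 * @throws SecurityTokenException if the token is null, does not carry this codec's container
 *     prefix, or cannot be decrypted
 */
@Override
public SecurityToken decryptSecurityToken(String encryptedSecurityToken) throws SecurityTokenException {
  if (logger.isTraceEnabled()) {
    // Trace only: this line writes the raw token to the log.
    logger.trace("Decrypting security token: " + encryptedSecurityToken);
  }

  String prefix = container + ":";
  if (encryptedSecurityToken == null || !encryptedSecurityToken.startsWith(prefix)) {
    throw new SecurityTokenException(
        "Error creating security token from encrypted string: " + encryptedSecurityToken);
  }
  String blob = encryptedSecurityToken.substring(prefix.length());

  try {
    Map<String, String> values = blobCrypter.unwrap(blob);
    return new BlobCrypterSecurityToken(container, domain, null, values);
  } catch (Exception e) {
    // unwrap is declared to throw BlobCrypterException; the broad catch is kept so any
    // runtime failure while building the token is also reported as SecurityTokenException,
    // with the original cause preserved. The message now always carries the full token
    // rather than the prefix-stripped blob.
    throw new SecurityTokenException(
        "Error creating security token from encrypted string: " + encryptedSecurityToken, e);
  }
}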
/**
 * Returns the application id of this token.
 *
 * <p>This token type keeps no separate app id: the app URL doubles as the id, so the
 * value of {@link #getAppUrl()} is returned unchanged.
 */
@Override
public String getAppId() {
  String appUrl = getAppUrl();
  return appUrl;
}
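/**
 * Encrypts a token for transmission to the client.
 *
 * <p>Only tokens created by this codec can be encoded; any other {@link SecurityToken}
 * implementation is rejected rather than silently re-minted under this codec's key.
 *
 * @param token the token to encode; must be a BlobCrypterSecurityToken
 * @return the encrypted token string
 * @throws SecurityTokenException if {@code token} is not a BlobCrypterSecurityToken or
 *     encryption fails (the original BlobCrypterException is kept as the cause)
 */
public String encodeToken(SecurityToken token) throws SecurityTokenException {
  if (!(token instanceof BlobCrypterSecurityToken)) {
    // Message corrected: the type is "BlobCrypterSecurityToken", not "Blog...".
    throw new SecurityTokenException("Can only encode BlobCrypterSecurityTokens");
  }
  BlobCrypterSecurityToken blobToken = (BlobCrypterSecurityToken) token;
  try {
    return blobToken.encrypt();
  } catch (BlobCrypterException e) {
    throw new SecurityTokenException(e);
  }
}
}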
/**
 * Decrypts and verifies the provided security token.
 *
 * <p>The container name in front of the ":" selects the crypter (and so the key) used to
 * decrypt the blob, so a blob is only accepted by the container whose key it was wrapped with.
 * Decryption, verification and lifetime checking are delegated to
 * {@code BlobCrypterSecurityToken.decrypt}.
 *
 * @param tokenParameters request parameters; SECURITY_TOKEN_NAME carries the encoded token and
 *     ACTIVE_URL_NAME the URL it is being presented from
 * @return an {@link AnonymousSecurityToken} when no token is supplied, otherwise the decoded
 *     token
 * @throws SecurityTokenException if the token is malformed, names an unknown container, or
 *     is rejected by {@code decrypt}
 */
public SecurityToken createToken(Map<String, String> tokenParameters) throws SecurityTokenException {
  String rawToken = tokenParameters.get(SecurityTokenCodec.SECURITY_TOKEN_NAME);
  if (StringUtils.isBlank(rawToken)) {
    // No token is present, assume anonymous access
    return new AnonymousSecurityToken();
  }

  String[] parts = StringUtils.split(rawToken, ':');
  if (parts.length != 2) {
    throw new SecurityTokenException("Invalid security token " + rawToken);
  }
  String containerName = parts[0];
  String blob = parts[1];

  // Key selection happens here: no decryption is attempted for an unregistered container.
  BlobCrypter containerCrypter = crypters.get(containerName);
  if (containerCrypter == null) {
    throw new SecurityTokenException("Unknown container " + rawToken);
  }

  String containerDomain = domains.get(containerName);
  String activeUrl = tokenParameters.get(SecurityTokenCodec.ACTIVE_URL_NAME);

  try {
    return BlobCrypterSecurityToken.decrypt(
        containerCrypter, containerName, containerDomain, blob, activeUrl);
  } catch (BlobCrypterException e) {
    throw new SecurityTokenException(e);
  }
}
/**
 * A blob minted for "container" but re-labelled with another registered container ("example")
 * must fail signature verification under that container's key instead of being accepted.
 */
@Test
public void testWrongContainer() throws Exception {
  BlobCrypterSecurityToken minted = new BlobCrypterSecurityToken(
      getBlobCrypter(getContainerKey("container")), "container", null);
  minted.setAppUrl("http://www.example.com/gadget.xml");
  minted.setModuleId(12345L);
  minted.setOwnerId("owner");
  minted.setViewerId("viewer");
  minted.setTrustedJson("trusted");

  // Same blob, different (known) container name: the codec will pick the wrong key.
  String relabeled = minted.encrypt().replace("container:", "example:");

  try {
    codec.createToken(ImmutableMap.of(SecurityTokenCodec.SECURITY_TOKEN_NAME, relabeled));
    fail("should have tried to decrypt with wrong key");
  } catch (SecurityTokenException expected) {
    assertTrue(expected.getMessage(), expected.getMessage().contains("Invalid token signature"));
  }
}
/**
 * A token encrypted with no optional fields decrypts with all of them null, and reading
 * the active URL when none was supplied to decrypt() throws UnsupportedOperationException.
 */
@Test(expected = UnsupportedOperationException.class)
public void testNullValues() throws Exception {
  BlobCrypterSecurityToken minted = new BlobCrypterSecurityToken(crypter, CONTAINER, DOMAIN);
  String encrypted = minted.encrypt();
  assertTrue("should start with container: " + encrypted, encrypted.startsWith("container:"));
  String[] parts = StringUtils.split(encrypted, ':');

  BlobCrypterSecurityToken decoded =
      BlobCrypterSecurityToken.decrypt(crypter, CONTAINER, DOMAIN, parts[1], null);

  assertEquals(CONTAINER, decoded.getContainer());
  assertEquals(DOMAIN, decoded.getDomain());
  assertEquals(0, decoded.getModuleId());

  assertNull(decoded.getAppId(), decoded.getAppId());
  assertNull(decoded.getAppUrl(), decoded.getAppUrl());
  assertNull(decoded.getOwnerId(), decoded.getOwnerId());
  assertNull(decoded.getViewerId(), decoded.getViewerId());
  assertNull(decoded.getTrustedJson(), decoded.getTrustedJson());
  assertNull(decoded.getUpdatedToken(), decoded.getUpdatedToken());

  // No active URL was supplied, so this access is expected to throw.
  decoded.getActiveUrl();
}
/**
 * A blob wrapped with the key for "container" but re-labelled with another registered
 * container ("example") must fail signature verification under that container's key.
 */
@Test
public void testWrongContainer() throws Exception {
  Map<String, String> fields = new HashMap<String, String>();
  fields.put(Keys.APP_URL.getKey(), "http://www.example.com/gadget.xml");
  fields.put(Keys.MODULE_ID.getKey(), Long.toString(12345L, 10));
  fields.put(Keys.OWNER.getKey(), "owner");
  fields.put(Keys.VIEWER.getKey(), "viewer");
  fields.put(Keys.TRUSTED_JSON.getKey(), "trusted");
  BlobCrypterSecurityToken minted = new BlobCrypterSecurityToken("container", null, null, fields);

  BlobCrypter containerCrypter = getBlobCrypter(getContainerKey("container"));
  String wrapped = minted.getContainer() + ":" + containerCrypter.wrap(minted.toMap());

  // Same blob, different (known) container name: the codec will pick the wrong key.
  String relabeled = wrapped.replace("container:", "example:");

  try {
    codec.createToken(ImmutableMap.of(SecurityTokenCodec.SECURITY_TOKEN_NAME, relabeled));
    fail("should have tried to decrypt with wrong key");
  } catch (SecurityTokenException expected) {
    assertTrue(expected.getMessage(), expected.getMessage().contains("Invalid token signature"));
  }
}
/**
 * Advancing the clock one hour plus the allowed clock skew past minting makes decrypt()
 * reject the token with {@link BlobExpiredException}.
 */
@Test(expected = BlobExpiredException.class)
public void testExpired() throws Exception {
  BlobCrypterSecurityToken minted = new BlobCrypterSecurityToken(crypter, CONTAINER, DOMAIN);
  String encrypted = minted.encrypt();
  String[] parts = StringUtils.split(encrypted, ':');

  // One hour plus clock skew: the blob is now outside its permitted lifetime.
  timeSource.incrementSeconds(3600 + 181);

  // Must throw; the decoded token is intentionally discarded.
  BlobCrypterSecurityToken.decrypt(crypter, CONTAINER, DOMAIN, parts[1], "active");
}
}
/**
 * Copies the fields of an arbitrary {@link SecurityToken} into a new
 * BlobCrypterSecurityToken so it can be encoded by this codec.
 *
 * @param token the token to copy; must not be null
 * @return a new token carrying the same container, domain, active URL and field values
 */
public static BlobCrypterSecurityToken fromToken(SecurityToken token) {
  // The final constructor argument is the map of pre-decoded values; none here, the
  // fields are copied one by one below.
  BlobCrypterSecurityToken copy = new BlobCrypterSecurityToken(
      token.getContainer(), token.getDomain(), token.getActiveUrl(), null);

  copy.setAppId(token.getAppId());
  copy.setAppUrl(token.getAppUrl());
  copy.setExpiresAt(token.getExpiresAt());
  copy.setModuleId(token.getModuleId());
  copy.setOwnerId(token.getOwnerId());
  copy.setTrustedJson(token.getTrustedJson());
  copy.setViewerId(token.getViewerId());

  return copy;
}
}
/**
 * A token encoded with a mint time older than the container's time-to-live (plus clock skew)
 * must be rejected by createToken() with "Blob expired".
 */
@Test
public void testExpired() throws Exception {
  Map<String, String> fields = new HashMap<String, String>();
  fields.put(Keys.APP_URL.getKey(), "http://www.example.com/gadget.xml");
  fields.put(Keys.MODULE_ID.getKey(), Long.toString(12345L, 10));
  fields.put(Keys.OWNER.getKey(), "owner");
  fields.put(Keys.VIEWER.getKey(), "viewer");
  fields.put(Keys.TRUSTED_JSON.getKey(), "trusted");

  BlobCrypterSecurityToken stale = new BlobCrypterSecurityToken("container", null, null, fields);
  stale.setTimeSource(timeSource);

  // Wind the clock back by the container's TTL plus clock skew so the blob is minted in the
  // past and already outside its lifetime when it is decoded.
  long secondsBack = codec.getTokenTimeToLive("container") + 181;
  timeSource.incrementSeconds(-1 * secondsBack);
  String encrypted = codec.encodeToken(stale);

  try {
    codec.createToken(ImmutableMap.of(SecurityTokenCodec.SECURITY_TOKEN_NAME, encrypted));
    fail("should have expired");
  } catch (SecurityTokenException expected) {
    assertTrue(expected.getMessage(), expected.getMessage().contains("Blob expired"));
  }
}