Examples with TokenKeysBundle com.emc.storageos.security.authentication.TokenKeyGenerator.TokenKeysBundle used on opensource projects

Example 6 with TokenKeysBundle

use of com.emc.storageos.security.authentication.TokenKeyGenerator.TokenKeysBundle in project coprhd-controller by CoprHD.

the class InterVDCTokenCacheHelper method getForeignSecretKey.

/**
 * Reads local cache to find the key for the passed in vdcid. If not found in cache,
 * causes a re-read from ZK and updates the cache.
 *
 * @param vdcID
 * @param keyId
 * @return
 */
public SecretKey getForeignSecretKey(String vdcID, String keyId) {
    SecretKey toReturn = null;
    // try to get the bundle from cached map
    TokenKeysBundle bundle = foreignTokenKeysMap.get(vdcID);
    if (bundle != null) {
        toReturn = bundle.getKey(keyId);
    }
    // still nothing, try to reread from zk.
    if (toReturn == null) {
        try {
            bundle = readTokenKeysBundle(vdcID);
        } catch (Exception e) {
            log.error("Exception while reading foreign key bundle for vdcid {}", vdcID);
        }
        if (bundle != null) {
            toReturn = bundle.getKey(keyId);
        }
    }
    return toReturn;
}

Example 7 with TokenKeysBundle

use of com.emc.storageos.security.authentication.TokenKeyGenerator.TokenKeysBundle in project coprhd-controller by CoprHD.

the class InterVDCTokenCacheHelper method readTokenKeysBundle.

/**
 * Reads from zk to get a TokenKeyBundle for the passed in vdc id.
 * Updates the local cache map if found.
 *
 * @param vdcID
 * @return
 * @throws Exception
 */
private TokenKeysBundle readTokenKeysBundle(String vdcID) throws Exception {
    Configuration config = coordinator.queryConfiguration(FOREIGN_TOKEN_KEYS_BUNDLE_CONFIG, FOREIGN_TOKEN_KEYS_BUNDLE_KEYID);
    if (config == null || config.getConfig(vdcID) == null) {
        log.info("Foreign token keys bundle not found for vdcid {}", vdcID);
        return null;
    }
    String serializedBundle = config.getConfig(vdcID);
    log.debug("Got foreign token keys bundle from coordinator: {}", vdcID);
    TokenKeysBundle bundle = (TokenKeysBundle) SerializerUtils.deserialize(serializedBundle);
    foreignTokenKeysMap.put(vdcID, bundle);
    return bundle;
}

Example 8 with TokenKeysBundle

use of com.emc.storageos.security.authentication.TokenKeyGenerator.TokenKeysBundle in project coprhd-controller by CoprHD.

the class TokenResponseBuilder method parseTokenResponse.

/**
 * Creates a TokenResponseArtifacts holder for items retrieved in a TokenResponse.
 * Today, Token and StorageOSUserDAO objects
 *
 * @param response
 * @return
 */
public static TokenResponseArtifacts parseTokenResponse(TokenResponse response) {
    String userEncoded = response.getUserDAO();
    String tokenEncoded = response.getToken();
    String tokenKeysBundleEncoded = response.getTokenKeysBundle();
    StorageOSUserDAO user = null;
    Token token = null;
    TokenKeysBundle tokenKeysBundle = null;
    if (StringUtils.isNotBlank(userEncoded)) {
        try {
            user = (StorageOSUserDAO) SerializerUtils.deserialize(userEncoded);
        } catch (UnsupportedEncodingException e) {
            log.error("Could not decode user: ", e);
        } catch (Exception e) {
            log.error("Could not deserialize user: ", e);
        }
    }
    if (StringUtils.isNotBlank(tokenEncoded)) {
        try {
            token = (Token) SerializerUtils.deserialize(tokenEncoded);
        } catch (UnsupportedEncodingException e) {
            log.error("Could not decode token: ", e);
        } catch (Exception e) {
            log.error("Could not deserialize token: ", e);
        }
    }
    if (StringUtils.isNotBlank(tokenKeysBundleEncoded)) {
        try {
            tokenKeysBundle = (TokenKeysBundle) SerializerUtils.deserialize(tokenKeysBundleEncoded);
        } catch (UnsupportedEncodingException e) {
            log.error("Could not decode token keys bundle: ", e);
        } catch (Exception e) {
            log.error("Could not deserialize token keys bundle: ", e);
        }
    }
    return new TokenResponseBuilder.TokenResponseArtifacts(user, token, tokenKeysBundle);
}

Example 9 with TokenKeysBundle

use of com.emc.storageos.security.authentication.TokenKeyGenerator.TokenKeysBundle in project coprhd-controller by CoprHD.

the class Base64TokenEncoder method getForeignKey.

/**
 * Attempts to get a secret key from the provided tokenonwire.
 * First attempts from cache, then makes a call to originator vdc if not
 * found in cache.
 *
 * @param tw
 * @param encodedToken
 * @return
 */
private SecretKey getForeignKey(TokenOnWire tw, String encodedToken) {
    String vdcId = URIUtil.parseVdcIdFromURI(tw.getTokenId());
    _log.info("Token received from another VDC: {}.  Looking in cache for keys", vdcId);
    SecretKey foreignKey = interVDCTokenCacheHelper.getForeignSecretKey(vdcId, tw.getEncryptionKeyId());
    if (foreignKey == null) {
        TokenKeysBundle bundle = interVDCTokenCacheHelper.getTokenKeysBundle(vdcId);
        try {
            // check if the requested key id falls within reasonable range
            if (bundle != null && !interVDCTokenCacheHelper.sanitizeRequestedKeyIds(bundle, tw.getEncryptionKeyId())) {
                return null;
            }
            TokenResponse response = geoClientCacheMgt.getGeoClient(vdcId).getToken(encodedToken, bundle == null ? "0" : bundle.getKeyEntries().get(0), bundle == null ? "0" : bundle.getKeyEntries().size() == 2 ? bundle.getKeyEntries().get(1) : null);
            if (response != null) {
                TokenResponseArtifacts artifacts = TokenResponseBuilder.parseTokenResponse(response);
                interVDCTokenCacheHelper.cacheForeignTokenAndKeys(artifacts, vdcId);
                return interVDCTokenCacheHelper.getForeignSecretKey(vdcId, tw.getEncryptionKeyId());
            } else {
                _log.error("Null response from getForeignToken call.  It's possible remote vdc is not reachable.");
            }
        } catch (Exception e) {
            _log.error("Could not validate foreign token ", e);
        }
    } else {
        _log.info("Key found in cache");
    }
    return foreignKey;
}

Example 10 with TokenKeysBundle

use of com.emc.storageos.security.authentication.TokenKeyGenerator.TokenKeysBundle in project coprhd-controller by CoprHD.

the class TokenService method getToken.

/**
 * Retrieves Token and UserDAO records from a passed in auth token (header)
 * TokenKeysRequest can also contain key ids to look at. If they don't match the local
 * TokenKeysBundle, send the updated bundle in the response
 *
 * @param httpRequest
 * @return TokenResponse with token and userDAO records populated.
 */
@POST
@Consumes(MediaType.APPLICATION_XML)
@Produces(MediaType.APPLICATION_XML)
public TokenResponse getToken(@Context HttpServletRequest httpRequest, TokenKeysRequest req) {
    String rawToken = httpRequest.getHeader(RequestProcessingUtils.AUTH_TOKEN_HEADER);
    String firstKey = req.getFirstKeyId();
    String secondKey = req.getSecondKeyId();
    Token token = null;
    StorageOSUserDAO user = null;
    TokenKeysBundle updatedBundle = null;
    // validate token if provided
    if (StringUtils.isNotBlank(rawToken)) {
        token = (Token) tokenValidator.verifyToken(rawToken);
        if (token != null) {
            user = tokenValidator.resolveUser(token);
        }
        if (user == null || token == null) {
            throw APIException.unauthorized.noTokenFoundForUserFromForeignVDC();
        }
        if (user.getIsLocal()) {
            throw APIException.forbidden.localUsersNotAllowedForSingleSignOn(user.getUserName());
        }
    }
    // not has been a rotation yet.
    if (StringUtils.isNotBlank(firstKey)) {
        try {
            updatedBundle = tokenKeyGenerator.readBundle();
        } catch (Exception ex) {
            log.error("Could not look at local token keys bundle");
        }
        if (updatedBundle != null) {
            // if we found a bundle
            log.debug("Read the local key bundle");
            // look at its key ids
            List<String> keyIds = updatedBundle.getKeyEntries();
            if ((firstKey.equals(keyIds.get(0)) && secondKey == null && keyIds.size() == 1) || (firstKey.equals(keyIds.get(0)) && secondKey != null && secondKey.equals(keyIds.get(1)))) {
                log.info("Key id match.  Not returning a bundle");
                // if they both match what was passed in, make the bundle null and
                // return that. Caller has updated keys and does not need them.
                updatedBundle = null;
            } else {
                log.info("Key ids do not match.  Returning updated bundle");
            }
        }
    }
    if (token != null) {
        tokenMapHelper.addOrRemoveRequestingVDC(Operation.ADD_VDC, token.getId().toString(), req.getRequestingVDC());
        // update idle time on original token. Since it is being borrowed by another vdc,
        // it just got accessed.
        token.setLastAccessTime(CassandraTokenValidator.getCurrentTimeInMins());
        try {
            dbClient.persistObject(token);
        } catch (DatabaseException ex) {
            log.error("failed updating last access time for borrowed token {}", token.getId());
        }
    }
    return TokenResponseBuilder.buildTokenResponse(token, user, updatedBundle);
}