use of org.opencastproject.urlsigning.common.ResourceRequest in project opencast by opencast.
the class ResourceRequestUtil method policyToResourceRequestQueryString.
/**
 * Serialise a signed {@link Policy} as a {@link ResourceRequest} query string.
 *
 * <p>The policy is Base64 encoded and a signature is computed for it with {@code encryptionKey}. Of the key
 * material, only {@code encryptionKeyId} is copied into the request; the key itself is handed to
 * {@link PolicyUtils#getPolicySignature} and nowhere else in this method.
 *
 * @param policy
 *          The {@link Policy} to encode and sign.
 * @param encryptionKeyId
 *          The id of the key, stored in the request alongside the policy and the signature.
 * @param encryptionKey
 *          The key used to compute the policy signature.
 * @return A query string created from the encoded policy, the key id and the signature.
 * @throws Exception
 *           Thrown if there is a problem encoding or signing the policy.
 */
public static String policyToResourceRequestQueryString(Policy policy, String encryptionKeyId, String encryptionKey)
        throws Exception {
  final String encodedPolicy = PolicyUtils.toBase64EncodedPolicy(policy);
  final String signature = PolicyUtils.getPolicySignature(policy, encryptionKey);

  final ResourceRequest signedRequest = new ResourceRequest();
  signedRequest.setEncodedPolicy(encodedPolicy);
  signedRequest.setEncryptionKeyId(encryptionKeyId);
  signedRequest.setSignature(signature);
  return resourceRequestToQueryString(signedRequest);
}
use of org.opencastproject.urlsigning.common.ResourceRequest in project opencast by opencast.
the class ResourceRequestUtil method createResourceRequest.
/**
 * Assemble a {@link ResourceRequest} from its three already-computed parts.
 *
 * <p>The values are stored as given; nothing is decoded, checked or verified here.
 *
 * @param encodedPolicy
 *          The Base64 encoded policy.
 * @param encryptionKeyId
 *          The id of the key that was used for the signature.
 * @param signature
 *          The signature of the policy, created with the key that belongs to {@code encryptionKeyId}.
 * @return A new {@link ResourceRequest} holding exactly these three values.
 */
public static ResourceRequest createResourceRequest(String encodedPolicy, String encryptionKeyId, String signature) {
  final ResourceRequest request = new ResourceRequest();
  request.setSignature(signature);
  request.setEncryptionKeyId(encryptionKeyId);
  request.setEncodedPolicy(encodedPolicy);
  return request;
}
use of org.opencastproject.urlsigning.common.ResourceRequest in project opencast by opencast.
the class UrlSigningFilterTest method testDeniedOnGone.
/**
 * A request whose verification result is {@code Status.Gone} must not be passed on to the filter chain.
 */
@Test
public void testDeniedOnGone() throws Exception {
  final String keyId = "theKey";
  final String signingKey = "ThisIsTheKey";
  final String url = "http://accepted.com";
  final String clientIp = "10.0.0.1";
  final DateTime validUntil = new DateTime(4749125399000L);

  final Policy policy = Policy.mkSimplePolicy(url, validUntil);
  final String queryString = ResourceRequestUtil.policyToResourceRequestQueryString(policy, keyId, signingKey);

  // The verifier is mocked, so the Gone status comes from this canned result and not from the policy dates.
  final ResourceRequest goneResult = new ResourceRequest();
  goneResult.setStatus(Status.Gone);
  final UrlSigningVerifier verifier = EasyMock.createMock(UrlSigningVerifier.class);
  EasyMock.expect(verifier.verify(queryString, clientIp, url, true)).andReturn(goneResult);
  EasyMock.replay(verifier);

  // Filter under test, wired to the mocked verifier.
  final UrlSigningFilter filter = new UrlSigningFilter();
  filter.updated(matchAllProperties);
  filter.setUrlSigningVerifier(verifier);

  // Incoming GET request that carries the signed query string.
  final HttpServletRequest request = EasyMock.createMock(HttpServletRequest.class);
  EasyMock.expect(request.getMethod()).andStubReturn("GET");
  EasyMock.expect(request.getRequestURL()).andStubReturn(new StringBuffer(url));
  EasyMock.expect(request.getQueryString()).andStubReturn(queryString);
  EasyMock.expect(request.getRemoteAddr()).andStubReturn(clientIp);
  EasyMock.replay(request);

  // NOTE(review): the response mock is never replayed or verified, so the status the filter writes to the
  // response is not asserted by this test; only "chain not invoked" is checked.
  final HttpServletResponse response = EasyMock.createMock(HttpServletResponse.class);

  // No expectations are recorded on the chain: any call to it fails the test.
  final FilterChain chain = EasyMock.createMock(FilterChain.class);
  EasyMock.replay(chain);

  filter.doFilter(request, response, chain);
  EasyMock.verify(chain);
}
use of org.opencastproject.urlsigning.common.ResourceRequest in project opencast by opencast.
the class ResourceRequestUtil method resourceRequestFromQueryString.
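/**
 * Verify a signed query string and report the outcome as a {@link ResourceRequest}.
 *
 * <p>The checks run in the order below and the first one that fails decides the result:
 * <ol>
 * <li>the query parameters can be read into the request (delegated to {@code getQueryStringParameters}),</li>
 * <li>a key is configured for the key id in the request, otherwise {@code Forbidden},</li>
 * <li>the signature matches the policy, otherwise {@code Forbidden},</li>
 * <li>the client IP equals the one in the policy, if the policy names one, otherwise {@code Forbidden},</li>
 * <li>the requested resource matches the policy resource (see {@code strict}), otherwise {@code Forbidden},</li>
 * <li>the current UTC time is not after {@code validUntil} and, if set, not before {@code validFrom},
 * otherwise {@code Gone}.</li>
 * </ol>
 * The policy is decoded from the query string before its signature is checked, so everything read from it up to
 * that check is unauthenticated input.
 *
 * @param queryString
 *          The query string for this request to determine its validity.
 * @param clientIp
 *          The IP of the client requesting the resource.
 * @param resourceUri
 *          The base uri for the resource.
 * @param encryptionKeys
 *          The available encryption key ids and their keys.
 * @param strict
 *          If false it will only compare the path to the resource instead of the entire URL including scheme,
 *          hostname, port etc.
 * @return The {@link ResourceRequest} with its status set and, on rejection, a rejection reason.
 */
public static ResourceRequest resourceRequestFromQueryString(String queryString, String clientIp, String resourceUri, Properties encryptionKeys, boolean strict) {
  ResourceRequest resourceRequest = new ResourceRequest();
  List<NameValuePair> queryParameters = parseQueryString(queryString);
  // presumably getQueryStringParameters records status and reason itself when it returns false; confirm
  if (!getQueryStringParameters(resourceRequest, queryParameters)) {
    return resourceRequest;
  }
  // Get the encryption key by its id.
  String encryptionKey = encryptionKeys.getProperty(resourceRequest.getEncryptionKeyId());
  if (StringUtils.isBlank(encryptionKey)) {
    resourceRequest.setStatus(Status.Forbidden);
    resourceRequest.setRejectionReason(String.format("Forbidden because unable to find an encryption key with ID '%s'.", resourceRequest.getEncryptionKeyId()));
    return resourceRequest;
  }
  // Get Policy
  Policy policy = PolicyUtils.fromBase64EncodedPolicy(resourceRequest.getEncodedPolicy());
  resourceRequest.setPolicy(policy);
  // If the signature doesn't match the policy return a Forbidden 403.
  if (!policyMatchesSignature(policy, resourceRequest.getSignature(), encryptionKey)) {
    resourceRequest.setStatus(Status.Forbidden);
    try {
      // NOTE(review): this reason contains the signature computed with the server-side key for the policy the
      // client submitted. It must stay in server-side logs and never be written to the HTTP response; confirm how
      // callers use getRejectionReason(), or drop the computed signature from the message.
      String policySignature = PolicyUtils.getPolicySignature(policy, encryptionKey);
      resourceRequest.setRejectionReason(String.format("Forbidden because policy and signature do not match. Policy: '%s' created Signature from this policy '%s' and query string Signature: '%s'.", PolicyUtils.toJson(resourceRequest.getPolicy()).toJSONString(), policySignature, resourceRequest.getSignature()));
    } catch (Exception e) {
      // NOTE(review): a full stack trace ends up in the rejection reason; same exposure question as above.
      resourceRequest.setRejectionReason(String.format("Forbidden because policy and signature do not match. Policy: '%s' and query string Signature: '%s'. Unable to sign policy because: %s", PolicyUtils.toJson(resourceRequest.getPolicy()).toJSONString(), resourceRequest.getSignature(), ExceptionUtils.getStackTrace(e)));
    }
    return resourceRequest;
  }
  // If the IP address is specified, check it against the requestor's ip, if it doesn't match return a Forbidden 403.
  if (policy.getClientIpAddress().isPresent() && !policy.getClientIpAddress().get().getHostAddress().equalsIgnoreCase(clientIp)) {
    resourceRequest.setStatus(Status.Forbidden);
    resourceRequest.setRejectionReason(String.format("Forbidden because client trying to access the resource '%s' doesn't match the policy client '%s'", clientIp, resourceRequest.getPolicy().getClientIpAddress()));
    return resourceRequest;
  }
  // If the resource value in the policy doesn't match the requested resource return a Forbidden 403.
  if (strict && !policy.getResource().equals(resourceUri)) {
    resourceRequest.setStatus(Status.Forbidden);
    resourceRequest.setRejectionReason(String.format("Forbidden because resource trying to be accessed '%s' doesn't match policy resource '%s'", resourceUri, resourceRequest.getPolicy().getBaseUrl()));
    return resourceRequest;
  } else if (!strict) {
    try {
      String requestedPath = new URI(resourceUri).getPath();
      String policyPath = new URI(policy.getResource()).getPath();
      // URI.getPath() returns null for opaque URIs; reject those instead of failing with a NullPointerException.
      // NOTE(review): endsWith is a suffix comparison, so any request path that is merely a tail of the policy
      // path (an empty path included) is accepted. Consider requiring the match to begin at a '/' boundary.
      if (requestedPath == null || policyPath == null || !policyPath.endsWith(requestedPath)) {
        resourceRequest.setStatus(Status.Forbidden);
        resourceRequest.setRejectionReason(String.format("Forbidden because resource trying to be accessed '%s' doesn't match policy resource '%s'", resourceUri, resourceRequest.getPolicy().getBaseUrl()));
        return resourceRequest;
      }
    } catch (URISyntaxException e) {
      resourceRequest.setStatus(Status.Forbidden);
      resourceRequest.setRejectionReason(String.format("Forbidden because either the policy or requested URI cannot be parsed. Policy Path: '%s' and Request Path: '%s'. Unable to sign policy because: %s", policy.getResource(), resourceUri, ExceptionUtils.getStackTrace(e)));
      return resourceRequest;
    }
  }
  // One timestamp for both validity checks, so the comparison and the message always show the same instant.
  DateTime now = new DateTime(DateTimeZone.UTC);
  // If the policy has expired return a Gone value of 410.
  if (now.isAfter(policy.getValidUntil().getMillis())) {
    resourceRequest.setStatus(Status.Gone);
    resourceRequest.setRejectionReason(String.format("The resource is gone because now '%s' is after the expiry time of '%s'", humanReadableFormat.print(now), humanReadableFormat.print(new DateTime(policy.getValidUntil().getMillis(), DateTimeZone.UTC))));
    return resourceRequest;
  }
  // If the policy is not valid yet, the status is Gone as well.
  if (policy.getValidFrom().isPresent() && now.isBefore(policy.getValidFrom().get().getMillis())) {
    resourceRequest.setStatus(Status.Gone);
    // The format string used to lack the second placeholder, so the available time was never printed.
    resourceRequest.setRejectionReason(String.format("The resource is gone because now '%s' is before the available time of '%s'", humanReadableFormat.print(now), humanReadableFormat.print(policy.getValidFrom().get())));
    return resourceRequest;
  }
  // If all of the above conditions pass, then allow the video to be played.
  resourceRequest.setStatus(Status.Ok);
  return resourceRequest;
}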
use of org.opencastproject.urlsigning.common.ResourceRequest in project opencast by opencast.
the class UrlSigningVerifierImplTest method testVerifiesWithSigningProviders.
/**
 * Runs one signed query string against verifiers with different key configurations: the result is
 * {@code Ok} only when the key id from the request is configured together with the key that signed the policy.
 */
@Test
public void testVerifiesWithSigningProviders() throws Exception {
  final String keyId = "theKeyId";
  final String key = "TheKeyIsThis";
  final DateTime future = new DateTime(4749125399000L);
  final Policy policy = Policy.mkSimplePolicy(URL, future);
  final String queryString = ResourceRequestUtil.policyToResourceRequestQueryString(policy, keyId, key);

  // Test with no configured keys
  UrlSigningVerifierImpl verifier = new UrlSigningVerifierImpl();
  ResourceRequest outcome = verifier.verify(queryString, CLIENT_IP, URL, true);
  assertEquals(Status.Forbidden, outcome.getStatus());

  // Test no matching key
  Properties config = new Properties();
  config.put(UrlSigningVerifierImpl.ID_PREFIX + ".1", "otherKey");
  config.put(UrlSigningVerifierImpl.KEY_PREFIX + ".1", "ThisIsTheOtherKey");
  verifier = new UrlSigningVerifierImpl();
  verifier.updated(config);
  outcome = verifier.verify(queryString, CLIENT_IP, URL, true);
  assertEquals(Status.Forbidden, outcome.getStatus());

  // Test only matching keys
  config = new Properties();
  config.put(UrlSigningVerifierImpl.ID_PREFIX + ".1", keyId);
  config.put(UrlSigningVerifierImpl.KEY_PREFIX + ".1", key);
  verifier = new UrlSigningVerifierImpl();
  verifier.updated(config);
  outcome = verifier.verify(queryString, CLIENT_IP, URL, true);
  assertEquals(Status.Ok, outcome.getStatus());

  // Test matching and non-matching keys
  config = new Properties();
  config.put(UrlSigningVerifierImpl.ID_PREFIX + ".1", "otherKey");
  config.put(UrlSigningVerifierImpl.KEY_PREFIX + ".1", "ThisIsTheOtherKey");
  config.put(UrlSigningVerifierImpl.ID_PREFIX + ".2", keyId);
  config.put(UrlSigningVerifierImpl.KEY_PREFIX + ".2", key);
  verifier = new UrlSigningVerifierImpl();
  verifier.updated(config);
  outcome = verifier.verify(queryString, CLIENT_IP, URL, true);
  assertEquals(Status.Ok, outcome.getStatus());

  // Test correct key id and wrong key: knowing the id alone must not be enough
  config = new Properties();
  config.put(UrlSigningVerifierImpl.ID_PREFIX + ".1", "otherKey");
  config.put(UrlSigningVerifierImpl.KEY_PREFIX + ".1", "ThisIsTheOtherKey");
  config.put(UrlSigningVerifierImpl.ID_PREFIX + ".2", keyId);
  config.put(UrlSigningVerifierImpl.KEY_PREFIX + ".2", "The Wrong Key");
  verifier = new UrlSigningVerifierImpl();
  verifier.updated(config);
  outcome = verifier.verify(queryString, CLIENT_IP, URL, true);
  assertEquals(Status.Forbidden, outcome.getStatus());
}