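/*
 * Copyright (c) 2002-2021, City of Paris
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *  1. Redistributions of source code must retain the above copyright notice
 *     and the following disclaimer.
 *
 *  2. Redistributions in binary form must reproduce the above copyright notice
 *     and the following disclaimer in the documentation and/or other materials
 *     provided with the distribution.
 *
 *  3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
 *     contributors may be used to endorse or promote products derived from
 *     this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * License 1.0
 */
package fr.paris.lutece.util.signrequest;

import java.util.Date;
import java.util.List;

import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

import fr.paris.lutece.util.signrequest.security.HashService;

/**
 * Base class for {@link RequestAuthenticator} implementations that sign a request by hashing a list of elements together with a secret and a timestamp.
 * <p>
 * It holds the configuration shared by subclasses (signature element names, hash service, timestamp validity period) and provides the signature computation
 * and the timestamp freshness check.
 */
public abstract class AbstractAuthenticator implements RequestAuthenticator
{
    protected static final Logger LOGGER = LogManager.getLogger( "lutece.security.signrequest" );
    private static final long MILLISECONDS_PER_SECOND = 1000L;

    // Upper bound on how much of a rejected timestamp is copied into the log
    private static final int MAX_LOGGED_TIMESTAMP_LENGTH = 64;

    // NOTE(review): this field is static but assigned through the instance setter setHashService, so every authenticator in the
    // JVM uses the HashService that was configured last. Confirm this sharing is intended before configuring two different
    // hash services.
    private static HashService _serviceHash;
    private List<String> _listSignatureElements;
    protected long _lValidityTimePeriod;

    /**
     * Sets the list of signature elements. The list is stored by reference, not copied.
     *
     * @param list
     *            The list
     */
    public void setSignatureElements( List<String> list )
    {
        _listSignatureElements = list;
    }

    /**
     * Returns the list of signature elements
     *
     * @return The list of elements, or null if none has been set
     */
    protected List<String> getSignatureElements( )
    {
        return _listSignatureElements;
    }

    /**
     * Sets the Hash service. The service is kept in a static field and therefore applies to all authenticator instances.
     *
     * @param service
     *            The Hash service
     */
    public void setHashService( HashService service )
    {
        _serviceHash = service;
    }

    /**
     * Sets validity time period (in seconds) between the timestamp in the request and the server timestamp. A value of 0 disables the timestamp check
     * entirely, which removes the freshness guarantee on signed requests.
     *
     * @param lPeriod
     *            The validity time period
     */
    public void setValidityTimePeriod( long lPeriod )
    {
        _lValidityTimePeriod = lPeriod;
    }

    /**
     * Get validity time period (in seconds) between the timestamp in the request and the server timestamp
     *
     * @return the validity time period
     */
    public long getValidityTimePeriod( )
    {
        return _lValidityTimePeriod;
    }

    /**
     * Create a signature by hashing the concatenation of the elements, the secret and the timestamp, in that order.
     * <p>
     * The elements are concatenated without any separator, so different element lists can produce the same signed string (for instance "ab","c" and
     * "a","bc"). A null element, secret or timestamp is appended as the literal text "null". The construction is a plain hash over a string that
     * contains the secret, not a keyed MAC; its strength depends on the configured HashService, which is not visible in this file. The format is left
     * unchanged here because both sides of the exchange must compute the same value.
     * <p>
     * Callers that compare the result with a signature received in a request should use a constant-time comparison such as
     * {@link java.security.MessageDigest#isEqual(byte[], byte[])}.
     *
     * @param listElements
     *            The list of elements that are part of the hash, may be null
     * @param strTimestamp
     *            The timestamp
     * @param strSecret
     *            The secret
     * @return A signature as returned by the Hash service (documented upstream as a hexadecimal hash)
     * @throws NullPointerException
     *             if no Hash service has been set
     */
    public String buildSignature( List<String> listElements, String strTimestamp, String strSecret )
    {
        StringBuilder sbSignature = new StringBuilder( );

        if ( listElements != null )
        {
            for ( String strElement : listElements )
            {
                sbSignature.append( strElement );
            }
        }

        sbSignature.append( strSecret ).append( strTimestamp );

        return _serviceHash.getHash( sbSignature.toString( ) );
    }

    /**
     * This method checks the date of the request against the server clock.
     * <p>
     * The timestamp is expected in milliseconds since the epoch. It is accepted only when its distance from the server time, in whole seconds, is
     * strictly smaller than the validity period, in either direction. Timestamps ahead of the server clock are bounded too: without that bound a
     * signed request carrying a far-future timestamp would stay acceptable, and so replayable, until that date is reached. A negative validity
     * period rejects every timestamp.
     *
     * @param strTimestamp
     *            The timestamp
     * @return true if the timestamp is valid or if the validity period is 0 (check disabled), otherwise false
     */
    protected boolean isValidTimestamp( String strTimestamp )
    {
        if ( _lValidityTimePeriod == 0L )
        {
            // Period = 0 no check
            return true;
        }

        long lAgeSeconds;

        try
        {
            long lTimeRequest = Long.parseLong( strTimestamp );
            long lTimeCurrent = new Date( ).getTime( );

            // subtractExact : an extreme value must not wrap around and look like a recent timestamp
            lAgeSeconds = Math.subtractExact( lTimeCurrent, lTimeRequest ) / MILLISECONDS_PER_SECOND;
        }
        catch( NumberFormatException | ArithmeticException e )
        {
            // Invalid Timestamp
            LOGGER.error( "SignRequest - Invalid timestamp : {}", neutralizeForLog( strTimestamp ) );

            return false;
        }

        if ( lAgeSeconds >= _lValidityTimePeriod )
        {
            LOGGER.info( "SignRequest - Timestamp expired : {}", neutralizeForLog( strTimestamp ) );

            return false;
        }

        // lAgeSeconds is the result of a division by 1000, so it cannot be Long.MIN_VALUE and the negation is safe
        if ( -lAgeSeconds >= _lValidityTimePeriod )
        {
            LOGGER.info( "SignRequest - Timestamp too far in the future : {}", neutralizeForLog( strTimestamp ) );

            return false;
        }

        return true;
    }

    /**
     * Makes a request-supplied value safe to write on a single log line : control characters (including CR and LF) are replaced and the value is
     * truncated, so that a crafted timestamp cannot forge extra log entries or flood the log.
     *
     * @param strValue
     *            The value taken from the request, may be null
     * @return The neutralized value
     */
    private static String neutralizeForLog( String strValue )
    {
        if ( strValue == null )
        {
            return "null";
        }

        int nLength = Math.min( strValue.length( ), MAX_LOGGED_TIMESTAMP_LENGTH );
        StringBuilder sbClean = new StringBuilder( nLength );

        for ( int i = 0; i < nLength; i++ )
        {
            char c = strValue.charAt( i );
            sbClean.append( Character.isISOControl( c ) ? '_' : c );
        }

        if ( strValue.length( ) > nLength )
        {
            sbClean.append( "..." );
        }

        return sbClean.toString( );
    }
}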