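/*
 * Copyright (c) 2002-2022, City of Paris
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright notice
 * and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright notice
 * and the following disclaimer in the documentation and/or other materials
 * provided with the distribution.
 *
 * 3. Neither the name of 'Mairie de Paris' nor 'Lutece' nor the names of its
 * contributors may be used to endorse or promote products derived from
 * this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE
 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * License 1.0
 */
package fr.paris.lutece.plugins.dansmarue.modules.rest.service;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Objects;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang.StringUtils;

import fr.paris.lutece.plugins.dansmarue.modules.rest.util.constants.SiraRestConstants;
import fr.paris.lutece.portal.service.util.AppPropertiesService;
import fr.paris.lutece.util.signrequest.security.Sha1HashService;

/**
 * Verifies the signature carried by REST requests of the module.
 * <p>
 * The expected signature is the hash, computed by the injected {@link Sha1HashService}, of the shared key read from
 * {@code SiraRestConstants.PROPERTY_PRIVATE_KEY_ANDROID_API} followed by the request body. The client is expected to
 * send the same value in the header named by {@code SiraRestConstants.HEADER_X_APP_REQUEST_SIGNATURE}.
 * <p>
 * Signature checking is only enforced when {@code SiraRestConstants.PROPERTY_ACTIVATION_SIGNREQUEST} is set to 1;
 * with any other value (the default is 0, i.e. the property is absent) every request is accepted.
 */
public class SiraRequestService
{

    /** The SHA-1 hash service used to compute signatures; must be injected through {@link #setSha1HashService}. */
    private static Sha1HashService _sha1HashService;

    /**
     * Sets the hash service used to compute request signatures.
     *
     * @param sha1HashService
     *            the service
     */
    public static void setSha1HashService( Sha1HashService sha1HashService )
    {
        _sha1HashService = sha1HashService;
    }

    /**
     * Check if Request is authenticated.
     * <p>
     * When signature checking is disabled by configuration (see class documentation) this method returns {@code true}
     * without inspecting the request. When it is enabled, a missing or blank signature header is rejected, and an
     * existing header is compared in constant time against the signature recomputed by
     * {@link #buildSignature(HttpServletRequest, String)}.
     *
     * @param request
     *            the request
     * @param strJSONStream
     *            the json stream (request body), may be {@code null} or blank
     * @return true if request is authenticated
     */
    public boolean isRequestAuthenticated( HttpServletRequest request, String strJSONStream )
    {
        int nSignRequestActived = AppPropertiesService.getPropertyInt( SiraRestConstants.PROPERTY_ACTIVATION_SIGNREQUEST, 0 );

        if ( nSignRequestActived != 1 )
        {
            // Signature checking is switched off (or the property is missing): accept by design.
            return true;
        }

        String strProvidedHash = request.getHeader( SiraRestConstants.HEADER_X_APP_REQUEST_SIGNATURE );

        // no signature
        if ( StringUtils.isBlank( strProvidedHash ) )
        {
            return false;
        }

        String strExpectedHash = buildSignature( request, strJSONStream );

        // Mirrors the former String.equals( null ) outcome should the hash service yield nothing.
        if ( strExpectedHash == null )
        {
            return false;
        }

        // Constant-time comparison: String.equals stops at the first differing character, so the time taken
        // would otherwise depend on how much of the expected signature the supplied value matches.
        return MessageDigest.isEqual( strProvidedHash.getBytes( StandardCharsets.UTF_8 ), strExpectedHash.getBytes( StandardCharsets.UTF_8 ) );
    }

    /**
     * Create a signature.
     * <p>
     * The signed material is the value of {@code SiraRestConstants.PROPERTY_PRIVATE_KEY_ANDROID_API} followed by
     * {@code strJSONStream} when the latter is not blank. Note that {@code StringBuilder.append( String )} writes the
     * literal text {@code "null"} when the property is unset, so a missing key does not fail here; it should be
     * detected at deployment. This is a prefix-keyed plain hash, not an HMAC, and the scheme relies entirely on the key
     * staying secret on both sides.
     *
     * @param request
     *            The http request (currently not used in the signed material; kept for API compatibility)
     * @param strJSONStream
     *            the json stream
     * @return A signature as an Hexadecimal Hash
     * @throws NullPointerException
     *             if no {@link Sha1HashService} has been injected
     */
    public String buildSignature( HttpServletRequest request, String strJSONStream )
    {
        Sha1HashService hashService = Objects.requireNonNull( _sha1HashService,
                "Sha1HashService is not set: call SiraRequestService.setSha1HashService( ) first" );

        StringBuilder sb = new StringBuilder( );
        sb.append( AppPropertiesService.getProperty( SiraRestConstants.PROPERTY_PRIVATE_KEY_ANDROID_API ) );

        if ( StringUtils.isNotBlank( strJSONStream ) )
        {
            sb.append( strJSONStream );
        }

        return hashService.getHash( sb.toString( ) );
    }
}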