diff --git a/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala b/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala index 16ebcc64d..f8d641180 100644 --- a/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala +++ b/content-api/content-actors/src/main/scala/org/sunbird/content/actors/ContentActor.scala @@ -5,13 +5,15 @@ import java.util.concurrent.CompletionException import java.io.File import org.apache.commons.io.FilenameUtils import javax.inject.Inject +import org.apache.commons.lang3.ObjectUtils import org.apache.commons.lang3.StringUtils +import org.apache.commons.collections4.{CollectionUtils, MapUtils} import org.sunbird.`object`.importer.{ImportConfig, ImportManager} import org.sunbird.actor.core.BaseActor import org.sunbird.cache.impl.RedisCache import org.sunbird.content.util.{AcceptFlagManager, ContentConstants, CopyManager, DiscardManager, FlagManager, RetireManager} import org.sunbird.cloudstore.StorageService -import org.sunbird.common.{ContentParams, Platform, Slug} +import org.sunbird.common.{ContentParams, JsonUtils, Platform, Slug} import org.sunbird.common.dto.{Request, Response, ResponseHandler} import org.sunbird.common.exception.ClientException import org.sunbird.content.dial.DIALManager @@ -73,19 +75,35 @@ class ContentActor @Inject() (implicit oec: OntologyEngineContext, ss: StorageSe DataNode.read(request).map(node => { val metadata: util.Map[String, AnyRef] = NodeUtil.serialize(node, fields, node.getObjectType.toLowerCase.replace("image", ""), request.getContext.get("version").asInstanceOf[String]) metadata.put("identifier", node.getIdentifier.replace(".img", "")) - val response: Response = ResponseHandler.OK - if (responseSchemaName.isEmpty) { - response.put("content", metadata) - } - else { - response.put(responseSchemaName, metadata) - } - if(!StringUtils.equalsIgnoreCase(metadata.get("visibility").asInstanceOf[String],"Private")) { - response - } - else { + if (StringUtils.equalsIgnoreCase(metadata.get("visibility").asInstanceOf[String],"Private")) { throw new ClientException("ERR_ACCESS_DENIED", "content visibility is private, hence access denied") } + var sa = metadata.get("secureSettings") + var securityAttribute : util.Map[String, AnyRef] = new util.HashMap[String, AnyRef] + if(sa.isInstanceOf[String]) { + securityAttribute = JsonUtils.deserialize(sa.asInstanceOf[String], classOf[java.util.Map[String, AnyRef]]) + metadata.put("secureSettings", securityAttribute) + } else if (sa.isInstanceOf[util.Map[String, AnyRef]]) { + securityAttribute = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]] + } + //var securityAttribute : util.Map[String, AnyRef] = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]] + if (MapUtils.isNotEmpty(securityAttribute)) { + var orgList : util.ArrayList[String] = securityAttribute.getOrDefault("organisation", new util.ArrayList[String]).asInstanceOf[util.ArrayList[String]] + if (!CollectionUtils.isEmpty(orgList)) { + //Content should be read by unique org users only. + var userChannelId : String = request.getRequest.getOrDefault("x-user-channel-id", "").asInstanceOf[String] + if (!orgList.contains(userChannelId)) { + throw new ClientException("ERR_ACCESS_DENIED", "User is not allowed to read this content.") + } + } + } + val response: Response = ResponseHandler.OK + if (responseSchemaName.isEmpty) { + response.put("content", metadata) + } else { + response.put(responseSchemaName, metadata) + } + response }) } diff --git a/content-api/content-service/app/controllers/BaseController.scala b/content-api/content-service/app/controllers/BaseController.scala index 3b7125e19..f915e9240 100644 --- a/content-api/content-service/app/controllers/BaseController.scala +++ b/content-api/content-service/app/controllers/BaseController.scala @@ -209,4 +209,19 @@ abstract class BaseController(protected val cc: ControllerComponents)(implicit e Future(BadRequest(JavaJsonUtils.serialize(result)).as("application/json")) } + def commonReadHeaders(ignoreHeaders: Option[List[String]] = Option(List()))(implicit request: Request[AnyContent]): java.util.Map[String, Object] = { + val customHeaders = Map("x-authenticated-user-orgid" -> "x-user-channel-id", "x-channel-id" -> "channel", "X-Consumer-ID" -> "consumerId", "X-App-Id" -> "appId").filterKeys(key => !ignoreHeaders.getOrElse(List()).contains(key)) + customHeaders.map(ch => { + val value = request.headers.get(ch._1) + if (value.isDefined && !value.isEmpty) { + collection.mutable.HashMap[String, Object](ch._2 -> value.get).asJava + } else { + collection.mutable.HashMap[String, Object]().asJava + } + }).reduce((a, b) => { + a.putAll(b) + return a + }) + } + } diff --git a/content-api/content-service/app/controllers/v3/ContentController.scala b/content-api/content-service/app/controllers/v3/ContentController.scala index 05c5b2470..a5c73c51a 100644 --- a/content-api/content-service/app/controllers/v3/ContentController.scala +++ b/content-api/content-service/app/controllers/v3/ContentController.scala @@ -43,7 +43,7 @@ class ContentController @Inject()(@Named(ActorNames.CONTENT_ACTOR) contentActor: * @return */ def read(identifier: String, mode: Option[String], fields: Option[String]) = Action.async { implicit request => - val headers = commonHeaders() + val headers = commonReadHeaders() val content = new java.util.HashMap().asInstanceOf[java.util.Map[String, Object]] content.putAll(headers) content.putAll(Map("identifier" -> identifier, "mode" -> mode.getOrElse("read"), "fields" -> fields.getOrElse("")).asJava) @@ -94,7 +94,7 @@ class ContentController @Inject()(@Named(ActorNames.CONTENT_ACTOR) contentActor: } def getHierarchy(identifier: String, mode: Option[String]) = Action.async { implicit request => - val headers = commonHeaders() + val headers = commonReadHeaders() val content = new java.util.HashMap().asInstanceOf[java.util.Map[String, Object]] content.putAll(headers) content.putAll(Map("rootId" -> identifier, "mode" -> mode.getOrElse("")).asJava) diff --git a/content-api/hierarchy-manager/pom.xml b/content-api/hierarchy-manager/pom.xml index 828dac9fc..3ef8d21c8 100644 --- a/content-api/hierarchy-manager/pom.xml +++ b/content-api/hierarchy-manager/pom.xml @@ -12,6 +12,11 @@ hierarchy-manager + + org.sunbird + auth-verifier + 1.0-SNAPSHOT + org.sunbird graph-engine_2.11 diff --git a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala index 186232d39..1019d0fc4 100644 --- a/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala +++ b/content-api/hierarchy-manager/src/main/scala/org/sunbird/managers/HierarchyManager.scala @@ -4,6 +4,7 @@ import java.util import java.util.concurrent.CompletionException import com.fasterxml.jackson.databind.ObjectMapper import org.apache.commons.lang3.StringUtils +import org.sunbird.auth.verifier.JWTUtil import org.sunbird.cache.impl.RedisCache import org.sunbird.common.dto.{Request, Response, ResponseHandler, ResponseParams} import org.sunbird.common.exception.{ClientException, ErrorCodes, ResourceNotFoundException, ResponseCode, ServerException} @@ -132,7 +133,9 @@ object HierarchyManager { } val bookmarkId = request.get("bookmarkId").asInstanceOf[String] var metadata: util.Map[String, AnyRef] = NodeUtil.serialize(rootNode, new util.ArrayList[String](), request.getContext.get("schemaName").asInstanceOf[String], request.getContext.get("version").asInstanceOf[String]) - + if (!validateContentSecurity(request, metadata)) { + Future(ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "User can't read content with Id: " + request.get("rootId"))) + } fetchRelationalMetadata(request, rootNode.getIdentifier).map(collRelationalMetadata => { val hierarchy = fetchHierarchy(request, rootNode.getIdentifier) @@ -211,15 +214,24 @@ object HierarchyManager { if (!result.isEmpty) { val bookmarkId = request.get("bookmarkId").asInstanceOf[String] val rootHierarchy = result.get("content").asInstanceOf[util.Map[String, AnyRef]] - if (StringUtils.isEmpty(bookmarkId)) { - ResponseHandler.OK.put("content", rootHierarchy) + if (!validateContentSecurity(request, rootHierarchy)) { + ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "User can't read content with Id: " + request.get("rootId")) } else { - val children = rootHierarchy.getOrElse("children", new util.ArrayList[util.Map[String, AnyRef]]()).asInstanceOf[util.List[util.Map[String, AnyRef]]] - val bookmarkHierarchy = filterBookmarkHierarchy(children, bookmarkId) - if (MapUtils.isEmpty(bookmarkHierarchy)) { - ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "bookmarkId " + bookmarkId + " does not exist") + if (isSecureContent(rootHierarchy)) { + val csToken = generateCSToken(rootHierarchy.get("childNodes").asInstanceOf[util.List[String]]) + rootHierarchy.put("cstoken", csToken) + } + + if (StringUtils.isEmpty(bookmarkId)) { + ResponseHandler.OK.put("content", rootHierarchy) } else { - ResponseHandler.OK.put("content", bookmarkHierarchy) + val children = rootHierarchy.getOrElse("children", new util.ArrayList[util.Map[String, AnyRef]]()).asInstanceOf[util.List[util.Map[String, AnyRef]]] + val bookmarkHierarchy = filterBookmarkHierarchy(children, bookmarkId) + if (MapUtils.isEmpty(bookmarkHierarchy)) { + ResponseHandler.ERROR(ResponseCode.RESOURCE_NOT_FOUND, ResponseCode.RESOURCE_NOT_FOUND.name(), "bookmarkId " + bookmarkId + " does not exist") + } else { + ResponseHandler.OK.put("content", bookmarkHierarchy) + } } } } else @@ -713,4 +725,40 @@ object HierarchyManager { if(configObjTypes.nonEmpty && !configObjTypes.contains(childNode.getOrDefault("objectType", "").asInstanceOf[String])) throw new ClientException("ERR_INVALID_CHILDREN", "Invalid Children objectType "+childNode.get("objectType")+" found for : "+childNode.get("identifier") + "| Please provide children having one of the objectType from "+ configObjTypes.asJava) } + + def isSecureContent (metadata: util.Map[String, AnyRef])(implicit ec: ExecutionContext): Boolean = { + var securityAttribute : util.Map[String, AnyRef] = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]] + var isSecureContent = false + if (MapUtils.isNotEmpty(securityAttribute)) { + var orgList : util.ArrayList[String] = securityAttribute.getOrDefault("organisation", new util.ArrayList[String]).asInstanceOf[util.ArrayList[String]] + if (!CollectionUtils.isEmpty(orgList)) { + isSecureContent = true + } + } + isSecureContent + } + + def validateContentSecurity(request: Request, metadata: util.Map[String, AnyRef])(implicit ec: ExecutionContext): Boolean = { + var securityAttribute : util.Map[String, AnyRef] = metadata.getOrDefault("secureSettings", new util.HashMap[String, AnyRef]).asInstanceOf[util.Map[String, AnyRef]] + var isUserAllowedToRead = true + if (MapUtils.isNotEmpty(securityAttribute)) { + var orgList : util.ArrayList[String] = securityAttribute.getOrDefault("organisation", new util.ArrayList[String]).asInstanceOf[util.ArrayList[String]] + if (!CollectionUtils.isEmpty(orgList)) { + //Content should be read by unique org users only. + var userChannelId : String = request.getRequest.getOrDefault("x-user-channel-id", "").asInstanceOf[String] + if (!orgList.contains(userChannelId)) { + isUserAllowedToRead = false + } + } + } + isUserAllowedToRead + } + + def generateCSToken(children: util.List[String])(implicit ec: ExecutionContext): String = { + var csToken = ""; + var claimsMap : util.Map[String, AnyRef] = new util.HashMap[String, AnyRef] + claimsMap.put("contentIdentifier", children) + csToken = JWTUtil.createHS256Token(claimsMap) + csToken + } } diff --git a/ontology-engine/graph-dac-api/src/main/java/org/sunbird/graph/service/util/BaseQueryGenerationUtil.java b/ontology-engine/graph-dac-api/src/main/java/org/sunbird/graph/service/util/BaseQueryGenerationUtil.java index df732461d..09fabece2 100644 --- a/ontology-engine/graph-dac-api/src/main/java/org/sunbird/graph/service/util/BaseQueryGenerationUtil.java +++ b/ontology-engine/graph-dac-api/src/main/java/org/sunbird/graph/service/util/BaseQueryGenerationUtil.java @@ -172,6 +172,9 @@ protected static Map getSystemPropertyQueryMap(Node node, String if (StringUtils.isBlank(node.getIdentifier())) node.setIdentifier(Identifier.getIdentifier(node.getGraphId(), Identifier.getUniqueIdFromTimestamp())); + if (node.getMetadata().containsKey("secureSettings")) { + node.setIdentifier(node.getIdentifier() + "_rc"); + } // Adding 'IL_UNIQUE_ID' Property query.append( SystemProperties.IL_UNIQUE_ID.name() + ": { SP_" + SystemProperties.IL_UNIQUE_ID.name() + " }, "); diff --git a/platform-core/auth-verifier/pom.xml b/platform-core/auth-verifier/pom.xml new file mode 100644 index 000000000..196b91bde --- /dev/null +++ b/platform-core/auth-verifier/pom.xml @@ -0,0 +1,93 @@ + + + + platform-core + org.sunbird + 1.0-SNAPSHOT + + 4.0.0 + + auth-verifier + + + + com.fasterxml.jackson.core + jackson-core + ${fasterxml.jackson.version} + + + org.sunbird + common-util + 0.0.1-SNAPSHOT + + + org.sunbird + platform-telemetry + 1.0-SNAPSHOT + jar + + + org.mockito + mockito-core + ${mockito.core.version} + test + + + org.powermock + powermock-api-mockito2 + ${powermock.api.mockito2.version} + test + + + org.powermock + powermock-module-junit4 + ${powermock.module.junit4.version} + test + + + ch.qos.logback + logback-classic + 1.2.3 + + + net.logstash.logback + logstash-logback-encoder + 6.3 + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.8.1 + + 11 + + + + org.jacoco + jacoco-maven-plugin + 0.8.5 + + + default-prepare-agent + + prepare-agent + + + + default-report + prepare-package + + report + + + + + + + \ No newline at end of file diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/Base64Util.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/Base64Util.java new file mode 100644 index 000000000..619330d24 --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/Base64Util.java @@ -0,0 +1,741 @@ +package org.sunbird.auth.verifier; + +/* + * Copyright (C) 2010 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +import java.io.UnsupportedEncodingException; + +/** + * Utilities for encoding and decoding the Base64 representation of + * binary data. See RFCs 2045 and 3548. + */ +public class Base64Util { + /** + * Default values for encoder/decoder flags. + */ + public static final int DEFAULT = 0; + + /** + * Encoder flag bit to omit the padding '=' characters at the end + * of the output (if any). + */ + public static final int NO_PADDING = 1; + + /** + * Encoder flag bit to omit all line terminators (i.e., the output + * will be on one long line). + */ + public static final int NO_WRAP = 2; + + /** + * Encoder flag bit to indicate lines should be terminated with a + * CRLF pair instead of just an LF. Has no effect if {@code + * NO_WRAP} is specified as well. + */ + public static final int CRLF = 4; + + /** + * Encoder/decoder flag bit to indicate using the "URL and + * filename safe" variant of Base64 (see RFC 3548 section 4) where + * {@code -} and {@code _} are used in place of {@code +} and + * {@code /}. + */ + public static final int URL_SAFE = 8; + + /** + * Flag to pass to {Base64OutputStream} to indicate that it + * should not close the output stream it is wrapping when it + * itself is closed. + */ + public static final int NO_CLOSE = 16; + + // -------------------------------------------------------- + // shared code + // -------------------------------------------------------- + + private Base64Util() { + } // don't instantiate + + // -------------------------------------------------------- + // decoding + // -------------------------------------------------------- + + /** + * Decode the Base64-encoded data in input and return the data in + * a new byte array. + *

+ *

The padding '=' characters at the end are considered optional, but + * if any are present, there must be the correct number of them. + * + * @param str the input String to decode, which is converted to + * bytes using the default charset + * @param flags controls certain features of the decoded output. + * Pass {@code DEFAULT} to decode standard Base64. + * @throws IllegalArgumentException if the input contains + * incorrect padding + */ + public static byte[] decode(String str, int flags) { + return decode(str.getBytes(), flags); + } + + /** + * Decode the Base64-encoded data in input and return the data in + * a new byte array. + *

+ *

The padding '=' characters at the end are considered optional, but + * if any are present, there must be the correct number of them. + * + * @param input the input array to decode + * @param flags controls certain features of the decoded output. + * Pass {@code DEFAULT} to decode standard Base64. + * @throws IllegalArgumentException if the input contains + * incorrect padding + */ + public static byte[] decode(byte[] input, int flags) { + return decode(input, 0, input.length, flags); + } + + /** + * Decode the Base64-encoded data in input and return the data in + * a new byte array. + *

+ *

The padding '=' characters at the end are considered optional, but + * if any are present, there must be the correct number of them. + * + * @param input the data to decode + * @param offset the position within the input array at which to start + * @param len the number of bytes of input to decode + * @param flags controls certain features of the decoded output. + * Pass {@code DEFAULT} to decode standard Base64. + * @throws IllegalArgumentException if the input contains + * incorrect padding + */ + public static byte[] decode(byte[] input, int offset, int len, int flags) { + // Allocate space for the most data the input could represent. + // (It could contain less if it contains whitespace, etc.) + Decoder decoder = new Decoder(flags, new byte[len * 3 / 4]); + + if (!decoder.process(input, offset, len, true)) { + throw new IllegalArgumentException("bad base-64"); + } + + // Maybe we got lucky and allocated exactly enough output space. + if (decoder.op == decoder.output.length) { + return decoder.output; + } + + // Need to shorten the array, so allocate a new one of the + // right size and copy. + byte[] temp = new byte[decoder.op]; + System.arraycopy(decoder.output, 0, temp, 0, decoder.op); + return temp; + } + + /** + * Base64-encode the given data and return a newly allocated + * String with the result. + * + * @param input the data to encode + * @param flags controls certain features of the encoded output. + * Passing {@code DEFAULT} results in output that + * adheres to RFC 2045. + */ + public static String encodeToString(byte[] input, int flags) { + try { + return new String(encode(input, flags), "US-ASCII"); + } catch (UnsupportedEncodingException e) { + // US-ASCII is guaranteed to be available. + throw new AssertionError(e); + } + } + + // -------------------------------------------------------- + // encoding + // -------------------------------------------------------- + + /** + * Base64-encode the given data and return a newly allocated + * String with the result. + * + * @param input the data to encode + * @param offset the position within the input array at which to + * start + * @param len the number of bytes of input to encode + * @param flags controls certain features of the encoded output. + * Passing {@code DEFAULT} results in output that + * adheres to RFC 2045. + */ + public static String encodeToString(byte[] input, int offset, int len, int flags) { + try { + return new String(encode(input, offset, len, flags), "US-ASCII"); + } catch (UnsupportedEncodingException e) { + // US-ASCII is guaranteed to be available. + throw new AssertionError(e); + } + } + + /** + * Base64-encode the given data and return a newly allocated + * byte[] with the result. + * + * @param input the data to encode + * @param flags controls certain features of the encoded output. + * Passing {@code DEFAULT} results in output that + * adheres to RFC 2045. + */ + public static byte[] encode(byte[] input, int flags) { + return encode(input, 0, input.length, flags); + } + + /** + * Base64-encode the given data and return a newly allocated + * byte[] with the result. + * + * @param input the data to encode + * @param offset the position within the input array at which to + * start + * @param len the number of bytes of input to encode + * @param flags controls certain features of the encoded output. + * Passing {@code DEFAULT} results in output that + * adheres to RFC 2045. + */ + public static byte[] encode(byte[] input, int offset, int len, int flags) { + Encoder encoder = new Encoder(flags, null); + + // Compute the exact length of the array we will produce. + int output_len = len / 3 * 4; + + // Account for the tail of the data and the padding bytes, if any. + if (encoder.do_padding) { + if (len % 3 > 0) { + output_len += 4; + } + } else { + switch (len % 3) { + case 0: + break; + case 1: + output_len += 2; + break; + case 2: + output_len += 3; + break; + } + } + + // Account for the newlines, if any. + if (encoder.do_newline && len > 0) { + output_len += (((len - 1) / (3 * Encoder.LINE_GROUPS)) + 1) * + (encoder.do_cr ? 2 : 1); + } + + encoder.output = new byte[output_len]; + encoder.process(input, offset, len, true); + + assert encoder.op == output_len; + + return encoder.output; + } + + /* package */ static abstract class Coder { + public byte[] output; + public int op; + + /** + * Encode/decode another block of input data. this.output is + * provided by the caller, and must be big enough to hold all + * the coded data. On exit, this.opwill be set to the length + * of the coded data. + * + * @param finish true if this is the final call to process for + * this object. Will finalize the coder state and + * include any final bytes in the output. + * @return true if the input so far is good; false if some + * error has been detected in the input stream.. + */ + public abstract boolean process(byte[] input, int offset, int len, boolean finish); + + /** + * @return the maximum number of bytes a call to process() + * could produce for the given number of input bytes. This may + * be an overestimate. + */ + public abstract int maxOutputSize(int len); + } + + /* package */ static class Decoder extends Coder { + /** + * Lookup table for turning bytes into their position in the + * Base64 alphabet. + */ + private static final int DECODE[] = { + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, + 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -2, -1, -1, + -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, + 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, + -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, + 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + }; + + /** + * Decode lookup table for the "web safe" variant (RFC 3548 + * sec. 4) where - and _ replace + and /. + */ + private static final int DECODE_WEBSAFE[] = { + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, + 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -2, -1, -1, + -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, + 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, 63, + -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, + 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + }; + + /** + * Non-data values in the DECODE arrays. + */ + private static final int SKIP = -1; + private static final int EQUALS = -2; + final private int[] alphabet; + /** + * States 0-3 are reading through the next input tuple. + * State 4 is having read one '=' and expecting exactly + * one more. + * State 5 is expecting no more data or padding characters + * in the input. + * State 6 is the error state; an error has been detected + * in the input and no future input can "fix" it. + */ + private int state; // state number (0 to 6) + private int value; + + public Decoder(int flags, byte[] output) { + this.output = output; + + alphabet = ((flags & URL_SAFE) == 0) ? DECODE : DECODE_WEBSAFE; + state = 0; + value = 0; + } + + /** + * @return an overestimate for the number of bytes {@code + * len} bytes could decode to. + */ + public int maxOutputSize(int len) { + return len * 3 / 4 + 10; + } + + /** + * Decode another block of input data. + * + * @return true if the state machine is still healthy. false if + * bad base-64 data has been detected in the input stream. + */ + public boolean process(byte[] input, int offset, int len, boolean finish) { + if (this.state == 6) return false; + + int p = offset; + len += offset; + + // Using local variables makes the decoder about 12% + // faster than if we manipulate the member variables in + // the loop. (Even alphabet makes a measurable + // difference, which is somewhat surprising to me since + // the member variable is final.) + int state = this.state; + int value = this.value; + int op = 0; + final byte[] output = this.output; + final int[] alphabet = this.alphabet; + + while (p < len) { + // Try the fast path: we're starting a new tuple and the + // next four bytes of the input stream are all data + // bytes. This corresponds to going through states + // 0-1-2-3-0. We expect to use this method for most of + // the data. + // + // If any of the next four bytes of input are non-data + // (whitespace, etc.), value will end up negative. (All + // the non-data values in decode are small negative + // numbers, so shifting any of them up and or'ing them + // together will result in a value with its top bit set.) + // + // You can remove this whole block and the output should + // be the same, just slower. + if (state == 0) { + while (p + 4 <= len && + (value = ((alphabet[input[p] & 0xff] << 18) | + (alphabet[input[p + 1] & 0xff] << 12) | + (alphabet[input[p + 2] & 0xff] << 6) | + (alphabet[input[p + 3] & 0xff]))) >= 0) { + output[op + 2] = (byte) value; + output[op + 1] = (byte) (value >> 8); + output[op] = (byte) (value >> 16); + op += 3; + p += 4; + } + if (p >= len) break; + } + + // The fast path isn't available -- either we've read a + // partial tuple, or the next four input bytes aren't all + // data, or whatever. Fall back to the slower state + // machine implementation. + + int d = alphabet[input[p++] & 0xff]; + + switch (state) { + case 0: + if (d >= 0) { + value = d; + ++state; + } else if (d != SKIP) { + this.state = 6; + return false; + } + break; + + case 1: + if (d >= 0) { + value = (value << 6) | d; + ++state; + } else if (d != SKIP) { + this.state = 6; + return false; + } + break; + + case 2: + if (d >= 0) { + value = (value << 6) | d; + ++state; + } else if (d == EQUALS) { + // Emit the last (partial) output tuple; + // expect exactly one more padding character. + output[op++] = (byte) (value >> 4); + state = 4; + } else if (d != SKIP) { + this.state = 6; + return false; + } + break; + + case 3: + if (d >= 0) { + // Emit the output triple and return to state 0. + value = (value << 6) | d; + output[op + 2] = (byte) value; + output[op + 1] = (byte) (value >> 8); + output[op] = (byte) (value >> 16); + op += 3; + state = 0; + } else if (d == EQUALS) { + // Emit the last (partial) output tuple; + // expect no further data or padding characters. + output[op + 1] = (byte) (value >> 2); + output[op] = (byte) (value >> 10); + op += 2; + state = 5; + } else if (d != SKIP) { + this.state = 6; + return false; + } + break; + + case 4: + if (d == EQUALS) { + ++state; + } else if (d != SKIP) { + this.state = 6; + return false; + } + break; + + case 5: + if (d != SKIP) { + this.state = 6; + return false; + } + break; + } + } + + if (!finish) { + // We're out of input, but a future call could provide + // more. + this.state = state; + this.value = value; + this.op = op; + return true; + } + + // Done reading input. Now figure out where we are left in + // the state machine and finish up. + + switch (state) { + case 0: + // Output length is a multiple of three. Fine. + break; + case 1: + // Read one extra input byte, which isn't enough to + // make another output byte. Illegal. + this.state = 6; + return false; + case 2: + // Read two extra input bytes, enough to emit 1 more + // output byte. Fine. + output[op++] = (byte) (value >> 4); + break; + case 3: + // Read three extra input bytes, enough to emit 2 more + // output bytes. Fine. + output[op++] = (byte) (value >> 10); + output[op++] = (byte) (value >> 2); + break; + case 4: + // Read one padding '=' when we expected 2. Illegal. + this.state = 6; + return false; + case 5: + // Read all the padding '='s we expected and no more. + // Fine. + break; + } + + this.state = state; + this.op = op; + return true; + } + } + + /* package */ static class Encoder extends Coder { + /** + * Emit a new line every this many output tuples. Corresponds to + * a 76-character line length (the maximum allowable according to + * RFC 2045). + */ + public static final int LINE_GROUPS = 19; + + /** + * Lookup table for turning Base64 alphabet positions (6 bits) + * into output bytes. + */ + private static final byte ENCODE[] = { + 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', + 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', + 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', + 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '+', '/', + }; + + /** + * Lookup table for turning Base64 alphabet positions (6 bits) + * into output bytes. + */ + private static final byte ENCODE_WEBSAFE[] = { + 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', + 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', + 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', + 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '-', '_', + }; + final public boolean do_padding; + final public boolean do_newline; + final public boolean do_cr; + final private byte[] tail; + final private byte[] alphabet; + /* package */ int tailLen; + private int count; + + public Encoder(int flags, byte[] output) { + this.output = output; + + do_padding = (flags & NO_PADDING) == 0; + do_newline = (flags & NO_WRAP) == 0; + do_cr = (flags & CRLF) != 0; + alphabet = ((flags & URL_SAFE) == 0) ? ENCODE : ENCODE_WEBSAFE; + + tail = new byte[2]; + tailLen = 0; + + count = do_newline ? LINE_GROUPS : -1; + } + + /** + * @return an overestimate for the number of bytes {@code + * len} bytes could encode to. + */ + public int maxOutputSize(int len) { + return len * 8 / 5 + 10; + } + + public boolean process(byte[] input, int offset, int len, boolean finish) { + // Using local variables makes the encoder about 9% faster. + final byte[] alphabet = this.alphabet; + final byte[] output = this.output; + int op = 0; + int count = this.count; + + int p = offset; + len += offset; + int v = -1; + + // First we need to concatenate the tail of the previous call + // with any input bytes available now and see if we can empty + // the tail. + + switch (tailLen) { + case 0: + // There was no tail. + break; + + case 1: + if (p + 2 <= len) { + // A 1-byte tail with at least 2 bytes of + // input available now. + v = ((tail[0] & 0xff) << 16) | + ((input[p++] & 0xff) << 8) | + (input[p++] & 0xff); + tailLen = 0; + } + ; + break; + + case 2: + if (p + 1 <= len) { + // A 2-byte tail with at least 1 byte of input. + v = ((tail[0] & 0xff) << 16) | + ((tail[1] & 0xff) << 8) | + (input[p++] & 0xff); + tailLen = 0; + } + break; + } + + if (v != -1) { + output[op++] = alphabet[(v >> 18) & 0x3f]; + output[op++] = alphabet[(v >> 12) & 0x3f]; + output[op++] = alphabet[(v >> 6) & 0x3f]; + output[op++] = alphabet[v & 0x3f]; + if (--count == 0) { + if (do_cr) output[op++] = '\r'; + output[op++] = '\n'; + count = LINE_GROUPS; + } + } + + // At this point either there is no tail, or there are fewer + // than 3 bytes of input available. + + // The main loop, turning 3 input bytes into 4 output bytes on + // each iteration. + while (p + 3 <= len) { + v = ((input[p] & 0xff) << 16) | + ((input[p + 1] & 0xff) << 8) | + (input[p + 2] & 0xff); + output[op] = alphabet[(v >> 18) & 0x3f]; + output[op + 1] = alphabet[(v >> 12) & 0x3f]; + output[op + 2] = alphabet[(v >> 6) & 0x3f]; + output[op + 3] = alphabet[v & 0x3f]; + p += 3; + op += 4; + if (--count == 0) { + if (do_cr) output[op++] = '\r'; + output[op++] = '\n'; + count = LINE_GROUPS; + } + } + + if (finish) { + // Finish up the tail of the input. Note that we need to + // consume any bytes in tail before any bytes + // remaining in input; there should be at most two bytes + // total. + + if (p - tailLen == len - 1) { + int t = 0; + v = ((tailLen > 0 ? tail[t++] : input[p++]) & 0xff) << 4; + tailLen -= t; + output[op++] = alphabet[(v >> 6) & 0x3f]; + output[op++] = alphabet[v & 0x3f]; + if (do_padding) { + output[op++] = '='; + output[op++] = '='; + } + if (do_newline) { + if (do_cr) output[op++] = '\r'; + output[op++] = '\n'; + } + } else if (p - tailLen == len - 2) { + int t = 0; + v = (((tailLen > 1 ? tail[t++] : input[p++]) & 0xff) << 10) | + (((tailLen > 0 ? tail[t++] : input[p++]) & 0xff) << 2); + tailLen -= t; + output[op++] = alphabet[(v >> 12) & 0x3f]; + output[op++] = alphabet[(v >> 6) & 0x3f]; + output[op++] = alphabet[v & 0x3f]; + if (do_padding) { + output[op++] = '='; + } + if (do_newline) { + if (do_cr) output[op++] = '\r'; + output[op++] = '\n'; + } + } else if (do_newline && op > 0 && count != LINE_GROUPS) { + if (do_cr) output[op++] = '\r'; + output[op++] = '\n'; + } + + assert tailLen == 0; + assert p == len; + } else { + // Save the leftovers in tail to be consumed on the next + // call to encodeInternal. + + if (p == len - 1) { + tail[tailLen++] = input[p]; + } else if (p == len - 2) { + tail[tailLen++] = input[p]; + tail[tailLen++] = input[p + 1]; + } + } + + this.op = op; + this.count = count; + + return true; + } + } +} diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/CryptoUtil.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/CryptoUtil.java new file mode 100644 index 000000000..2f83d55b6 --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/CryptoUtil.java @@ -0,0 +1,59 @@ +package org.sunbird.auth.verifier; + +import java.nio.charset.Charset; +import java.security.*; + +import javax.crypto.Mac; +import javax.crypto.spec.SecretKeySpec; + +import org.sunbird.telemetry.logger.TelemetryManager; + + +public class CryptoUtil { + private static final Charset US_ASCII = Charset.forName("US-ASCII"); + + public static boolean verifyRSASign(String payLoad, byte[] signature, PublicKey key, String algorithm) { + Signature sign; + try { + sign = Signature.getInstance(algorithm); + sign.initVerify(key); + sign.update(payLoad.getBytes(US_ASCII)); + return sign.verify(signature); + } catch (NoSuchAlgorithmException e) { + return false; + } catch (InvalidKeyException e){ + return false; + } catch (SignatureException e){ + return false; + } + } + + public static byte[] generateHMAC(String payLoad, String secretKey, String algorithm) { + Mac mac; + byte[] signature; + try { + mac = Mac.getInstance(algorithm); + mac.init(new SecretKeySpec(secretKey.getBytes(), algorithm)); + signature = mac.doFinal(payLoad.getBytes(US_ASCII)); + } catch (NoSuchAlgorithmException | InvalidKeyException e) { + TelemetryManager.error("CryptoUtil:generateHMAC :: failed to generate signature. Exception: ", e); + return null; + } + return signature; + } + + public static byte[] generateRSASign(String payLoad, PrivateKey key, String algorithm) { + Signature sign; + byte[] signature; + try { + sign = Signature.getInstance(algorithm); + sign.initSign(key); + sign.update(payLoad.getBytes(US_ASCII)); + signature = sign.sign(); + } catch (NoSuchAlgorithmException | InvalidKeyException | SignatureException e) { + TelemetryManager.error("CryptoUtil:generateRSASign :: failed to generate signature. Exception: ", e); + return null; + } + return signature; + } +} diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java new file mode 100644 index 000000000..b382ae3d3 --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTUtil.java @@ -0,0 +1,77 @@ +package org.sunbird.auth.verifier; + +import org.sunbird.common.JsonUtils; +import org.sunbird.common.Platform; +import org.sunbird.telemetry.logger.TelemetryManager; + +import java.util.HashMap; +import java.util.Map; + +public class JWTUtil { + private static String SEPARATOR = "."; + + public static String JWT_SECRET_STRING = Platform.config.hasPath("content.security.jwt.secret") ? + Platform.config.getString("content.security.jwt.secret"): "sunbird"; + + public static String createHS256Token(Map claimsMap) { + String token = ""; + JWTokenType tokenType = JWTokenType.HS256; + try { + Map headerOptions = new HashMap(); + String payLoad = createHeader(tokenType, headerOptions) + SEPARATOR + createClaimsMap(claimsMap); + String signature = encodeToBase64Uri( + CryptoUtil.generateHMAC(payLoad, JWT_SECRET_STRING, tokenType.getAlgorithmName())); + token = payLoad + SEPARATOR + signature; + } catch (Exception e) { + TelemetryManager.error("JWTUtil.createHS256Token :: Failed to create RS256 token. Exception: ", e); + } + return token; + } + + public static String createRS256Token(Map claimsMap) { + String token = ""; + JWTokenType tokenType = JWTokenType.RS256; + try { + KeyData keyData = KeyManager.getRandomKey(); + if (keyData != null) { + Map headerOptions = createHeaderOptions(keyData.getKeyId()); + String payLoad = createHeader(tokenType, headerOptions) + SEPARATOR + createClaimsMap(claimsMap); + String signature = encodeToBase64Uri( + CryptoUtil.generateRSASign(payLoad, keyData.getPrivateKey(), tokenType.getAlgorithmName())); + token = payLoad + SEPARATOR + signature; + } else { + TelemetryManager.error("JWTUtil.createRS256Token :: KeyManager is not initialized properly."); + } + } catch (Exception e) { + TelemetryManager.error("JWTUtil.createRS256Token :: Failed to create RS256 token. Exception: ", e); + } + return token; + } + + private static String createHeader(JWTokenType tokenType, Map headerOptions) throws Exception { + Map headerData = new HashMap<>(); + if (headerOptions != null) + headerData.putAll(headerOptions); + headerData.put("alg", tokenType.getTokenType()); + headerData.put("typ", "JWT"); + return encodeToBase64Uri(JsonUtils.serialize(headerData).getBytes()); + } + + private static Map createHeaderOptions(String keyId) { + Map headers = new HashMap<>(); + headers.put("kid", keyId); + return headers; + } + + private static String createClaimsMap(Map claimsMap) throws Exception { + Map payloadData = new HashMap<>(); + if (claimsMap != null && claimsMap.size() > 0) { + payloadData.putAll(claimsMap); + } + return encodeToBase64Uri(JsonUtils.serialize(payloadData).getBytes()); + } + + private static String encodeToBase64Uri(byte[] data) { + return Base64Util.encodeToString(data, 11); + } +} diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTokenType.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTokenType.java new file mode 100644 index 000000000..0632e084d --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/JWTokenType.java @@ -0,0 +1,22 @@ +package org.sunbird.auth.verifier; + +public enum JWTokenType { + HS256("HS256", "HmacSHA256"), + RS256("RS256", "SHA256withRSA"); + + private String algorithmName; + private String tokenType; + + JWTokenType(String tokenType, String algorithmName) { + this.algorithmName = algorithmName; + this.tokenType = tokenType; + } + + public String getAlgorithmName() { + return algorithmName; + } + + public String getTokenType() { + return tokenType; + } +} diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyData.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyData.java new file mode 100644 index 000000000..6028025f7 --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyData.java @@ -0,0 +1,40 @@ +package org.sunbird.auth.verifier; + +import java.security.PrivateKey; +import java.security.PublicKey; + +public class KeyData { + private String keyId; + private PrivateKey privateKey; + private PublicKey publicKey; + + public KeyData(String keyId, PublicKey publicKey, PrivateKey privateKey) { + this.keyId = keyId; + this.publicKey = publicKey; + this.privateKey = privateKey; + } + + public String getKeyId() { + return keyId; + } + + public void setKeyId(String keyId) { + this.keyId = keyId; + } + + public PublicKey getPublicKey() { + return publicKey; + } + + public void setPublicKey(PublicKey publicKey) { + this.publicKey = publicKey; + } + + public PrivateKey getPrivateKey() { + return privateKey; + } + + public void setPrivateKey(PrivateKey privateKey) { + this.privateKey = privateKey; + } +} diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyManager.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyManager.java new file mode 100644 index 000000000..a55ccb4ab --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/KeyManager.java @@ -0,0 +1,97 @@ +package org.sunbird.auth.verifier; + +import java.util.Map; +import org.sunbird.telemetry.logger.TelemetryManager; + +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.security.KeyFactory; +import java.security.PublicKey; +import java.security.PrivateKey; +import java.security.spec.PKCS8EncodedKeySpec; +import java.security.spec.X509EncodedKeySpec; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Random; +import java.util.Map; +import java.util.stream.Collectors; +import java.util.stream.Stream; + +public class KeyManager { + public static final String ACCESS_TOKEN_PUBLICKEY_BASEPATH = "accesstoken_privatekey_basepath"; + + private static PropertiesCache propertiesCache = PropertiesCache.getInstance(); + private static Map keyMap = new HashMap(); + + public static void init() { + TelemetryManager.info("KeyManager:init :: Starting initialization..."); + String basePath = propertiesCache.getProperty(ACCESS_TOKEN_PUBLICKEY_BASEPATH); + try (Stream walk = Files.walk(Paths.get(basePath))) { + List result = + walk.filter(Files::isRegularFile).map(x -> x.toString()).collect(Collectors.toList()); + result.forEach( + file -> { + try { + StringBuilder contentBuilder = new StringBuilder(); + Path path = Paths.get(file); + Files.lines(path, StandardCharsets.UTF_8) + .forEach( + x -> { + contentBuilder.append(x); + }); + KeyData keyData = + new KeyData( + path.getFileName().toString(), null, loadPrivateKey(contentBuilder.toString())); + keyMap.put(path.getFileName().toString(), keyData); + } catch (Exception e) { + TelemetryManager.error("KeyManager:init: exception in reading public keys ", e); + } + }); + } catch (Exception e) { + TelemetryManager.error("KeyManager:init: exception in loading publickeys ", e); + } + } + + public static KeyData getRandomKey() { + if (keyMap.size() == 0) { + init(); + } + if (keyMap.size() > 0) { + Random random = new Random(); + List keys = new ArrayList(keyMap.keySet()); + String randomKey = keys.get(random.nextInt(keys.size())); + return keyMap.get(randomKey); + } + return null; + } + + public static PublicKey loadPublicKey(String key) throws Exception { + String publicKey = new String(key.getBytes(), StandardCharsets.UTF_8); + publicKey = publicKey.replaceAll("(-+BEGIN PUBLIC KEY-+)", ""); + publicKey = publicKey.replaceAll("(-+END PUBLIC KEY-+)", ""); + publicKey = publicKey.replaceAll("[\\r\\n]+", ""); + byte[] keyBytes = Base64Util.decode(publicKey.getBytes("UTF-8"), Base64Util.DEFAULT); + + X509EncodedKeySpec X509publicKey = new X509EncodedKeySpec(keyBytes); + KeyFactory kf = KeyFactory.getInstance("RSA"); + return kf.generatePublic(X509publicKey); + } + + public static PrivateKey loadPrivateKey(String key) throws Exception { + String privateKey = new String(key.getBytes(), StandardCharsets.UTF_8); + privateKey = privateKey.replaceAll("(-+BEGIN RSA PRIVATE KEY-+)", ""); + privateKey = privateKey.replaceAll("(-+END RSA PRIVATE KEY-+)", ""); + privateKey = privateKey.replaceAll("(-+BEGIN PRIVATE KEY-+)", ""); + privateKey = privateKey.replaceAll("(-+END PRIVATE KEY-+)", ""); + privateKey = privateKey.replaceAll("[\\r\\n]+", ""); + byte[] keyBytes = Base64Util.decode(privateKey.getBytes("UTF-8"), Base64Util.DEFAULT); + + // generate private key + PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes); + KeyFactory keyFactory = KeyFactory.getInstance("RSA"); + return keyFactory.generatePrivate(spec); + } +} diff --git a/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/PropertiesCache.java b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/PropertiesCache.java new file mode 100644 index 000000000..79d143f6a --- /dev/null +++ b/platform-core/auth-verifier/src/main/java/org/sunbird/auth/verifier/PropertiesCache.java @@ -0,0 +1,97 @@ +package org.sunbird.auth.verifier; + +import java.io.IOException; +import java.io.InputStream; +import java.util.Map; +import java.util.Properties; +import java.util.concurrent.ConcurrentHashMap; +import org.apache.commons.lang3.StringUtils; + +import org.sunbird.telemetry.logger.TelemetryManager; + + +/* + * @author Amit Kumar + * + * this class is used for reading properties file + */ +public class PropertiesCache { + + private final String[] fileName = { + "externalresource.properties" + }; + private final Properties configProp = new Properties(); + public final Map attributePercentageMap = new ConcurrentHashMap<>(); + private static PropertiesCache propertiesCache = null; + + /** private default constructor */ + private PropertiesCache() { + for (String file : fileName) { + InputStream in = this.getClass().getClassLoader().getResourceAsStream(file); + try { + configProp.load(in); + } catch (IOException e) { + TelemetryManager.error("Error in properties cache", e); + } + } + loadWeighted(); + } + + public static PropertiesCache getInstance() { + + // change the lazy holder implementation to simple singleton implementation ... + if (null == propertiesCache) { + synchronized (PropertiesCache.class) { + if (null == propertiesCache) { + propertiesCache = new PropertiesCache(); + } + } + } + + return propertiesCache; + } + + public void saveConfigProperty(String key, String value) { + configProp.setProperty(key, value); + } + + public String getProperty(String key) { + String value = System.getenv(key); + if (StringUtils.isNotBlank(value)) return value; + return configProp.getProperty(key) != null ? configProp.getProperty(key) : key; + } + + private void loadWeighted() { + String key = configProp.getProperty("user.profile.attribute"); + String value = configProp.getProperty("user.profile.weighted"); + if (StringUtils.isBlank(key)) { + TelemetryManager.info("Profile completeness value is not set"); + } else { + String keys[] = key.split(","); + String values[] = value.split(","); + if (keys.length == value.length()) { + // then take the value from user + TelemetryManager.log("weighted value is provided by user."); + for (int i = 0; i < keys.length; i++) + attributePercentageMap.put(keys[i], new Float(values[i])); + } else { + // equally divide all the provided field. + TelemetryManager.log("weighted value is not provided by user."); + float perc = (float) 100.0 / keys.length; + for (int i = 0; i < keys.length; i++) attributePercentageMap.put(keys[i], perc); + } + } + } + + /** + * Method to read value from resource file . + * + * @param key + * @return + */ + public String readProperty(String key) { + String value = System.getenv(key); + if (StringUtils.isNotBlank(value)) return value; + return configProp.getProperty(key); + } +} \ No newline at end of file diff --git a/platform-core/auth-verifier/src/test/java/org/sunbird/auth/verifier/KeyManagerTest.java b/platform-core/auth-verifier/src/test/java/org/sunbird/auth/verifier/KeyManagerTest.java new file mode 100644 index 000000000..245fa563c --- /dev/null +++ b/platform-core/auth-verifier/src/test/java/org/sunbird/auth/verifier/KeyManagerTest.java @@ -0,0 +1,26 @@ +package org.sunbird.auth.verifier; + +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; + +import java.security.PublicKey; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.powermock.core.classloader.annotations.PowerMockIgnore; +import org.powermock.core.classloader.annotations.PrepareForTest; +import org.powermock.modules.junit4.PowerMockRunner; +import org.sunbird.common.models.util.PropertiesCache; + +@RunWith(PowerMockRunner.class) +@PrepareForTest({PropertiesCache.class}) +@PowerMockIgnore({"javax.management.*"}) +public class KeyManagerTest { + + @Test + public void testLoadPublicKey() throws Exception { + PublicKey key = + KeyManager.loadPublicKey( + "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAysH/wWtg0IjBL1JZZDYvUJC42JCxVobalckr2/3d3eEiWkk7Zh/4DAPYOs4UPjAevTs5VMUjq9EZu/u4H5hNzoVmYNvhtxbhWNY3n4mxpA4Lgt4sNGiGYNNGrN34ML+7+TR3Z1dlrhA271PiuanHI11YymskQRPhBfuwK923Kl/lgI4rS9OQ4GnkvwkUPvMUIRfNt8wL9uTbWm3V9p8VTcmQbW+pPw9QhO9v95NOgXQrLnT8xwnzQE6UCTY2al3B0fc3ULmcxvK+7P1R3/0w1qJLEKSiHl0xnv4WNEfS+2UmN+8jfdSCfoyVIglQl5/tb05j89nfZZp8k24AWLxIJQIDAQAB"); + assertNotNull(key); + } +} diff --git a/platform-core/pom.xml b/platform-core/pom.xml index 915ae188d..f8f4799e1 100755 --- a/platform-core/pom.xml +++ b/platform-core/pom.xml @@ -14,6 +14,7 @@ platform-common platform-telemetry actor-core + auth-verifier schema-validator platform-cache cassandra-connector diff --git a/pom.xml b/pom.xml index f3f14193a..f3b94a318 100644 --- a/pom.xml +++ b/pom.xml @@ -16,6 +16,9 @@ 2.11.12 3.0.8 2.9.8 + 2.22.0 + 2.0.7 + 2.0.0-beta.5 platform-core diff --git a/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java b/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java index 68f175363..136b52454 100644 --- a/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java +++ b/search-api/search-actors/src/main/java/org/sunbird/actors/SearchActor.java @@ -95,6 +95,12 @@ private SearchDTO getSearchDTO(Request request) throws Exception { SearchDTO searchObj = new SearchDTO(); try { Map req = request.getRequest(); + if (req.get("secureSettings") != null) { + searchObj.setSecureSettings((Boolean) req.get("secureSettings")); + } else { + searchObj.setSecureSettings(false); + } + searchObj.setUserOrgId((String) request.getContext().get("x-user-channel-id")); TelemetryManager.log("Search Request: ", req); String queryString = (String) req.get(SearchConstants.query); int limit = getIntValue(req.get(SearchConstants.limit)); diff --git a/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java b/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java index 6fa3d15a9..328d45212 100644 --- a/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java +++ b/search-api/search-core/src/main/java/org/sunbird/search/dto/SearchDTO.java @@ -16,6 +16,8 @@ public class SearchDTO { private int limit; private int offset; boolean fuzzySearch = false; + boolean secureSettings = false; + String userOrgId = ""; private Map additionalProperties = new HashMap(); private Map softConstraints = new HashMap(); private List> aggregations = new ArrayList<>(); @@ -65,13 +67,20 @@ public Map getSortBy() { public void setSortBy(Map sortBy) { this.sortBy = sortBy; } - public boolean isFuzzySearch() { return fuzzySearch; } public void setFuzzySearch(boolean fuzzySearch) { this.fuzzySearch = fuzzySearch; } + public boolean isSecureSettings() { + return secureSettings; + } + public void setSecureSettings(boolean secureSettings) { + this.secureSettings = secureSettings; + } + public String getUserOrgId() {return userOrgId;} + public void setUserOrgId(String userOrgId) {this.userOrgId = userOrgId;} public Map getAdditionalProperties() { return additionalProperties; } diff --git a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java index c95fc4f24..58a734a5a 100644 --- a/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java +++ b/search-api/search-core/src/main/java/org/sunbird/search/processor/SearchProcessor.java @@ -5,6 +5,7 @@ import com.fasterxml.jackson.databind.ObjectMapper; import org.apache.commons.collections.CollectionUtils; import org.apache.commons.lang.StringUtils; +import org.apache.lucene.search.join.ScoreMode; import org.elasticsearch.action.search.SearchResponse; import org.elasticsearch.index.query.*; import org.elasticsearch.index.query.MultiMatchQueryBuilder.Type; @@ -43,7 +44,7 @@ public SearchProcessor() { ElasticSearchUtil.initialiseESClient(SearchConstants.COMPOSITE_SEARCH_INDEX, Platform.config.getString("search.es_conn_info")); } - + public SearchProcessor(String indexName) { } @@ -112,7 +113,7 @@ public Map processCount(SearchDTO searchDTO) throws Exception { /** * Returns the list of words which are synonyms of the synsetIds passed in the * request - * + * * @param synsetIds * @return * @throws Exception @@ -177,7 +178,7 @@ public Map multiWordDocSearch(List synsetIds) throws Exc /** * Returns list of synsetsIds which has valid documents in composite index - * + * * @param synsetIds * @return * @throws Exception @@ -327,11 +328,17 @@ private QueryBuilder prepareSearchQuery(SearchDTO searchDTO) { QueryBuilder queryBuilder = null; String totalOperation = searchDTO.getOperation(); List properties = searchDTO.getProperties(); - formQuery(properties, queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch()); - if(searchDTO.getMultiFilterProperties() != null) { - formQuery(searchDTO.getMultiFilterProperties(), queryBuilder, boolQuery, SearchConstants.SEARCH_OPERATION_OR, searchDTO.isFuzzySearch()); + if (searchDTO.isSecureSettings() == false) + formQuery(properties, queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch()); + else + formQueryImpl(properties, queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch(), searchDTO); + if (searchDTO.getMultiFilterProperties() != null) { + if (searchDTO.isSecureSettings() == false) + formQuery(searchDTO.getMultiFilterProperties(), queryBuilder, boolQuery, SearchConstants.SEARCH_OPERATION_OR, searchDTO.isFuzzySearch()); + else { + formQueryImpl(searchDTO.getMultiFilterProperties(), queryBuilder, boolQuery, totalOperation, searchDTO.isFuzzySearch(), searchDTO); + } } - Map softConstraints = searchDTO.getSoftConstraints(); if (null != softConstraints && !softConstraints.isEmpty()) { boolQuery.should(getSoftConstraintQuery(softConstraints)); @@ -342,6 +349,13 @@ private QueryBuilder prepareSearchQuery(SearchDTO searchDTO) { } private void formQuery(List properties, QueryBuilder queryBuilder, BoolQueryBuilder boolQuery, String operation, Boolean fuzzy) { + formQueryImpl(properties, queryBuilder, boolQuery, operation, fuzzy, null); + } + + private void formQueryImpl(List properties, QueryBuilder queryBuilder, BoolQueryBuilder boolQuery, String operation, Boolean fuzzy, SearchDTO searchDTO) { + boolean enableSecureSettings = false; + if (searchDTO != null) + enableSecureSettings = searchDTO.isSecureSettings(); for (Map property : properties) { String opertation = (String) property.get("operation"); @@ -359,6 +373,11 @@ private void formQuery(List properties, QueryBuilder queryBuilder, BoolQuer relevanceSort = true; propertyName = "all_fields"; queryBuilder = getAllFieldsPropertyQuery(values, fuzzy); + if (enableSecureSettings) { + boolQuery.must(getSecureSettingsSearchQuery(searchDTO.getUserOrgId())); + } else { + boolQuery.mustNot(getSecureSettingsSearchDefaultQuery()); + } boolQuery.must(queryBuilder); continue; } @@ -447,6 +466,11 @@ private void formQuery(List properties, QueryBuilder queryBuilder, BoolQuer } } if (operation.equalsIgnoreCase(AND)) { + if (enableSecureSettings) { + boolQuery.must(getSecureSettingsSearchQuery(searchDTO.getUserOrgId())); + } else { + boolQuery.mustNot(getSecureSettingsSearchDefaultQuery()); + } boolQuery.must(queryBuilder); } else { boolQuery.should(queryBuilder); @@ -515,10 +539,26 @@ private QueryBuilder getAllFieldsPropertyQuery(List values, Boolean fuzz .operator(Operator.AND).type(Type.CROSS_FIELDS).fuzzyTranspositions(false).lenient(true)); } } - return queryBuilder; } + private QueryBuilder getSecureSettingsSearchDefaultQuery() { + + QueryBuilder firstNestedQuery =new NestedQueryBuilder("secureSettings", + QueryBuilders.boolQuery() .mustNot(new ExistsQueryBuilder("organisation")), org.apache.lucene.search.join.ScoreMode.None); + QueryBuilder secondNestedQuery= new NestedQueryBuilder("secureSettings", QueryBuilders.boolQuery() + .filter(new RangeQueryBuilder("organisation" + ".length").lte(0)) , org.apache.lucene.search.join.ScoreMode.None); + QueryBuilder query = QueryBuilders.boolQuery() .should(firstNestedQuery).should (secondNestedQuery); + + return query; + } + + private QueryBuilder getSecureSettingsSearchQuery(String org_id) { + QueryBuilder query = new NestedQueryBuilder("secureSettings", + QueryBuilders.boolQuery().must(new ExistsQueryBuilder("secureSettings.organisation")).must(QueryBuilders.termQuery("secureSettings.organisation", org_id)), org.apache.lucene.search.join.ScoreMode.None); + + return query; + } /** * @param softConstraints * @return @@ -732,7 +772,7 @@ public Future> processSearchQuery(SearchDTO searchDTO, boolean incl SearchSourceBuilder query = processSearchQuery(searchDTO, groupByFinalList, sort); TelemetryManager.log(" search query: " + query); Future searchResponse = ElasticSearchUtil.search(index, query); - + return searchResponse.map(new Mapper>() { public List apply(SearchResponse searchResult) { List response = new ArrayList(); @@ -746,7 +786,7 @@ public List apply(SearchResponse searchResult) { return response; } }, ExecutionContext.Implicits$.MODULE$.global()); - + } public Future processSearchQueryWithSearchResult(SearchDTO searchDTO, boolean includeResults, diff --git a/search-api/search-core/src/main/java/org/sunbird/search/util/SearchConstants.java b/search-api/search-core/src/main/java/org/sunbird/search/util/SearchConstants.java index 27b68a8ba..66d276168 100644 --- a/search-api/search-core/src/main/java/org/sunbird/search/util/SearchConstants.java +++ b/search-api/search-core/src/main/java/org/sunbird/search/util/SearchConstants.java @@ -114,4 +114,5 @@ public class SearchConstants { public static final String softConstraints = "softConstraints"; public static final String setDefaultVisibility = "setDefaultVisibility"; public static String soft = "soft"; + public static String secureSettings = "secureSettings"; } diff --git a/search-api/search-service/app/controllers/SearchBaseController.scala b/search-api/search-service/app/controllers/SearchBaseController.scala index 9e1735b35..5938c93ac 100644 --- a/search-api/search-service/app/controllers/SearchBaseController.scala +++ b/search-api/search-service/app/controllers/SearchBaseController.scala @@ -25,7 +25,7 @@ abstract class SearchBaseController(protected val cc: ControllerComponents)(impl } def commonHeaders()(implicit request: Request[AnyContent]): java.util.Map[String, Object] = { - val customHeaders = Map("x-channel-id" -> "CHANNEL_ID", "x-consumer-id" -> "CONSUMER_ID", "x-app-id" -> "APP_ID", "x-session-id" -> "SESSION_ID", "x-device-id" -> "DEVICE_ID") + val customHeaders = Map("x-authenticated-user-orgid" -> "x-user-channel-id","x-channel-id" -> "CHANNEL_ID", "x-consumer-id" -> "CONSUMER_ID", "x-app-id" -> "APP_ID", "x-session-id" -> "SESSION_ID", "x-device-id" -> "DEVICE_ID") val headers = request.headers.headers.groupBy(_._1).mapValues(_.map(_._2)) val appHeaders = headers.filter(header => customHeaders.keySet.contains(header._1.toLowerCase)) .map(entry => (customHeaders.get(entry._1.toLowerCase()).get, entry._2.head)) diff --git a/search-api/search-service/conf/application.conf b/search-api/search-service/conf/application.conf index 0b038102c..b39c0e2b5 100644 --- a/search-api/search-service/conf/application.conf +++ b/search-api/search-service/conf/application.conf @@ -315,4 +315,7 @@ content.tagging.property=["subject","medium"] search.payload.log_enable=true #Folling configuration would enable the fuzzy search when there are no matches found for given query. -search.fields.enable.fuzzy.when.noresult=false \ No newline at end of file +search.fields.enable.fuzzy.when.noresult=false + +#Following configuration would enable the secureSettings search +search.fields.enable.secureSettings=false \ No newline at end of file