Fixes the HMAC Authentication of RESTv2
Two problems prevented the authentication:
- the password deciphering expected a string and not a hex string (as returned by the database), which caused padding exceptions
- the HMAC sum comparison was done on bytes instead of strings, which somehow returned false
1 parent
90ddc15
commit 4d2d9e4
Showing
5 changed files
with
129 additions
and
21 deletions.
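--- a/...rc/test/java/org/waarp/openr66/protocol/http/restv2/resthandlers/RestHandlerHookTest.java
+++ b/...rc/test/java/org/waarp/openr66/protocol/http/restv2/resthandlers/RestHandlerHookTest.java
@@ -0,0 +1,70 @@
+package org.waarp.openr66.protocol.http.restv2.resthandlers;
+
+import org.junit.Test;
+import org.waarp.common.crypto.Des;
+import org.waarp.common.crypto.DynamicKeyObject;
+import org.waarp.common.crypto.HmacSha256;
+import org.waarp.openr66.pojo.Host;
+import org.waarp.openr66.protocol.configuration.Configuration;
+
+import static org.junit.Assert.fail;
+
+import java.text.SimpleDateFormat;
+import java.util.Date;
+
+import javax.ws.rs.InternalServerErrorException;
+
+/**
+* RestHandlerHook
+*/
+public class RestHandlerHookTest {
+
+public static final class RestHandlerHookForTest extends RestHandlerHook {
+public RestHandlerHookForTest(final boolean authenticated,
+final HmacSha256 hmac, final long delay) {
+super(authenticated, hmac, delay);
+}
+
+public void testValidateHMACredentials(Host host, String authDate,
+String authUser, String authKey)
+throws InternalServerErrorException {
+validateHMACCredentials(host, authDate, authUser, authKey);
+}
+}
+
+@Test
+public void testCheckCredentialsWithHMAC() throws Exception{
+final HmacSha256 hmac = new HmacSha256();
+hmac.generateKey();
+
+final Des dyn = new Des();
+dyn.generateKey();
+Des oldKey = Configuration.configuration.getCryptoKey();
+Configuration.configuration.setCryptoKey(dyn);
+
+final String user = "user";
+final String password = "mypassword";
+final String timestamp = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ssXX").format(new Date());
+
+try {
+
+final String hostkey = dyn.cryptToHex(password);
+final String sig = hmac.cryptToHex(timestamp + user + password);
+
+final RestHandlerHookForTest hook = new RestHandlerHookForTest(true, hmac, 10000);
+
+try {
+final Host host = new Host(user, "127.0.0.1", 1, hostkey.getBytes(), false, true);
+
+hook.testValidateHMACredentials(host, timestamp, user, sig);
+} catch (InternalServerErrorException e) {
+System.out.println(e);
+fail("credentials validation failed, it should have succeeded");
+}
+
+} finally {
+Configuration.configuration.setCryptoKey(oldKey);
+}
+
+}
+}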
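Review bot: `testCheckCredentialsWithHMAC` only proves that a correct signature is accepted, so it would still pass if `validateHMACCredentials` accepted every request; for an authentication fix the rejecting path needs a test as well. Add a case that builds the signature from a different password, `final String badSig = hmac.cryptToHex(timestamp + user + "wrong");`, calls `hook.testValidateHMACredentials(host, timestamp, user, badSig);` and fails unless an exception is raised, plus one with a timestamp older than the 10000 passed as `delay` (presumably the allowed skew in milliseconds; confirm against `RestHandlerHook`). The commit message says the signature comparison now works on strings; that code is outside this section, but if it uses `String.equals`, a constant-time check such as `MessageDigest.isEqual` on the decoded bytes is the safer choice. `hostkey.getBytes()` also relies on the platform charset and should name one, e.g. `hostkey.getBytes(StandardCharsets.UTF_8)`.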