Author: scottbw
Date: Wed Feb 19 10:52:55 2014
New Revision: 1569678
URL: http://svn.apache.org/r1569678
Log:
Changed structure of API key from "id, value, email" to "key, secret" following
the HMAC authz scheme
Modified:
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/helpers/ApiKeyHelper.java
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/ApiKey.java
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/ApiKeys.java
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/Hmac.java
wookie/trunk/wookie-server/src/main/resources/keys
wookie/trunk/wookie-server/src/test/java/org/apache/wookie/auth/AuthTokenUtilsTest.java
Modified:
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/helpers/ApiKeyHelper.java
URL:
http://svn.apache.org/viewvc/wookie/trunk/wookie-server/src/main/java/org/apache/wookie/helpers/ApiKeyHelper.java?rev=1569678&r1=1569677&r2=1569678&view=diff
==============================================================================
---
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/helpers/ApiKeyHelper.java
(original)
+++
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/helpers/ApiKeyHelper.java
Wed Feb 19 10:52:55 2014
@@ -44,9 +44,7 @@ public class ApiKeyHelper {
for(ApiKey key: keys){
Element keyElement = new Element("key");
- keyElement.setAttribute("id", String.valueOf(key.getId()));
- keyElement.setAttribute("value", key.getValue());
- keyElement.setAttribute("email", key.getEmail());
+ keyElement.setText(key.getValue());
keysElement.addContent(keyElement);
}
document.setRootElement(keysElement);
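Review bot: The rewritten loop body at `keyElement.setText(key.getValue())` serializes only the public key, which is the right outcome, but nothing records that omitting the secret is deliberate, and the same holds for the JSON loop in the next hunk (`jsonKey.put("key", key.getValue())`). A later change that adds the secret "for completeness" would expose every application's HMAC secret through whatever endpoint renders this document. Add a comment above each loop: `// Serialize the public key only; the secret must never leave the server through this representation.` Note also that the XML carries the key as element text while the JSON uses a named `key` property; if consumers are expected to treat the two alike, a `key` attribute would keep the shapes parallel. The enclosing methods start before their hunks.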
@@ -64,9 +62,7 @@ public class ApiKeyHelper {
for(ApiKey key: keys){
JSONObject jsonKey = new JSONObject();
try {
- jsonKey.put("id", key.getId());
- jsonKey.put("value", key.getValue());
- jsonKey.put("email", key.getEmail());
+ jsonKey.put("key", key.getValue());
} catch (JSONException e) {
logger.error("Problem rendering json for ApiKey object", e);
}
Modified:
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/ApiKey.java
URL:
http://svn.apache.org/viewvc/wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/ApiKey.java?rev=1569678&r1=1569677&r2=1569678&view=diff
==============================================================================
---
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/ApiKey.java
(original)
+++
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/ApiKey.java
Wed Feb 19 10:52:55 2014
@@ -22,25 +22,15 @@ package org.apache.wookie.server.securit
*/
public class ApiKey {
- private Object id;
private String value;
- private String email;
+ private String secret;
public ApiKey(){
}
- public ApiKey(String key, String email){
+ public ApiKey(String key, String secret){
setValue(key);
- setEmail(email);
- this.id = key;
- }
-
- /**
- * Get the id of the key
- * @return
- */
- public Object getId() {
- return id;
+ setSecret(secret);
}
/**
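Review bot: The new constructor `ApiKey(String key, String secret)` stores whatever it is given, so a configuration entry with a missing right-hand side yields an ApiKey whose secret is null or empty, and the Hmac hunk below then reads `getSecret()` with no visible check. Rejecting the bad value at construction keeps a misconfigured entry from becoming a key that validates signatures made with an empty secret: `if (secret == null || secret.isEmpty()) throw new IllegalArgumentException("API key secret must not be empty");` placed before `setSecret(secret)`. The no-arg constructor and public setter still allow the field to be left unset, so callers that build keys in two steps (as the tests do) are not covered by this, and how the keys-file parser treats an empty value or this exception is outside the hunk.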
@@ -63,16 +53,16 @@ public class ApiKey {
* Get contact email associated with this key
* @return
*/
- public String getEmail() {
- return email;
+ public String getSecret() {
+ return secret;
}
/**
* Set the contact email address
* @param email
*/
- public void setEmail(String email) {
- this.email = email;
+ public void setSecret(String secret) {
+ this.secret = secret;
}
}
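Review bot: The Javadoc carried over onto `getSecret()` and `setSecret(String)` still describes a contact email (`Get contact email associated with this key`, `Set the contact email address`, `@param email`), which no longer matches the accessors. Replace them with `Get the shared secret used to sign requests made with this key` / `@return the secret`, and `Set the shared secret for this key` / `@param secret the secret`. It is also worth stating in the setter's Javadoc that the value must not be logged or serialized, since nothing in the hunk otherwise marks the field as sensitive.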
Modified:
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/ApiKeys.java
URL:
http://svn.apache.org/viewvc/wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/ApiKeys.java?rev=1569678&r1=1569677&r2=1569678&view=diff
==============================================================================
---
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/ApiKeys.java
(original)
+++
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/ApiKeys.java
Wed Feb 19 10:52:55 2014
@@ -161,12 +161,11 @@ public class ApiKeys {
private boolean addKeyToCollection(String key, String email) throws
ConfigurationException{
ApiKey apiKey = new ApiKey(key, email);
if (keys.containsKey(apiKey.getValue())){
- logger.debug("Duplicate key submitted for "+email);
+ logger.debug("Duplicate key submitted for "+apiKey.getValue());
return false;
} else {
// Add
keys.put(apiKey.getValue(), apiKey);
- logger.debug("Key added for "+apiKey.getEmail());
return true;
}
}
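Review bot: `addKeyToCollection(String key, String email)` still names its second parameter `email` although it is now passed to `ApiKey(key, secret)` as the HMAC secret, so the signature misdescribes what is stored. Rename it: `private boolean addKeyToCollection(String key, String secret) throws ConfigurationException {` and `ApiKey apiKey = new ApiKey(key, secret);`. The change to the two debug lines is the right direction, since only the public key value is logged now; that property should hold for any future logging in this method, because the secret is the only credential the HMAC scheme protects.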
Modified:
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/Hmac.java
URL:
http://svn.apache.org/viewvc/wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/Hmac.java?rev=1569678&r1=1569677&r2=1569678&view=diff
==============================================================================
---
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/Hmac.java
(original)
+++
wookie/trunk/wookie-server/src/main/java/org/apache/wookie/server/security/Hmac.java
Wed Feb 19 10:52:55 2014
@@ -100,7 +100,7 @@ public class Hmac {
// Get the header
//
String auth = request.getHeader("Authorization");
-
+
//
// If no auth header, not valid.
//
@@ -114,17 +114,17 @@ public class Hmac {
String apiKey = getPublicKey(request);
String signature = getSignature(request);
if (apiKey == null || signature == null) return false;
-
+
//
// Validate the api public key exists
//
if (!ApiKeys.getInstance().validate(apiKey)) return false;
-
+
//
// Get the API key secret
//
- String secret =
ApiKeys.getInstance().getApiKey(apiKey).getEmail();
-
+ String secret =
ApiKeys.getInstance().getApiKey(apiKey).getSecret();
+
//
// Check the timestamp. If no timestamp is
// provided, the request is not valid
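Review bot: The new line `String secret = ApiKeys.getInstance().getApiKey(apiKey).getSecret();` dereferences the lookup result without a null check, relying on the preceding `validate(apiKey)` call. The keys file is described as dynamically loaded, so if the key set can be reloaded between the two calls (not visible in this hunk), a removed key would turn a failed authentication into a NullPointerException instead of `return false`. A single lookup avoids both the double access and the gap: `ApiKey entry = ApiKeys.getInstance().getApiKey(apiKey); if (entry == null) return false; String secret = entry.getSecret();`. The enclosing method continues outside the hunk, and whether `validate` is anything more than a presence check cannot be seen here.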
@@ -142,7 +142,6 @@ public class Hmac {
} catch (ParseException e1) {
return false;
}
-
//
// Compute the window of validity for the timestamp,
// equivalent to now minus an allowance for clock
@@ -158,7 +157,7 @@ public class Hmac {
if ((timestampDate.getTime()) < window){
return false;
}
-
+
//
// Get the nonce used. If there is no nonce, the
// request is not valid
@@ -170,7 +169,7 @@ public class Hmac {
// Check the nonce hasn't been reused lately
//
if (!NonceCache.getInstance().isValid(nonce)) return false;
-
+
//
// Get the canonical request string to validate
//
Modified: wookie/trunk/wookie-server/src/main/resources/keys
URL:
http://svn.apache.org/viewvc/wookie/trunk/wookie-server/src/main/resources/keys?rev=1569678&r1=1569677&r2=1569678&view=diff
==============================================================================
--- wookie/trunk/wookie-server/src/main/resources/keys (original)
+++ wookie/trunk/wookie-server/src/main/resources/keys Wed Feb 19 10:52:55 2014
@@ -3,14 +3,21 @@
##
## This file is dynamically loaded by Wookie and configures
## API keys for accessing Wookie. Each application that will
-## request widget instances must have its own API key.
+## interact with the Wookie REST API will need its own key
+## and secret
##
-## The format of entries is key = contact email address
+## The format of entries is key = secret
##
+## The key is sent over plaintext in API requests, however
+## the secret is only shared once with the application
+## and then used privately to generate secure hashes.
+##
+## If a secret is compromised, it can be changed here without
+## affecting existing data.
##
## Example:
##
-## mykey = [email protected]
+## mykey = somerandomvalue
##
[email protected]
\ No newline at end of file
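Review bot: The live entry on the last context line of the hunk (shown partly redacted here) is left unchanged, so the shipped default still pairs the key with a contact email address where the new header says a secret belongs. Under the HMAC scheme that value is now the signing secret, and an email address is guessable and also appears verbatim in the test fixtures, so a deployment that keeps the default resource file has a predictable credential. Ship the file with no active entry and only a commented sample, for example `## mykey = <REPLACE WITH A RANDOM SECRET>`, and state in the header that the file must be edited before the server is exposed. The header's `somerandomvalue` example is fine as illustration but should not be the value actually installed.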
Modified:
wookie/trunk/wookie-server/src/test/java/org/apache/wookie/auth/AuthTokenUtilsTest.java
URL:
http://svn.apache.org/viewvc/wookie/trunk/wookie-server/src/test/java/org/apache/wookie/auth/AuthTokenUtilsTest.java?rev=1569678&r1=1569677&r2=1569678&view=diff
==============================================================================
---
wookie/trunk/wookie-server/src/test/java/org/apache/wookie/auth/AuthTokenUtilsTest.java
(original)
+++
wookie/trunk/wookie-server/src/test/java/org/apache/wookie/auth/AuthTokenUtilsTest.java
Wed Feb 19 10:52:55 2014
@@ -43,7 +43,7 @@ public class AuthTokenUtilsTest{
public void encrypt() throws Exception{
ApiKey apiKey = new ApiKey();
apiKey.setValue("ENC_TEST");
- apiKey.setEmail("[email protected]");
+ apiKey.setSecret("[email protected]");
AuthToken authToken = new AuthToken();
authToken.setApiKey(apiKey);
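Review bot: The fixture built from `new ApiKey()`, `setValue("ENC_TEST")` and `setSecret(...)` is repeated in each of the six hunks of this file, so a later change to how a test key is built must be made six times. A small helper such as `private static ApiKey testKey(String value) { ApiKey k = new ApiKey(); k.setValue(value); k.setSecret(TEST_SECRET); return k; }` would let each test start with `ApiKey apiKey = testKey("ENC_TEST");` (and `"ENC_TEST_BAD"` in encryptBadApiKey). Using an email-shaped string as the secret is only cosmetic in a test, but holding it in a `TEST_SECRET` constant makes clear that it is a secret rather than a contact address.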
@@ -67,7 +67,7 @@ public class AuthTokenUtilsTest{
public void validate() throws Exception{
ApiKey apiKey = new ApiKey();
apiKey.setValue("ENC_TEST");
- apiKey.setEmail("[email protected]");
+ apiKey.setSecret("[email protected]");
AuthToken authToken = new AuthToken();
authToken.setApiKey(apiKey);
@@ -91,7 +91,7 @@ public class AuthTokenUtilsTest{
public void encryptExpiry() throws Exception{
ApiKey apiKey = new ApiKey();
apiKey.setValue("ENC_TEST");
- apiKey.setEmail("[email protected]");
+ apiKey.setSecret("[email protected]");
AuthToken authToken = new AuthToken();
authToken.setApiKey(apiKey);
@@ -121,7 +121,7 @@ public class AuthTokenUtilsTest{
public void encryptExpiryWithValidation() throws Exception{
ApiKey apiKey = new ApiKey();
apiKey.setValue("ENC_TEST");
- apiKey.setEmail("[email protected]");
+ apiKey.setSecret("[email protected]");
AuthToken authToken = new AuthToken();
authToken.setApiKey(apiKey);
@@ -151,7 +151,7 @@ public class AuthTokenUtilsTest{
public void encryptExpirySkew() throws Exception{
ApiKey apiKey = new ApiKey();
apiKey.setValue("ENC_TEST");
- apiKey.setEmail("[email protected]");
+ apiKey.setSecret("[email protected]");
AuthToken authToken = new AuthToken();
authToken.setApiKey(apiKey);
@@ -178,7 +178,7 @@ public class AuthTokenUtilsTest{
public void encryptBadApiKey(){
ApiKey apiKey = new ApiKey();
apiKey.setValue("ENC_TEST_BAD");
- apiKey.setEmail("[email protected]");
+ apiKey.setSecret("[email protected]");
AuthToken authToken = new AuthToken();
authToken.setApiKey(apiKey);