/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited

  *

  * Licensed under the Apache License, Version 2.0 (the "License");

  * you may not use this file except in compliance with the License.

  * You may obtain a copy of the License at

  *

  *     http://www.apache.org/licenses/LICENSE-2.0

  *

  * Unless required by applicable law or agreed to in writing, software

  * distributed under the License is distributed on an "AS IS" BASIS,

  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  * See the License for the specific language governing permissions and

  * limitations under the License.

  */

 package org.acegisecurity.ui.digestauth;

 import org.acegisecurity.AcegiMessageSource;

 import org.acegisecurity.AuthenticationException;

 import org.acegisecurity.AuthenticationServiceException;

 import org.acegisecurity.BadCredentialsException;

 import org.acegisecurity.context.SecurityContextHolder;

 import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;

 import org.acegisecurity.providers.dao.UserCache;

 import org.acegisecurity.providers.dao.cache.NullUserCache;

 import org.acegisecurity.ui.AuthenticationDetailsSource;

 import org.acegisecurity.ui.AuthenticationDetailsSourceImpl;

 import org.acegisecurity.userdetails.UserDetails;

 import org.acegisecurity.userdetails.UserDetailsService;

 import org.acegisecurity.userdetails.UsernameNotFoundException;

 import org.acegisecurity.util.StringSplitUtils;

 import org.apache.commons.codec.binary.Base64;

 import org.apache.commons.codec.digest.DigestUtils;

 import org.apache.commons.logging.Log;

 import org.apache.commons.logging.LogFactory;

 import org.springframework.beans.factory.InitializingBean;

 import org.springframework.context.MessageSource;

 import org.springframework.context.MessageSourceAware;

 import org.springframework.context.support.MessageSourceAccessor;

 import org.springframework.util.Assert;

 import org.springframework.util.StringUtils;

 import java.io.IOException;

 import java.util.Map;

 import javax.servlet.Filter;

 import javax.servlet.FilterChain;

 import javax.servlet.FilterConfig;

 import javax.servlet.ServletException;

 import javax.servlet.ServletRequest;

 import javax.servlet.ServletResponse;

 import javax.servlet.http.HttpServletRequest;

 import javax.servlet.http.HttpServletResponse;

 /**

  * Processes a HTTP request's Digest authorization headers, putting the result into the

  * <code>SecurityContextHolder</code>.<p>For a detailed background on what this filter is designed to process,

  * refer to <a href="http://www.ietf.org/rfc/rfc2617.txt">RFC 2617</a> (which superseded RFC 2069, although this

  * filter support clients that implement either RFC 2617 or RFC 2069).</p>

  * <p>This filter can be used to provide Digest authentication services to both remoting protocol clients (such as

  * Hessian and SOAP) as well as standard user agents (such as Internet Explorer and FireFox).</p>

  * <p>This Digest implementation has been designed to avoid needing to store session state between invocations.

  * All session management information is stored in the "nonce" that is sent to the client by the {@link

  * DigestProcessingFilterEntryPoint}.</p>

  * <P>If authentication is successful, the resulting {@link org.acegisecurity.Authentication Authentication}

  * object will be placed into the <code>SecurityContextHolder</code>.</p>

  * <p>If authentication fails, an {@link org.acegisecurity.ui.AuthenticationEntryPoint AuthenticationEntryPoint}

  * implementation is called. This must always be {@link DigestProcessingFilterEntryPoint}, which will prompt the user

  * to authenticate again via Digest authentication.</p>

  * <p>Note there are limitations to Digest authentication, although it is a more comprehensive and secure solution

  * than Basic authentication. Please see RFC 2617 section 4 for a full discussion on the advantages of Digest

  * authentication over Basic authentication, including commentary on the limitations that it still imposes.</p>

  * <p><b>Do not use this class directly.</b> Instead configure <code>web.xml</code> to use the {@link

  * org.acegisecurity.util.FilterToBeanProxy}.</p>

  */

 public class DigestProcessingFilter implements Filter, InitializingBean, MessageSourceAware {

     //~ Static fields/initializers =====================================================================================

     private static final Log logger = LogFactory.getLog(DigestProcessingFilter.class);

     //~ Instance fields ================================================================================================

     private AuthenticationDetailsSource authenticationDetailsSource = new AuthenticationDetailsSourceImpl();

     private DigestProcessingFilterEntryPoint authenticationEntryPoint;

     protected MessageSourceAccessor messages = AcegiMessageSource.getAccessor();

     private UserCache userCache = new NullUserCache();

     private UserDetailsService userDetailsService;

     private boolean passwordAlreadyEncoded = false;

     //~ Methods ========================================================================================================

     public void afterPropertiesSet() throws Exception {

         Assert.notNull(userDetailsService, "A UserDetailsService is required");

         Assert.notNull(authenticationEntryPoint, "A DigestProcessingFilterEntryPoint is required");

     }

     public void destroy() {

     }

     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)

             throws IOException, ServletException {

         if (!(request instanceof HttpServletRequest)) {

             throw new ServletException("Can only process HttpServletRequest");

         }

         if (!(response instanceof HttpServletResponse)) {

             throw new ServletException("Can only process HttpServletResponse");

         }

         HttpServletRequest httpRequest = (HttpServletRequest) request;

         String header = httpRequest.getHeader("Authorization");

         if (logger.isDebugEnabled()) {

             logger.debug("Authorization header received from user agent: " + header);

         }

         if ((header != null) && header.startsWith("Digest ")) {

             String section212response = header.substring(7);

             String[] headerEntries = StringSplitUtils.splitIgnoringQuotes(section212response, ',');

             Map headerMap = StringSplitUtils.splitEachArrayElementAndCreateMap(headerEntries, "=", "\"");

             String username = (String) headerMap.get("username");

             String realm = (String) headerMap.get("realm");

             String nonce = (String) headerMap.get("nonce");

             String uri = (String) headerMap.get("uri");

             String responseDigest = (String) headerMap.get("response");

             String qop = (String) headerMap.get("qop"); // RFC 2617 extension

             String nc = (String) headerMap.get("nc"); // RFC 2617 extension

             String cnonce = (String) headerMap.get("cnonce"); // RFC 2617 extension

             // Check all required parameters were supplied (ie RFC 2069)

             if ((username == null) || (realm == null) || (nonce == null) || (uri == null) || (response == null)) {

                 if (logger.isDebugEnabled()) {

                     logger.debug("extracted username: '" + username + "'; realm: '" + username + "'; nonce: '"

                             + username + "'; uri: '" + username + "'; response: '" + username + "'");

                 }

                 fail(request, response,

                         new BadCredentialsException(messages.getMessage("DigestProcessingFilter.missingMandatory",

                                 new Object[]{section212response}, "Missing mandatory digest value; received header {0}")));

                 return;

             }

             // Check all required parameters for an "auth" qop were supplied (ie RFC 2617)

             if ("auth".equals(qop)) {

                 if ((nc == null) || (cnonce == null)) {

                     if (logger.isDebugEnabled()) {

                         logger.debug("extracted nc: '" + nc + "'; cnonce: '" + cnonce + "'");

                     }

                     fail(request, response,

                             new BadCredentialsException(messages.getMessage("DigestProcessingFilter.missingAuth",

                                     new Object[]{section212response}, "Missing mandatory digest value; received header {0}")));

                     return;

                 }

             }

             // Check realm name equals what we expected

             if (!this.getAuthenticationEntryPoint().getRealmName().equals(realm)) {

                 fail(request, response,

                         new BadCredentialsException(messages.getMessage("DigestProcessingFilter.incorrectRealm",

                                 new Object[]{realm, this.getAuthenticationEntryPoint().getRealmName()},

                                 "Response realm name '{0}' does not match system realm name of '{1}'")));

                 return;

             }

             // Check nonce was a Base64 encoded (as sent by DigestProcessingFilterEntryPoint)

             if (!Base64.isArrayByteBase64(nonce.getBytes())) {

                 fail(request, response,

                         new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceEncoding",

                                 new Object[]{nonce}, "Nonce is not encoded in Base64; received nonce {0}")));

                 return;

             }

             // Decode nonce from Base64

             // format of nonce is:

             //   base64(expirationTime + ":" + md5Hex(expirationTime + ":" + key))

             String nonceAsPlainText = new String(Base64.decodeBase64(nonce.getBytes()));

             String[] nonceTokens = StringUtils.delimitedListToStringArray(nonceAsPlainText, ":");

             if (nonceTokens.length != 2) {

                 fail(request, response,

                         new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceNotTwoTokens",

                                 new Object[]{nonceAsPlainText}, "Nonce should have yielded two tokens but was {0}")));

                 return;

             }

             // Extract expiry time from nonce

             long nonceExpiryTime;

             try {

                 nonceExpiryTime = new Long(nonceTokens[0]).longValue();

             } catch (NumberFormatException nfe) {

                 fail(request, response,

                         new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceNotNumeric",

                                 new Object[]{nonceAsPlainText},

                                 "Nonce token should have yielded a numeric first token, but was {0}")));

                 return;

             }

             // Check signature of nonce matches this expiry time

             String expectedNonceSignature = DigestUtils.md5Hex(nonceExpiryTime + ":"

                     + this.getAuthenticationEntryPoint().getKey());

             if (!expectedNonceSignature.equals(nonceTokens[1])) {

                 fail(request, response,

                         new BadCredentialsException(messages.getMessage("DigestProcessingFilter.nonceCompromised",

                                 new Object[]{nonceAsPlainText}, "Nonce token compromised {0}")));

                 return;

             }

             // Lookup password for presented username

             // NB: DAO-provided password MUST be clear text - not encoded/salted

             // (unless this instance's passwordAlreadyEncoded property is 'false')

             boolean loadedFromDao = false;

             UserDetails user = userCache.getUserFromCache(username);

             if (user == null) {

                 loadedFromDao = true;

                 try {

                     user = userDetailsService.loadUserByUsername(username);

                 } catch (UsernameNotFoundException notFound) {

                     fail(request, response,

                             new BadCredentialsException(messages.getMessage("DigestProcessingFilter.usernameNotFound",

                                     new Object[]{username}, "Username {0} not found")));

                     return;

                 }

                 if (user == null) {

                     throw new AuthenticationServiceException(

                             "AuthenticationDao returned null, which is an interface contract violation");

                 }

                 userCache.putUserInCache(user);

             }

             // Compute the expected response-digest (will be in hex form)

             String serverDigestMd5;

             // Don't catch IllegalArgumentException (already checked validity)

             serverDigestMd5 = generateDigest(passwordAlreadyEncoded, username, realm, user.getPassword(),

                     ((HttpServletRequest) request).getMethod(), uri, qop, nonce, nc, cnonce);

             // If digest is incorrect, try refreshing from backend and recomputing

             if (!serverDigestMd5.equals(responseDigest) && !loadedFromDao) {

                 if (logger.isDebugEnabled()) {

                     logger.debug(

                             "Digest comparison failure; trying to refresh user from DAO in case password had changed");

                 }

                 try {

                     user = userDetailsService.loadUserByUsername(username);

                 } catch (UsernameNotFoundException notFound) {

                     // Would very rarely happen, as user existed earlier

                     fail(request, response,

                             new BadCredentialsException(messages.getMessage("DigestProcessingFilter.usernameNotFound",

                                     new Object[]{username}, "Username {0} not found")));

                 }

                 userCache.putUserInCache(user);

                 // Don't catch IllegalArgumentException (already checked validity)

                 serverDigestMd5 = generateDigest(passwordAlreadyEncoded, username, realm, user.getPassword(),

                         ((HttpServletRequest) request).getMethod(), uri, qop, nonce, nc, cnonce);

             }

             // If digest is still incorrect, definitely reject authentication attempt

             if (!serverDigestMd5.equals(responseDigest)) {

                 if (logger.isDebugEnabled()) {

                     logger.debug("Expected response: '" + serverDigestMd5 + "' but received: '" + responseDigest

                             + "'; is AuthenticationDao returning clear text passwords?");

                 }

                 fail(request, response,

                         new BadCredentialsException(messages.getMessage("DigestProcessingFilter.incorrectResponse",

                                 "Incorrect response")));

                 return;

             }

             // To get this far, the digest must have been valid

             // Check the nonce has not expired

             // We do this last so we can direct the user agent its nonce is stale

             // but the request was otherwise appearing to be valid

             if (nonceExpiryTime < System.currentTimeMillis()) {

                 fail(request, response,

                         new NonceExpiredException(messages.getMessage("DigestProcessingFilter.nonceExpired",

                                 "Nonce has expired/timed out")));

                 return;

             }

             if (logger.isDebugEnabled()) {

                 logger.debug("Authentication success for user: '" + username + "' with response: '" + responseDigest

                         + "'");

             }

             UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(user,

                     user.getPassword());

             authRequest.setDetails(authenticationDetailsSource.buildDetails((HttpServletRequest) request));

             SecurityContextHolder.getContext().setAuthentication(authRequest);

         }

         chain.doFilter(request, response);

     }

     public static String encodePasswordInA1Format(String username, String realm, String password) {

         String a1 = username + ":" + realm + ":" + password;

         String a1Md5 = new String(DigestUtils.md5Hex(a1));

         return a1Md5;

     }

     private void fail(ServletRequest request, ServletResponse response, AuthenticationException failed)

             throws IOException, ServletException {

         SecurityContextHolder.getContext().setAuthentication(null);

         if (logger.isDebugEnabled()) {

             logger.debug(failed);

         }

         authenticationEntryPoint.commence(request, response, failed);

     }

     /**

      * Computes the <code>response</code> portion of a Digest authentication header. Both the server and user

      * agent should compute the <code>response</code> independently. Provided as a static method to simplify the

      * coding of user agents.

      *

      * @param passwordAlreadyEncoded true if the password argument is already encoded in the correct format. False if

      *                               it is plain text.

      * @param username               the user's login name.

      * @param realm                  the name of the realm.

      * @param password               the user's password in plaintext or ready-encoded.

      * @param httpMethod             the HTTP request method (GET, POST etc.)

      * @param uri                    the request URI.

      * @param qop                    the qop directive, or null if not set.

      * @param nonce                  the nonce supplied by the server

      * @param nc                     the "nonce-count" as defined in RFC 2617.

      * @param cnonce                 opaque string supplied by the client when qop is set.

      * @return the MD5 of the digest authentication response, encoded in hex

      * @throws IllegalArgumentException if the supplied qop value is unsupported.

      */

     public static String generateDigest(boolean passwordAlreadyEncoded, String username, String realm, String password,

                                         String httpMethod, String uri, String qop, String nonce, String nc, String cnonce)

             throws IllegalArgumentException {

         String a1Md5 = null;

         String a2 = httpMethod + ":" + uri;

         String a2Md5 = new String(DigestUtils.md5Hex(a2));

         if (passwordAlreadyEncoded) {

             a1Md5 = password;

         } else {

             a1Md5 = encodePasswordInA1Format(username, realm, password);

         }

         String digest;

         if (qop == null) {

             // as per RFC 2069 compliant clients (also reaffirmed by RFC 2617)

             digest = a1Md5 + ":" + nonce + ":" + a2Md5;

         } else if ("auth".equals(qop)) {

             // As per RFC 2617 compliant clients

             digest = a1Md5 + ":" + nonce + ":" + nc + ":" + cnonce + ":" + qop + ":" + a2Md5;

         } else {

             throw new IllegalArgumentException("This method does not support a qop: '" + qop + "'");

         }

         String digestMd5 = new String(DigestUtils.md5Hex(digest));

         return digestMd5;

     }

     public DigestProcessingFilterEntryPoint getAuthenticationEntryPoint() {

         return authenticationEntryPoint;

     }

     public UserCache getUserCache() {

         return userCache;

     }

     public UserDetailsService getUserDetailsService() {

         return userDetailsService;

     }

     public void init(FilterConfig ignored) throws ServletException {

     }

     public void setAuthenticationDetailsSource(AuthenticationDetailsSource authenticationDetailsSource) {

         Assert.notNull(authenticationDetailsSource, "AuthenticationDetailsSource required");

         this.authenticationDetailsSource = authenticationDetailsSource;

     }

     public void setAuthenticationEntryPoint(DigestProcessingFilterEntryPoint authenticationEntryPoint) {

         this.authenticationEntryPoint = authenticationEntryPoint;

     }

     public void setMessageSource(MessageSource messageSource) {

         this.messages = new MessageSourceAccessor(messageSource);

     }

     public void setPasswordAlreadyEncoded(boolean passwordAlreadyEncoded) {

         this.passwordAlreadyEncoded = passwordAlreadyEncoded;

     }

     public void setUserCache(UserCache userCache) {

         this.userCache = userCache;

     }

     public void setUserDetailsService(UserDetailsService userDetailsService) {

         this.userDetailsService = userDetailsService;

     }

 }