@Override public final DigestId generateMAC(byte[] message) throws InvalidKeyException { KeyIdentifier signingKey = currentKey; byte[] digest = generateMAC(signingKey.getKey(), message); return new DigestId(signingKey.getKeyId(), digest); }
@Override public KeyManager get() { return new FileBasedKeyManager(cConf, keyIdentifierCodec); } }
@Override public KeyManager get() { return new DistributedKeyManager(cConf, keyCodec, zkClient); } }
@Override public int hashCode() { return Objects.hashCode(getUsername(), getGroups(), getIssueTimestamp(), getExpireTimestamp()); }
/** * Given an {@link AccessToken} instance, checks that the token has not yet expired and that the digest matches * the expected value. To validate the token digest, we recompute the digest value, based on the asserted identity * and our own view of the secret keys. * @param token The token instance to validate. * @throws InvalidTokenException If the provided token instance is expired or the digest does not match the * recomputed value. */ public void validateSecret(AccessToken token) throws InvalidTokenException { long now = System.currentTimeMillis(); if (token.getIdentifier().getExpireTimestamp() < now) { throw new InvalidTokenException(TokenState.EXPIRED, "Token is expired."); } try { keyManager.validateMAC(identifierCodec, token); } catch (InvalidDigestException ide) { throw new InvalidTokenException(TokenState.INVALID, "Token signature is not valid!"); } catch (InvalidKeyException ike) { throw new InvalidTokenException(TokenState.INTERNAL, "Invalid key for token.", ike); } } }
@Override public final <T> void validateMAC(Codec<T> codec, Signed<T> signedMessage) throws InvalidDigestException, InvalidKeyException { try { byte[] newDigest = generateMAC(signedMessage.getKeyId(), codec.encode(signedMessage.getMessage())); if (!Bytes.equals(signedMessage.getDigestBytes(), newDigest)) { throw new InvalidDigestException("Token signature is not valid!"); } } catch (IOException ioe) { throw Throwables.propagate(ioe); } }
@Override protected ImmutablePair<TokenManager, Codec<AccessToken>> getTokenManagerAndCodec() throws Exception { DistributedKeyManager keyManager = getKeyManager(injector1, true); TokenManager tokenManager = new TokenManager(keyManager, injector1.getInstance(AccessTokenIdentifierCodec.class)); tokenManager.startAndWait(); return new ImmutablePair<TokenManager, Codec<AccessToken>>(tokenManager, injector1.getInstance(AccessTokenCodec.class)); }
@Override public synchronized void onResourceUpdate(String name, KeyIdentifier instance) { LOG.debug("SharedResourceCache triggered update: leader={}, resource key={}", leader, name); if (currentKey == null || instance.getExpiration() > currentKey.getExpiration()) { currentKey = instance; LOG.debug("Set current key: leader={}, key={}", leader, currentKey.getKeyId()); } }
/** * Computes a digest for the given input message, using the key identified by the given ID. * @param keyId Identifier of the secret key to use. * @param message The data over which we should generate a digest. * @return The computed digest. * @throws InvalidKeyException If the input {@code keyId} does not match a known key or the key is not accepted * by the internal {@code Mac} implementation. */ protected final byte[] generateMAC(int keyId, byte[] message) throws InvalidKeyException { KeyIdentifier key = getKey(keyId); if (key == null) { throw new InvalidKeyException("No key found for ID " + keyId); } return generateMAC(key.getKey(), message); }
@Override protected void startUp() throws Exception { tokenManager.startAndWait(); }
@Override protected void shutDown() throws Exception { tokenManager.stopAndWait(); }
public DistributedKeyManager(CConfiguration conf, Codec<KeyIdentifier> codec, ZKClient zookeeper) { this(conf, codec, zookeeper, getACLs(conf)); }
/** * Initialize the TokenManager. */ public void init() { tokenManager.start(); }
/** * Stop the TokenManager. */ public void destroy() { tokenManager.stop(); }
@Override public KeyManager get() { return new InMemoryKeyManager(cConf); } }
@Override public void shutDown() { this.keyManager.stopAndWait(); }
@Override public void doInit() throws IOException { generateKey(); }
@Override public void startUp() { this.keyManager.startAndWait(); }
public KeyIdentifier getCurrentKey() { if (keyManager instanceof WaitableDistributedKeyManager) { return ((WaitableDistributedKeyManager) keyManager).getCurrentKey(); } return null; }
public boolean hasKey(int keyId) { return super.hasKey(keyId); } }