Add cloud demo server.

Signed-off-by: Achim Kraus <achim.kraus@cloudcoap.net>

demo-apps/cf-cloud-demo-server/README.md

@@ -0,0 +1,115 @@
+![Californium logo](../../cf_64.png)
+
+# Californium (Cf) - Cloud Demo Server
+
+!!! Under construction !!!
+
+Simple cloud demo server, sets up only coaps/DTLS endpoints.
+
+Supports an optional, very simple HTTPS server to read the last CoAP POSTs to resource "devices" or resource "echo" with query-parameter "keep".
+
+## General Usage
+
+Start the cf-cloud-demo-server-3.8.0.jar with:
+
+```sh
+java -jar cf-cloud-demo-server-3.8.0.jar -h
+
+Usage: CloudDemoServer [-h] [--trust-all] [--client-auth=<clientAuth>]
+                       [--https-credentials=<httpsCredentials>]
+                       [--https-port=<httpsPort>] [--wildcard-interface | [[--
+                       [no-]loopback] [--[no-]external] [--[no-]ipv4] [--[no-]
+                       ipv6] [--interfaces-pattern=<interfacePatterns>[,
+                       <interfacePatterns>...]]...]] [--psk-file=<file>
+                       [--psk-file-password64=<password64>]
+                       [--psk-file-export=<exportFile>]
+                       [--psk-file-export-password64=<exportPassword64>]]
+                       [--store-file=<file> --store-max-age=<maxAge>
+                       [--store-password64=<password64>]]
+      --client-auth=<clientAuth>
+                             client authentication. Values NONE, WANTED, NEEDED.
+  -h, --help                 display a help message
+      --https-credentials=<httpsCredentials>
+                             Folder to https credentials.
+      --https-port=<httpsPort>
+                             Port of https service.
+      --interfaces-pattern=<interfacePatterns>[,<interfacePatterns>...]
+                             interface regex patterns for endpoints.
+      --[no-]external        enable endpoints on external network.
+      --[no-]ipv4            enable endpoints for ipv4.
+      --[no-]ipv6            enable endpoints for ipv6.
+      --[no-]loopback        enable endpoints on loopback network.
+      --psk-file=<file>      File name of PSK store.
+      --psk-file-export=<exportFile>
+                             File name for export PSK store. Defaults to
+                               --psk-file, if --psk-file-export-password64 is
+                               provided.
+      --psk-file-export-password64=<exportPassword64>
+                             Password for export PSK store. Base 64 encoded.
+      --psk-file-password64=<password64>
+                             Password for PSK store. Base 64 encoded.
+      --store-file=<file>    file store dtls state.
+      --store-max-age=<maxAge>
+                             maximum age of connections in hours.
+      --store-password64=<password64>
+                             password to store dtls state. Base 64 encoded.
+      --trust-all            trust all valid certificates.
+      --wildcard-interface   Use wildcard-address for local network interfaces.
+
+Examples:
+  DemoServer --no-loopback
+    (DemoServer listening only on external network interfaces.)
+
+  DemoServer --psk-file device.psk --store-file dtls.bin --store-max-age 168 \
+             --store-password64 ZVhiRW5pdkx1RUs2dmVoZg==
+    (DemoServer with PSK credentials from file and dtls-graceful restart.
+     Devices/sessions with no exchange for more then a week (168 hours)
+     are skipped when saving.)
+
+  DemoServer --psk-file device.psk \
+             --psk-file-export-password64 V3plQUdkTnFLQjRnZWtSeg==
+    (DemoServer encrypts plain PSK credentials file (in place).
+     Exits afterwards.)
+```
+
+To see the set of options and arguments.
+
+## DTLS Graceful Restart
+
+The cloud demo server supports to save the DTLS connection state and load it again. With this feature, it's possible to restart the server without losing the DTLS connection state. Provide the arguments `--store-file` (filename to save and load the DTLS connection state), `--store-password64` (base64 encoded password to save and load the DTLS connection state), and `--store-max-age` (maximum age of connections to be stored. Value in hours) are provided.
+
+Stop the server and start it again using the same `--store-file` and `--store-password64` as before and also provide the `--store-max-age`.
+
+Note: if it takes too long between stopping and restart, the clients will detect a timeout and trigger new handshakes. So just pause a small couple of seconds!
+
+Note: only the DTLS state is persisted. To use this feature, the client is intended to use mainly CON request and the server the use piggybacked responses. Neither DTLS handshakes, separate responses, observe/notifies, nor blockwise transfers are supported.
+
+## HTTPS x509 certificate
+
+One x509 provider is [letsencrypt.org](https://letsencrypt.org/). Install `certbot` and request a x509 http server certificate.
+
+```
+sudo certbot certonly --standalone --key-type ecdsa --elliptic-curve secp256r1 -d <domain>
+```
+
+Usually the received credentials are stored in `/etc/letsencrypt/live/<domain>` and you must add a group as reader for the private key (see instructions of [certbot](https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates)).
+
+## Systemd service
+
+The server runs as [systemd service](service/cali.service). Please adapt the DOMAIN.
+Copy the edited `cali.service` into `/etc/systemd/system` 
+
+## HTTPS forwarding
+
+The server runs as user and therefore required to forward TCP:443 to a user service port (8080). Copy [iptables service](service/iptables.service) into `/etc/systemd/system` and [iptables-firewall.sh](service/iptables-firewall.sh) into `sbin` and make that file executable.
+
+
+## Missing
+
+- cloudinit setup
+- user/group setup
+- fail2ban setup
+
+See for now [cf-unix-setup](https://github.com/eclipse/californium/tree/main/demo-apps/cf-unix-setup).
+
+!!! Under construction !!!

demo-apps/cf-cloud-demo-server/demo.psk

@@ -0,0 +1,3 @@
+# PSK store for Cloud Demo
+Client_identity=c2VjcmV0UFNL
+

demo-apps/cf-cloud-demo-server/pom.xml

@@ -0,0 +1,68 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+	<modelVersion>4.0.0</modelVersion>
+
+	<parent>
+		<groupId>org.eclipse.californium</groupId>
+		<artifactId>demo-apps</artifactId>
+		<version>3.8.0-SNAPSHOT</version>
+	</parent>
+	<artifactId>cf-cloud-demo-server</artifactId>
+	<packaging>jar</packaging>
+
+	<name>Cf-CloudDemoServer</name>
+	<description>Californium (Cf) Cloud Demo server</description>
+
+	<properties>
+		<assembly.mainClass>org.eclipse.californium.cloud.DemoServer</assembly.mainClass>
+		<skipNexusStagingDeployMojo>false</skipNexusStagingDeployMojo>
+		<skipStaging>false</skipStaging>
+		<maven.javadoc.skip>false</maven.javadoc.skip>
+	</properties>
+
+	<dependencies>
+		<dependency>
+			<groupId>${project.groupId}</groupId>
+			<artifactId>californium-core</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>${project.groupId}</groupId>
+			<artifactId>scandium</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>${project.groupId}</groupId>
+			<artifactId>cf-unix-health</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+		<dependency>
+			<groupId>info.picocli</groupId>
+			<artifactId>picocli</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.upokecenter</groupId>
+			<artifactId>cbor</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.google.code.gson</groupId>
+			<artifactId>gson</artifactId>
+		</dependency>
+
+		<!-- runtime dependencies -->
+		<dependency>
+			<groupId>${project.groupId}</groupId>
+			<artifactId>demo-certs</artifactId>
+			<scope>runtime</scope>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<artifactId>maven-assembly-plugin</artifactId>
+				<!-- inherit configuration from parent POM -->
+			</plugin>
+		</plugins>
+	</build>
+
+</project>

demo-apps/cf-cloud-demo-server/service/cali.service

@@ -0,0 +1,59 @@
+#/*******************************************************************************
+# * Copyright (c) 2022 Contributors to the Eclipse Foundation.
+# * 
+# * All rights reserved. This program and the accompanying materials
+# * are made available under the terms of the Eclipse Public License v2.0
+# * and Eclipse Distribution License v1.0 which accompany this distribution.
+# * 
+# * The Eclipse Public License is available at
+# *    http://www.eclipse.org/legal/epl-v20.html
+# * and the Eclipse Distribution License is available at
+# *    http://www.eclipse.org/org/documents/edl-v10.html.
+# * 
+# ******************************************************************************/
+#
+# To install, cp <file> to /etc/systemd/system
+#
+# The value of "TasksMax" is increasing with the numbers of connectors 
+# according the used networkconfig.
+#
+# Use
+#   top -H
+#
+# to see the number of threads
+#
+# In order to update the service, cp the new .jar to
+# /home/cali/cf-cloud-demo-server-update.jar
+#
+# on 
+#  systemctl restart cali
+#
+# that file is copied to cf-cloud-demo-server.jar and executed.
+# If cf-cloud-demo-server.jar is updated inplace when running,
+# that my cause unintended exceptions, which prevents Californium 
+# from successfully gracefull-restart of the dtls state. 
+# 
+
+[Unit]
+Description=Californium Cloud Demo Server
+BindsTo=network-online.target
+After=network-online.target
+RequiresMountsFor=/home
+
+[Service]
+Type=simple
+TasksMax=256
+User=cali
+WorkingDirectory=/home/cali
+Environment="JAR=cf-cloud-demo-server.jar"
+Environment="ARGS=--no-loopback --store-file=connections.bin --store-max-age=72 --store-password64=TDNLOmJTWi13JUs/YGdvNA== --psk-file demo.psk --https-credentials /etc/letsencrypt/live/cloudcoap.io --https-port 8080"
+Environment="S3_ARGS=--s3-endpoint https://??? --s3-access-key ??? --s3-secret ??? --s3-bucket devices --s3-acl public-read --s3-device-list list --s3-concurrency 400"
+Environment="OPTS=-XX:MaxRAMPercentage=75 -Dlogback.configurationFile=./logback.xml"
+ExecStartPre=/bin/cp -u cf-cloud-demo-server-update.jar cf-cloud-demo-server.jar
+ExecStart=/usr/bin/java $OPTS -jar ${JAR} $ARGS $S3_ARGS
+RestartSec=10
+Restart=always
+OOMPolicy=stop
+
+[Install]
+WantedBy=multi-user.target

demo-apps/cf-cloud-demo-server/service/iptables-firewall.sh

@@ -0,0 +1,48 @@
+#!/bin/sh
+
+#/*******************************************************************************
+# * Copyright (c) 2022 Contributors to the Eclipse Foundation.
+# * 
+# * All rights reserved. This program and the accompanying materials
+# * are made available under the terms of the Eclipse Public License v2.0
+# * and Eclipse Distribution License v1.0 which accompany this distribution.
+# * 
+# * The Eclipse Public License is available at
+# *    http://www.eclipse.org/legal/epl-v20.html
+# * and the Eclipse Distribution License is available at
+# *    http://www.eclipse.org/org/documents/edl-v10.html.
+# * 
+# ******************************************************************************/
+#
+# To install, cp <file> to /sbin/iptables-firewall.sh
+
+
+# Limit PATH
+PATH="/sbin:/usr/sbin:/bin:/usr/bin"
+
+# iptables configuration
+firewall_start() {
+  # Define https forward
+  iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8080
+  ip6tables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8080
+}
+
+# clear iptables configuration
+firewall_stop() {
+  # Define https forward
+  iptables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8080
+  ip6tables -t nat -D PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8080
+}
+
+# execute action
+case "$1" in
+  start|restart)
+    echo "Starting firewall"
+    firewall_stop
+    firewall_start
+    ;;
+  stop)
+    echo "Stopping firewall"
+    firewall_stop
+    ;;
+esac

demo-apps/cf-cloud-demo-server/service/iptables.service

@@ -0,0 +1,32 @@
+#/*******************************************************************************
+# * Copyright (c) 2022 Contributors to the Eclipse Foundation.
+# * 
+# * All rights reserved. This program and the accompanying materials
+# * are made available under the terms of the Eclipse Public License v2.0
+# * and Eclipse Distribution License v1.0 which accompany this distribution.
+# * 
+# * The Eclipse Public License is available at
+# *    http://www.eclipse.org/legal/epl-v20.html
+# * and the Eclipse Distribution License is available at
+# *    http://www.eclipse.org/org/documents/edl-v10.html.
+# * 
+# ******************************************************************************/
+#
+# To install, cp <file> to /etc/systemd/system
+#
+# Requires /sbin/iptables-firewall.sh
+
+[Unit]
+Description=iptables firewall service
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/iptables-firewall.sh start
+RemainAfterExit=true
+ExecStop=/sbin/iptables-firewall.sh stop
+StandardOutput=journal
+
+[Install]
+WantedBy=multi-user.target
+