GH-1359: Create Authorizer for Bootstrap server

eclipse-leshan · Dec 1, 2022 · 05dbddb · 05dbddb
1 parent 7547de5
commit 05dbddb
Show file tree

Hide file tree

Showing 5 changed files with 113 additions and 30 deletions.
diff --git a/...c/test/java/org/eclipse/leshan/integration/tests/util/BootstrapIntegrationTestHelper.java b/...c/test/java/org/eclipse/leshan/integration/tests/util/BootstrapIntegrationTestHelper.java
@@ -74,14 +74,14 @@
 import org.eclipse.leshan.server.bootstrap.BootstrapFailureCause;
 import org.eclipse.leshan.server.bootstrap.BootstrapSession;
 import org.eclipse.leshan.server.bootstrap.BootstrapTaskProvider;
+import org.eclipse.leshan.server.bootstrap.DefaultBootstrapAuthorizer;
 import org.eclipse.leshan.server.bootstrap.DefaultBootstrapSession;
 import org.eclipse.leshan.server.bootstrap.DefaultBootstrapSessionManager;
 import org.eclipse.leshan.server.californium.bootstrap.LeshanBootstrapServer;
 import org.eclipse.leshan.server.californium.bootstrap.LeshanBootstrapServerBuilder;
 import org.eclipse.leshan.server.model.StandardBootstrapModelProvider;
 import org.eclipse.leshan.server.security.BootstrapSecurityStore;
 import org.eclipse.leshan.server.security.EditableSecurityStore;
-import org.eclipse.leshan.server.security.SecurityChecker;
 import org.eclipse.leshan.server.security.SecurityInfo;
 
 /**
@@ -106,12 +106,11 @@ private class TestBootstrapSessionManager extends DefaultBootstrapSessionManager
 
         public TestBootstrapSessionManager(BootstrapSecurityStore bsSecurityStore,
                 BootstrapTaskProvider tasksProvider) {
-            super(bsSecurityStore, new SecurityChecker(), tasksProvider, new StandardBootstrapModelProvider());
+            super(tasksProvider, new StandardBootstrapModelProvider(), new DefaultBootstrapAuthorizer(bsSecurityStore));
         }
 
         public TestBootstrapSessionManager(BootstrapSecurityStore bsSecurityStore, BootstrapConfigStore configStore) {
-            super(bsSecurityStore, new SecurityChecker(), new BootstrapConfigStoreTaskProvider(configStore),
-                    new StandardBootstrapModelProvider());
+            super(bsSecurityStore, configStore);
         }
 
         @Override

diff --git a/...in/java/org/eclipse/leshan/server/californium/bootstrap/LeshanBootstrapServerBuilder.java b/...in/java/org/eclipse/leshan/server/californium/bootstrap/LeshanBootstrapServerBuilder.java
@@ -59,12 +59,14 @@
 import org.eclipse.leshan.server.bootstrap.BootstrapHandlerFactory;
 import org.eclipse.leshan.server.bootstrap.BootstrapSessionListener;
 import org.eclipse.leshan.server.bootstrap.BootstrapSessionManager;
+import org.eclipse.leshan.server.bootstrap.DefaultBootstrapAuthorizer;
 import org.eclipse.leshan.server.bootstrap.DefaultBootstrapHandler;
 import org.eclipse.leshan.server.bootstrap.DefaultBootstrapSessionManager;
 import org.eclipse.leshan.server.bootstrap.InMemoryBootstrapConfigStore;
 import org.eclipse.leshan.server.bootstrap.LwM2mBootstrapRequestSender;
 import org.eclipse.leshan.server.model.LwM2mBootstrapModelProvider;
 import org.eclipse.leshan.server.model.StandardBootstrapModelProvider;
+import org.eclipse.leshan.server.security.BootstrapAuthorizer;
 import org.eclipse.leshan.server.security.BootstrapSecurityStore;
 import org.eclipse.leshan.server.security.SecurityChecker;
 import org.slf4j.Logger;
@@ -107,6 +109,8 @@ public class LeshanBootstrapServerBuilder {
 
     private boolean enableOscore = false;
 
+    private BootstrapAuthorizer authorizer;
+
     /**
      * Set the address/port for unsecured CoAP communication (<code>coap://</code>).
      * <p>
@@ -247,7 +251,6 @@ public <T extends Certificate> LeshanBootstrapServerBuilder setTrustedCertificat
      *
      * @param configStore the bootstrap configuration store.
      * @return the builder for fluent Bootstrap Server creation.
-     *
      */
     public LeshanBootstrapServerBuilder setConfigStore(BootstrapConfigStore configStore) {
         this.configStore = configStore;
@@ -302,7 +305,6 @@ public LeshanBootstrapServerBuilder setBootstrapHandlerFactory(BootstrapHandlerF
      * Set your {@link LwM2mBootstrapModelProvider} implementation.
      * </p>
      * By default the {@link StandardBootstrapModelProvider}.
-     *
      */
     public LeshanBootstrapServerBuilder setObjectModelProvider(LwM2mBootstrapModelProvider objectModelProvider) {
         this.modelProvider = objectModelProvider;
@@ -411,6 +413,16 @@ public LeshanBootstrapServerBuilder setEnableOscore(boolean enableOscore) {
         return this;
     }
 
+    /**
+     * Set the Bootstrap authorizer {@link BootstrapAuthorizer}
+     * <p>
+     * By default the {@link DefaultBootstrapAuthorizer} is used.
+     */
+    public LeshanBootstrapServerBuilder setAuthorizer(BootstrapAuthorizer authorizer) {
+        this.authorizer = authorizer;
+        return this;
+    }
+
     /**
      * Create the default CoAP/Californium {@link Configuration} used by the builder.
      * <p>
@@ -458,8 +470,11 @@ public BootstrapHandler create(LwM2mBootstrapRequestSender sender,
                     "modelProvider is set but you also provide a custom SessionManager so this provider will not be used");
         }
         if (sessionManager == null) {
-            sessionManager = new DefaultBootstrapSessionManager(securityStore, new SecurityChecker(),
-                    new BootstrapConfigStoreTaskProvider(configStore), modelProvider);
+            SecurityChecker securityChecker = new SecurityChecker();
+            if (authorizer == null)
+                authorizer = new DefaultBootstrapAuthorizer(securityStore, securityChecker);
+            sessionManager = new DefaultBootstrapSessionManager(new BootstrapConfigStoreTaskProvider(configStore),
+                    modelProvider, authorizer);
         }
         if (coapConfig == null) {
             coapConfig = createDefaultCoapConfiguration();

diff --git a/...er-core/src/main/java/org/eclipse/leshan/server/bootstrap/DefaultBootstrapAuthorizer.java b/...er-core/src/main/java/org/eclipse/leshan/server/bootstrap/DefaultBootstrapAuthorizer.java
@@ -0,0 +1,51 @@
+/*******************************************************************************
+ * Copyright (c) 2016 Sierra Wireless and others.
+ *
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v2.0
+ * and Eclipse Distribution License v1.0 which accompany this distribution.
+ *
+ * The Eclipse Public License is available at
+ *    http://www.eclipse.org/legal/epl-v20.html
+ * and the Eclipse Distribution License is available at
+ *    http://www.eclipse.org/org/documents/edl-v10.html.
+ *
+ * Contributors:
+ *     Orange - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.leshan.server.bootstrap;
+
+import java.util.Iterator;
+
+import org.eclipse.leshan.core.request.BootstrapRequest;
+import org.eclipse.leshan.core.request.Identity;
+import org.eclipse.leshan.server.security.BootstrapAuthorizer;
+import org.eclipse.leshan.server.security.BootstrapSecurityStore;
+import org.eclipse.leshan.server.security.SecurityChecker;
+import org.eclipse.leshan.server.security.SecurityInfo;
+
+public class DefaultBootstrapAuthorizer implements BootstrapAuthorizer {
+
+    private BootstrapSecurityStore bsSecurityStore;
+    private SecurityChecker securityChecker;
+
+    public DefaultBootstrapAuthorizer(BootstrapSecurityStore bsSecurityStore, SecurityChecker securityChecker) {
+        this.bsSecurityStore = bsSecurityStore;
+        this.securityChecker = securityChecker;
+    }
+
+    public DefaultBootstrapAuthorizer(BootstrapSecurityStore bsSecurityStore) {
+        this.bsSecurityStore = bsSecurityStore;
+        this.securityChecker = new SecurityChecker();
+    }
+
+    @Override
+    public boolean isAuthorized(BootstrapRequest request, Identity clientIdentity) {
+        if (bsSecurityStore != null && securityChecker != null) {
+            Iterator<SecurityInfo> securityInfos = bsSecurityStore.getAllByEndpoint(request.getEndpointName());
+            return securityChecker.checkSecurityInfos(request.getEndpointName(), clientIdentity, securityInfos);
+        } else {
+            return true;
+        }
+    }
+}
diff --git a/...ore/src/main/java/org/eclipse/leshan/server/bootstrap/DefaultBootstrapSessionManager.java b/...ore/src/main/java/org/eclipse/leshan/server/bootstrap/DefaultBootstrapSessionManager.java
@@ -16,7 +16,6 @@
 package org.eclipse.leshan.server.bootstrap;
 
 import java.util.ArrayList;
-import java.util.Iterator;
 import java.util.List;
 
 import org.eclipse.leshan.core.request.BootstrapDownlinkRequest;
@@ -28,9 +27,9 @@
 import org.eclipse.leshan.server.bootstrap.BootstrapTaskProvider.Tasks;
 import org.eclipse.leshan.server.model.LwM2mBootstrapModelProvider;
 import org.eclipse.leshan.server.model.StandardBootstrapModelProvider;
+import org.eclipse.leshan.server.security.BootstrapAuthorizer;
 import org.eclipse.leshan.server.security.BootstrapSecurityStore;
 import org.eclipse.leshan.server.security.SecurityChecker;
-import org.eclipse.leshan.server.security.SecurityInfo;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -45,47 +44,35 @@ public class DefaultBootstrapSessionManager implements BootstrapSessionManager {
 
     private static final Logger LOG = LoggerFactory.getLogger(DefaultBootstrapSessionManager.class);
 
-    private BootstrapSecurityStore bsSecurityStore;
-    private SecurityChecker securityChecker;
     private BootstrapTaskProvider tasksProvider;
     private LwM2mBootstrapModelProvider modelProvider;
+    private final BootstrapAuthorizer authorizer;
 
     /**
      * Create a {@link DefaultBootstrapSessionManager} using a default {@link SecurityChecker} to accept or refuse new
      * {@link BootstrapSession}.
-     *
-     * @param bsSecurityStore the {@link BootstrapSecurityStore} used by default {@link SecurityChecker}.
      */
     public DefaultBootstrapSessionManager(BootstrapSecurityStore bsSecurityStore, BootstrapConfigStore configStore) {
-        this(bsSecurityStore, new SecurityChecker(), new BootstrapConfigStoreTaskProvider(configStore),
-                new StandardBootstrapModelProvider());
+        this(new BootstrapConfigStoreTaskProvider(configStore), new StandardBootstrapModelProvider(),
+                new DefaultBootstrapAuthorizer(bsSecurityStore));
     }
 
     /**
      * Create a {@link DefaultBootstrapSessionManager}.
-     *
-     * @param bsSecurityStore the {@link BootstrapSecurityStore} used by {@link SecurityChecker}.
-     * @param securityChecker used to accept or refuse new {@link BootstrapSession}.
      */
-    public DefaultBootstrapSessionManager(BootstrapSecurityStore bsSecurityStore, SecurityChecker securityChecker,
-            BootstrapTaskProvider tasksProvider, LwM2mBootstrapModelProvider modelProvider) {
+    public DefaultBootstrapSessionManager(BootstrapTaskProvider tasksProvider,
+            LwM2mBootstrapModelProvider modelProvider, BootstrapAuthorizer authorizer) {
         Validate.notNull(tasksProvider);
         Validate.notNull(modelProvider);
-        this.bsSecurityStore = bsSecurityStore;
-        this.securityChecker = securityChecker;
+        Validate.notNull(authorizer);
         this.tasksProvider = tasksProvider;
         this.modelProvider = modelProvider;
+        this.authorizer = authorizer;
     }
 
     @Override
     public BootstrapSession begin(BootstrapRequest request, Identity clientIdentity) {
-        boolean authorized;
-        if (bsSecurityStore != null && securityChecker != null) {
-            Iterator<SecurityInfo> securityInfos = bsSecurityStore.getAllByEndpoint(request.getEndpointName());
-            authorized = securityChecker.checkSecurityInfos(request.getEndpointName(), clientIdentity, securityInfos);
-        } else {
-            authorized = true;
-        }
+        boolean authorized = authorizer.isAuthorized(request, clientIdentity);
         DefaultBootstrapSession session = new DefaultBootstrapSession(request, clientIdentity, authorized);
         LOG.trace("Bootstrap session started : {}", session);
 

diff --git a/leshan-server-core/src/main/java/org/eclipse/leshan/server/security/BootstrapAuthorizer.java b/leshan-server-core/src/main/java/org/eclipse/leshan/server/security/BootstrapAuthorizer.java
@@ -0,0 +1,31 @@
+/*******************************************************************************
+ * Copyright (c) 2016 Sierra Wireless and others.
+ *
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v2.0
+ * and Eclipse Distribution License v1.0 which accompany this distribution.
+ *
+ * The Eclipse Public License is available at
+ *    http://www.eclipse.org/legal/epl-v20.html
+ * and the Eclipse Distribution License is available at
+ *    http://www.eclipse.org/org/documents/edl-v10.html.
+ *
+ * Contributors:
+ *     Orange - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.leshan.server.security;
+
+import org.eclipse.leshan.core.request.BootstrapRequest;
+import org.eclipse.leshan.core.request.Identity;
+
+public interface BootstrapAuthorizer {
+
+    /**
+     * Returns if request is authorized for given client identity.
+     *
+     * @param request the request received
+     * @param clientIdentity the {@link Identity} of the client that sent the request.
+     * @return <code>true</code> if request is authorized or <code>false</code> if it is not authorized.
+     */
+    boolean isAuthorized(BootstrapRequest request, Identity clientIdentity);
+}