public DefaultAuthorizer(SecurityStore store) { this(store, new SecurityChecker()); }
return checkPskIdentity(endpoint, clientIdentity, securityInfo); return checkRpkIdentity(endpoint, clientIdentity, securityInfo); return checkX509Identity(endpoint, clientIdentity, securityInfo);
/** * Return true if any of the securityInfos is valid for the given endpoint and client identity. * * @see #checkSecurityInfo(String, Identity, SecurityInfo) * * @param endpoint * @param clientIdentity * @param securityInfos * */ public boolean checkSecurityInfos(String endpoint, Identity clientIdentity, List<SecurityInfo> securityInfos) { // if this is a secure end-point, we must check that the registering client is using the right identity. if (clientIdentity.isSecure()) { if (securityInfos == null || securityInfos.isEmpty()) { LOG.debug("Client '{}' without security info try to connect through the secure endpoint", endpoint); return false; } else { for (SecurityInfo securityInfo : securityInfos) { if (checkSecurityInfo(endpoint, clientIdentity, securityInfo)) { return true; } } return false; } } else if (securityInfos != null && !securityInfos.isEmpty()) { LOG.debug("Client '{}' must connect using DTLS", endpoint); return false; } return true; }
protected boolean checkX509Identity(String endpoint, Identity clientIdentity, SecurityInfo securityInfo) { // Manage X509 certificate authentication // ---------------------------------------------------- if (!securityInfo.useX509Cert()) { LOG.debug("Client '{}' is not supposed to use X509 certificate to authenticate", endpoint); return false; } if (!matchX509Identity(endpoint, clientIdentity.getX509CommonName(), endpoint)) { return false; } LOG.trace("authenticated client '{}' using DTLS X509 certificates", endpoint); return true; }
@Override public BootstrapSession begin(String endpoint, Identity clientIdentity) { boolean authorized; if (bsSecurityStore != null) { List<SecurityInfo> securityInfos = bsSecurityStore.getAllByEndpoint(endpoint); authorized = securityChecker.checkSecurityInfos(endpoint, clientIdentity, securityInfos); } else { authorized = true; } return new DefaultBootstrapSession(endpoint, clientIdentity, authorized); }
protected boolean checkRpkIdentity(String endpoint, Identity clientIdentity, SecurityInfo securityInfo) { // Manage RPK authentication // ---------------------------------------------------- if (!securityInfo.useRPK()) { LOG.debug("Client '{}' is not supposed to use RPK to authenticate", endpoint); return false; } if (!matchRpkIdenity(endpoint, clientIdentity.getRawPublicKey(), securityInfo.getRawPublicKey())) { return false; } LOG.trace("authenticated client '{}' using DTLS RPK", endpoint); return true; }
protected boolean checkPskIdentity(String endpoint, Identity clientIdentity, SecurityInfo securityInfo) { // Manage PSK authentication // ---------------------------------------------------- if (!securityInfo.usePSK()) { LOG.debug("Client '{}' is not supposed to use PSK to authenticate", endpoint); return false; } if (!matchPskIdentity(endpoint, clientIdentity.getPskIdentity(), securityInfo.getIdentity())) { return false; } LOG.trace("Authenticated client '{}' using DTLS PSK", endpoint); return true; }
@Override public Registration isAuthorized(UplinkRequest<?> request, Registration registration, Identity senderIdentity) { // do we have security information for this client? SecurityInfo expectedSecurityInfo = null; if (securityStore != null) expectedSecurityInfo = securityStore.getByEndpoint(registration.getEndpoint()); if (securityChecker.checkSecurityInfo(registration.getEndpoint(), senderIdentity, expectedSecurityInfo)) { return registration; } else { return null; } } }
public DefaultBootstrapSessionManager(BootstrapSecurityStore bsSecurityStore) { this(bsSecurityStore, new SecurityChecker()); }