|
|
@ -50,7 +50,7 @@ import java.util.List;
|
|
|
|
import java.util.concurrent.TimeUnit;
|
|
|
|
import java.util.concurrent.TimeUnit;
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
/**
|
|
|
|
* Authorize the connecting users against Carbon Permission Model. Intended usage is
|
|
|
|
* Authorize the connecting users against CDMF. Intended usage is
|
|
|
|
* via providing fully qualified class name in broker.xml
|
|
|
|
* via providing fully qualified class name in broker.xml
|
|
|
|
* <p/>
|
|
|
|
* <p/>
|
|
|
|
* This is just a simple authorization model. For dynamic topics use an implementation based on IAuthorizer
|
|
|
|
* This is just a simple authorization model. For dynamic topics use an implementation based on IAuthorizer
|
|
|
@ -83,71 +83,79 @@ public class DeviceAccessBasedMQTTAuthorizer implements IAuthorizer {
|
|
|
|
@Override
|
|
|
|
@Override
|
|
|
|
public boolean isAuthorizedForTopic(MQTTAuthorizationSubject authorizationSubject, String topic,
|
|
|
|
public boolean isAuthorizedForTopic(MQTTAuthorizationSubject authorizationSubject, String topic,
|
|
|
|
MQTTAuthoriztionPermissionLevel permissionLevel) {
|
|
|
|
MQTTAuthoriztionPermissionLevel permissionLevel) {
|
|
|
|
String topics[] = topic.split("/");
|
|
|
|
PrivilegedCarbonContext.startTenantFlow();
|
|
|
|
String tenantDomainFromTopic = topics[0];
|
|
|
|
PrivilegedCarbonContext.getThreadLocalCarbonContext().setTenantDomain(
|
|
|
|
if (!tenantDomainFromTopic.equals(authorizationSubject.getTenantDomain())) {
|
|
|
|
MultitenantConstants.SUPER_TENANT_DOMAIN_NAME, true);
|
|
|
|
return false;
|
|
|
|
try {
|
|
|
|
}
|
|
|
|
String topics[] = topic.split("/");
|
|
|
|
if (topics.length < 3) {
|
|
|
|
String tenantDomainFromTopic = topics[0];
|
|
|
|
|
|
|
|
if (!tenantDomainFromTopic.equals(authorizationSubject.getTenantDomain())) {
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (topics.length < 3) {
|
|
|
|
|
|
|
|
AuthorizationCacheKey authorizationCacheKey = new AuthorizationCacheKey(tenantDomainFromTopic
|
|
|
|
|
|
|
|
, authorizationSubject.getUsername(), "", "");
|
|
|
|
|
|
|
|
if (cache.get(authorizationCacheKey) != null && cache.get(authorizationCacheKey)) {
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
AuthorizationRequest authorizationRequest = new AuthorizationRequest();
|
|
|
|
|
|
|
|
authorizationRequest.setTenantDomain(tenantDomainFromTopic);
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
|
|
|
DeviceAuthorizationResult deviceAuthorizationResult =
|
|
|
|
|
|
|
|
deviceAccessAuthorizationAdminService.isAuthorized(authorizationRequest);
|
|
|
|
|
|
|
|
if (deviceAuthorizationResult != null) {
|
|
|
|
|
|
|
|
cache.put(authorizationCacheKey, true);
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
} catch (FeignException e) {
|
|
|
|
|
|
|
|
logger.error(e.getMessage(), e);
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
String deviceType = topics[1];
|
|
|
|
|
|
|
|
String deviceId = topics[2];
|
|
|
|
AuthorizationCacheKey authorizationCacheKey = new AuthorizationCacheKey(tenantDomainFromTopic
|
|
|
|
AuthorizationCacheKey authorizationCacheKey = new AuthorizationCacheKey(tenantDomainFromTopic
|
|
|
|
,authorizationSubject.getUsername(), "", "");
|
|
|
|
, authorizationSubject.getUsername(), deviceId, deviceType);
|
|
|
|
if (cache.get(authorizationCacheKey)) {
|
|
|
|
if (cache.get(authorizationCacheKey) != null && cache.get(authorizationCacheKey)) {
|
|
|
|
return true;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
List<String> requiredPermission;
|
|
|
|
|
|
|
|
if (permissionLevel == MQTTAuthoriztionPermissionLevel.SUBSCRIBE) {
|
|
|
|
|
|
|
|
requiredPermission = MQTTAuthorizationConfiguration.getSubscriberPermissions();
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
requiredPermission = MQTTAuthorizationConfiguration.getPublisherPermissions();
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
AuthorizationRequest authorizationRequest = new AuthorizationRequest();
|
|
|
|
AuthorizationRequest authorizationRequest = new AuthorizationRequest();
|
|
|
|
authorizationRequest.setTenantDomain(tenantDomainFromTopic);
|
|
|
|
authorizationRequest.setTenantDomain(tenantDomainFromTopic);
|
|
|
|
|
|
|
|
if (requiredPermission != null) {
|
|
|
|
|
|
|
|
authorizationRequest.setPermissions(requiredPermission);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
authorizationRequest.setUsername(authorizationSubject.getUsername());
|
|
|
|
|
|
|
|
DeviceIdentifier deviceIdentifier = new DeviceIdentifier();
|
|
|
|
|
|
|
|
deviceIdentifier.setId(deviceId);
|
|
|
|
|
|
|
|
deviceIdentifier.setType(deviceType);
|
|
|
|
|
|
|
|
List<DeviceIdentifier> deviceIdentifiers = new ArrayList<>();
|
|
|
|
|
|
|
|
deviceIdentifiers.add(deviceIdentifier);
|
|
|
|
|
|
|
|
authorizationRequest.setDeviceIdentifiers(deviceIdentifiers);
|
|
|
|
try {
|
|
|
|
try {
|
|
|
|
DeviceAuthorizationResult deviceAuthorizationResult =
|
|
|
|
DeviceAuthorizationResult deviceAuthorizationResult =
|
|
|
|
deviceAccessAuthorizationAdminService.isAuthorized(authorizationRequest);
|
|
|
|
deviceAccessAuthorizationAdminService.isAuthorized(authorizationRequest);
|
|
|
|
if (deviceAuthorizationResult != null) {
|
|
|
|
List<DeviceIdentifier> devices = deviceAuthorizationResult.getAuthorizedDevices();
|
|
|
|
cache.put(authorizationCacheKey, true);
|
|
|
|
if (devices != null && devices.size() > 0) {
|
|
|
|
return true;
|
|
|
|
DeviceIdentifier authorizedDevice = devices.get(0);
|
|
|
|
|
|
|
|
if (authorizedDevice.getId().equals(deviceId) && authorizedDevice.getType().equals(deviceType)) {
|
|
|
|
|
|
|
|
cache.put(authorizationCacheKey, true);
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
|
|
|
|
} catch (FeignException e) {
|
|
|
|
} catch (FeignException e) {
|
|
|
|
return false;
|
|
|
|
logger.error(e.getMessage(), e);
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
String deviceType = topics[1];
|
|
|
|
|
|
|
|
String deviceId = topics[2];
|
|
|
|
|
|
|
|
AuthorizationCacheKey authorizationCacheKey = new AuthorizationCacheKey(tenantDomainFromTopic
|
|
|
|
|
|
|
|
,authorizationSubject.getUsername(), deviceId, deviceType);
|
|
|
|
|
|
|
|
if (cache.get(authorizationCacheKey)) {
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
List<String> requiredPermission;
|
|
|
|
|
|
|
|
if (permissionLevel == MQTTAuthoriztionPermissionLevel.SUBSCRIBE) {
|
|
|
|
|
|
|
|
requiredPermission = MQTTAuthorizationConfiguration.getSubscriberPermissions();
|
|
|
|
|
|
|
|
} else {
|
|
|
|
|
|
|
|
requiredPermission = MQTTAuthorizationConfiguration.getPublisherPermissions();
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
AuthorizationRequest authorizationRequest = new AuthorizationRequest();
|
|
|
|
|
|
|
|
authorizationRequest.setTenantDomain(tenantDomainFromTopic);
|
|
|
|
|
|
|
|
if (requiredPermission != null) {
|
|
|
|
|
|
|
|
authorizationRequest.setPermissions(requiredPermission);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
authorizationRequest.setUsername(authorizationSubject.getUsername());
|
|
|
|
|
|
|
|
DeviceIdentifier deviceIdentifier = new DeviceIdentifier();
|
|
|
|
|
|
|
|
deviceIdentifier.setId(deviceId);
|
|
|
|
|
|
|
|
deviceIdentifier.setType(deviceType);
|
|
|
|
|
|
|
|
List<DeviceIdentifier> deviceIdentifiers = new ArrayList<>();
|
|
|
|
|
|
|
|
deviceIdentifiers.add(deviceIdentifier);
|
|
|
|
|
|
|
|
authorizationRequest.setDeviceIdentifiers(deviceIdentifiers);
|
|
|
|
|
|
|
|
try {
|
|
|
|
|
|
|
|
DeviceAuthorizationResult deviceAuthorizationResult =
|
|
|
|
|
|
|
|
deviceAccessAuthorizationAdminService.isAuthorized(authorizationRequest);
|
|
|
|
|
|
|
|
List<DeviceIdentifier> devices = deviceAuthorizationResult.getAuthorizedDevices();
|
|
|
|
|
|
|
|
if (devices != null && devices.size() > 0) {
|
|
|
|
|
|
|
|
DeviceIdentifier authorizedDevice = devices.get(0);
|
|
|
|
|
|
|
|
if (authorizedDevice.getId().equals(deviceId) && authorizedDevice.getType().equals(deviceType)) {
|
|
|
|
|
|
|
|
cache.put(authorizationCacheKey, true);
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} catch (FeignException e) {
|
|
|
|
} finally {
|
|
|
|
// do nothing.
|
|
|
|
PrivilegedCarbonContext.endTenantFlow();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
return false;
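Review bot: The cache key on the new side, `new AuthorizationCacheKey(tenantDomainFromTopic, authorizationSubject.getUsername(), deviceId, deviceType)`, carries no `permissionLevel`, yet `requiredPermission` is chosen by that level and placed on the request that `deviceAccessAuthorizationAdminService.isAuthorized` answers, so a `true` cached after a SUBSCRIBE check is returned unchanged for a later PUBLISH check by the same user on the same device (and the reverse); the short-topic key built with `"", ""` has the same gap. Either add the permission level to `AuthorizationCacheKey` or keep one cache per level, so that a cached grant is only reused for the level that was actually verified. In the short-topic branch any non-null `DeviceAuthorizationResult` is cached and treated as a grant without inspecting it, while in the full branch `deviceAuthorizationResult.getAuthorizedDevices()` is called without the null check the short branch has, so a null reply from the service escapes as a NullPointerException instead of a denial; I would check the result the same way in both places. The guard `cache.get(authorizationCacheKey) != null && cache.get(authorizationCacheKey)` performs two lookups where one local `Boolean cached = cache.get(authorizationCacheKey); if (Boolean.TRUE.equals(cached)) { return true; }` reads more clearly. The method's closing brace lies outside the hunk.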
|
|
|
|