2 * Copyright (c) 2016 Brocade Communication Systems and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.callhome.protocol;
10 import com.google.common.base.Preconditions;
11 import com.google.common.collect.ImmutableSet;
12 import java.security.KeyPair;
13 import java.util.Collection;
14 import java.util.HashSet;
16 import org.apache.sshd.ClientSession;
17 import org.apache.sshd.client.session.ClientSessionImpl;
20 * Authorization context for incoming call home sessions.
22 * @see CallHomeAuthorizationProvider
24 public abstract class CallHomeAuthorization {
25 private static final CallHomeAuthorization REJECTED = new CallHomeAuthorization() {
28 public boolean isServerAllowed() {
33 protected String getSessionName() {
38 protected void applyTo(ClientSession session) {
39 throw new IllegalStateException("Server is not allowed.");
44 * Returns CallHomeAuthorization object with intent to
45 * reject incoming connection.
47 * {@link CallHomeAuthorizationProvider} may use returned object
48 * as return value for {@link CallHomeAuthorizationProvider#provideAuth(java.net.SocketAddress, java.security.PublicKey)}
49 * if the incoming session should be rejected due to policy implemented
52 * @return CallHomeAuthorization with {@code isServerAllowed() == false}
54 public static final CallHomeAuthorization rejected() {
59 * Creates a builder for CallHomeAuthorization with intent
60 * to accept incoming connection and to provide credentials.
62 * Note: If session with same sessionName is already opened and
63 * active, incoming session will be rejected.
65 * @param sessionName Application specific unique identifier for incoming session
66 * @param username Username to be used for authorization
67 * @return Builder which allows to specify credentials.
69 public static final Builder serverAccepted(String sessionName, String username) {
70 return new Builder(sessionName, username);
74 * Returns true if incomming connection is allowed.
76 * @return true if incoming connection from SSH Server is allowed.
78 public abstract boolean isServerAllowed();
81 * Applies provided authentification to Mina SSH Client Session
83 * @param session Client Session to which authorization parameters will by applied
85 protected abstract void applyTo(ClientSession session);
87 protected abstract String getSessionName();
90 * Builder for CallHomeAuthorization which accepts incoming connection.
92 * Use {@link CallHomeAuthorization#serverAccepted(String, String)} to instantiate
95 public static class Builder implements org.opendaylight.yangtools.concepts.Builder<CallHomeAuthorization> {
97 private final String nodeId;
98 private final String username;
99 private Set<String> passwords = new HashSet<>();
100 private Set<KeyPair> clientKeys = new HashSet<>();
102 private Builder(String nodeId, String username) {
103 this.nodeId = Preconditions.checkNotNull(nodeId);
104 this.username = Preconditions.checkNotNull(username);
108 * Adds password, which will be used for password-based authorization.
110 * @param password Password to be used for password-based authorization.
111 * @return this builder.
113 public Builder addPassword(String password) {
114 this.passwords.add(password);
119 * Adds public / private key pair to be used for public-key based authorization.
121 * @param clientKey Keys to be used for authorization.
122 * @return this builder.
124 public Builder addClientKeys(KeyPair clientKey) {
125 this.clientKeys.add(clientKey);
130 public CallHomeAuthorization build() {
131 return new ServerAllowed(nodeId, username, passwords, clientKeys);
136 private static class ServerAllowed extends CallHomeAuthorization {
138 private final String nodeId;
139 private final String username;
140 private final Set<String> passwords;
141 private final Set<KeyPair> clientKeyPair;
143 ServerAllowed(String nodeId, String username, Collection<String> passwords, Collection<KeyPair> clientKeyPairs) {
144 this.username = Preconditions.checkNotNull(username);
145 this.passwords = ImmutableSet.copyOf(passwords);
146 this.clientKeyPair = ImmutableSet.copyOf(clientKeyPairs);
147 this.nodeId = Preconditions.checkNotNull(nodeId);
151 protected String getSessionName() {
156 public boolean isServerAllowed() {
161 protected void applyTo(ClientSession session) {
162 Preconditions.checkArgument(session instanceof ClientSessionImpl);
163 ((ClientSessionImpl) session).setUsername(username);
165 // First try authentication using server host keys, else try password.
166 for (KeyPair keyPair : clientKeyPair) {
167 session.addPublicKeyIdentity(keyPair);
169 for (String password : passwords) {
170 session.addPasswordIdentity(password);