2 * Copyright (c) 2016 Brocade Communication Systems and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.callhome.mount;
10 import com.google.common.collect.Iterables;
11 import java.io.IOException;
12 import java.net.InetSocketAddress;
13 import java.net.SocketAddress;
14 import java.security.GeneralSecurityException;
15 import java.security.PublicKey;
16 import java.util.Collection;
17 import java.util.concurrent.ConcurrentHashMap;
18 import java.util.concurrent.ConcurrentMap;
19 import org.opendaylight.mdsal.binding.api.DataBroker;
20 import org.opendaylight.mdsal.binding.api.DataObjectModification;
21 import org.opendaylight.mdsal.binding.api.DataObjectModification.ModificationType;
22 import org.opendaylight.mdsal.binding.api.DataTreeChangeListener;
23 import org.opendaylight.mdsal.binding.api.DataTreeIdentifier;
24 import org.opendaylight.mdsal.binding.api.DataTreeModification;
25 import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
26 import org.opendaylight.netconf.callhome.protocol.AuthorizedKeysDecoder;
27 import org.opendaylight.netconf.callhome.protocol.CallHomeAuthorization;
28 import org.opendaylight.netconf.callhome.protocol.CallHomeAuthorization.Builder;
29 import org.opendaylight.netconf.callhome.protocol.CallHomeAuthorizationProvider;
30 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.NetconfCallhomeServer;
31 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.credentials.Credentials;
32 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.netconf.callhome.server.AllowedDevices;
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.netconf.callhome.server.Global;
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.netconf.callhome.server.Global.MountPointNamingStrategy;
35 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.netconf.callhome.server.allowed.devices.Device;
36 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.netconf.callhome.server.allowed.devices.device.transport.Ssh;
37 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev201015.netconf.callhome.server.allowed.devices.device.transport.ssh.SshClientParams;
38 import org.opendaylight.yangtools.concepts.ListenerRegistration;
39 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
40 import org.slf4j.Logger;
41 import org.slf4j.LoggerFactory;
43 public class CallHomeAuthProviderImpl implements CallHomeAuthorizationProvider, AutoCloseable {
45 private static final Logger LOG = LoggerFactory.getLogger(CallHomeAuthProviderImpl.class);
46 private static final InstanceIdentifier<Global> GLOBAL_PATH =
47 InstanceIdentifier.create(NetconfCallhomeServer.class).child(Global.class);
48 private static final DataTreeIdentifier<Global> GLOBAL =
49 DataTreeIdentifier.create(LogicalDatastoreType.CONFIGURATION, GLOBAL_PATH);
51 private static final InstanceIdentifier<Device> ALLOWED_DEVICES_PATH =
52 InstanceIdentifier.create(NetconfCallhomeServer.class).child(AllowedDevices.class).child(Device.class);
53 private static final DataTreeIdentifier<Device> ALLOWED_DEVICES =
54 DataTreeIdentifier.create(LogicalDatastoreType.CONFIGURATION, ALLOWED_DEVICES_PATH);
55 private static final DataTreeIdentifier<Device> ALLOWED_OP_DEVICES =
56 DataTreeIdentifier.create(LogicalDatastoreType.OPERATIONAL, ALLOWED_DEVICES_PATH);
58 private final GlobalConfig globalConfig = new GlobalConfig();
59 private final DeviceConfig deviceConfig = new DeviceConfig();
60 private final DeviceOp deviceOp = new DeviceOp();
61 private final ListenerRegistration<GlobalConfig> configReg;
62 private final ListenerRegistration<DeviceConfig> deviceReg;
63 private final ListenerRegistration<DeviceOp> deviceOpReg;
65 private final CallhomeStatusReporter statusReporter;
67 CallHomeAuthProviderImpl(final DataBroker broker) {
68 configReg = broker.registerDataTreeChangeListener(GLOBAL, globalConfig);
69 deviceReg = broker.registerDataTreeChangeListener(ALLOWED_DEVICES, deviceConfig);
70 deviceOpReg = broker.registerDataTreeChangeListener(ALLOWED_OP_DEVICES, deviceOp);
71 statusReporter = new CallhomeStatusReporter(broker);
75 public CallHomeAuthorization provideAuth(final SocketAddress remoteAddress, final PublicKey serverKey) {
76 Device deviceSpecific = deviceConfig.get(serverKey);
78 Credentials deviceCred;
80 if (deviceSpecific != null) {
81 sessionName = deviceSpecific.getUniqueId();
82 if (deviceSpecific.getTransport() instanceof Ssh) {
83 final SshClientParams clientParams = ((Ssh) deviceSpecific.getTransport()).getSshClientParams();
84 deviceCred = clientParams.getCredentials();
86 deviceCred = deviceSpecific.getCredentials();
89 String syntheticId = fromRemoteAddress(remoteAddress);
90 if (globalConfig.allowedUnknownKeys()) {
91 sessionName = syntheticId;
93 statusReporter.asForceListedDevice(syntheticId, serverKey);
95 Device opDevice = deviceOp.get(serverKey);
96 if (opDevice == null) {
97 statusReporter.asUnlistedDevice(syntheticId, serverKey);
99 LOG.info("Repeating rejection of unlisted device with id of {}", opDevice.getUniqueId());
101 return CallHomeAuthorization.rejected();
105 final Credentials credentials = deviceCred != null ? deviceCred : globalConfig.getCredentials();
107 if (credentials == null) {
108 LOG.info("No credentials found for {}, rejecting.", remoteAddress);
109 return CallHomeAuthorization.rejected();
112 Builder authBuilder = CallHomeAuthorization.serverAccepted(sessionName, credentials.getUsername());
113 for (String password : credentials.getPasswords()) {
114 authBuilder.addPassword(password);
116 return authBuilder.build();
120 public void close() {
126 private String fromRemoteAddress(final SocketAddress remoteAddress) {
127 if (remoteAddress instanceof InetSocketAddress) {
128 InetSocketAddress socketAddress = (InetSocketAddress) remoteAddress;
129 String ip = socketAddress.getAddress().getHostAddress();
131 final MountPointNamingStrategy strat = globalConfig.getMountPointNamingStrategy();
136 return ip + ":" + socketAddress.getPort();
138 throw new IllegalStateException("Unhandled naming strategy " + strat);
141 return remoteAddress.toString();
144 private abstract static class AbstractDeviceListener implements DataTreeChangeListener<Device> {
147 public final void onDataTreeChanged(final Collection<DataTreeModification<Device>> mods) {
148 for (DataTreeModification<Device> dataTreeModification : mods) {
149 final DataObjectModification<Device> deviceMod = dataTreeModification.getRootNode();
150 final ModificationType modType = deviceMod.getModificationType();
153 deleteDevice(deviceMod.getDataBefore());
155 case SUBTREE_MODIFIED:
157 deleteDevice(deviceMod.getDataBefore());
158 writeDevice(deviceMod.getDataAfter());
161 throw new IllegalStateException("Unhandled modification type " + modType);
166 private void deleteDevice(final Device dataBefore) {
167 if (dataBefore != null) {
168 final String publicKey = getHostPublicKey(dataBefore);
169 if (publicKey != null) {
170 LOG.debug("Removing device {}", dataBefore.getUniqueId());
171 removeDevice(publicKey, dataBefore);
173 LOG.debug("Ignoring removal of device {}, no host key present", dataBefore.getUniqueId());
178 private void writeDevice(final Device dataAfter) {
179 final String publicKey = getHostPublicKey(dataAfter);
180 if (publicKey != null) {
181 LOG.debug("Adding device {}", dataAfter.getUniqueId());
182 addDevice(publicKey, dataAfter);
184 LOG.debug("Ignoring addition of device {}, no host key present", dataAfter.getUniqueId());
188 private String getHostPublicKey(final Device device) {
189 if (device.getTransport() instanceof Ssh) {
190 return ((Ssh) device.getTransport()).getSshClientParams().getHostKey();
192 return device.getSshHostKey();
196 abstract void addDevice(String publicKey, Device device);
198 abstract void removeDevice(String publicKey, Device device);
201 private static class DeviceConfig extends AbstractDeviceListener {
202 private final ConcurrentMap<PublicKey, Device> byPublicKey = new ConcurrentHashMap<>();
203 private final AuthorizedKeysDecoder keyDecoder = new AuthorizedKeysDecoder();
205 Device get(final PublicKey key) {
206 return byPublicKey.get(key);
210 void addDevice(final String publicKey, final Device device) {
211 final PublicKey key = publicKey(publicKey, device);
213 byPublicKey.put(key, device);
218 void removeDevice(final String publicKey, final Device device) {
219 final PublicKey key = publicKey(publicKey, device);
221 byPublicKey.remove(key);
225 private PublicKey publicKey(final String hostKey, final Device device) {
227 return keyDecoder.decodePublicKey(hostKey);
228 } catch (GeneralSecurityException e) {
229 LOG.error("Unable to decode SSH key for {}. Ignoring update for this device", device.getUniqueId(), e);
235 private static class DeviceOp extends AbstractDeviceListener {
236 private final ConcurrentMap<String, Device> byPublicKey = new ConcurrentHashMap<>();
238 Device get(final PublicKey serverKey) {
241 skey = AuthorizedKeysDecoder.encodePublicKey(serverKey);
242 } catch (IOException | IllegalArgumentException e) {
243 LOG.error("Unable to encode server key: {}", serverKey, e);
247 return byPublicKey.get(skey);
251 void removeDevice(final String publicKey, final Device device) {
252 byPublicKey.remove(publicKey);
256 void addDevice(final String publicKey, final Device device) {
257 byPublicKey.put(publicKey, device);
261 private static class GlobalConfig implements DataTreeChangeListener<Global> {
262 private volatile Global current = null;
265 public void onDataTreeChanged(final Collection<DataTreeModification<Global>> mods) {
266 if (!mods.isEmpty()) {
267 current = Iterables.getLast(mods).getRootNode().getDataAfter();
271 boolean allowedUnknownKeys() {
272 final Global local = current;
273 // Deal with null values.
274 return local != null && Boolean.TRUE.equals(local.isAcceptAllSshKeys());
277 Credentials getCredentials() {
278 final Global local = current;
279 return local != null ? local.getCredentials() : null;
282 MountPointNamingStrategy getMountPointNamingStrategy() {
283 final Global local = current;
284 final MountPointNamingStrategy strat = local != null ? local.getMountPointNamingStrategy() : null;
285 return strat == null ? MountPointNamingStrategy.IPPORT : strat;