2 * Copyright (c) 2016 Brocade Communication Systems and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
8 package org.opendaylight.netconf.callhome.mount;
10 import com.google.common.collect.Iterables;
11 import java.io.IOException;
12 import java.net.InetSocketAddress;
13 import java.net.SocketAddress;
14 import java.security.GeneralSecurityException;
15 import java.security.PublicKey;
16 import java.util.Collection;
17 import java.util.concurrent.ConcurrentHashMap;
18 import java.util.concurrent.ConcurrentMap;
19 import javax.annotation.Nonnull;
20 import org.opendaylight.mdsal.binding.api.DataBroker;
21 import org.opendaylight.mdsal.binding.api.DataObjectModification;
22 import org.opendaylight.mdsal.binding.api.DataObjectModification.ModificationType;
23 import org.opendaylight.mdsal.binding.api.DataTreeChangeListener;
24 import org.opendaylight.mdsal.binding.api.DataTreeIdentifier;
25 import org.opendaylight.mdsal.binding.api.DataTreeModification;
26 import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
27 import org.opendaylight.netconf.callhome.protocol.AuthorizedKeysDecoder;
28 import org.opendaylight.netconf.callhome.protocol.CallHomeAuthorization;
29 import org.opendaylight.netconf.callhome.protocol.CallHomeAuthorization.Builder;
30 import org.opendaylight.netconf.callhome.protocol.CallHomeAuthorizationProvider;
31 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev161109.NetconfCallhomeServer;
32 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev161109.credentials.Credentials;
33 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev161109.netconf.callhome.server.AllowedDevices;
34 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev161109.netconf.callhome.server.Global;
35 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev161109.netconf.callhome.server.Global.MountPointNamingStrategy;
36 import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.netconf.callhome.server.rev161109.netconf.callhome.server.allowed.devices.Device;
37 import org.opendaylight.yangtools.concepts.ListenerRegistration;
38 import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
39 import org.slf4j.Logger;
40 import org.slf4j.LoggerFactory;
42 public class CallHomeAuthProviderImpl implements CallHomeAuthorizationProvider, AutoCloseable {
44 private static final Logger LOG = LoggerFactory.getLogger(CallHomeAuthProviderImpl.class);
45 private static final InstanceIdentifier<Global> GLOBAL_PATH =
46 InstanceIdentifier.create(NetconfCallhomeServer.class).child(Global.class);
47 private static final DataTreeIdentifier<Global> GLOBAL =
48 DataTreeIdentifier.create(LogicalDatastoreType.CONFIGURATION, GLOBAL_PATH);
50 private static final InstanceIdentifier<Device> ALLOWED_DEVICES_PATH =
51 InstanceIdentifier.create(NetconfCallhomeServer.class).child(AllowedDevices.class).child(Device.class);
52 private static final DataTreeIdentifier<Device> ALLOWED_DEVICES =
53 DataTreeIdentifier.create(LogicalDatastoreType.CONFIGURATION, ALLOWED_DEVICES_PATH);
54 private static final DataTreeIdentifier<Device> ALLOWED_OP_DEVICES =
55 DataTreeIdentifier.create(LogicalDatastoreType.OPERATIONAL, ALLOWED_DEVICES_PATH);
57 private final GlobalConfig globalConfig = new GlobalConfig();
58 private final DeviceConfig deviceConfig = new DeviceConfig();
59 private final DeviceOp deviceOp = new DeviceOp();
60 private final ListenerRegistration<GlobalConfig> configReg;
61 private final ListenerRegistration<DeviceConfig> deviceReg;
62 private final ListenerRegistration<DeviceOp> deviceOpReg;
64 private final CallhomeStatusReporter statusReporter;
66 CallHomeAuthProviderImpl(final DataBroker broker) {
67 configReg = broker.registerDataTreeChangeListener(GLOBAL, globalConfig);
68 deviceReg = broker.registerDataTreeChangeListener(ALLOWED_DEVICES, deviceConfig);
69 deviceOpReg = broker.registerDataTreeChangeListener(ALLOWED_OP_DEVICES, deviceOp);
70 statusReporter = new CallhomeStatusReporter(broker);
75 public CallHomeAuthorization provideAuth(@Nonnull final SocketAddress remoteAddress,
76 @Nonnull final PublicKey serverKey) {
77 Device deviceSpecific = deviceConfig.get(serverKey);
79 Credentials deviceCred;
81 if (deviceSpecific != null) {
82 sessionName = deviceSpecific.getUniqueId();
83 deviceCred = deviceSpecific.getCredentials();
85 String syntheticId = fromRemoteAddress(remoteAddress);
86 if (globalConfig.allowedUnknownKeys()) {
87 sessionName = syntheticId;
89 statusReporter.asForceListedDevice(syntheticId, serverKey);
91 Device opDevice = deviceOp.get(serverKey);
92 if (opDevice == null) {
93 statusReporter.asUnlistedDevice(syntheticId, serverKey);
95 LOG.info("Repeating rejection of unlisted device with id of {}", opDevice.getUniqueId());
97 return CallHomeAuthorization.rejected();
101 final Credentials credentials = deviceCred != null ? deviceCred : globalConfig.getCredentials();
103 if (credentials == null) {
104 LOG.info("No credentials found for {}, rejecting.", remoteAddress);
105 return CallHomeAuthorization.rejected();
108 Builder authBuilder = CallHomeAuthorization.serverAccepted(sessionName, credentials.getUsername());
109 for (String password : credentials.getPasswords()) {
110 authBuilder.addPassword(password);
112 return authBuilder.build();
116 public void close() {
122 private String fromRemoteAddress(final SocketAddress remoteAddress) {
123 if (remoteAddress instanceof InetSocketAddress) {
124 InetSocketAddress socketAddress = (InetSocketAddress) remoteAddress;
125 String ip = socketAddress.getAddress().getHostAddress();
127 final MountPointNamingStrategy strat = globalConfig.getMountPointNamingStrategy();
132 return ip + ":" + socketAddress.getPort();
134 throw new IllegalStateException("Unhandled naming strategy " + strat);
137 return remoteAddress.toString();
140 private abstract static class AbstractDeviceListener implements DataTreeChangeListener<Device> {
143 public final void onDataTreeChanged(final Collection<DataTreeModification<Device>> mods) {
144 for (DataTreeModification<Device> dataTreeModification : mods) {
145 final DataObjectModification<Device> deviceMod = dataTreeModification.getRootNode();
146 final ModificationType modType = deviceMod.getModificationType();
149 deleteDevice(deviceMod.getDataBefore());
151 case SUBTREE_MODIFIED:
153 deleteDevice(deviceMod.getDataBefore());
154 writeDevice(deviceMod.getDataAfter());
157 throw new IllegalStateException("Unhandled modification type " + modType);
162 private void deleteDevice(final Device dataBefore) {
163 if (dataBefore != null) {
164 final String publicKey = dataBefore.getSshHostKey();
165 if (publicKey != null) {
166 LOG.debug("Removing device {}", dataBefore.getUniqueId());
167 removeDevice(publicKey, dataBefore);
169 LOG.debug("Ignoring removal of device {}, no host key present", dataBefore.getUniqueId());
174 private void writeDevice(final Device dataAfter) {
175 final String publicKey = dataAfter.getSshHostKey();
176 if (publicKey != null) {
177 LOG.debug("Adding device {}", dataAfter.getUniqueId());
178 addDevice(publicKey, dataAfter);
180 LOG.debug("Ignoring addition of device {}, no host key present", dataAfter.getUniqueId());
184 abstract void addDevice(String publicKey, Device device);
186 abstract void removeDevice(String publicKey, Device device);
189 private static class DeviceConfig extends AbstractDeviceListener {
190 private final ConcurrentMap<PublicKey, Device> byPublicKey = new ConcurrentHashMap<>();
191 private final AuthorizedKeysDecoder keyDecoder = new AuthorizedKeysDecoder();
193 Device get(final PublicKey key) {
194 return byPublicKey.get(key);
198 void addDevice(final String publicKey, final Device device) {
199 final PublicKey key = publicKey(publicKey, device);
201 byPublicKey.put(key, device);
206 void removeDevice(final String publicKey, final Device device) {
207 final PublicKey key = publicKey(publicKey, device);
209 byPublicKey.remove(key);
213 private PublicKey publicKey(final String hostKey, final Device device) {
215 return keyDecoder.decodePublicKey(hostKey);
216 } catch (GeneralSecurityException e) {
217 LOG.error("Unable to decode SSH key for {}. Ignoring update for this device", device.getUniqueId(), e);
223 private static class DeviceOp extends AbstractDeviceListener {
224 private final ConcurrentMap<String, Device> byPublicKey = new ConcurrentHashMap<>();
226 Device get(final PublicKey serverKey) {
229 skey = AuthorizedKeysDecoder.encodePublicKey(serverKey);
230 } catch (IOException | IllegalArgumentException e) {
231 LOG.error("Unable to encode server key: {}", serverKey, e);
235 return byPublicKey.get(skey);
239 void removeDevice(final String publicKey, final Device device) {
240 byPublicKey.remove(publicKey);
244 void addDevice(final String publicKey, final Device device) {
245 byPublicKey.put(publicKey, device);
249 private static class GlobalConfig implements DataTreeChangeListener<Global> {
250 private volatile Global current = null;
253 public void onDataTreeChanged(final Collection<DataTreeModification<Global>> mods) {
254 if (!mods.isEmpty()) {
255 current = Iterables.getLast(mods).getRootNode().getDataAfter();
259 boolean allowedUnknownKeys() {
260 final Global local = current;
261 // Deal with null values.
262 return local != null && Boolean.TRUE.equals(local.isAcceptAllSshKeys());
265 Credentials getCredentials() {
266 final Global local = current;
267 return local != null ? local.getCredentials() : null;
270 MountPointNamingStrategy getMountPointNamingStrategy() {
271 final Global local = current;
272 final MountPointNamingStrategy strat = local != null ? local.getMountPointNamingStrategy() : null;
273 return strat == null ? MountPointNamingStrategy.IPPORT : strat;