org.eclipse.leshan.server.californium.LeshanServerBuilder Maven / Gradle / Ivy
/*******************************************************************************
* Copyright (c) 2013-2015 Sierra Wireless and others.
*
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v2.0
* and Eclipse Distribution License v1.0 which accompany this distribution.
*
* The Eclipse Public License is available at
* http://www.eclipse.org/legal/epl-v20.html
* and the Eclipse Distribution License is available at
* http://www.eclipse.org/org/documents/edl-v10.html.
*
* Contributors:
* Sierra Wireless - initial API and implementation
* Achim Kraus (Bosch Software Innovations GmbH) - use Lwm2mEndpointContextMatcher
* for secure endpoint.
* Achim Kraus (Bosch Software Innovations GmbH) - use CoapEndpointBuilder
*******************************************************************************/
package org.eclipse.leshan.server.californium;
import java.net.InetSocketAddress;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import org.eclipse.californium.core.network.CoapEndpoint;
import org.eclipse.californium.core.network.config.NetworkConfig;
import org.eclipse.californium.core.network.config.NetworkConfig.Keys;
import org.eclipse.californium.elements.DtlsEndpointContext;
import org.eclipse.californium.elements.UDPConnector;
import org.eclipse.californium.scandium.DTLSConnector;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
import org.eclipse.californium.scandium.config.DtlsConnectorConfig.Builder;
import org.eclipse.californium.scandium.dtls.CertificateType;
import org.eclipse.californium.scandium.dtls.x509.BridgeCertificateVerifier;
import org.eclipse.leshan.core.LwM2m;
import org.eclipse.leshan.core.californium.DefaultEndpointFactory;
import org.eclipse.leshan.core.californium.EndpointFactory;
import org.eclipse.leshan.core.node.LwM2mNode;
import org.eclipse.leshan.core.node.codec.DefaultLwM2mNodeDecoder;
import org.eclipse.leshan.core.node.codec.DefaultLwM2mNodeEncoder;
import org.eclipse.leshan.core.node.codec.LwM2mNodeDecoder;
import org.eclipse.leshan.core.node.codec.LwM2mNodeEncoder;
import org.eclipse.leshan.core.observation.Observation;
import org.eclipse.leshan.core.request.exception.ClientSleepingException;
import org.eclipse.leshan.server.californium.registration.CaliforniumRegistrationStore;
import org.eclipse.leshan.server.californium.registration.InMemoryRegistrationStore;
import org.eclipse.leshan.server.model.LwM2mModelProvider;
import org.eclipse.leshan.server.model.StandardModelProvider;
import org.eclipse.leshan.server.queue.ClientAwakeTimeProvider;
import org.eclipse.leshan.server.queue.StaticClientAwakeTimeProvider;
import org.eclipse.leshan.server.registration.RandomStringRegistrationIdProvider;
import org.eclipse.leshan.server.registration.Registration;
import org.eclipse.leshan.server.registration.RegistrationIdProvider;
import org.eclipse.leshan.server.registration.RegistrationStore;
import org.eclipse.leshan.server.security.Authorizer;
import org.eclipse.leshan.server.security.DefaultAuthorizer;
import org.eclipse.leshan.server.security.InMemorySecurityStore;
import org.eclipse.leshan.server.security.SecurityInfo;
import org.eclipse.leshan.server.security.SecurityStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Class helping you to build and configure a Californium based Leshan Lightweight M2M server. Usage: create it, call
* the different setters for changing the configuration and then call the {@link #build()} method for creating the
* {@link LeshanServer} ready to operate.
*/
public class LeshanServerBuilder {
private static final Logger LOG = LoggerFactory.getLogger(LeshanServerBuilder.class);
private CaliforniumRegistrationStore registrationStore;
private SecurityStore securityStore;
private LwM2mModelProvider modelProvider;
private Authorizer authorizer;
private ClientAwakeTimeProvider awakeTimeProvider;
private RegistrationIdProvider registrationIdProvider;
private InetSocketAddress localAddress;
private InetSocketAddress localSecureAddress;
private LwM2mNodeEncoder encoder;
private LwM2mNodeDecoder decoder;
private PublicKey publicKey;
private PrivateKey privateKey;
private X509Certificate[] certificateChain;
private Certificate[] trustedCertificates;
private NetworkConfig coapConfig;
private DtlsConnectorConfig.Builder dtlsConfigBuilder;
private EndpointFactory endpointFactory;
private boolean noSecuredEndpoint;
private boolean noUnsecuredEndpoint;
private boolean noQueueMode = false;
/** @since 1.1 */
protected boolean updateRegistrationOnNotification;
/**
*
* Set the address/port for unsecured CoAP Server.
*
*
* By default a wildcard address and the default CoAP port(5683) is used
*
* @param hostname The address to bind. If null wildcard address is used.
* @param port A valid port value is between 0 and 65535. A port number of zero will let the system pick up an
* ephemeral port in a bind operation.
*/
public LeshanServerBuilder setLocalAddress(String hostname, int port) {
if (hostname == null) {
this.localAddress = new InetSocketAddress(port);
} else {
this.localAddress = new InetSocketAddress(hostname, port);
}
return this;
}
/**
*
* Set the address for unsecured CoAP Server.
*
*
* By default a wildcard address and the default CoAP port(5683) is used.
*/
public LeshanServerBuilder setLocalAddress(InetSocketAddress localAddress) {
this.localAddress = localAddress;
return this;
}
/**
*
* Set the address/port for secured CoAP Server (Using DTLS).
*
*
* By default a wildcard address and the default CoAPs port(5684) is used.
*
* @param hostname The address to bind. If null wildcard address is used.
* @param port A valid port value is between 0 and 65535. A port number of zero will let the system pick up an
* ephemeral port in a bind operation.
*/
public LeshanServerBuilder setLocalSecureAddress(String hostname, int port) {
if (hostname == null) {
this.localSecureAddress = new InetSocketAddress(port);
} else {
this.localSecureAddress = new InetSocketAddress(hostname, port);
}
return this;
}
/**
*
* Set the address for secured CoAP Server (Using DTLS).
*
*
* By default a wildcard address and the default CoAP port(5684) is used.
*/
public LeshanServerBuilder setLocalSecureAddress(InetSocketAddress localSecureAddress) {
this.localSecureAddress = localSecureAddress;
return this;
}
/**
*
* Set your {@link RegistrationStore} implementation which stores {@link Registration} and {@link Observation}.
*
* By default the {@link InMemoryRegistrationStore} implementation is used.
*
*/
public LeshanServerBuilder setRegistrationStore(CaliforniumRegistrationStore registrationStore) {
this.registrationStore = registrationStore;
return this;
}
/**
*
* Set your {@link SecurityStore} implementation which stores {@link SecurityInfo}.
*
* By default no security store is set. It is needed for secured connection if you are using the defaultAuthorizer
* or if you want PSK feature activated. An {@link InMemorySecurityStore} is provided to start using secured
* connection.
*
*/
public LeshanServerBuilder setSecurityStore(SecurityStore securityStore) {
this.securityStore = securityStore;
return this;
}
/**
*
* Set your {@link Authorizer} implementation to define if a device if authorize to register to this server.
*
* By default the {@link DefaultAuthorizer} implementation is used, it needs a security store to accept secured
* connection.
*/
public LeshanServerBuilder setAuthorizer(Authorizer authorizer) {
this.authorizer = authorizer;
return this;
}
/**
*
* Set your {@link LwM2mModelProvider} implementation.
*
* By default the {@link StandardModelProvider} implementation is used which support all core objects for all
* devices.
*
*/
public LeshanServerBuilder setObjectModelProvider(LwM2mModelProvider objectModelProvider) {
this.modelProvider = objectModelProvider;
return this;
}
/**
*
* Set the {@link PublicKey} of the server which will be used for RawPublicKey DTLS authentication.
*
* This should be used for RPK support only. If you support RPK and X509,
* {@link LeshanServerBuilder#setCertificateChain(X509Certificate[])} should be used.
*/
public LeshanServerBuilder setPublicKey(PublicKey publicKey) {
this.publicKey = publicKey;
return this;
}
/**
* Set the {@link PrivateKey} of the server which will be used for RawPublicKey(RPK) and X509 DTLS authentication.
*/
public LeshanServerBuilder setPrivateKey(PrivateKey privateKey) {
this.privateKey = privateKey;
return this;
}
/**
*
* Set the CertificateChain of the server which will be used for X509 DTLS authentication.
*
* For RPK the public key will be extract from the first X509 certificate of the certificate chain. If you only need
* RPK support, use {@link LeshanServerBuilder#setPublicKey(PublicKey)} instead.
*/
public LeshanServerBuilder setCertificateChain(T[] certificateChain) {
this.certificateChain = certificateChain;
return this;
}
/**
* The list of trusted certificates used to authenticate devices.
*/
public LeshanServerBuilder setTrustedCertificates(T[] trustedCertificates) {
this.trustedCertificates = trustedCertificates;
return this;
}
/**
*
* Set the {@link LwM2mNodeEncoder} which will encode {@link LwM2mNode} with supported content format.
*
* By default the {@link DefaultLwM2mNodeEncoder} is used. It supports Text, Opaque, TLV and JSON format.
*/
public LeshanServerBuilder setEncoder(LwM2mNodeEncoder encoder) {
this.encoder = encoder;
return this;
}
/**
*
* Set the {@link LwM2mNodeDecoder} which will decode data in supported content format to create {@link LwM2mNode}.
*
* By default the {@link DefaultLwM2mNodeDecoder} is used. It supports Text, Opaque, TLV and JSON format.
*/
public LeshanServerBuilder setDecoder(LwM2mNodeDecoder decoder) {
this.decoder = decoder;
return this;
}
/**
* Set the Californium/CoAP {@link NetworkConfig}.
*/
public LeshanServerBuilder setCoapConfig(NetworkConfig config) {
this.coapConfig = config;
return this;
}
/**
* Set the Scandium/DTLS Configuration : {@link Builder}.
*/
public LeshanServerBuilder setDtlsConfig(DtlsConnectorConfig.Builder config) {
this.dtlsConfigBuilder = config;
return this;
}
/**
* Advanced setter used to create custom CoAP endpoint.
*
* An {@link UDPConnector} is expected for unsecured endpoint and a {@link DTLSConnector} is expected for secured
* endpoint.
*
* @param endpointFactory An {@link EndpointFactory}, you can extends {@link DefaultEndpointFactory}.
* @return the builder for fluent Bootstrap Server creation.
*/
public LeshanServerBuilder setEndpointFactory(EndpointFactory endpointFactory) {
this.endpointFactory = endpointFactory;
return this;
}
/**
* deactivate unsecured CoAP endpoint
*/
public LeshanServerBuilder disableUnsecuredEndpoint() {
this.noUnsecuredEndpoint = true;
return this;
}
/**
* deactivate secured CoAP endpoint (DTLS)
*/
public LeshanServerBuilder disableSecuredEndpoint() {
this.noSecuredEndpoint = true;
return this;
}
/**
* deactivate PresenceService which tracks presence of devices using LWM2M Queue Mode. When Queue Mode is
* deactivated request is always sent immediately and {@link ClientSleepingException} will never be raised.
* Deactivate QueueMode can make sense if you want to handle it on your own or if you don't plan to support devices
* with queue mode.
*/
public LeshanServerBuilder disableQueueModeSupport() {
this.noQueueMode = true;
return this;
}
/**
* Sets a new {@link ClientAwakeTimeProvider} object different from the default one.
*
* By default a {@link StaticClientAwakeTimeProvider} will be used initialized with the
* MAX_TRANSMIT_WAIT
value available in CoAP {@link NetworkConfig} which should be by default 93s as
* defined in RFC7252.
*
* @param awakeTimeProvider the {@link ClientAwakeTimeProvider} to set.
*/
public LeshanServerBuilder setClientAwakeTimeProvider(ClientAwakeTimeProvider awakeTimeProvider) {
this.awakeTimeProvider = awakeTimeProvider;
return this;
}
/**
* Sets a new {@link RegistrationIdProvider} object different from the default one (Random string).
*
* @param registrationIdProvider the {@link RegistrationIdProvider} to set.
*/
public void setRegistrationIdProvider(RegistrationIdProvider registrationIdProvider) {
this.registrationIdProvider = registrationIdProvider;
}
/**
* Update Registration on notification.
*
* There is some use cases where device can have a dynamic IP (E.g. NAT environment), the specification says to use
* an UPDATE request to notify server about IP address/ port changes. But it seems there is some rare use case where
* this update REQUEST can not be done.
*
* With this option you can allow Leshan to update Registration on observe notification. This is clearly OUT OF
* SPECIFICATION and so this is not recommended and should be used only if there is no other way.
*
* For {@code coap://} you probably need to use a the Relaxed response matching mode.
*
*
* coapConfig.setString(NetworkConfig.Keys.RESPONSE_MATCHING, "RELAXED");
*
*
* @since 1.1
*
* @see Dynamic
* IP environnement documentaiton
*/
public LeshanServerBuilder setUpdateRegistrationOnNotification(boolean updateRegistrationOnNotification) {
this.updateRegistrationOnNotification = updateRegistrationOnNotification;
return this;
}
/**
* The default Californium/CoAP {@link NetworkConfig} used by the builder.
*/
public static NetworkConfig createDefaultNetworkConfig() {
NetworkConfig networkConfig = new NetworkConfig();
networkConfig.set(Keys.MID_TRACKER, "NULL");
return networkConfig;
}
/**
* Create the {@link LeshanServer}.
*
* Next step will be to start it : {@link LeshanServer#start()}.
*
* @return the LWM2M server.
* @throws IllegalStateException if builder configuration is not consistent.
*/
public LeshanServer build() {
if (localAddress == null)
localAddress = new InetSocketAddress(LwM2m.DEFAULT_COAP_PORT);
if (registrationStore == null)
registrationStore = new InMemoryRegistrationStore();
if (authorizer == null)
authorizer = new DefaultAuthorizer(securityStore);
if (modelProvider == null)
modelProvider = new StandardModelProvider();
if (encoder == null)
encoder = new DefaultLwM2mNodeEncoder();
if (decoder == null)
decoder = new DefaultLwM2mNodeDecoder();
if (coapConfig == null)
coapConfig = createDefaultNetworkConfig();
if (awakeTimeProvider == null) {
int maxTransmitWait = coapConfig.getInt(Keys.MAX_TRANSMIT_WAIT);
if (maxTransmitWait == 0) {
LOG.warn(
"No value available for MAX_TRANSMIT_WAIT in CoAP NetworkConfig. Fallback with a default 93s value.");
awakeTimeProvider = new StaticClientAwakeTimeProvider();
} else {
awakeTimeProvider = new StaticClientAwakeTimeProvider(maxTransmitWait);
}
}
if (registrationIdProvider == null)
registrationIdProvider = new RandomStringRegistrationIdProvider();
if (endpointFactory == null) {
endpointFactory = new DefaultEndpointFactory("LWM2M Server");
}
// handle dtlsConfig
DtlsConnectorConfig dtlsConfig = null;
if (!noSecuredEndpoint && shouldTryToCreateSecureEndpoint()) {
if (dtlsConfigBuilder == null) {
dtlsConfigBuilder = new DtlsConnectorConfig.Builder();
}
// Set default DTLS setting for Leshan unless user change it.
DtlsConnectorConfig incompleteConfig = dtlsConfigBuilder.getIncompleteConfig();
// Handle PSK Store
if (incompleteConfig.getAdvancedPskStore() != null) {
LOG.warn(
"PskStore should be automatically set by Leshan. Using a custom implementation is not advised.");
} else if (securityStore != null) {
dtlsConfigBuilder.setAdvancedPskStore(new LwM2mAdvancedPskStore(this.securityStore, registrationStore));
}
// Handle secure address
if (incompleteConfig.getAddress() == null) {
if (localSecureAddress == null) {
localSecureAddress = new InetSocketAddress(LwM2m.DEFAULT_COAP_SECURE_PORT);
}
dtlsConfigBuilder.setAddress(localSecureAddress);
} else if (localSecureAddress != null && !localSecureAddress.equals(incompleteConfig.getAddress())) {
throw new IllegalStateException(String.format(
"Configuration conflict between LeshanBuilder and DtlsConnectorConfig.Builder for secure address: %s != %s",
localSecureAddress, incompleteConfig.getAddress()));
}
// Handle active peers
if (incompleteConfig.getMaxConnections() == null)
dtlsConfigBuilder.setMaxConnections(coapConfig.getInt(Keys.MAX_ACTIVE_PEERS));
if (incompleteConfig.getStaleConnectionThreshold() == null)
dtlsConfigBuilder.setStaleConnectionThreshold(coapConfig.getLong(Keys.MAX_PEER_INACTIVITY_PERIOD));
// check conflict for private key
if (privateKey != null) {
if (incompleteConfig.getPrivateKey() != null && !incompleteConfig.getPrivateKey().equals(privateKey)) {
throw new IllegalStateException(String.format(
"Configuration conflict between LeshanBuilder and DtlsConnectorConfig.Builder for private key: %s != %s",
privateKey, incompleteConfig.getPrivateKey()));
}
// if in raw key mode and not in X.509 set the raw keys
if (certificateChain == null && publicKey != null) {
if (incompleteConfig.getPublicKey() != null && !incompleteConfig.getPublicKey().equals(publicKey)) {
throw new IllegalStateException(String.format(
"Configuration conflict between LeshanBuilder and DtlsConnectorConfig.Builder for public key: %s != %s",
publicKey, incompleteConfig.getPublicKey()));
}
dtlsConfigBuilder.setIdentity(privateKey, publicKey);
}
// if in X.509 mode set the private key, certificate chain, public key is extracted from the certificate
if (certificateChain != null && certificateChain.length > 0) {
if (incompleteConfig.getCertificateChain() != null
&& !Arrays.asList(certificateChain).equals(incompleteConfig.getCertificateChain())) {
throw new IllegalStateException(String.format(
"Configuration conflict between LeshanBuilder and DtlsConnectorConfig.Builder for certificate chain: %s != %s",
Arrays.toString(certificateChain), incompleteConfig.getCertificateChain()));
}
dtlsConfigBuilder.setIdentity(privateKey, certificateChain, CertificateType.X_509,
CertificateType.RAW_PUBLIC_KEY);
}
// handle trusted certificates or RPK
if (incompleteConfig.getAdvancedCertificateVerifier() != null) {
if (trustedCertificates != null) {
throw new IllegalStateException(
"Configuration conflict between LeshanBuilder and DtlsConnectorConfig.Builder: if a AdvancedCertificateVerifier is set, trustedCertificates must not be set.");
}
} else {
BridgeCertificateVerifier.Builder verifierBuilder = new BridgeCertificateVerifier.Builder();
if (incompleteConfig.getRpkTrustStore() != null) {
verifierBuilder.setTrustedRPKs(incompleteConfig.getRpkTrustStore());
} else {
// by default trust all RPK
verifierBuilder.setTrustAllRPKs();
}
if (incompleteConfig.getTrustStore() != null) {
if (trustedCertificates != null
&& !Arrays.equals(trustedCertificates, incompleteConfig.getTrustStore())) {
throw new IllegalStateException(String.format(
"Configuration conflict between LeshanBuilder and DtlsConnectorConfig.Builder for trusted Certificates (trustStore) : \n%s != \n%s",
Arrays.toString(trustedCertificates),
Arrays.toString(incompleteConfig.getTrustStore())));
}
verifierBuilder.setTrustedCertificates(incompleteConfig.getTrustStore());
} else {
if (trustedCertificates != null) {
verifierBuilder.setTrustedCertificates(trustedCertificates);
}
}
if (incompleteConfig.getCertificateVerifier() != null) {
if (trustedCertificates != null) {
throw new IllegalStateException(
"Configuration conflict between LeshanBuilder and DtlsConnectorConfig.Builder: if a CertificateVerifier is set, trustedCertificates must not be set.");
}
verifierBuilder.setCertificateVerifier(incompleteConfig.getCertificateVerifier());
}
dtlsConfigBuilder.setAdvancedCertificateVerifier(verifierBuilder.build());
}
}
// Deactivate SNI by default
// TODO should we support SNI ?
if (incompleteConfig.isSniEnabled() == null) {
dtlsConfigBuilder.setSniEnabled(false);
}
// Do no allow Server to initiated Handshake by default, for U device request will be allowed to initiate
// handshake (see Registration.shouldInitiateConnection())
Boolean serverOnly = incompleteConfig.isServerOnly();
if (serverOnly == null || !serverOnly) {
if (incompleteConfig.getDefaultHandshakeMode() == null) {
dtlsConfigBuilder.setDefaultHandshakeMode(DtlsEndpointContext.HANDSHAKE_MODE_NONE);
}
}
// we try to build the dtlsConfig, if it fail we will just not create the secured endpoint
try {
dtlsConfig = dtlsConfigBuilder.build();
} catch (IllegalStateException e) {
LOG.warn("Unable to create DTLS config and so secured endpoint.", e);
}
}
// create endpoints
CoapEndpoint unsecuredEndpoint = null;
if (!noUnsecuredEndpoint) {
unsecuredEndpoint = endpointFactory.createUnsecuredEndpoint(localAddress, coapConfig, registrationStore);
}
CoapEndpoint securedEndpoint = null;
if (!noSecuredEndpoint && dtlsConfig != null) {
securedEndpoint = endpointFactory.createSecuredEndpoint(dtlsConfig, coapConfig, registrationStore);
}
if (securedEndpoint == null && unsecuredEndpoint == null) {
throw new IllegalStateException(
"All CoAP enpoints are deactivated, at least one endpoint should be activated");
}
return createServer(unsecuredEndpoint, securedEndpoint, registrationStore, securityStore, authorizer,
modelProvider, encoder, decoder, coapConfig, noQueueMode, awakeTimeProvider, registrationIdProvider);
}
/**
* @return true if we should try to create a secure endpoint on {@link #build()}
*/
protected boolean shouldTryToCreateSecureEndpoint() {
return dtlsConfigBuilder != null || certificateChain != null || privateKey != null || publicKey != null
|| securityStore != null || trustedCertificates != null;
}
/**
* Create the LeshanServer
.
*
* You can extend LeshanServerBuilder
and override this method to create a new builder which will be
* able to build an extended LeshanServer
.
*
* @param unsecuredEndpoint CoAP endpoint used for coap://
communication.
* @param securedEndpoint CoAP endpoint used for coaps://
communication.
* @param registrationStore the {@link Registration} store.
* @param securityStore the {@link SecurityInfo} store.
* @param authorizer define which devices is allow to register on this server.
* @param modelProvider provides the objects description for each client.
* @param decoder decoder used to decode response payload.
* @param encoder encode used to encode request payload.
* @param coapConfig the CoAP {@link NetworkConfig}.
* @param noQueueMode true to disable presenceService.
* @param awakeTimeProvider to set the client awake time if queue mode is used.
* @param registrationIdProvider to provide registrationId using for location-path option values on response of
* Register operation.
*
* @return the LWM2M server
*/
protected LeshanServer createServer(CoapEndpoint unsecuredEndpoint, CoapEndpoint securedEndpoint,
CaliforniumRegistrationStore registrationStore, SecurityStore securityStore, Authorizer authorizer,
LwM2mModelProvider modelProvider, LwM2mNodeEncoder encoder, LwM2mNodeDecoder decoder,
NetworkConfig coapConfig, boolean noQueueMode, ClientAwakeTimeProvider awakeTimeProvider,
RegistrationIdProvider registrationIdProvider) {
return new LeshanServer(unsecuredEndpoint, securedEndpoint, registrationStore, securityStore, authorizer,
modelProvider, encoder, decoder, coapConfig, noQueueMode, awakeTimeProvider, registrationIdProvider,
updateRegistrationOnNotification);
}
}