Class SecurityAgent

    • Field Detail

      • PROPERTIES_ID

        public static final java.lang.String PROPERTIES_ID
        Properties id for the settings service.
        See Also:
        Constant Field Values
      • SECURITY_MESSAGE

        protected static final java.lang.String SECURITY_MESSAGE
        Header property for security messages.
        See Also:
        Constant Field Values
      • GLOBAL_NETWORK_NAME

        public static final java.lang.String GLOBAL_NETWORK_NAME
        Name of the global network.
        See Also:
        Constant Field Values
      • DEFAULT_GLOBAL_ROOT_CERTIFICATE

        public static final java.lang.String DEFAULT_GLOBAL_ROOT_CERTIFICATE
        Default root certificate for global network.
        See Also:
        Constant Field Values
      • usesecret

        protected boolean usesecret
        Flag whether to use the platform secret for authentication.
      • printsecret

        protected boolean printsecret
        Flag whether the platform secret should be printed during start.
      • defaultauthorization

        protected boolean defaultauthorization
        Flag whether to grant default authorization (allow basic service calls if name, network or platform is authenticated).
      • refuseuntrusted

        protected boolean refuseuntrusted
        Flag whether to refuse unauthenticated connections.
      • allownoauthname

        protected boolean allownoauthname
        Flag whether connections with platforms without authenticated names are allowed.
      • allownonetwork

        protected boolean allownonetwork
        Flag whether connections with platforms without authenticated networks are allowed.
      • loadjavatruststore

        protected boolean loadjavatruststore
        Flag whether to use the default Java trust store.
      • addglobalnetwork

        protected boolean addglobalnetwork
        Flag if the security should add a global network if no global network is set.
      • createdefaultnetwork

        protected boolean createdefaultnetwork
        Flag if the security should create a random default network if no network is set.
      • handshaketimeout

        protected long handshaketimeout
        Handshake timeout.
      • handshaketimeoutscale

        protected double handshaketimeoutscale
        Handshake timeout scale factor.
      • resettimeoutscale

        protected double resettimeoutscale
        Handshake reset scale factor.
      • sessionkeylifetime

        protected long sessionkeylifetime
        Lifetime of session keys, after which the handshake is repeated and a new session key is generated.
      • debug

        protected boolean debug
        Flag enabling debug printouts.
      • platformnamecertificate

        protected AbstractX509PemSecret platformnamecertificate
        The platform name certificate if available.
      • trustedplatforms

        protected java.util.Set<java.lang.String> trustedplatforms
        The platform names that are trusted and identified by name.
      • nameauthorities

        protected java.util.Set<org.bouncycastle.cert.X509CertificateHolder> nameauthorities
        Trusted authorities for certifying platform names.
      • customnameauthorities

        protected java.util.Set<org.bouncycastle.cert.X509CertificateHolder> customnameauthorities
        Custom (non-Java default) trusted authorities for certifying platform names.
      • allowedcryptosuites

        protected java.util.Map<java.lang.String,​java.lang.Class<?>> allowedcryptosuites
        Available crypto suites.
      • initializingcryptosuites

        protected java.util.Map<java.lang.String,​HandshakeState> initializingcryptosuites
        CryptoSuites currently initializing, value=Handshake state.
      • currentcryptosuites

        protected IRwMap<java.lang.String,​ICryptoSuite> currentcryptosuites
        CryptoSuites currently in use.
      • expiringcryptosuites

        protected MultiCollection<java.lang.String,​Tuple2<ICryptoSuite,​java.lang.Long>> expiringcryptosuites
        CryptoSuites that are expiring with expiration time.
      • roles

        protected java.util.Map<java.lang.String,​java.util.Set<java.lang.String>> roles
        Map of entities and associated roles.
      • cryptoreset

        protected IFuture<java.lang.Void> cryptoreset
        Crypto-Suite reset in progress.
      • cleanuptask

        protected volatile IFuture<java.lang.Void> cleanuptask
        Task for cleanup duties.
      • networknames

        protected java.util.Set<java.lang.String> networknames
        The list of network names (used by all service identifiers).
    • Constructor Detail

      • SecurityAgent

        public SecurityAgent()
    • Method Detail

      • start

        public IFuture<java.lang.Void> start()
        Initialization.
      • encryptAndSign

        public IFuture<byte[]> encryptAndSign​(IMsgHeader header,
                                              byte[] content)
        Encrypts and signs the message for a receiver.
        Specified by:
        encryptAndSign in interface ISecurityService
        Parameters:
        receiver - The receiver.
        content - The content
        Returns:
        Encrypted/signed message.
      • setUsePlatformSecret

        public IFuture<java.lang.Void> setUsePlatformSecret​(boolean useplatformsecret)
        Sets whether the platform secret should be used.
        Specified by:
        setUsePlatformSecret in interface ISecurityService
        Parameters:
        useplatformsecret - The flag.
        Returns:
        Null, when done.
      • setPrintPlatformSecret

        public IFuture<java.lang.Void> setPrintPlatformSecret​(boolean printplatformsecret)
        Sets whether the platform secret should be printed.
        Specified by:
        setPrintPlatformSecret in interface ISecurityService
        Parameters:
        printplatformsecret - The flag.
        Returns:
        Null, when done.
      • setNetwork

        public IFuture<java.lang.Void> setNetwork​(java.lang.String networkname,
                                                  java.lang.String secret)
        Sets a new network.
        Specified by:
        setNetwork in interface ISecurityService
        Parameters:
        networkname - The network name.
        secret - The secret.
        Returns:
        Null, when done.
      • removeNetwork

        public IFuture<java.lang.Void> removeNetwork​(java.lang.String networkname,
                                                     java.lang.String secret)
        Remove a network.
        Specified by:
        removeNetwork in interface ISecurityService
        Parameters:
        networkname - The network name.
        secret - The secret, null to remove the network completely.
        Returns:
        Null, when done.
      • addNameAuthority

        public IFuture<java.lang.Void> addNameAuthority​(java.lang.String pemcertificate)
        Adds an authority for authenticating platform names.
        Specified by:
        addNameAuthority in interface ISecurityService
        Parameters:
        pemcertificate - The pem-encoded certificate.
        Returns:
        Null, when done.
      • removeNameAuthority

        public IFuture<java.lang.Void> removeNameAuthority​(java.lang.String pemcertificate)
        Removes an authority for authenticating platform names.
        Specified by:
        removeNameAuthority in interface ISecurityService
        Parameters:
        secret - The secret, only X.509 secrets allowed.
        Returns:
        Null, when done.
      • getNameAuthorities

        public IFuture<java.util.Set<java.lang.String>> getNameAuthorities()
        Gets the authorities for authenticating platform names.
        Specified by:
        getNameAuthorities in interface ISecurityService
        Parameters:
        secret - The secret, only X.509 secrets allowed.
        Returns:
        Null, when done.
      • getCustomNameAuthorities

        public IFuture<java.util.Set<java.lang.String>> getCustomNameAuthorities()
        Gets all authorities not defined in the Java trust store for authenticating platform names.
        Specified by:
        getCustomNameAuthorities in interface ISecurityService
        Returns:
        List of name authorities.
      • getNetworkNames

        public IFuture<java.util.Set<java.lang.String>> getNetworkNames()
        Gets the current network names.
        Specified by:
        getNetworkNames in interface ISecurityService
        Returns:
        The current network names.
      • addTrustedPlatform

        public IFuture<java.lang.Void> addTrustedPlatform​(java.lang.String name)
        Adds a name of an authenticated platform to allow access.
        Specified by:
        addTrustedPlatform in interface ISecurityService
        Parameters:
        name - The platform name, name must be authenticated with certificate.
        roles - The roles the platform should have, can be null or empty.
        Returns:
        Null, when done.
      • removeTrustedPlatform

        public IFuture<java.lang.Void> removeTrustedPlatform​(java.lang.String name)
        Removes the name of an authenticated platform that was allowed access.
        Specified by:
        removeTrustedPlatform in interface ISecurityService
        Parameters:
        name - The platform name.
        Returns:
        Null, when done.
      • getTrustedPlatforms

        public IFuture<java.util.Set<java.lang.String>> getTrustedPlatforms()
        Gets the trusted platforms that are specified by names.
        Specified by:
        getTrustedPlatforms in interface ISecurityService
        Returns:
        The trusted platforms and their roles.
      • getNetworkNamesSync

        public java.util.Set<java.lang.String> getNetworkNamesSync()
        Gets the current network names.
        Returns:
        The current network names.
      • setPlatformSecret

        public IFuture<java.lang.Void> setPlatformSecret​(IComponentIdentifier cid,
                                                         java.lang.String secret)
        Sets the secret of a platform.
        Specified by:
        setPlatformSecret in interface ISecurityService
        Parameters:
        cid - ID of the platform.
        secret - Encoded secret or null to remove.
        Returns:
        Encoded secret or null.
      • addRole

        public IFuture<java.lang.Void> addRole​(java.lang.String entity,
                                               java.lang.String role)
        Adds a role for an entity (platform or network name).
        Specified by:
        addRole in interface ISecurityService
        Parameters:
        entity - The entity name.
        role - The role name.
        Returns:
        Null, when done.
      • removeRole

        public IFuture<java.lang.Void> removeRole​(java.lang.String entity,
                                                  java.lang.String role)
        Removes a role of an entity (platform or network name).
        Specified by:
        removeRole in interface ISecurityService
        Parameters:
        entity - The entity name.
        role - The role name.
        Returns:
        Null, when done.
      • getRoleMap

        public IFuture<java.util.Map<java.lang.String,​java.util.Set<java.lang.String>>> getRoleMap()
        Gets a copy of the current role map.
        Specified by:
        getRoleMap in interface ISecurityService
        Returns:
        Copy of the role map.
      • getJadexVersion

        public JadexVersion getJadexVersion​(IComponentIdentifier remoteid)
        Opportunistically returns the remote Jadex version if known.
        Specified by:
        getJadexVersion in interface ISecurityService
        Parameters:
        remoteid - ID of the remote platform.
        Returns:
        Null if the version cannot be determined, a JadexVersion otherwise. Note that the JadexVersion can still be an unknown version (as determined by isUnknown), which means that the platform itself reported an unknown version.
      • getInternalNetworks

        public MultiCollection<java.lang.String,​AbstractAuthenticationSecret> getInternalNetworks()
        Get access to the stored virtual network configurations.
        Returns:
        The stored virtual network configurations.
      • getInternalNameAuthorities

        public java.util.Set<org.bouncycastle.cert.X509CertificateHolder> getInternalNameAuthorities()
        Gets the name authorities.
      • getInternalTrustedPlatforms

        public java.util.Set<java.lang.String> getInternalTrustedPlatforms()
        Gets the trusted platform names.
      • getInternalPlatformNameCertificate

        public AbstractX509PemSecret getInternalPlatformNameCertificate()
        Get the platform name certificate.
      • getInternalUsePlatformSecret

        public boolean getInternalUsePlatformSecret()
        Checks whether to use platform secret.
        Returns:
        True, if used.
      • getInternalRefuseUntrusted

        public boolean getInternalRefuseUntrusted()
        Checks whether to allow untrusted connections.
        Returns:
        True, if used.
      • getInternalAllowNoAuthName

        public boolean getInternalAllowNoAuthName()
        Checks whether to allow connections without name authentication.
        Returns:
        True, if used.
      • getInternalAllowNoNetwork

        public boolean getInternalAllowNoNetwork()
        Checks whether to allow connections without network authentication.
        Returns:
        True, if used.
      • getInternalDefaultAuthorization

        public boolean getInternalDefaultAuthorization()
        Checks whether to allow the default authorization.
        Returns:
        True, if used.
      • setSecInfoMappedRoles

        public void setSecInfoMappedRoles​(SecurityInfo secinf)
        Sets the roles of a security info object.
        Parameters:
        secinf - Security info.
        defroles - Default roles that should be added.
      • checkCleanup

        protected void checkCleanup()
      • doCleanup

        protected void doCleanup()
        Cleans expired objects.
      • resetCryptoSuites

        protected IFuture<java.lang.Void> resetCryptoSuites()
        Resets the crypto suite in case of security state change (network secret changes etc.).
      • createCryptoSuite

        protected ICryptoSuite createCryptoSuite​(java.lang.String name,
                                                 java.lang.String convid,
                                                 JadexVersion remoteversion,
                                                 boolean initializer)
        Creates a crypto suite of a particular name.
        Parameters:
        name - Name of the suite.
        convid - Conversation ID of handshake.
        remoteversion - The remote Jadex version.
        initializer - True, if suite should represent the initializer.
        Returns:
        The suite, null if not found.
      • expireCryptosuite

        protected void expireCryptosuite​(java.lang.String pfname)
        Expires a cryptosuite.
        Parameters:
        pfname - Platform name.
      • refreshCryptosuiteRoles

        protected void refreshCryptosuiteRoles()
        Refreshes the crypto suite roles.
      • sendSecurityHandshakeMessage

        public void sendSecurityHandshakeMessage​(IComponentIdentifier receiver,
                                                 BasicSecurityMessage message)
        Sends a security handshake message.
        Parameters:
        receiver - Receiver of the message.
        message - The message.
      • initializeHandshake

        protected void initializeHandshake​(java.lang.String cid)
        Init handshake with other platform.
        Parameters:
        cid - The platform id.
      • loadSettings

        protected IFuture<java.util.Map<java.lang.String,​java.lang.Object>> loadSettings()
        Loads the settings.
      • saveSettings

        protected void saveSettings()
        Saves the current settings.
      • sendSecurityMessage

        protected IFuture<java.lang.Void> sendSecurityMessage​(IComponentIdentifier receiver,
                                                              java.lang.Object message)
        Sends a security message.
        Parameters:
        receiver - Receiver of the message.
        message - The message.
        Returns:
        Null, when sent.
      • isSecurityMessage

        public static final boolean isSecurityMessage​(IMsgHeader header)
        Checks if a message is a security message.
        Parameters:
        header - The message header.
        Returns:
        True, if security message.
      • requestReencryption

        protected IFuture<byte[]> requestReencryption​(java.lang.String platformname,
                                                      byte[] content)
        Request reencryption by source.
        Parameters:
        source - Source of the content.
        content - The encrypted content.
        Returns:
        Reply of decryption request, may be exception.
      • isValid

        public IFuture<java.lang.Boolean> isValid()
        Test if the service is valid.
        Specified by:
        isValid in interface IService
        Returns:
        True, if service can be used.
      • getPropertyMap

        public java.util.Map<java.lang.String,​java.lang.Object> getPropertyMap()
        Get the map of properties (considered as constant).
        Specified by:
        getPropertyMap in interface IService
        Returns:
        The service property map (if any).
      • startService

        public IFuture<java.lang.Void> startService()
        Start the service.
        Specified by:
        startService in interface IInternalService
        Returns:
        A future that is done when the service has completed starting.
      • shutdownService

        public IFuture<java.lang.Void> shutdownService()
        Shutdown the service.
        Specified by:
        shutdownService in interface IInternalService
        Returns:
        A future that is done when the service has completed its shutdown.
      • getProperty

        protected static final <T> T getProperty​(java.lang.String property,
                                                 java.util.Map<java.lang.String,​java.lang.Object> args,
                                                 java.util.Map<java.lang.String,​java.lang.Object> settings,
                                                 T defaultprop)
        Gets the right property from arguments, settings and default.
        Parameters:
        property - Property name.
        args - Arguments.
        settings - Settings.
        defaultprop - Default.
        Returns:
        The property.
      • flattenRoleMap

        public static final java.util.List<Tuple2<java.lang.String,​java.lang.String>> flattenRoleMap​(java.util.Map<java.lang.String,​java.util.Set<java.lang.String>> rolemap)
        Helper for flattening the role map.
      • getNameAuthoritiesInfo

        public IFuture<java.lang.String[][]> getNameAuthoritiesInfo()
        Gets information about the name authorities. Format is [{subjectid,dn,custom},...]
        Specified by:
        getNameAuthoritiesInfo in interface ISecurityService
        Returns:
        Infos about the name authorities.
      • invokeMethod

        public IFuture<java.lang.Object> invokeMethod​(java.lang.String methodname,
                                                      ClassInfo[] argtypes,
                                                      java.lang.Object[] args,
                                                      ClassInfo rettype)
        Invoke a method reflectively.
        Specified by:
        invokeMethod in interface IService
        Parameters:
        methodname - The method name.
        argtypes - The argument types (can be null if method exists only once).
        args - The arguments.
        rettype - The future return type if it is a specific future.
        Returns:
        The result.
      • getMethodInfos

        public IFuture<MethodInfo[]> getMethodInfos()
        Get reflective info about the service methods, args, return types.
        Specified by:
        getMethodInfos in interface IService
        Returns:
        The method infos.