Package jadex.platform.service.security

Class SecurityAgent

    • Field Detail

      • PROPERTIES_ID

        public static final java.lang.String PROPERTIES_ID
        Properties id for the settings service.
        See Also:
        Constant Field Values

      • SECURITY_MESSAGE

        protected static final java.lang.String SECURITY_MESSAGE
        Header property for security messages.
        See Also:
        Constant Field Values

      • GLOBAL_NETWORK_NAME

        public static final java.lang.String GLOBAL_NETWORK_NAME
        Name of the global network.
        See Also:
        Constant Field Values

      • DEFAULT_GLOBAL_ROOT_CERTIFICATE

        public static final java.lang.String DEFAULT_GLOBAL_ROOT_CERTIFICATE
        Default root certificate for global network.
        See Also:
        Constant Field Values

      • usesecret

        protected boolean usesecret
        Flag whether to use the platform secret for authentication.

      • printsecret

        protected boolean printsecret
        Flag whether the platform secret should be printed during start.

      • defaultauthorization

        protected boolean defaultauthorization
        Flag whether to grant default authorization (allow basic service calls if name, network or platform is authenticated).

      • refuseuntrusted

        protected boolean refuseuntrusted
        Flag whether to refuse unauthenticated connections.

      • allownoauthname

        protected boolean allownoauthname
        Flag if connection with platforms without authenticated names are allowed.

      • allownonetwork

        protected boolean allownonetwork
        Flag if connection with platforms without authenticated networks are allowed.

      • loadjavatruststore

        protected boolean loadjavatruststore
        Flag whether to use the default Java trust store.

      • addglobalnetwork

        protected boolean addglobalnetwork
        Flag if the security should add a global network if no global network is set.

      • createdefaultnetwork

        protected boolean createdefaultnetwork
        Flag if the security should create a random default network if no network is set.

      • handshaketimeout

        protected long handshaketimeout
        Handshake timeout.

      • handshaketimeoutscale

        protected double handshaketimeoutscale
        Handshake timeout scale factor.

      • resettimeoutscale

        protected double resettimeoutscale
        Handshake reset scale factor.

      • sessionkeylifetime

        protected long sessionkeylifetime
        Lifetime of session keys, after which the handshake is repeated and a new session key is generated.

      • debug

        protected boolean debug
        Flag enabling debug printouts.

      • platformnamecertificate

        protected AbstractX509PemSecret platformnamecertificate
        The platform name certificate if available.

      • trustedplatforms

        protected java.util.Set<java.lang.String> trustedplatforms
        The platform names that are trusted and identified by name.

      • nameauthorities

        protected java.util.Set<org.bouncycastle.cert.X509CertificateHolder> nameauthorities
        Trusted authorities for certifying platform names.

      • customnameauthorities

        protected java.util.Set<org.bouncycastle.cert.X509CertificateHolder> customnameauthorities
        Custom (non-Java default) trusted authorities for certifying platform names.

      • allowedcryptosuites

        protected java.util.Map<java.lang.String,​java.lang.Class<?>> allowedcryptosuites
        Available crypt suites.

      • initializingcryptosuites

        protected java.util.Map<java.lang.String,​HandshakeState> initializingcryptosuites
        CryptoSuites currently initializing, value=Handshake state.

      • currentcryptosuites

        protected IRwMap<java.lang.String,​ICryptoSuite> currentcryptosuites
        CryptoSuites currently in use.

      • expiringcryptosuites

        protected MultiCollection<java.lang.String,​Tuple2<ICryptoSuite,​java.lang.Long>> expiringcryptosuites
        CryptoSuites that are expiring with expiration time.

      • roles

        protected java.util.Map<java.lang.String,​java.util.Set<java.lang.String>> roles
        Map of entities and associated roles.

      • cryptoreset

        protected IFuture<java.lang.Void> cryptoreset
        Crypto-Suite reset in progress.

      • cleanuptask

        protected volatile IFuture<java.lang.Void> cleanuptask
        Task for cleanup duties.

      • networknames

        protected java.util.Set<java.lang.String> networknames
        The list of network names (used by all service identifiers).

    • Constructor Detail

      • SecurityAgent

        public SecurityAgent()

    • Method Detail

      • start

        public IFuture<java.lang.Void> start()
        Initialization.

      • encryptAndSign

        public IFuture<byte[]> encryptAndSign​(IMsgHeader header,
                                      byte[] content)
        Encrypts and signs the message for a receiver.
        Specified by:
        encryptAndSign in interface ISecurityService
        Parameters:
        receiver - The receiver.
        content - The content
        Returns:
        Encrypted/signed message.

      • setUsePlatformSecret

        public IFuture<java.lang.Void> setUsePlatformSecret​(boolean useplatformsecret)
        Sets whether the platform secret should be used.
        Specified by:
        setUsePlatformSecret in interface ISecurityService
        Parameters:
        useplatformsecret - The flag.
        Returns:
        Null, when done.

      • setPrintPlatformSecret

        public IFuture<java.lang.Void> setPrintPlatformSecret​(boolean printplatformsecret)
        Sets whether the platform secret should be printed.
        Specified by:
        setPrintPlatformSecret in interface ISecurityService
        Parameters:
        printplatformsecret - The flag.
        Returns:
        Null, when done.

      • setNetwork

        public IFuture<java.lang.Void> setNetwork​(java.lang.String networkname,
                                          java.lang.String secret)
        Sets a new network.
        Specified by:
        setNetwork in interface ISecurityService
        Parameters:
        networkname - The network name.
        secret - The secret.
        Returns:
        Null, when done.

      • removeNetwork

        public IFuture<java.lang.Void> removeNetwork​(java.lang.String networkname,
                                             java.lang.String secret)
        Remove a network.
        Specified by:
        removeNetwork in interface ISecurityService
        Parameters:
        networkname - The network name.
        secret - The secret, null to remove the network completely.
        Returns:
        Null, when done.

      • addNameAuthority

        public IFuture<java.lang.Void> addNameAuthority​(java.lang.String pemcertificate)
        Adds an authority for authenticating platform names.
        Specified by:
        addNameAuthority in interface ISecurityService
        Parameters:
        pemcertificate - The pem-encoded certificate.
        Returns:
        Null, when done.

      • removeNameAuthority

        public IFuture<java.lang.Void> removeNameAuthority​(java.lang.String pemcertificate)
        Remvoes an authority for authenticating platform names.
        Specified by:
        removeNameAuthority in interface ISecurityService
        Parameters:
        secret - The secret, only X.509 secrets allowed.
        Returns:
        Null, when done.

      • getNameAuthorities

        public IFuture<java.util.Set<java.lang.String>> getNameAuthorities()
        Adds an authority for authenticating platform names.
        Specified by:
        getNameAuthorities in interface ISecurityService
        Parameters:
        secret - The secret, only X.509 secrets allowed.
        Returns:
        Null, when done.

      • getCustomNameAuthorities

        public IFuture<java.util.Set<java.lang.String>> getCustomNameAuthorities()
        Gets all authorities not defined in the Java trust store for authenticating platform names.
        Specified by:
        getCustomNameAuthorities in interface ISecurityService
        Returns:
        List of name authorities.

      • getNetworkNames

        public IFuture<java.util.Set<java.lang.String>> getNetworkNames()
        Gets the current network names.
        Specified by:
        getNetworkNames in interface ISecurityService
        Returns:
        The current networks names.

      • addTrustedPlatform

        public IFuture<java.lang.Void> addTrustedPlatform​(java.lang.String name)
        Adds a name of an authenticated platform to allow access.
        Specified by:
        addTrustedPlatform in interface ISecurityService
        Parameters:
        name - The platform name, name must be authenticated with certificate.
        roles - The roles the platform should have, can be null or empty.
        Returns:
        Null, when done.

      • removeTrustedPlatform

        public IFuture<java.lang.Void> removeTrustedPlatform​(java.lang.String name)
        Adds a name of an authenticated platform to allow access.
        Specified by:
        removeTrustedPlatform in interface ISecurityService
        Parameters:
        name - The platform name.
        Returns:
        Null, when done.

      • getTrustedPlatforms

        public IFuture<java.util.Set<java.lang.String>> getTrustedPlatforms()
        Gets the trusted platforms that are specified by names.
        Specified by:
        getTrustedPlatforms in interface ISecurityService
        Returns:
        The trusted platforms and their roles.

      • getNetworkNamesSync

        public java.util.Set<java.lang.String> getNetworkNamesSync()
        Gets the current network names.
        Returns:
        The current networks names.

      • setPlatformSecret

        public IFuture<java.lang.Void> setPlatformSecret​(IComponentIdentifier cid,
                                                 java.lang.String secret)
        Sets the secret of a platform.
        Specified by:
        setPlatformSecret in interface ISecurityService
        Parameters:
        cid - ID of the platform.
        secret - Encoded secret or null to remove.
        Returns:
        Encoded secret or null.

      • addRole

        public IFuture<java.lang.Void> addRole​(java.lang.String entity,
                                       java.lang.String role)
        Adds a role for an entity (platform or network name).
        Specified by:
        addRole in interface ISecurityService
        Parameters:
        entity - The entity name.
        role - The role name.
        Returns:
        Null, when done.

      • removeRole

        public IFuture<java.lang.Void> removeRole​(java.lang.String entity,
                                          java.lang.String role)
        Adds a role of an entity (platform or network name).
        Specified by:
        removeRole in interface ISecurityService
        Parameters:
        entity - The entity name.
        role - The role name.
        Returns:
        Null, when done.

      • getRoleMap

        public IFuture<java.util.Map<java.lang.String,​java.util.Set<java.lang.String>>> getRoleMap()
        Gets a copy of the current role map.
        Specified by:
        getRoleMap in interface ISecurityService
        Returns:
        Copy of the role map.

      • getJadexVersion

        public JadexVersion getJadexVersion​(IComponentIdentifier remoteid)
        Opportunistically returns the remote Jadex version if known.
        Specified by:
        getJadexVersion in interface ISecurityService
        Parameters:
        remoteid - ID of the remote platform.
        Returns:
        Null, if the version is cannot be determined, a JadexVersion otherwise. Note that the JadexVersion can still be an unknown version (as determined by isUnknown), which means that the platform itself reported an unknown version.

      • getInternalNetworks

        public MultiCollection<java.lang.String,​AbstractAuthenticationSecret> getInternalNetworks()
        Get access to the stored virtual network configurations.
        Returns:
        The stored virtual network configurations.

      • getInternalNameAuthorities

        public java.util.Set<org.bouncycastle.cert.X509CertificateHolder> getInternalNameAuthorities()
        Gets the name authorities.

      • getInternalTrustedPlatforms

        public java.util.Set<java.lang.String> getInternalTrustedPlatforms()
        Gets the trusted platform names.

      • getInternalPlatformNameCertificate

        public AbstractX509PemSecret getInternalPlatformNameCertificate()
        Get the platform name certificate.

      • getInternalUsePlatformSecret

        public boolean getInternalUsePlatformSecret()
        Checks whether to use platform secret.
        Returns:
        True, if used.

      • getInternalRefuseUntrusted

        public boolean getInternalRefuseUntrusted()
        Checks whether to allow untrusted connections.
        Returns:
        True, if used.

      • getInternalAllowNoAuthName

        public boolean getInternalAllowNoAuthName()
        Checks whether to allow connections without name authentication.
        Returns:
        True, if used.

      • getInternalAllowNoNetwork

        public boolean getInternalAllowNoNetwork()
        Checks whether to allow connections without network authentication.
        Returns:
        True, if used.

      • getInternalDefaultAuthorization

        public boolean getInternalDefaultAuthorization()
        Checks whether to allow the default authorization.
        Returns:
        True, if used.

      • setSecInfoMappedRoles

        public void setSecInfoMappedRoles​(SecurityInfo secinf)
        Sets the roles of a security info object.
        Parameters:
        secinf - Security info.
        defroles - Default roles that should be added.

      • checkCleanup

        protected void checkCleanup()

      • doCleanup

        protected void doCleanup()
        Cleans expired objects.

      • resetCryptoSuites

        protected IFuture<java.lang.Void> resetCryptoSuites()
        Resets the crypto suite in case of security state change (network secret changes etc.).

      • createCryptoSuite

        protected ICryptoSuite createCryptoSuite​(java.lang.String name,
                                         java.lang.String convid,
                                         JadexVersion remoteversion,
                                         boolean initializer)
        Creates a crypto suite of a particular name.
        Parameters:
        name - Name of the suite.
        convid - Conversation ID of handshake.
        remoteversion - The remote Jadex version.
        initializer - True, if suite should represent the initializer.
        Returns:
        The suite, null if not found.

      • expireCryptosuite

        protected void expireCryptosuite​(java.lang.String pfname)
        Expires a cryptosuite.
        Parameters:
        pfname - Platform name.

      • refreshCryptosuiteRoles

        protected void refreshCryptosuiteRoles()
        Refreshed crypto suite roles.

      • sendSecurityHandshakeMessage

        public void sendSecurityHandshakeMessage​(IComponentIdentifier receiver,
                                         BasicSecurityMessage message)
        Sends a security handshake message.
        Parameters:
        receiver - Receiver of the message.
        message - The message.

      • initializeHandshake

        protected void initializeHandshake​(java.lang.String cid)
        Init handshake with other platform.
        Parameters:
        cid - The platform id.

      • loadSettings

        protected IFuture<java.util.Map<java.lang.String,​java.lang.Object>> loadSettings()
        Loads the settings.

      • saveSettings

        protected void saveSettings()
        Saves the current settings.

      • sendSecurityMessage

        protected IFuture<java.lang.Void> sendSecurityMessage​(IComponentIdentifier receiver,
                                                      java.lang.Object message)
        Sends a security message.
        Parameters:
        receiver - Receiver of the message.
        message - The message.
        Returns:
        Null, when sent.

      • isSecurityMessage

        public static final boolean isSecurityMessage​(IMsgHeader header)
        Checks if a message is a security message.
        Parameters:
        header - The message header.
        Returns:
        True, if security message.

      • requestReencryption

        protected IFuture<byte[]> requestReencryption​(java.lang.String platformname,
                                              byte[] content)
        Request reencryption by source.
        Parameters:
        source - Source of the content.
        content - The encrypted content.
        Returns:
        Reply of decryption request, may be exception.

      • isValid

        public IFuture<java.lang.Boolean> isValid()
        Test if the service is valid.
        Specified by:
        isValid in interface IService
        Returns:
        True, if service can be used.

      • getPropertyMap

        public java.util.Map<java.lang.String,​java.lang.Object> getPropertyMap()
        Get the map of properties (considered as constant).
        Specified by:
        getPropertyMap in interface IService
        Returns:
        The service property map (if any).

      • startService

        public IFuture<java.lang.Void> startService()
        Start the service.
        Specified by:
        startService in interface IInternalService
        Returns:
        A future that is done when the service has completed starting.

      • shutdownService

        public IFuture<java.lang.Void> shutdownService()
        Shutdown the service.
        Specified by:
        shutdownService in interface IInternalService
        Returns:
        A future that is done when the service has completed its shutdown.

      • getProperty

        protected static final <T> T getProperty​(java.lang.String property,
                                         java.util.Map<java.lang.String,​java.lang.Object> args,
                                         java.util.Map<java.lang.String,​java.lang.Object> settings,
                                         T defaultprop)
        Gets the right property from arguments, settings and default.
        Parameters:
        property - Property name.
        args - Arguments.
        settings - Settings.
        defaultprop - Default.
        Returns:
        The property.

      • flattenRoleMap

        public static final java.util.List<Tuple2<java.lang.String,​java.lang.String>> flattenRoleMap​(java.util.Map<java.lang.String,​java.util.Set<java.lang.String>> rolemap)
        Helper for flattening the role map.

      • getNameAuthoritiesInfo

        public IFuture<java.lang.String[][]> getNameAuthoritiesInfo()
        Get infos about name authorities. Format is [{subjectid,dn,custom},...]
        Specified by:
        getNameAuthoritiesInfo in interface ISecurityService
        Returns:
        Infos about the name authorities.

      • invokeMethod

        public IFuture<java.lang.Object> invokeMethod​(java.lang.String methodname,
                                              ClassInfo[] argtypes,
                                              java.lang.Object[] args,
                                              ClassInfo rettype)
        Invoke a method reflectively.
        Specified by:
        invokeMethod in interface IService
        Parameters:
        methodname - The method name.
        argtypes - The argument types (can be null if method exists only once).
        args - The arguments.
        rettype - The future return type if it is a specific future.
        Returns:
        The result.

      • getMethodInfos

        public IFuture<MethodInfo[]> getMethodInfos()
        Get reflective info about the service methods, args, return types.
        Specified by:
        getMethodInfos in interface IService
        Returns:
        The method infos.