Implementation of custom L2M2M Authorizer

@@ -15,14 +15,53 @@
  */
 package org.thingsboard.server.transport.lwm2m.secure;
 
+import lombok.RequiredArgsConstructor;
 import org.eclipse.leshan.core.request.Identity;
 import org.eclipse.leshan.core.request.UplinkRequest;
 import org.eclipse.leshan.server.registration.Registration;
 import org.eclipse.leshan.server.security.Authorizer;
+import org.eclipse.leshan.server.security.SecurityChecker;
+import org.eclipse.leshan.server.security.SecurityInfo;
+import org.springframework.stereotype.Component;
+import org.thingsboard.server.queue.util.TbLwM2mTransportComponent;
+import org.thingsboard.server.transport.lwm2m.server.client.LwM2mClientContext;
+import org.thingsboard.server.transport.lwm2m.server.store.TbLwM2MDtlsSessionStore;
+import org.thingsboard.server.transport.lwm2m.server.store.TbLwM2mSecurityStore;
 
+@Component
+@RequiredArgsConstructor
+@TbLwM2mTransportComponent
 public class TbLwM2MAuthorizer implements Authorizer {
+
+    private final TbLwM2MDtlsSessionStore sessionStorage;
+    private final TbLwM2mSecurityStore securityStore;
+    private final SecurityChecker securityChecker = new SecurityChecker();
+    private final LwM2mClientContext clientContext;
+
     @Override
     public Registration isAuthorized(UplinkRequest<?> request, Registration registration, Identity senderIdentity) {
-        return null;
+        if (senderIdentity.isX509()) {
+            TbX509DtlsSessionInfo sessionInfo = sessionStorage.get(registration.getEndpoint());
+            if (sessionInfo != null) {
+                if (senderIdentity.getX509CommonName().equals(sessionInfo.getX509CommonName())) {
+                    clientContext.registerClient(registration, sessionInfo.getCredentials());
+                    // X509 certificate is valid and matches endpoint.
+                    return registration;
+                } else {
+                    // X509 certificate is not valid.
+                    return null;
+                }
+            }
+            // If session info is not found, this may be the trusted certificate, so we still need to check all other options below.
+        }
+        SecurityInfo expectedSecurityInfo = null;
+        if (securityStore != null) {
+            expectedSecurityInfo = securityStore.getByEndpoint(registration.getEndpoint());
+        }
+        if (securityChecker.checkSecurityInfo(registration.getEndpoint(), senderIdentity, expectedSecurityInfo)) {
+            return registration;
+        } else {
+            return null;
+        }
     }
 }

@@ -15,6 +15,7 @@
  */
 package org.thingsboard.server.transport.lwm2m.secure;
 
+import com.fasterxml.jackson.databind.JsonNode;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.californium.elements.util.CertPathUtil;
@@ -32,6 +33,7 @@ import org.eclipse.californium.scandium.util.ServerNames;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
+import org.thingsboard.common.util.JacksonUtil;
 import org.thingsboard.server.common.data.DeviceProfile;
 import org.thingsboard.server.common.msg.EncryptionUtil;
 import org.thingsboard.server.common.transport.TransportService;
@@ -40,6 +42,7 @@ import org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsRes
 import org.thingsboard.server.common.transport.util.SslUtil;
 import org.thingsboard.server.gen.transport.TransportProtos;
 import org.thingsboard.server.transport.lwm2m.config.LwM2MTransportServerConfig;
+import org.thingsboard.server.transport.lwm2m.server.store.TbLwM2MDtlsSessionStore;
 
 import javax.annotation.PostConstruct;
 import javax.security.auth.x500.X500Principal;
@@ -60,7 +63,7 @@ import java.util.concurrent.TimeUnit;
 public class TbLwM2MDtlsCertificateVerifier implements NewAdvancedCertificateVerifier {
 
     private final TransportService transportService;
-    private final TbLwM2MDtlsSessionStorage sessionStorage;
+    private final TbLwM2MDtlsSessionStore sessionStorage;
     private final LwM2MTransportServerConfig config;
 
     @SuppressWarnings("deprecation")
@@ -130,16 +133,24 @@ public class TbLwM2MDtlsCertificateVerifier implements NewAdvancedCertificateVer
                                         latch.countDown();
                                     }
                                 });
-                        latch.await(10, TimeUnit.SECONDS);
-                        ValidateDeviceCredentialsResponse msg = deviceCredentialsResponse[0];
-                        if (msg != null && strCert.equals(msg.getCredentials())) {
-                            credentialsBody = msg.getCredentials();
-                            DeviceProfile deviceProfile = msg.getDeviceProfile();
-                            if (msg.hasDeviceInfo() && deviceProfile != null) {
-                                String endpoint = sha3Hash; //TODO: extract endpoint from credentials body and push to storage
-                                sessionStorage.put(endpoint, msg);
+                        if (latch.await(10, TimeUnit.SECONDS)) {
+                            ValidateDeviceCredentialsResponse msg = deviceCredentialsResponse[0];
+                            if (msg != null && org.thingsboard.server.common.data.StringUtils.isNotEmpty(msg.getCredentials())) {
+                                JsonNode credentialsJson = JacksonUtil.toJsonNode(msg.getCredentials());
+                                String certBody = credentialsJson.get("cert").asText();
+                                String endpoint = credentialsJson.get("endpoint").asText();
+                                if (strCert.equals(certBody)) {
+                                    //TODO: extract endpoint from credentials body and push to storage
+                                    credentialsBody = msg.getCredentials();
+                                    DeviceProfile deviceProfile = msg.getDeviceProfile();
+                                    if (msg.hasDeviceInfo() && deviceProfile != null) {
+                                        sessionStorage.put(endpoint, new TbX509DtlsSessionInfo(cert.getSubjectX500Principal().getName(), msg));
+                                        break;
+                                    }
+                                } else {
+                                    log.trace("[{}][{}] Certificate mismatch. Expected: {}, Actual: {}", endpoint, sha3Hash, strCert, certBody);
+                                }
                             }
-                            break;
                         }
                     } catch (InterruptedException |
                             CertificateEncodingException |

@@ -15,12 +15,13 @@
  */
 package org.thingsboard.server.transport.lwm2m.secure;
 
+import lombok.Data;
 import org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse;
 
-public interface TbLwM2MDtlsSessionStorage {
+@Data
+public class TbX509DtlsSessionInfo {
 
-    void put(String endpoint, ValidateDeviceCredentialsResponse msg);
-
-    ValidateDeviceCredentialsResponse get(String endpoint);
+    private final String x509CommonName;
+    private final ValidateDeviceCredentialsResponse credentials;
 
 }

@@ -17,6 +17,7 @@ package org.thingsboard.server.transport.lwm2m.server.client;
 
 import org.eclipse.leshan.server.registration.Registration;
 import org.thingsboard.server.common.data.DeviceProfile;
+import org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse;
 import org.thingsboard.server.gen.transport.TransportProtos;
 
 import java.util.Collection;
@@ -59,4 +60,6 @@ public interface LwM2mClientContext {
     Set<String> getSupportedIdVerInClient(Registration registration);
 
     LwM2mClient getClientByDeviceId(UUID deviceId);
+
+    void registerClient(Registration registration, ValidateDeviceCredentialsResponse credentials);
 }

@@ -21,6 +21,7 @@ import org.eclipse.leshan.server.registration.Registration;
 import org.eclipse.leshan.server.security.EditableSecurityStore;
 import org.springframework.stereotype.Service;
 import org.thingsboard.server.common.data.DeviceProfile;
+import org.thingsboard.server.common.transport.auth.ValidateDeviceCredentialsResponse;
 import org.thingsboard.server.gen.transport.TransportProtos;
 import org.thingsboard.server.queue.util.TbLwM2mTransportComponent;
 import org.thingsboard.server.transport.lwm2m.secure.EndpointSecurityInfo;
@@ -137,6 +138,13 @@ public class LwM2mClientContextImpl implements LwM2mClientContext {
     }
 
     @Override
+    public void registerClient(Registration registration, ValidateDeviceCredentialsResponse credentials) {
+        LwM2mClient client = new LwM2mClient(context.getNodeId(), registration.getEndpoint(), null, null, credentials, credentials.getDeviceProfile().getUuidId(), UUID.randomUUID());
+        lwM2mClientsByEndpoint.put(registration.getEndpoint(), client);
+        lwM2mClientsByRegistrationId.put(registration.getId(), client);
+    }
+
+    @Override
     public Collection<LwM2mClient> getLwM2mClients() {
         return lwM2mClientsByEndpoint.values();
     }

+/**
+ * Copyright © 2016-2021 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.transport.lwm2m.server.store;
+
+import org.springframework.stereotype.Component;
+import org.thingsboard.server.queue.util.TbLwM2mTransportComponent;
+import org.thingsboard.server.transport.lwm2m.secure.TbX509DtlsSessionInfo;
+
+import java.util.concurrent.ConcurrentHashMap;
+
+@Component
+@TbLwM2mTransportComponent
+public class TbL2M2MDtlsSessionInMemoryStore implements TbLwM2MDtlsSessionStore {
+
+    private final ConcurrentHashMap<String, TbX509DtlsSessionInfo> store = new ConcurrentHashMap<>();
+
+    @Override
+    public void put(String endpoint, TbX509DtlsSessionInfo msg) {
+        store.put(endpoint, msg);
+    }
+
+    @Override
+    public TbX509DtlsSessionInfo get(String endpoint) {
+        return store.get(endpoint);
+    }
+}

+/**
+ * Copyright © 2016-2021 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.transport.lwm2m.server.store;
+
+
+import org.thingsboard.server.transport.lwm2m.secure.TbX509DtlsSessionInfo;
+
+public interface TbLwM2MDtlsSessionStore {
+
+    void put(String endpoint, TbX509DtlsSessionInfo msg);
+
+    TbX509DtlsSessionInfo get(String endpoint);
+
+    //TODO: add way to delete the session by endpoint.
+
+}

@@ -20,12 +20,16 @@ import org.eclipse.leshan.server.security.EditableSecurityStore;
 import org.eclipse.leshan.server.security.NonUniqueSecurityInfoException;
 import org.eclipse.leshan.server.security.SecurityInfo;
 import org.eclipse.leshan.server.security.SecurityStoreListener;
+import org.springframework.stereotype.Component;
+import org.thingsboard.server.queue.util.TbLwM2mTransportComponent;
 import org.thingsboard.server.transport.lwm2m.server.client.LwM2mClient;
 import org.thingsboard.server.transport.lwm2m.server.client.LwM2mClientContext;
 
 import java.util.Collection;
 
 @Slf4j
+@Component
+@TbLwM2mTransportComponent
 public class TbLwM2mSecurityStore implements EditableSecurityStore {
 
     private final LwM2mClientContext clientContext;