Package org.openremote.manager.mqtt

Class UserAssetProvisioningMQTTHandler

java.lang.Object

org.openremote.manager.mqtt.MQTTHandler

org.openremote.manager.mqtt.UserAssetProvisioningMQTTHandler

public class UserAssetProvisioningMQTTHandler
extends MQTTHandler

This MQTTHandler is responsible for provisioning service users and assets and authenticating the client against the configured ProvisioningConfigs.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
protected static class	UserAssetProvisioningMQTTHandler.ProvisioningPersistenceRouteBuilder

Field Summary

Fields

Modifier and Type	Field	Description
protected AssetStorageService	assetStorageService
protected ManagerKeycloakIdentityProvider	identityProvider
protected boolean	isKeycloak
protected static final Logger	LOG
static final String	PROVISIONING_TOKEN
static final String	PROVISIONING_USER_PREFIX
protected final ConcurrentMap<Long,Set<org.apache.activemq.artemis.spi.core.protocol.RemotingConnection>>	provisioningConfigAuthenticatedConnectionMap
protected ProvisioningService	provisioningService
protected io.micrometer.core.instrument.Timer	provisioningTimer
static final String	REQUEST_TOKEN
static final String	RESPONSE_TOKEN
protected final Map<String,org.apache.activemq.artemis.spi.core.protocol.RemotingConnection>	responseSubscribedConnections
protected org.openremote.container.timer.TimerService	timerService
static final String	UNIQUE_ID_PLACEHOLDER

Fields inherited from class org.openremote.manager.mqtt.MQTTHandler

clientEventService, clientSession, executorService, messageBrokerService, mqttBrokerService, producer, TOKEN_MULTI_LEVEL_WILDCARD, TOKEN_SINGLE_LEVEL_WILDCARD

Constructor Summary

Constructors

Constructor	Description
UserAssetProvisioningMQTTHandler()

Method Summary

Modifier and Type	Method	Description
boolean	canPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection, org.keycloak.KeycloakSecurityContext securityContext, Topic topic)	Called to authorise a publish if MQTTHandler.handlesTopic(org.openremote.manager.mqtt.Topic) returned true; should return true if the publish is allowed otherwise return false.
boolean	canSubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection, org.keycloak.KeycloakSecurityContext securityContext, Topic topic)	Called to authorise a subscription if MQTTHandler.handlesTopic(org.openremote.manager.mqtt.Topic) returned true; should return true if the subscription is allowed otherwise return false.
boolean	checkCanPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection, org.keycloak.KeycloakSecurityContext securityContext, Topic topic)	Checks that authenticated sessions and topic realm matches the authenticated user and also that topic client ID matches the connection client ID.
boolean	checkCanSubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection, org.keycloak.KeycloakSecurityContext securityContext, Topic topic)	Checks that authenticated session and topic realm matches the authenticated user and also that topic client ID matches the connection client ID.
protected void	forceClientDisconnects(long provisioningConfigId)
static org.openremote.model.asset.Asset<?>	getCreateClientAsset(AssetStorageService assetStorageService, String realm, String uniqueId, org.openremote.model.security.User serviceUser, org.openremote.model.provisioning.ProvisioningConfig<?,?> provisioningConfig)
static org.openremote.model.security.User	getCreateClientServiceUser(String realm, ManagerKeycloakIdentityProvider identityProvider, String uniqueId, org.openremote.model.provisioning.ProvisioningConfig<?,?> provisioningConfig)
protected Logger	getLogger()
protected org.openremote.model.provisioning.X509ProvisioningConfig	getMatchingX509ProvisioningConfig(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection, X509Certificate clientCertificate)
Set<String>	getPublishListenerTopics()	Get the set of topics this handler wants to subscribe to for incoming publish messages; messages that match these topics will be passed to MQTTHandler.onPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection, org.openremote.manager.mqtt.Topic, io.netty.buffer.ByteBuf).
protected org.apache.activemq.artemis.core.settings.impl.AddressSettings	getPublishTopicAddressSettings(org.openremote.model.Container container, String publishTopic)	Limit the number of messages allowed in the address queue and fail when over; this will disconnect the client.
protected String	getResponseTopic(Topic topic)
boolean	handlesTopic(Topic topic)	Checks that topic is valid and has at least 3 tokens (generally first two tokens should be {realm}/{clientId} but it is up to the MQTTHandler.canSubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection, org.keycloak.KeycloakSecurityContext, org.openremote.manager.mqtt.Topic) and/or MQTTHandler.canPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection, org.keycloak.KeycloakSecurityContext, org.openremote.manager.mqtt.Topic) methods to validate this).
void	init(org.openremote.model.Container container, org.apache.activemq.artemis.core.config.Configuration serverConfiguration)	Called when the system starts to allow for initialisation.
protected static boolean	isProvisioningTopic(Topic topic)
protected static boolean	isRequestTopic(Topic topic)
protected static boolean	isResponseTopic(Topic topic)
void	onConnectionLost(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection)	Will be called when any client loses connection
void	onDisconnect(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection)	Will be called when any client disconnects
void	onPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection, Topic topic, io.netty.buffer.ByteBuf body)	Called to handle publish if MQTTHandler.canPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection, org.keycloak.KeycloakSecurityContext, org.openremote.manager.mqtt.Topic) returned true.
void	onSubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection, Topic topic)	Called to handle subscribe if MQTTHandler.canSubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection, org.keycloak.KeycloakSecurityContext, org.openremote.manager.mqtt.Topic) returned true.
void	onUnsubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection, Topic topic)	Called to handle unsubscribe if MQTTHandler.handlesTopic(org.openremote.manager.mqtt.Topic) returned true.
protected void	processProvisioningRequest(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection, Topic topic, io.netty.buffer.ByteBuf body)
protected void	processX509ProvisioningMessage(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection, Topic topic, org.openremote.model.provisioning.X509ProvisioningMessage provisioningMessage)
void	start(org.openremote.model.Container container)	Called when the system starts to allow for initialisation.
boolean	topicMatches(Topic topic)	Indicates if this handler will handle the specified topic; independent of whether it is a publish or subscribe.

Methods inherited from class org.openremote.manager.mqtt.MQTTHandler

addPublishConsumer, addPublishTopicServerConfiguration, getAuthContextFromConnection, getAuthContextFromSecurityContext, getName, getPriority, getSecurityContextFromSubject, getSubjectFromConnection, onConnect, onConnectionAuthenticated, onUserAssetLinksChanged, publishMessage, stop, topicClientID, topicClientIdMatches, topicRealm, topicRealmAllowed, topicTokenCountGreaterThan, topicTokenIndexToString

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

LOG

protected static final Logger LOG

PROVISIONING_TOKEN

public static final String PROVISIONING_TOKEN

See Also:

• Constant Field Values

REQUEST_TOKEN

public static final String REQUEST_TOKEN

See Also:

• Constant Field Values

RESPONSE_TOKEN

public static final String RESPONSE_TOKEN

See Also:

• Constant Field Values

UNIQUE_ID_PLACEHOLDER

public static final String UNIQUE_ID_PLACEHOLDER

See Also:

• Constant Field Values

PROVISIONING_USER_PREFIX

public static final String PROVISIONING_USER_PREFIX

See Also:

• Constant Field Values

provisioningService

protected ProvisioningService provisioningService

timerService

protected org.openremote.container.timer.TimerService timerService

assetStorageService

protected AssetStorageService assetStorageService

identityProvider

protected ManagerKeycloakIdentityProvider identityProvider

isKeycloak

protected boolean isKeycloak

provisioningConfigAuthenticatedConnectionMap

protected final ConcurrentMap<Long,Set<org.apache.activemq.artemis.spi.core.protocol.RemotingConnection>> provisioningConfigAuthenticatedConnectionMap

provisioningTimer

protected io.micrometer.core.instrument.Timer provisioningTimer

responseSubscribedConnections

protected final Map<String,org.apache.activemq.artemis.spi.core.protocol.RemotingConnection> responseSubscribedConnections

Constructor Details

UserAssetProvisioningMQTTHandler

public UserAssetProvisioningMQTTHandler()

Method Details

init

public void init(org.openremote.model.Container container,
 org.apache.activemq.artemis.core.config.Configuration serverConfiguration)
          throws Exception

Description copied from class: MQTTHandler

Called when the system starts to allow for initialisation.

Overrides:

init in class MQTTHandler

Throws:

Exception

start

public void start(org.openremote.model.Container container)
           throws Exception

Description copied from class: MQTTHandler

Called when the system starts to allow for initialisation.

Overrides:

start in class MQTTHandler

Throws:

Exception

getPublishTopicAddressSettings

protected org.apache.activemq.artemis.core.settings.impl.AddressSettings getPublishTopicAddressSettings(org.openremote.model.Container container,
 String publishTopic)

Limit the number of messages allowed in the address queue and fail when over; this will disconnect the client. Approx 20ms per request with 20s timeout on auto provisioning request = 1000

Overrides:

getPublishTopicAddressSettings in class MQTTHandler

handlesTopic

public boolean handlesTopic(Topic topic)

Description copied from class: MQTTHandler

Checks that topic is valid and has at least 3 tokens (generally first two tokens should be {realm}/{clientId} but it is up to the MQTTHandler.canSubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection, org.keycloak.KeycloakSecurityContext, org.openremote.manager.mqtt.Topic) and/or MQTTHandler.canPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection, org.keycloak.KeycloakSecurityContext, org.openremote.manager.mqtt.Topic) methods to validate this).

Overrides:

handlesTopic in class MQTTHandler

checkCanSubscribe

public boolean checkCanSubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection,
 org.keycloak.KeycloakSecurityContext securityContext,
 Topic topic)

Description copied from class: MQTTHandler

Checks that authenticated session and topic realm matches the authenticated user and also that topic client ID matches the connection client ID.

Overrides:

checkCanSubscribe in class MQTTHandler

checkCanPublish

public boolean checkCanPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection,
 org.keycloak.KeycloakSecurityContext securityContext,
 Topic topic)

Description copied from class: MQTTHandler

Checks that authenticated sessions and topic realm matches the authenticated user and also that topic client ID matches the connection client ID.

Overrides:

checkCanPublish in class MQTTHandler

topicMatches

public boolean topicMatches(Topic topic)

Description copied from class: MQTTHandler

Indicates if this handler will handle the specified topic; independent of whether it is a publish or subscribe. Should generally check the third token onwards unless MQTTHandler.handlesTopic(org.openremote.manager.mqtt.Topic) has been overridden.

Specified by:

topicMatches in class MQTTHandler

getLogger

protected Logger getLogger()

Specified by:

getLogger in class MQTTHandler

canSubscribe

public boolean canSubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection,
 org.keycloak.KeycloakSecurityContext securityContext,
 Topic topic)

Description copied from class: MQTTHandler

Called to authorise a subscription if MQTTHandler.handlesTopic(org.openremote.manager.mqtt.Topic) returned true; should return true if the subscription is allowed otherwise return false.

Specified by:

canSubscribe in class MQTTHandler

onSubscribe

public void onSubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection,
 Topic topic)

Description copied from class: MQTTHandler

Called to handle subscribe if MQTTHandler.canSubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection, org.keycloak.KeycloakSecurityContext, org.openremote.manager.mqtt.Topic) returned true.

Specified by:

onSubscribe in class MQTTHandler

onUnsubscribe

public void onUnsubscribe(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection,
 Topic topic)

Description copied from class: MQTTHandler

Called to handle unsubscribe if MQTTHandler.handlesTopic(org.openremote.manager.mqtt.Topic) returned true.

Specified by:

onUnsubscribe in class MQTTHandler

getPublishListenerTopics

public Set<String> getPublishListenerTopics()

Description copied from class: MQTTHandler

Get the set of topics this handler wants to subscribe to for incoming publish messages; messages that match these topics will be passed to MQTTHandler.onPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection, org.openremote.manager.mqtt.Topic, io.netty.buffer.ByteBuf).

Specified by:

getPublishListenerTopics in class MQTTHandler

canPublish

public boolean canPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection,
 org.keycloak.KeycloakSecurityContext securityContext,
 Topic topic)

Description copied from class: MQTTHandler

Called to authorise a publish if MQTTHandler.handlesTopic(org.openremote.manager.mqtt.Topic) returned true; should return true if the publish is allowed otherwise return false.

Specified by:

canPublish in class MQTTHandler

onPublish

public void onPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection,
 Topic topic,
 io.netty.buffer.ByteBuf body)

Description copied from class: MQTTHandler

Called to handle publish if MQTTHandler.canPublish(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection, org.keycloak.KeycloakSecurityContext, org.openremote.manager.mqtt.Topic) returned true.

Specified by:

onPublish in class MQTTHandler

onConnectionLost

public void onConnectionLost(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection)

Description copied from class: MQTTHandler

Will be called when any client loses connection

Overrides:

onConnectionLost in class MQTTHandler

onDisconnect

public void onDisconnect(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection)

Description copied from class: MQTTHandler

Will be called when any client disconnects

Overrides:

onDisconnect in class MQTTHandler

processProvisioningRequest

protected void processProvisioningRequest(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection,
 Topic topic,
 io.netty.buffer.ByteBuf body)

isProvisioningTopic

protected static boolean isProvisioningTopic(Topic topic)

isRequestTopic

protected static boolean isRequestTopic(Topic topic)

isResponseTopic

protected static boolean isResponseTopic(Topic topic)

getResponseTopic

protected String getResponseTopic(Topic topic)

processX509ProvisioningMessage

protected void processX509ProvisioningMessage(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection,
 Topic topic,
 org.openremote.model.provisioning.X509ProvisioningMessage provisioningMessage)

getMatchingX509ProvisioningConfig

protected org.openremote.model.provisioning.X509ProvisioningConfig getMatchingX509ProvisioningConfig(org.apache.activemq.artemis.spi.core.protocol.RemotingConnection connection,
 X509Certificate clientCertificate)

getCreateClientServiceUser

public static org.openremote.model.security.User getCreateClientServiceUser(String realm,
 ManagerKeycloakIdentityProvider identityProvider,
 String uniqueId,
 org.openremote.model.provisioning.ProvisioningConfig<?,?> provisioningConfig)
                                                                     throws RuntimeException

Throws:

RuntimeException

getCreateClientAsset

public static org.openremote.model.asset.Asset<?> getCreateClientAsset(AssetStorageService assetStorageService,
 String realm,
 String uniqueId,
 org.openremote.model.security.User serviceUser,
 org.openremote.model.provisioning.ProvisioningConfig<?,?> provisioningConfig)
                                                                throws RuntimeException

Throws:

RuntimeException

forceClientDisconnects

protected void forceClientDisconnects(long provisioningConfigId)