Example 1 with KapuaException
use of org.eclipse.kapua.KapuaException in project kapua by eclipse.
the class KapuaSecurityBrokerFilter method addExternalConnection.
private void addExternalConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
// Clean-up credentials possibly associated with the current thread by previous connection.
ThreadContext.unbindSubject();
Context loginTotalContext = metricLoginAddConnectionTime.time();
String username = info.getUserName();
String password = info.getPassword();
String clientId = info.getClientId();
String clientIp = info.getClientIp();
ConnectionId connectionId = info.getConnectionId();
List<String> authDestinations = null;
if (logger.isDebugEnabled()) {
authDestinations = new ArrayList<>();
}
try {
// Build KapuaUsername
// User username = User.parse(username);//KapuaUserName
logger.info("User name {} - client id {}", new Object[] { username, clientId });
Context loginPreCheckTimeContext = metricLoginPreCheckTime.time();
// 1) validate client id
// Check the device Mqtt ClientId
// TODO move to deviceservice
// MqttUtils.checkDeviceClientId(clientId);
loginPreCheckTimeContext.stop();
Context loginShiroLoginTimeContext = metricLoginShiroLoginTime.time();
AuthenticationCredentials credentials = credentialsFactory.newInstance(username, password.toCharArray());
AccessToken accessToken = authenticationService.login(credentials);
KapuaId scopeId = accessToken.getScopeId();
KapuaId userId = accessToken.getUserId();
final Account account;
try {
account = KapuaSecurityUtils.doPriviledge(() -> accountService.find(scopeId));
} catch (Exception e) {
// to preserve the original exception message (if possible)
if (e instanceof AuthenticationException) {
throw (AuthenticationException) e;
} else {
throw new ShiroException("Error while find account!", e);
}
}
String accountName = account.getName();
loginShiroLoginTimeContext.stop();
// if a user acts as a child MOVED INSIDE KapuaAuthorizingRealm otherwise through REST API and console this @accountName won't work
// get account id and name from kapua session methods that check for the run as
//
// String accountName = kapuaSession.getSessionAccountName();
// long accountId = kapuaSession.getSessionAccountId();
// multiple account stealing link fix
String fullClientId = MessageFormat.format(AclConstants.MULTI_ACCOUNT_CLIENT_ID, scopeId.getId().longValue(), clientId);
KapuaPrincipal principal = new KapuaPrincipalImpl(accessToken, username, clientId, clientIp);
DeviceConnection deviceConnection = null;
// 3) check authorization
DefaultAuthorizationMap authMap = null;
if (isAdminUser(username)) {
metricLoginKapuasysTokenAttempt.inc();
// 3-1) admin authMap
authMap = buildAdminAuthMap(authDestinations, principal, fullClientId);
metricClientConnectedKapuasys.inc();
} else {
Context loginNormalUserTimeContext = metricLoginNormalUserTime.time();
metricLoginNormalUserAttempt.inc();
// 3-3) check permissions
Context loginCheckAccessTimeContext = metricLoginCheckAccessTime.time();
boolean[] hasPermissions = new boolean[] { // TODO check the permissions... move them to a constants class?
authorizationService.isPermitted(permissionFactory.newPermission(DeviceLifecycleDomain.DEVICE_LIFECYCLE, Actions.connect, scopeId)), authorizationService.isPermitted(permissionFactory.newPermission(DeviceManagementDomain.DEVICE_MANAGEMENT, Actions.write, scopeId)), authorizationService.isPermitted(permissionFactory.newPermission(DatastoreDomain.DATA_STORE, Actions.read, scopeId)), authorizationService.isPermitted(permissionFactory.newPermission(DatastoreDomain.DATA_STORE, Actions.write, scopeId)) };
if (!hasPermissions[AclConstants.BROKER_CONNECT_IDX]) {
throw new KapuaIllegalAccessException(permissionFactory.newPermission(DeviceLifecycleDomain.DEVICE_LIFECYCLE, Actions.connect, scopeId).toString());
}
loginCheckAccessTimeContext.stop();
// 3-4) build authMap
authMap = buildAuthMap(authDestinations, principal, hasPermissions, accountName, clientId, fullClientId);
// 4) find device
Context loginFindClientIdTimeContext = metricLoginFindClientIdTime.time();
deviceConnection = deviceConnectionService.findByClientId(scopeId, clientId);
loginFindClientIdTimeContext.stop();
Context loginFindDevTimeContext = metricLoginFindDevTime.time();
// send connect message
ConnectionId previousConnectionId = connectionMap.get(fullClientId);
boolean stealingLinkDetected = (previousConnectionId != null);
// Update map for stealing link detection on disconnect
connectionMap.put(fullClientId, info.getConnectionId());
if (deviceConnection == null) {
DeviceConnectionCreator deviceConnectionCreator = deviceConnectionFactory.newCreator(scopeId);
deviceConnectionCreator.setClientId(clientId);
deviceConnectionCreator.setClientIp(clientIp);
deviceConnectionCreator.setProtocol("MQTT");
// TODO to be filled with the proper value
deviceConnectionCreator.setServerIp(null);
deviceConnectionCreator.setUserId(userId);
deviceConnection = deviceConnectionService.create(deviceConnectionCreator);
} else {
deviceConnection.setClientIp(clientIp);
deviceConnection.setProtocol("MQTT");
// TODO to be filled with the proper value
deviceConnection.setServerIp(null);
deviceConnection.setUserId(userId);
deviceConnection.setStatus(DeviceConnectionStatus.CONNECTED);
deviceConnectionService.update(deviceConnection);
// TODO manage the stealing link event (may be a good idea to use different connect status (connect -stealing)?
if (stealingLinkDetected) {
metricLoginStealingLinkConnect.inc();
// stealing link detected, skip info
logger.warn("Detected Stealing link for cliend id {} - account - last connection id was {} - current connection id is {} - IP: {} - No connection status changes!", new Object[] { clientId, accountName, previousConnectionId, info.getConnectionId(), info.getClientIp() });
}
}
loginFindDevTimeContext.stop();
loginNormalUserTimeContext.stop();
Context loginSendLogingUpdateMsgTimeContex = metricLoginSendLoginUpdateMsgTime.time();
loginSendLogingUpdateMsgTimeContex.stop();
metricClientConnectedClient.inc();
}
logAuthDestinationToLog(authDestinations);
ConnectorDescriptor connectorDescriptor = connectorsDescriptorMap.get((((TransportConnector) context.getConnector()).getName()));
KapuaSecurityContext securityCtx = new KapuaSecurityContext(principal, authMap, (deviceConnection != null ? deviceConnection.getId() : null), connectionId, connectorDescriptor);
context.setSecurityContext(securityCtx);
// multiple account stealing link fix
info.setClientId(fullClientId);
context.setClientId(fullClientId);
} catch (Exception e) {
metricLoginFailure.inc();
// fix ENTMQ-731
if (e instanceof KapuaAuthenticationException) {
KapuaAuthenticationException kapuaException = (KapuaAuthenticationException) e;
KapuaErrorCode errorCode = kapuaException.getCode();
if (errorCode.equals(KapuaAuthenticationErrorCodes.INVALID_USERNAME) || errorCode.equals(KapuaAuthenticationErrorCodes.INVALID_CREDENTIALS) || errorCode.equals(KapuaAuthenticationErrorCodes.INVALID_CREDENTIALS_TOKEN_PROVIDED)) {
logger.warn("Invalid username or password for user {} ({})", username, e.getMessage());
// activeMQ will map CredentialException into a CONNECTION_REFUSED_BAD_USERNAME_OR_PASSWORD message (see javadoc on top of this method)
CredentialException ce = new CredentialException("Invalid username and/or password or disabled or expired account!");
ce.setStackTrace(e.getStackTrace());
metricLoginInvalidUserPassword.inc();
throw ce;
} else if (errorCode.equals(KapuaAuthenticationErrorCodes.LOCKED_USERNAME) || errorCode.equals(KapuaAuthenticationErrorCodes.DISABLED_USERNAME) || errorCode.equals(KapuaAuthenticationErrorCodes.EXPIRED_CREDENTIALS)) {
logger.warn("User {} not authorized ({})", username, e.getMessage());
// activeMQ-MQ will map SecurityException into a CONNECTION_REFUSED_NOT_AUTHORIZED message (see javadoc on top of this method)
SecurityException se = new SecurityException("User not authorized!");
se.setStackTrace(e.getStackTrace());
throw se;
}
}
// Excluded CredentialException, InvalidClientIDException, SecurityException all others exceptions will be mapped by activeMQ to a CONNECTION_REFUSED_SERVER_UNAVAILABLE message (see
// javadoc on top of this method)
// Not trapped exception now:
// KapuaException
logger.info("@@ error", e);
throw e;
} finally {
// 7) logout
Context loginShiroLogoutTimeContext = metricLoginShiroLogoutTime.time();
authenticationService.logout();
ThreadContext.unbindSubject();
loginShiroLogoutTimeContext.stop();
loginTotalContext.stop();
}
}
Also used :
Account(org.eclipse.kapua.service.account.Account)
KapuaAuthenticationException(org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticationException)
AuthenticationException(org.apache.shiro.authc.AuthenticationException)
ShiroException(org.apache.shiro.ShiroException)
AuthenticationCredentials(org.eclipse.kapua.service.authentication.AuthenticationCredentials)
TransportConnector(org.apache.activemq.broker.TransportConnector)
ConnectionId(org.apache.activemq.command.ConnectionId)
KapuaAuthenticationException(org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticationException)
CredentialException(javax.security.auth.login.CredentialException)
AccessToken(org.eclipse.kapua.service.authentication.AccessToken)
KapuaId(org.eclipse.kapua.model.id.KapuaId)
SecurityContext(org.apache.activemq.security.SecurityContext)
ConnectionContext(org.apache.activemq.broker.ConnectionContext)
Context(com.codahale.metrics.Timer.Context)
ThreadContext(org.apache.shiro.util.ThreadContext)
KapuaPrincipal(org.eclipse.kapua.service.authentication.KapuaPrincipal)
ShiroException(org.apache.shiro.ShiroException)
KapuaAuthenticationException(org.eclipse.kapua.service.authentication.shiro.KapuaAuthenticationException)
KapuaIllegalAccessException(org.eclipse.kapua.KapuaIllegalAccessException)
CredentialException(javax.security.auth.login.CredentialException)
AuthenticationException(org.apache.shiro.authc.AuthenticationException)
KapuaException(org.eclipse.kapua.KapuaException)
KapuaIllegalAccessException(org.eclipse.kapua.KapuaIllegalAccessException)
KapuaErrorCode(org.eclipse.kapua.KapuaErrorCode)
DeviceConnection(org.eclipse.kapua.service.device.registry.connection.DeviceConnection)
DefaultAuthorizationMap(org.apache.activemq.security.DefaultAuthorizationMap)
DeviceConnectionCreator(org.eclipse.kapua.service.device.registry.connection.DeviceConnectionCreator)
Example 2 with KapuaException
use of org.eclipse.kapua.KapuaException in project kapua by eclipse.
the class AbstractKapuaConfigurableService method getConfigMetadata.
@Override
public KapuaTocd getConfigMetadata() throws KapuaException {
KapuaLocator locator = KapuaLocator.getInstance();
AuthorizationService authorizationService = locator.getService(AuthorizationService.class);
PermissionFactory permissionFactory = locator.getFactory(PermissionFactory.class);
KapuaId scopeId = KapuaSecurityUtils.getSession().getScopeId();
authorizationService.checkPermission(permissionFactory.newPermission(domain, Actions.read, scopeId));
try {
TmetadataImpl metadata = readMetadata(this.pid);
if (metadata.getOCD() != null && metadata.getOCD().size() > 0) {
for (KapuaTocd ocd : metadata.getOCD()) {
if (ocd.getId() != null && ocd.getId().equals(pid)) {
return ocd;
}
}
}
return null;
} catch (Exception e) {
throw KapuaConfigurationException.internalError(e);
}
}
Also used :
KapuaLocator(org.eclipse.kapua.locator.KapuaLocator)
AuthorizationService(org.eclipse.kapua.service.authorization.AuthorizationService)
PermissionFactory(org.eclipse.kapua.service.authorization.permission.PermissionFactory)
KapuaId(org.eclipse.kapua.model.id.KapuaId)
TmetadataImpl(org.eclipse.kapua.commons.configuration.metatype.TmetadataImpl)
KapuaTocd(org.eclipse.kapua.model.config.metatype.KapuaTocd)
XMLStreamException(javax.xml.stream.XMLStreamException)
KapuaEntityNotFoundException(org.eclipse.kapua.KapuaEntityNotFoundException)
IOException(java.io.IOException)
KapuaException(org.eclipse.kapua.KapuaException)
Example 3 with KapuaException
use of org.eclipse.kapua.KapuaException in project kapua by eclipse.
the class AssetInfoStoreServiceImpl method query.
@Override
public AssetInfoListResult query(KapuaId scopeId, AssetInfoQuery query) throws KapuaException {
//
// Argument Validation
ArgumentValidator.notNull(scopeId, "scopeId");
ArgumentValidator.notNull(query, "query");
//
// Check Access
this.checkDataAccess(scopeId, Actions.read);
//
// Do the find
AccountInfo accountInfo = getAccountServicePlan(scopeId);
String scopeName = accountInfo.getAccount().getName();
LocalServicePlan accountServicePlan = accountInfo.getServicePlan();
long ttl = accountServicePlan.getDataTimeToLive() * DAY_MILLIS;
if (!accountServicePlan.getDataStorageEnabled() || ttl == LocalServicePlan.DISABLED) {
logger.debug("Storage not enabled for account {}, returning empty result", scopeName);
return new AssetInfoListResultImpl();
}
try {
String everyIndex = EsUtils.getAnyIndexName(scopeName);
AssetInfoListResult result = null;
result = EsAssetDAO.connection(EsClient.getcurrent()).instance(everyIndex, EsSchema.ASSET_TYPE_NAME).query(query);
return result;
} catch (Exception exc) {
// CassandraUtils.handleException(e);
throw KapuaException.internalError(exc);
}
}
Also used :
AssetInfoListResult(org.eclipse.kapua.service.datastore.model.AssetInfoListResult)
LocalServicePlan(org.eclipse.kapua.service.datastore.internal.elasticsearch.LocalServicePlan)
AssetInfoListResultImpl(org.eclipse.kapua.service.datastore.internal.model.AssetInfoListResultImpl)
KapuaException(org.eclipse.kapua.KapuaException)
Example 4 with KapuaException
use of org.eclipse.kapua.KapuaException in project kapua by eclipse.
the class AssetInfoStoreServiceImpl method delete.
//
// @Override
// public StorableId store(KapuaId scopeId, AssetInfoCreator creator)
// throws KapuaException
// {
// // TODO DAOs are ready, need to evaluate if this functionality
// // have to be available or not. Currently entries are added by
// // the message service directy
// throw KapuaException.internalError("Not implemented");
// }
//
// @Override
// public StorableId update(KapuaId scopeId, AssetInfo assetInfo)
// throws KapuaException
// {
// // TODO DAOs are ready, need to evaluate if this functionality
// // have to be available or not. Currently entries are updated by
// // the message service directy
// throw KapuaException.internalError("Not implemented");
// }
@Override
public void delete(KapuaId scopeId, StorableId id) throws KapuaException {
//
// Argument Validation
ArgumentValidator.notNull(scopeId, "scopeId");
ArgumentValidator.notNull(id, "id");
//
// Check Access
this.checkDataAccess(scopeId, Actions.delete);
//
// Do the find
AccountInfo accountInfo = getAccountServicePlan(scopeId);
String scopeName = accountInfo.getAccount().getName();
LocalServicePlan accountServicePlan = accountInfo.getServicePlan();
long ttl = accountServicePlan.getDataTimeToLive() * DAY_MILLIS;
if (!accountServicePlan.getDataStorageEnabled() || ttl == LocalServicePlan.DISABLED) {
logger.debug("Storage not enabled for account {}, return", scopeName);
return;
}
try {
String everyIndex = EsUtils.getAnyIndexName(scopeName);
EsAssetDAO.connection(EsClient.getcurrent()).instance(everyIndex, EsSchema.ASSET_TYPE_NAME).deleteById(id.toString());
} catch (Exception exc) {
// CassandraUtils.handleException(e);
throw KapuaException.internalError(exc);
}
}
Also used :
LocalServicePlan(org.eclipse.kapua.service.datastore.internal.elasticsearch.LocalServicePlan)
KapuaException(org.eclipse.kapua.KapuaException)
Example 5 with KapuaException
use of org.eclipse.kapua.KapuaException in project kapua by eclipse.
the class MessageStoreServiceImpl method find.
@Override
public Message find(KapuaId scopeId, StorableId id, MessageFetchStyle fetchStyle) throws KapuaException {
//
// Argument Validation
ArgumentValidator.notNull(scopeId, "scopeId");
ArgumentValidator.notNull(id, "id");
ArgumentValidator.notNull(fetchStyle, "fetchStyle");
//
// Check Access
this.checkDataAccess(scopeId, Actions.read);
AccountInfo accountInfo = getAccountServicePlan(scopeId);
String scopeName = accountInfo.getAccount().getName();
try {
String everyIndex = EsUtils.getAnyIndexName(scopeName);
MessageListResult result = null;
result = EsMessageDAO.connection(EsClient.getcurrent()).instance(everyIndex, EsSchema.MESSAGE_TYPE_NAME).query(null);
if (true)
throw KapuaException.internalError("Method not implemented.");
return null;
} catch (Exception exc) {
// CassandraUtils.handleException(e);
throw KapuaException.internalError(exc);
}
}
Also used :
MessageListResult(org.eclipse.kapua.service.datastore.model.MessageListResult)
KapuaInvalidTopicException(org.eclipse.kapua.service.datastore.internal.elasticsearch.KapuaInvalidTopicException)
ParseException(java.text.ParseException)
EsDatastoreException(org.eclipse.kapua.service.datastore.internal.elasticsearch.EsDatastoreException)
DocumentAlreadyExistsException(org.elasticsearch.index.engine.DocumentAlreadyExistsException)
IOException(java.io.IOException)
UnknownHostException(java.net.UnknownHostException)
KapuaException(org.eclipse.kapua.KapuaException)
Aggregations
KapuaException (org.eclipse.kapua.KapuaException)99
EntityManager (org.eclipse.kapua.commons.jpa.EntityManager)53
AuthorizationService (org.eclipse.kapua.service.authorization.AuthorizationService)50
PermissionFactory (org.eclipse.kapua.service.authorization.permission.PermissionFactory)50
KapuaEntityNotFoundException (org.eclipse.kapua.KapuaEntityNotFoundException)48
KapuaLocator (org.eclipse.kapua.locator.KapuaLocator)48
KapuaIllegalArgumentException (org.eclipse.kapua.KapuaIllegalArgumentException)19
LocalServicePlan (org.eclipse.kapua.service.datastore.internal.elasticsearch.LocalServicePlan)17
DeviceManagementSetting (org.eclipse.kapua.service.device.management.commons.setting.DeviceManagementSetting)12
Date (java.util.Date)11
KapuaIllegalAccessException (org.eclipse.kapua.KapuaIllegalAccessException)10
Account (org.eclipse.kapua.service.account.Account)9
DeviceCallExecutor (org.eclipse.kapua.service.device.management.commons.call.DeviceCallExecutor)8
DeviceManagementException (org.eclipse.kapua.service.device.management.commons.exception.DeviceManagementException)8
DeviceEventCreator (org.eclipse.kapua.service.device.registry.event.DeviceEventCreator)8
DeviceEventFactory (org.eclipse.kapua.service.device.registry.event.DeviceEventFactory)8
DeviceEventService (org.eclipse.kapua.service.device.registry.event.DeviceEventService)8
IOException (java.io.IOException)7
TranslatorException (org.eclipse.kapua.translator.exception.TranslatorException)7
UnknownHostException (java.net.UnknownHostException)6
