Merge pull request #10063 from Rhyaldir/add_dtls_cid_support

Support DTLS Connection ID with configuration
thingsboard · Feb 15, 2024 · 921159d · 921159d
2 parents e4d69b9 + 99d8f99
commit 921159d
Show file tree

Hide file tree

Showing 14 changed files with 721 additions and 5 deletions.
diff --git a/application/src/main/resources/thingsboard.yml b/application/src/main/resources/thingsboard.yml
@@ -1044,6 +1044,8 @@ transport:
     dtls:
       # RFC7925_RETRANSMISSION_TIMEOUT_IN_MILLISECONDS = 9000
       retransmission_timeout: "${LWM2M_DTLS_RETRANSMISSION_TIMEOUT_MS:9000}"
+      # "" disables connection id support, 0 enables support but not for incoming traffic, any value greater than 0 set the connection id size in bytes
+      connection_id_length: "${LWM2M_DTLS_CONNECTION_ID_LENGTH:6}"
     server:
       # LwM2M Server ID
       id: "${LWM2M_SERVER_ID:123}"

diff --git a/common/transport/lwm2m/pom.xml b/common/transport/lwm2m/pom.xml
@@ -94,6 +94,11 @@
             <artifactId>junit-vintage-engine</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-inline</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.awaitility</groupId>
             <artifactId>awaitility</artifactId>

diff --git a/...java/org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapService.java b/...java/org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapService.java
@@ -38,6 +38,7 @@
 import java.security.cert.X509Certificate;
 
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
+import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_CONNECTION_ID_LENGTH;
 import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_RECOMMENDED_CIPHER_SUITES_ONLY;
 import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_RECOMMENDED_CURVES_ONLY;
 import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_RETRANSMISSION_TIMEOUT;
@@ -95,6 +96,7 @@ public LeshanBootstrapServer getLhBootstrapServer() {
         dtlsConfig.set(DTLS_RECOMMENDED_CURVES_ONLY, serverConfig.isRecommendedSupportedGroups());
         dtlsConfig.set(DTLS_RECOMMENDED_CIPHER_SUITES_ONLY, serverConfig.isRecommendedCiphers());
         dtlsConfig.set(DTLS_RETRANSMISSION_TIMEOUT, serverConfig.getDtlsRetransmissionTimeout(), MILLISECONDS);
+        dtlsConfig.set(DTLS_CONNECTION_ID_LENGTH, serverConfig.getDtlsConnectionIdLength());
         dtlsConfig.set(DTLS_ROLE, SERVER_ONLY);
         setServerWithCredentials(builder, dtlsConfig);
 

diff --git a/...c/main/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportServerConfig.java b/...c/main/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportServerConfig.java
@@ -41,6 +41,10 @@ public class LwM2MTransportServerConfig implements LwM2MSecureServerConfig {
     @Value("${transport.lwm2m.dtls.retransmission_timeout:9000}")
     private int dtlsRetransmissionTimeout;
 
+    @Getter
+    @Value("${transport.lwm2m.dtls.connection_id_length:6}")
+    private Integer dtlsConnectionIdLength;
+
     @Getter
     @Value("${transport.lwm2m.timeout:}")
     private Long timeout;

diff --git a/...main/java/org/thingsboard/server/transport/lwm2m/server/DefaultLwM2mTransportService.java b/...main/java/org/thingsboard/server/transport/lwm2m/server/DefaultLwM2mTransportService.java
@@ -43,6 +43,7 @@
 import java.security.cert.X509Certificate;
 
 import static java.util.concurrent.TimeUnit.MILLISECONDS;
+import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_CONNECTION_ID_LENGTH;
 import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_RECOMMENDED_CIPHER_SUITES_ONLY;
 import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_RECOMMENDED_CURVES_ONLY;
 import static org.eclipse.californium.scandium.config.DtlsConfig.DTLS_RETRANSMISSION_TIMEOUT;
@@ -139,6 +140,7 @@ private LeshanServer getLhServer() {
         dtlsConfig.set(DTLS_RECOMMENDED_CURVES_ONLY, config.isRecommendedSupportedGroups());
         dtlsConfig.set(DTLS_RECOMMENDED_CIPHER_SUITES_ONLY, config.isRecommendedCiphers());
         dtlsConfig.set(DTLS_RETRANSMISSION_TIMEOUT, config.getDtlsRetransmissionTimeout(), MILLISECONDS);
+        dtlsConfig.set(DTLS_CONNECTION_ID_LENGTH, config.getDtlsConnectionIdLength());
         dtlsConfig.set(DTLS_ROLE, SERVER_ONLY);
 
         /*  Create credentials */

diff --git a/...va/org/thingsboard/server/transport/lwm2m/server/store/TbLwM2mRedisRegistrationStore.java b/...va/org/thingsboard/server/transport/lwm2m/server/store/TbLwM2mRedisRegistrationStore.java
@@ -29,7 +29,6 @@
 import org.eclipse.leshan.core.util.Validate;
 import org.eclipse.leshan.server.californium.registration.CaliforniumRegistrationStore;
 import org.eclipse.leshan.server.redis.RedisRegistrationStore;
-import org.eclipse.leshan.server.redis.serialization.IdentitySerDes;
 import org.eclipse.leshan.server.redis.serialization.ObservationSerDes;
 import org.eclipse.leshan.server.redis.serialization.RegistrationSerDes;
 import org.eclipse.leshan.server.registration.Deregistration;
@@ -45,6 +44,7 @@
 import org.springframework.data.redis.core.Cursor;
 import org.springframework.data.redis.core.ScanOptions;
 import org.springframework.integration.redis.util.RedisLockRegistry;
+import org.thingsboard.server.transport.lwm2m.server.store.util.LwM2MIdentitySerDes;
 
 import java.net.InetSocketAddress;
 import java.util.ArrayList;
@@ -110,12 +110,18 @@ public TbLwM2mRedisRegistrationStore(RedisConnectionFactory connectionFactory, l
 
     public TbLwM2mRedisRegistrationStore(RedisConnectionFactory connectionFactory, ScheduledExecutorService schedExecutor, long cleanPeriodInSec,
                                          long lifetimeGracePeriodInSec, int cleanLimit) {
+        this(connectionFactory, schedExecutor, cleanPeriodInSec, lifetimeGracePeriodInSec, cleanLimit,
+                new RedisLockRegistry(connectionFactory, "Registration"));
+    }
+
+    public TbLwM2mRedisRegistrationStore(RedisConnectionFactory connectionFactory, ScheduledExecutorService schedExecutor, long cleanPeriodInSec,
+                                         long lifetimeGracePeriodInSec, int cleanLimit, RedisLockRegistry lockRegistry) {
         this.connectionFactory = connectionFactory;
         this.schedExecutor = schedExecutor;
         this.cleanPeriod = cleanPeriodInSec;
         this.cleanLimit = cleanLimit;
         this.gracePeriod = lifetimeGracePeriodInSec;
-        this.redisLock = new RedisLockRegistry(connectionFactory, "Registration");
+        this.redisLock = lockRegistry;
     }
 
     /* *************** Redis Key utility function **************** */
@@ -173,7 +179,7 @@ public Deregistration addRegistration(Registration registration) {
                     if (!oldRegistration.getSocketAddress().equals(registration.getSocketAddress())) {
                         removeAddrIndex(connection, oldRegistration);
                     }
-                    if (!oldRegistration.getIdentity().equals(registration.getIdentity())) {
+                    if (registrationsHaveDifferentIdentities(oldRegistration, registration)) {
                         removeIdentityIndex(connection, oldRegistration);
                     }
                     // remove old observation
@@ -231,7 +237,7 @@ public UpdatedRegistration updateRegistration(RegistrationUpdate update) {
                 if (!r.getSocketAddress().equals(updatedRegistration.getSocketAddress())) {
                     removeAddrIndex(connection, r);
                 }
-                if (!r.getIdentity().equals(updatedRegistration.getIdentity())) {
+                if (registrationsHaveDifferentIdentities(r, updatedRegistration)) {
                     removeIdentityIndex(connection, r);
                 }
 
@@ -402,6 +408,12 @@ private void removeExpiration(RedisConnection connection, Registration registrat
         connection.zRem(EXP_EP, registration.getEndpoint().getBytes(UTF_8));
     }
 
+    private boolean registrationsHaveDifferentIdentities(Registration first, Registration second){
+        var first_identity_string = LwM2MIdentitySerDes.serialize(first.getIdentity()).toString();
+        var second_identity_string = LwM2MIdentitySerDes.serialize(second.getIdentity()).toString();
+        return !first_identity_string.equals(second_identity_string);
+    }
+
     private byte[] toRegIdKey(String registrationId) {
         return toKey(REG_EP_REGID_IDX, registrationId);
     }
@@ -411,7 +423,7 @@ private byte[] toRegAddrKey(InetSocketAddress addr) {
     }
 
     private byte[] toRegIdentityKey(Identity identity) {
-        return toKey(REG_EP_IDENTITY, IdentitySerDes.serialize(identity).toString());
+        return toKey(REG_EP_IDENTITY, LwM2MIdentitySerDes.serialize(identity).toString());
     }
 
     private byte[] toEndpointKey(String endpoint) {

diff --git a/...in/java/org/thingsboard/server/transport/lwm2m/server/store/util/LwM2MIdentitySerDes.java b/...in/java/org/thingsboard/server/transport/lwm2m/server/store/util/LwM2MIdentitySerDes.java
@@ -0,0 +1,63 @@
+/**
+ * Copyright © 2016-2024 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.transport.lwm2m.server.store.util;
+
+import com.eclipsesource.json.Json;
+import com.eclipsesource.json.JsonObject;
+import org.apache.commons.lang3.NotImplementedException;
+import org.eclipse.leshan.core.request.Identity;
+import org.eclipse.leshan.core.util.Hex;
+
+import java.security.PublicKey;
+
+public class LwM2MIdentitySerDes {
+
+    private static final String KEY_ADDRESS = "address";
+    private static final String KEY_PORT = "port";
+    private static final String KEY_ID = "id";
+    private static final String KEY_CN = "cn";
+    private static final String KEY_RPK = "rpk";
+    protected static final String KEY_LWM2MIDENTITY_TYPE = "type";
+    protected static final String LWM2MIDENTITY_TYPE_UNSECURE = "unsecure";
+    protected static final String LWM2MIDENTITY_TYPE_PSK = "psk";
+    protected static final String LWM2MIDENTITY_TYPE_X509 = "x509";
+    protected static final String LWM2MIDENTITY_TYPE_RPK = "rpk";
+
+    public static JsonObject serialize(Identity identity) {
+        JsonObject o = Json.object();
+
+        if (identity.isPSK()) {
+            o.set(KEY_LWM2MIDENTITY_TYPE, LWM2MIDENTITY_TYPE_PSK);
+            o.set(KEY_ID, identity.getPskIdentity());
+        } else if (identity.isRPK()) {
+            o.set(KEY_LWM2MIDENTITY_TYPE, LWM2MIDENTITY_TYPE_RPK);
+            PublicKey publicKey = identity.getRawPublicKey();
+            o.set(KEY_RPK, Hex.encodeHexString(publicKey.getEncoded()));
+        } else if (identity.isX509()) {
+            o.set(KEY_LWM2MIDENTITY_TYPE, LWM2MIDENTITY_TYPE_X509);
+            o.set(KEY_CN, identity.getX509CommonName());
+        } else {
+            o.set(KEY_LWM2MIDENTITY_TYPE, LWM2MIDENTITY_TYPE_UNSECURE);
+            o.set(KEY_ADDRESS, identity.getPeerAddress().getHostString());
+            o.set(KEY_PORT, identity.getPeerAddress().getPort());
+        }
+        return o;
+    }
+
+    public static Identity deserialize(JsonObject peer) {
+        throw new NotImplementedException();
+    }
+}
diff --git a/.../org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapServiceTest.java b/.../org/thingsboard/server/transport/lwm2m/bootstrap/LwM2MTransportBootstrapServiceTest.java
@@ -0,0 +1,105 @@
+/**
+ * Copyright © 2016-2024 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.transport.lwm2m.bootstrap;
+
+import org.eclipse.californium.core.network.CoapEndpoint;
+import org.eclipse.californium.scandium.config.DtlsConnectorConfig;
+import org.eclipse.leshan.server.californium.LeshanServer;
+import org.eclipse.leshan.server.californium.bootstrap.LeshanBootstrapServer;
+import org.eclipse.leshan.server.californium.registration.CaliforniumRegistrationStore;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.test.util.ReflectionTestUtils;
+import org.thingsboard.server.cache.ota.OtaPackageDataCache;
+import org.thingsboard.server.common.transport.TransportService;
+import org.thingsboard.server.transport.lwm2m.bootstrap.secure.TbLwM2MDtlsBootstrapCertificateVerifier;
+import org.thingsboard.server.transport.lwm2m.bootstrap.store.LwM2MBootstrapSecurityStore;
+import org.thingsboard.server.transport.lwm2m.bootstrap.store.LwM2MInMemoryBootstrapConfigStore;
+import org.thingsboard.server.transport.lwm2m.config.LwM2MTransportBootstrapConfig;
+import org.thingsboard.server.transport.lwm2m.config.LwM2MTransportServerConfig;
+import org.thingsboard.server.transport.lwm2m.secure.TbLwM2MAuthorizer;
+import org.thingsboard.server.transport.lwm2m.secure.TbLwM2MDtlsCertificateVerifier;
+import org.thingsboard.server.transport.lwm2m.server.store.TbSecurityStore;
+import org.thingsboard.server.transport.lwm2m.server.uplink.LwM2mUplinkMsgHandler;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.BDDMockito.when;
+
+@ExtendWith(MockitoExtension.class)
+public class LwM2MTransportBootstrapServiceTest {
+
+    @Mock
+    private LwM2MTransportServerConfig serverConfig;
+    @Mock
+    private LwM2MTransportBootstrapConfig bootstrapConfig;
+    @Mock
+    private LwM2MBootstrapSecurityStore lwM2MBootstrapSecurityStore;
+    @Mock
+    private LwM2MInMemoryBootstrapConfigStore lwM2MInMemoryBootstrapConfigStore;
+    @Mock
+    private TransportService transportService;
+    @Mock
+    private TbLwM2MDtlsBootstrapCertificateVerifier certificateVerifier;
+
+
+    @Test
+    public void getLHServer_creates_ConnectionIdGenerator_when_connection_id_length_not_null(){
+        final Integer CONNECTION_ID_LENGTH = 6;
+        when(serverConfig.getDtlsConnectionIdLength()).thenReturn(CONNECTION_ID_LENGTH);
+        var lwM2MBootstrapService = createLwM2MBootstrapService();
+
+        var server = lwM2MBootstrapService.getLhBootstrapServer();
+        var securedEndpoint = (CoapEndpoint) ReflectionTestUtils.getField(server, "securedEndpoint");
+        assertThat(securedEndpoint).isNotNull();
+
+        var config = (DtlsConnectorConfig) ReflectionTestUtils.getField(securedEndpoint.getConnector(), "config");
+        assertThat(config).isNotNull();
+        assertThat(config.getConnectionIdGenerator()).isNotNull();
+        assertThat((Integer) ReflectionTestUtils.getField(config.getConnectionIdGenerator(), "connectionIdLength"))
+                .isEqualTo(CONNECTION_ID_LENGTH);
+    }
+
+    @Test
+    public void getLHServer_creates_no_ConnectionIdGenerator_when_connection_id_length_is_null(){
+        when(serverConfig.getDtlsConnectionIdLength()).thenReturn(null);
+        var lwM2MBootstrapService = createLwM2MBootstrapService();
+
+        var server = lwM2MBootstrapService.getLhBootstrapServer();
+        var securedEndpoint = (CoapEndpoint) ReflectionTestUtils.getField(server, "securedEndpoint");
+        assertThat(securedEndpoint).isNotNull();
+
+        var config = (DtlsConnectorConfig) ReflectionTestUtils.getField(securedEndpoint.getConnector(), "config");
+        assertThat(config).isNotNull();
+        assertThat(config.getConnectionIdGenerator()).isNull();
+    }
+
+    private LwM2MTransportBootstrapService createLwM2MBootstrapService() {
+        setDefaultConfigVariables();
+        return new LwM2MTransportBootstrapService(serverConfig, bootstrapConfig, lwM2MBootstrapSecurityStore,
+                lwM2MInMemoryBootstrapConfigStore, transportService, certificateVerifier);
+    }
+
+    private void setDefaultConfigVariables(){
+        when(bootstrapConfig.getPort()).thenReturn(5683);
+        when(bootstrapConfig.getSecurePort()).thenReturn(5684);
+        when(serverConfig.isRecommendedCiphers()).thenReturn(false);
+        when(serverConfig.getDtlsRetransmissionTimeout()).thenReturn(9000);
+    }
+
+
+}
diff --git a/...st/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportServerConfigTest.java b/...st/java/org/thingsboard/server/transport/lwm2m/config/LwM2MTransportServerConfigTest.java
@@ -0,0 +1,61 @@
+/**
+ * Copyright © 2016-2024 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.transport.lwm2m.config;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.boot.test.context.SpringBootContextLoader;
+import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.thingsboard.server.common.transport.config.ssl.SslCredentialsConfig;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@ExtendWith(SpringExtension.class)
+@EnableConfigurationProperties(value = LwM2MTransportServerConfig.class)
+@ContextConfiguration(classes = {LwM2MTransportServerConfig.class}, loader = SpringBootContextLoader.class)
+@TestPropertySource(properties = {
+        "transport.sessions.report_timeout=10",
+        "transport.lwm2m.security.recommended_ciphers=true",
+        "transport.lwm2m.security.recommended_supported_groups=true",
+        "transport.lwm2m.downlink_pool_size=10",
+        "transport.lwm2m.uplink_pool_size=10",
+        "transport.lwm2m.ota_pool_size=10",
+        "transport.lwm2m.clean_period_in_sec=2",
+        "transport.lwm2m.dtls.connection_id_length="
+
+})
+class LwM2MTransportServerConfigTest {
+
+    @MockBean(name = "lwm2mServerCredentials")
+    private SslCredentialsConfig credentialsConfig;
+
+    @MockBean(name = "lwm2mTrustCredentials")
+    private SslCredentialsConfig trustCredentialsConfig;
+
+    @Autowired
+    private LwM2MTransportServerConfig serverConfig;
+
+    @Test
+    void getDtlsConnectionIdLength_return_null_is_property_is_empty() {
+        // note: transport.lwm2m.dtls.connect_id_length is set in TestPropertySource
+        assertThat(serverConfig.getDtlsConnectionIdLength()).isNull();
+    }
+}