security-policies

Author: Caideyipi

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/sink/protocol/opcua/OpcUaSink.java

@@ -57,9 +57,11 @@
 import java.util.Arrays;
 import java.util.Map;
 import java.util.Objects;
+import java.util.Set;
 import java.util.UUID;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.atomic.AtomicInteger;
+import java.util.stream.Collectors;
 
 import static org.apache.iotdb.commons.pipe.config.constant.PipeSinkConstant.CONNECTOR_IOTDB_PASSWORD_DEFAULT_VALUE;
 import static org.apache.iotdb.commons.pipe.config.constant.PipeSinkConstant.CONNECTOR_IOTDB_PASSWORD_KEY;
@@ -90,6 +92,7 @@
 import static org.apache.iotdb.commons.pipe.config.constant.PipeSinkConstant.CONNECTOR_OPC_UA_SECURITY_DIR_DEFAULT_VALUE;
 import static org.apache.iotdb.commons.pipe.config.constant.PipeSinkConstant.CONNECTOR_OPC_UA_SECURITY_DIR_KEY;
 import static org.apache.iotdb.commons.pipe.config.constant.PipeSinkConstant.CONNECTOR_OPC_UA_SECURITY_POLICY_KEY;
+import static org.apache.iotdb.commons.pipe.config.constant.PipeSinkConstant.CONNECTOR_OPC_UA_SECURITY_POLICY_SERVER_DEFAULT_VALUES;
 import static org.apache.iotdb.commons.pipe.config.constant.PipeSinkConstant.CONNECTOR_OPC_UA_TCP_BIND_PORT_DEFAULT_VALUE;
 import static org.apache.iotdb.commons.pipe.config.constant.PipeSinkConstant.CONNECTOR_OPC_UA_TCP_BIND_PORT_KEY;
 import static org.apache.iotdb.commons.pipe.config.constant.PipeSinkConstant.CONNECTOR_OPC_UA_VALUE_NAME_DEFAULT_VALUE;
@@ -270,6 +273,18 @@ private void customizeServer(final PipeParameters parameters) {
                 CONNECTOR_OPC_UA_ENABLE_ANONYMOUS_ACCESS_KEY,
                 SINK_OPC_UA_ENABLE_ANONYMOUS_ACCESS_KEY),
             CONNECTOR_OPC_UA_ENABLE_ANONYMOUS_ACCESS_DEFAULT_VALUE);
+    final Set<SecurityPolicy> securityPolicies =
+        (parameters.hasAnyAttributes(
+                    CONNECTOR_OPC_UA_SECURITY_POLICY_KEY, SINK_OPC_UA_SECURITY_POLICY_KEY)
+                ? Arrays.stream(
+                    parameters
+                        .getStringByKeys(
+                            CONNECTOR_OPC_UA_SECURITY_POLICY_KEY, SINK_OPC_UA_SECURITY_POLICY_KEY)
+                        .replace(" ", "")
+                        .split(","))
+                : CONNECTOR_OPC_UA_SECURITY_POLICY_SERVER_DEFAULT_VALUES.stream())
+            .map(this::getSecurityPolicy)
+            .collect(Collectors.toSet());
 
     synchronized (SERVER_KEY_TO_REFERENCE_COUNT_AND_NAME_SPACE_MAP) {
       serverKey = httpsBindPort + ":" + tcpBindPort;
@@ -288,7 +303,8 @@ private void customizeServer(final PipeParameters parameters) {
                                 .setUser(user)
                                 .setPassword(password)
                                 .setSecurityDir(securityDir)
-                                .setEnableAnonymousAccess(enableAnonymousAccess);
+                                .setEnableAnonymousAccess(enableAnonymousAccess)
+                                .setSecurityPolicies(securityPolicies);
                         final OpcUaServer newServer = builder.build();
                         nameSpace = new OpcUaNameSpace(newServer, builder);
                         nameSpace.startup();
@@ -312,34 +328,14 @@ private void customizeServer(final PipeParameters parameters) {
   }
 
   private void customizeClient(final String nodeUrl, final PipeParameters parameters) {
-    final SecurityPolicy policy;
-    switch (parameters
-        .getStringOrDefault(
-            Arrays.asList(CONNECTOR_OPC_UA_SECURITY_POLICY_KEY, SINK_OPC_UA_SECURITY_POLICY_KEY),
-            CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_BASIC_256_SHA_256_VALUE)
-        .toUpperCase()) {
-      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_NONE_VALUE:
-        policy = SecurityPolicy.None;
-        break;
-      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_BASIC_128_RSA_15_VALUE:
-        policy = SecurityPolicy.Basic128Rsa15;
-        break;
-      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_BASIC_256_VALUE:
-        policy = SecurityPolicy.Basic256;
-        break;
-      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_BASIC_256_SHA_256_VALUE:
-        policy = SecurityPolicy.Basic256Sha256;
-        break;
-      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_AES128_SHA256_RSAOAEP_VALUE:
-        policy = SecurityPolicy.Aes128_Sha256_RsaOaep;
-        break;
-      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_AES256_SHA256_RSAPSS_VALUE:
-        policy = SecurityPolicy.Aes256_Sha256_RsaPss;
-        break;
-      default:
-        throw new PipeException(
-            "The security policy can only be 'None', 'Basic128Rsa15', 'Basic256', 'Basic256Sha256', 'Aes128_Sha256_RsaOaep' or 'Aes256_Sha256_RsaPss'.");
-    }
+    final SecurityPolicy policy =
+        getSecurityPolicy(
+            parameters
+                .getStringOrDefault(
+                    Arrays.asList(
+                        CONNECTOR_OPC_UA_SECURITY_POLICY_KEY, SINK_OPC_UA_SECURITY_POLICY_KEY),
+                    CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_BASIC_256_SHA_256_VALUE)
+                .toUpperCase());
 
     final IdentityProvider provider;
     final String userName =
@@ -372,6 +368,26 @@ private void customizeClient(final String nodeUrl, final PipeParameters paramete
     new ClientRunner(client, securityDir, password).run();
   }
 
+  private SecurityPolicy getSecurityPolicy(final String securityPolicy) {
+    switch (securityPolicy.toUpperCase()) {
+      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_NONE_VALUE:
+        return SecurityPolicy.None;
+      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_BASIC_128_RSA_15_VALUE:
+        return SecurityPolicy.Basic128Rsa15;
+      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_BASIC_256_VALUE:
+        return SecurityPolicy.Basic256;
+      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_BASIC_256_SHA_256_VALUE:
+        return SecurityPolicy.Basic256Sha256;
+      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_AES128_SHA256_RSAOAEP_VALUE:
+        return SecurityPolicy.Aes128_Sha256_RsaOaep;
+      case CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_AES256_SHA256_RSAPSS_VALUE:
+        return SecurityPolicy.Aes256_Sha256_RsaPss;
+      default:
+        throw new PipeException(
+            "The security policy can only be 'None', 'Basic128Rsa15', 'Basic256', 'Basic256Sha256', 'Aes128_Sha256_RsaOaep' or 'Aes256_Sha256_RsaPss'.");
+    }
+  }
+
   @Override
   public void handshake() throws Exception {
     // Server side, do nothing

iotdb-core/datanode/src/main/java/org/apache/iotdb/db/pipe/sink/protocol/opcua/server/OpcUaServerBuilder.java

@@ -83,6 +83,7 @@ public class OpcUaServerBuilder implements Closeable {
   private String password;
   private Path securityDir;
   private boolean enableAnonymousAccess;
+  private Set<SecurityPolicy> securityPolicies;
   private DefaultTrustListManager trustListManager;
 
   public OpcUaServerBuilder setTcpBindPort(final int tcpBindPort) {
@@ -115,6 +116,11 @@ public OpcUaServerBuilder setEnableAnonymousAccess(final boolean enableAnonymous
     return this;
   }
 
+  public OpcUaServerBuilder setSecurityPolicies(final Set<SecurityPolicy> securityPolicies) {
+    this.securityPolicies = securityPolicies;
+    return this;
+  }
+
   public OpcUaServer build() throws Exception {
     Files.createDirectories(securityDir);
     if (!Files.exists(securityDir)) {
@@ -237,30 +243,35 @@ private Set<EndpointConfiguration> createEndpointConfigurations(
                     USER_TOKEN_POLICY_USERNAME,
                     USER_TOKEN_POLICY_X509);
 
-        final EndpointConfiguration.Builder noSecurityBuilder =
-            builder
-                .copy()
-                .setSecurityPolicy(SecurityPolicy.None)
-                .setSecurityMode(MessageSecurityMode.None);
-
-        endpointConfigurations.add(buildTcpEndpoint(noSecurityBuilder, tcpBindPort));
-        endpointConfigurations.add(buildHttpsEndpoint(noSecurityBuilder, httpsBindPort));
-
-        endpointConfigurations.add(
-            buildTcpEndpoint(
-                builder
-                    .copy()
-                    .setSecurityPolicy(SecurityPolicy.Basic256Sha256)
-                    .setSecurityMode(MessageSecurityMode.SignAndEncrypt),
-                tcpBindPort));
-
-        endpointConfigurations.add(
-            buildHttpsEndpoint(
-                builder
-                    .copy()
-                    .setSecurityPolicy(SecurityPolicy.Basic256Sha256)
-                    .setSecurityMode(MessageSecurityMode.Sign),
-                httpsBindPort));
+        if (securityPolicies.contains(SecurityPolicy.None)) {
+          final EndpointConfiguration.Builder noSecurityBuilder =
+              builder
+                  .copy()
+                  .setSecurityPolicy(SecurityPolicy.None)
+                  .setSecurityMode(MessageSecurityMode.None);
+
+          endpointConfigurations.add(buildTcpEndpoint(noSecurityBuilder, tcpBindPort));
+          endpointConfigurations.add(buildHttpsEndpoint(noSecurityBuilder, httpsBindPort));
+          securityPolicies.remove(SecurityPolicy.None);
+        }
+
+        for (final SecurityPolicy securityPolicy : securityPolicies) {
+          endpointConfigurations.add(
+              buildTcpEndpoint(
+                  builder
+                      .copy()
+                      .setSecurityPolicy(securityPolicy)
+                      .setSecurityMode(MessageSecurityMode.SignAndEncrypt),
+                  tcpBindPort));
+
+          endpointConfigurations.add(
+              buildHttpsEndpoint(
+                  builder
+                      .copy()
+                      .setSecurityPolicy(securityPolicy)
+                      .setSecurityMode(MessageSecurityMode.Sign),
+                  httpsBindPort));
+        }
 
         final EndpointConfiguration.Builder discoveryBuilder =
             builder

iotdb-core/node-commons/src/main/java/org/apache/iotdb/commons/pipe/config/constant/PipeSinkConstant.java

@@ -28,6 +28,7 @@
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 
 import static org.apache.iotdb.commons.conf.IoTDBConstant.MB;
@@ -211,6 +212,12 @@ public class PipeSinkConstant {
   public static final String CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_AES256_SHA256_RSAPSS_VALUE =
       "AES256_SHA256_RSAPSS";
 
+  public static final List<String> CONNECTOR_OPC_UA_SECURITY_POLICY_SERVER_DEFAULT_VALUES =
+      Arrays.asList(
+          CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_BASIC_256_SHA_256_VALUE,
+          CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_AES128_SHA256_RSAOAEP_VALUE,
+          CONNECTOR_OPC_UA_QUALITY_SECURITY_POLICY_AES256_SHA256_RSAPSS_VALUE);
+
   public static final String CONNECTOR_OPC_UA_HISTORIZING_KEY = "connector.opcua.historizing";
   public static final String SINK_OPC_UA_HISTORIZING_KEY = "sink.opcua.historizing";
   public static final boolean CONNECTOR_OPC_UA_HISTORIZING_DEFAULT_VALUE = false;