Add subcomponent/subdevice processing
Up to now the IFF-agent could only manage one single device with a certain id. This limits cases where the device consists of several subsystems. For such cases, all the subsystem data was mapped to the main device with the respective id. With these changes, a device can now consist of several subsystems and these IDs can be added to the device token. This PR contains everything needed to support subdevice/subcomponent processing: * IFF-Agent accepts deviceIds in the TCP/UDP messages * IFF-Agent utils offer additional options to add subcomponent IDs and send data for subcomponents * Keycloak now allows the field "subdevice_ids" in the token to add subdevice IDs * The MQTT-Bridge permits subdevice IDs to stream data Related Epic: #514 Related User-stories: #555 Signed-off-by: marcel <[email protected]>
1 parent
c47580c
commit 71f4e30
Showing
22 changed files
with
644 additions
and
102 deletions.
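--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,77 @@
+/**
+ * Copyright (c) 2023 Intel Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Available variables:
+ * user - the current user
+ * realm - the current realm
+ * token - the current token
+ * userSession - the current userSession
+ * keycloakSession - the current keycloakSession
+ */
+
+var onboarding_token_expiration = java.lang.System.getenv("OISP_FRONTEND_DEVICE_ACCOUNT_ENDPOINT");
+var subdeviceIdsH = keycloakSession.getContext().getRequestHeaders()
+.getRequestHeader("X-SubDeviceIDs")[0];
+if (subdeviceIdsH !== null && subdeviceIdsH !== undefined) {
+subdeviceIdsH = JSON.parse(subdeviceIdsH)
+}
+var inputRequest = keycloakSession.getContext().getHttpRequest();
+var params = inputRequest.getDecodedFormParameters();
+var origTokenParam = params.getFirst("orig_token");
+var grantType = params.getFirst("grant_type");
+var tokens = keycloakSession.tokens();
+var origToken = tokens.decode(origTokenParam, Java.type("org.keycloak.representations.AccessToken").class)
+
+if (typeof(onboarding_token_expiration) !== 'number') {
+// if not otherwise configured onboardig token is valid for 5 minutes
+onboarding_token_expiration = 300;
+}
+if (grantType === 'refresh_token' && origToken !== null) {
+var session = userSession.getId();
+var otherClaims = origToken.getOtherClaims();
+var origTokenSubDeviceIds;
+if (otherClaims !== null) {
+
+origTokenSubDeviceIds = otherClaims.get("sub_device_ids");
+}
+var origTokenSession = origToken.getSessionId();
+
+if (origTokenSubDeviceIds !== null && origTokenSubDeviceIds !== undefined) {
+// Has origToken same session?
+if (origTokenSession !== session) {
+print("Warning: Rejecting subdeviceids claim due to session mismatch between refresh_token and orig_token")
+exports = JSON.stringify([]);
+} else {
+exports = origTokenSubDeviceIds;
+}
+} else {
+// If there is no origTokenDeviceId, there must be an X-DeviceId header AND origToken must be valid
+if (!origToken.isExpired() && subdeviceIdsH !== null && subdeviceIdsH !== undefined) {
+exports = subdeviceIdsH
+} else {
+print("Warning: Rejecting subdeviceid claim due to orig_token is expired or there is not valid X-SubDeviceIDs Header.")
+exports = JSON.stringify([]);
+}
+}
+} else if (grantType === 'password'){
+var currentTimeInSeconds = new Date().getTime() / 1000;
+token.exp(currentTimeInSeconds + onboarding_token_expiration);
+exports = null
+} else if (origToken === null) {
+print("Warning: Rejecting token due to invalid orig_token.")
+exports = JSON.stringify([])
+}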
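Review bot: The session-mismatch guard at `if (origTokenSession !== session)` only covers the branch where orig_token already carries `sub_device_ids`; the header branch at `if (!origToken.isExpired() && subdeviceIdsH ...)` accepts `X-SubDeviceIDs` together with any unexpired orig_token without checking that it belongs to the refreshing session, and the `JSON.parse` result is copied into the claim with no check of its shape, so whatever JSON value the caller sends becomes the claim. Hoisting the session comparison above the `origTokenSubDeviceIds` branch and accepting only a flat array of strings (an `isStringArray` helper) closes both gaps; the rewritten refresh branch is in the fence below. The rejection paths assign `JSON.stringify([])`, which is the string `"[]"`, while the accept paths assign a list or array, so the claim's type depends on the path taken — `exports = [];` keeps it consistent with the array already assigned from the parsed header. `java.lang.System.getenv` returns a string or null, so `typeof(onboarding_token_expiration) !== 'number'` is always true and a configured value never takes effect (`var cfg = parseInt(java.lang.System.getenv("OISP_FRONTEND_DEVICE_ACCOUNT_ENDPOINT"), 10); onboarding_token_expiration = isNaN(cfg) ? 300 : cfg;`), and that variable name reads like an endpoint rather than a duration, which looks worth confirming. The description names the claim `subdevice_ids` while the script reads `sub_device_ids` from the orig token; which spelling the token consumers expect should be confirmed.
```javascript
// Accept only a flat array of strings so arbitrary JSON from the header cannot land in the claim
function isStringArray(v) {
    if (!Array.isArray(v)) return false;
    for (var i = 0; i < v.length; i++) {
        if (typeof v[i] !== 'string') return false;
    }
    return true;
}

if (grantType === 'refresh_token' && origToken !== null) {
    var session = userSession.getId();
    var origTokenSession = origToken.getSessionId();
    // The session check guards both sources of the claim, not only the orig_token one
    if (origTokenSession !== session) {
        print("Warning: Rejecting subdeviceids claim due to session mismatch between refresh_token and orig_token")
        exports = [];
    } else {
        var otherClaims = origToken.getOtherClaims();
        var origTokenSubDeviceIds = otherClaims !== null ? otherClaims.get("sub_device_ids") : null;
        if (origTokenSubDeviceIds !== null && origTokenSubDeviceIds !== undefined) {
            exports = origTokenSubDeviceIds;
        } else if (!origToken.isExpired() && isStringArray(subdeviceIdsH)) {
            exports = subdeviceIdsH;
        } else {
            print("Warning: Rejecting subdeviceid claim due to orig_token is expired or there is not valid X-SubDeviceIDs Header.")
            exports = [];
        }
    }
} // … unchanged: else-if branches for password grant and invalid orig_token …
```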