-
Notifications
You must be signed in to change notification settings - Fork 12
Expand file tree
/
Copy pathLoxoneAuth.java
More file actions
512 lines (446 loc) · 18.6 KB
/
LoxoneAuth.java
File metadata and controls
512 lines (446 loc) · 18.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
package cz.smarteon.loxone;
import cz.smarteon.loxone.message.ApiInfo;
import cz.smarteon.loxone.message.EncryptedCommand;
import cz.smarteon.loxone.message.Hashing;
import cz.smarteon.loxone.message.LoxoneMessage;
import cz.smarteon.loxone.message.LoxoneMessageCommand;
import cz.smarteon.loxone.message.PubKeyInfo;
import cz.smarteon.loxone.message.Token;
import cz.smarteon.loxone.message.TokenPermissionType;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.crypto.SecretKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import static cz.smarteon.loxone.Codec.bytesToBase64;
import static cz.smarteon.loxone.Codec.concatToBytes;
import static cz.smarteon.loxone.Command.keyExchange;
import static cz.smarteon.loxone.message.LoxoneMessageCommand.getKey;
import static java.util.Collections.singletonMap;
import static java.util.Objects.requireNonNull;
/**
* Encapsulates algorithms necessary to perform loxone authentication with loxone server version 10.
* First the {@link #init()} should be called, then the other methods work correctly.
*
* @see <a href=
* "https://www.loxone.com/enen/wp-content/uploads/sites/3/2016/10/1000_Communicating-with-the-Miniserver.pdf"
* >Loxone communication</a>
*/
@SuppressWarnings("checkstyle:ClassFanOutComplexity")
public class LoxoneAuth implements LoxoneMessageCommandResponseListener {
/**
* UUID of this client sent as part of token request.
*/
public static final String CLIENT_UUID = "5231fc55-a384-41b4-b0ae10b7f774add1";
/**
* Default value of client info sent as part of token request.
*/
public static final String DEFAULT_CLIENT_INFO = "loxoneJava";
private static final Logger LOG = LoggerFactory.getLogger(LoxoneAuth.class);
private static final int MAX_SALT_USAGE = 20;
private final LoxoneHttp loxoneHttp;
private final LoxoneProfile profile;
private final LoxoneMessageCommand<Hashing> getKeyCommand;
private final LoxoneMessageCommand<Hashing> getVisuHashCommand;
private final List<AuthListener> authListeners;
// Crypto stuff
private ApiInfo apiInfo;
private PublicKey publicKey;
private SecretKey sharedKey;
private SecureRandom sha1PRNG;
private byte[] sharedKeyIv;
private String sharedSalt;
private int saltUsageCount;
// Communication stuff
private Hashing visuHashing;
private Hashing hashing;
private Token token;
private TokenStateEvaluator tokenStateEvaluator = new TokenStateEvaluator() { };
private TokenRepository tokenRepository = new InMemoryTokenRepository();
private String clientInfo = DEFAULT_CLIENT_INFO;
private TokenPermissionType tokenPermissionType = TokenPermissionType.WEB;
private EncryptedCommand<Token> lastTokenCommand;
private CommandSender commandSender;
private boolean autoRefreshToken;
private ScheduledExecutorService autoRefreshScheduler;
private ScheduledFuture<?> autoRefreshFuture;
/**
* Creates new instance.
* @param loxoneHttp loxone http interface used to perform some necessary http calls to loxone
* @param profile loxone profile
*/
public LoxoneAuth(@NotNull LoxoneHttp loxoneHttp, @NotNull LoxoneProfile profile) {
this.loxoneHttp = requireNonNull(loxoneHttp, "loxoneHttp shouldn't be null");
this.profile = requireNonNull(profile, "profile shouldn't be null");
this.getKeyCommand = getKey(profile.getUsername());
this.getVisuHashCommand = LoxoneMessageCommand.getVisuHash(profile.getUsername());
this.authListeners = new CopyOnWriteArrayList<>();
}
@Deprecated
public LoxoneAuth(@NotNull LoxoneHttp loxoneHttp, @NotNull String loxoneUser, @NotNull String loxonePass,
@Nullable String loxoneVisPass) {
this(loxoneHttp, new LoxoneProfile(loxoneHttp.endpoint, loxoneUser, loxonePass, loxoneVisPass));
}
/**
* @return loxone {@link ApiInfo}, or null if not properly initialized
*/
public ApiInfo getApiInfo() {
return apiInfo;
}
/**
* @return loxone user
*/
public String getUser() {
return profile.getUsername();
}
/**
* @return UUID of loxone-java client (currently hardcoded to {@link #CLIENT_UUID})
*/
public String getUuid() {
return CLIENT_UUID;
}
/**
* @return clientInfo sent as part of token request
*/
public String getClientInfo() {
return clientInfo;
}
/**
* Allows to modify client info sent as part of token request, defaults to {@link #DEFAULT_CLIENT_INFO}.
* @param clientInfo client info
*/
public void setClientInfo(String clientInfo) {
this.clientInfo = clientInfo;
}
/**
* @return used token permission type
*/
public TokenPermissionType getTokenPermissionType() {
return tokenPermissionType;
}
/**
* Token permission type used to acquire token. Defaults to {@link TokenPermissionType#WEB}
* @param tokenPermissionType token permission type
*/
public void setTokenPermissionType(final TokenPermissionType tokenPermissionType) {
this.tokenPermissionType = tokenPermissionType;
}
/**
* Set the command sender which allows to send commands over websocket to miniserver. It must be set, otherwise this
* class cannot work.
* @param commandSender command sender.
*/
public void setCommandSender(final CommandSender commandSender) {
this.commandSender = requireNonNull(commandSender, "commandSender can't be null");
}
/**
* Whether is configured to refresh token automatically.
* @return true if is configured to automatically refresh token, false (default) otherwise
*/
public boolean isAutoRefreshToken() {
return autoRefreshToken;
}
/**
* Allow or disallow to automatically refresh token. Disabled by default. If set to true the token refresh will
* be scheduled after next token receive. If se to false, when previously true, only next token refresh are
* prevented, not the currently scheduled one.
* @param autoRefreshToken whether to automatically refresh token
*/
public void setAutoRefreshToken(final boolean autoRefreshToken) {
this.autoRefreshToken = autoRefreshToken;
}
/**
* Allows to specify scheduler used to auto refresh tokens. If not set the new single thread scheduler
* is created internally.
* @see #setAutoRefreshToken(boolean)
* @param autoRefreshScheduler scheduler use to refresh tokens
*/
public void setAutoRefreshScheduler(final @NotNull ScheduledExecutorService autoRefreshScheduler) {
this.autoRefreshScheduler = requireNonNull(autoRefreshScheduler, "autoRefreshScheduler can't be null");
}
void setTokenStateEvaluator(final TokenStateEvaluator tokenStateEvaluator) {
this.tokenStateEvaluator = tokenStateEvaluator;
}
/**
* Allows setting {@link TokenRepository} in order to make tokens persistent.
* @param tokenRepository repository to use
*/
public void setTokenRepository(final @NotNull TokenRepository tokenRepository) {
this.tokenRepository = tokenRepository;
}
/**
* Initialize the loxone authentication. Fetches the API info (address and version) and prepare the cryptography.
*/
public void init() {
LOG.trace("LoxoneAuth init start");
fetchApiInfo();
fetchPublicKey();
sha1PRNG = LoxoneCrypto.getSecureRandom();
if (sharedKey == null) {
sharedKey = LoxoneCrypto.createSharedKey();
}
sharedKeyIv = LoxoneCrypto.createSharedKeyIv(sha1PRNG);
LOG.trace("LoxoneAuth init finish");
}
/**
* @return true if properly initialized, false otherwise
*/
boolean isInitialized() {
return publicKey != null && sharedKey != null && sharedKeyIv != null && sha1PRNG != null;
}
/**
* @return headers necessary for authentication of HTTP connection
*/
public Map<String, String> authHeaders() {
return singletonMap("Authorization", "Basic "
+ bytesToBase64(concatToBytes(profile.getUsername(), profile.getPassword())));
}
/**
* Returns RSA encrypted generated shared key prepared for key exchange.
* May throw an exception if not initialized properly.
* @return RSA encrypted sharedKey
*/
private String getSessionKey() {
checkInitialized();
return LoxoneCrypto.createSessionKey(sharedKey, sharedKeyIv, publicKey);
}
/**
* Computes visualization hash, which can be used in secured command, implies that visualization hashing has
* been obtained recently using getvisusalt command.
* @return visualization hash
*/
public String getVisuHash() {
return onVisuPassSet("compute visu hash",
() -> LoxoneCrypto.loxoneHashing(profile.getVisuPassword(), null, visuHashing, "secured command"));
}
/**
* Checks whether this authentication is in usable state - in terms to be used for authorized commands. In case
* it returns false the authentication must be started over using {@link #startAuthentication()}.
* @return true if the connection is authenticated, false otherwise
*/
boolean isUsable() {
return tokenStateEvaluator.evaluate(token).isUsable();
}
/**
* Starts the authentication mechanism.
*/
void startAuthentication() {
authListeners.forEach(AuthListener::beforeAuth);
token = tokenRepository.getToken(profile);
sendCommand(keyExchange(getSessionKey())); // TODO is necessary to recreate the session key everytime?
sendCommand(getKeyCommand);
}
void startVisuAuthentication() {
authListeners.forEach(AuthListener::beforeVisuAuth);
onVisuPassSet("start visual authentication", () -> {
sendCommand(getVisuHashCommand);
return null;
});
}
/**
* Processes all authentication related incoming commands.
* @param command command to process
* @param message message to process
* @return state
*/
@Override
@NotNull
@SuppressWarnings({"checkstyle:CyclomaticComplexity", "checkstyle:ReturnCount", "checkstyle:NestedIfDepth"})
public State onCommand(
@NotNull final Command<? extends LoxoneMessage<?>> command,
@NotNull final LoxoneMessage<?> message) {
if (message.isSuccess()) {
if (getKeyCommand.equals(command)) {
hashing = getKeyCommand.ensureValue(message.getValue());
final TokenState tokenState = tokenStateEvaluator.evaluate(token);
if (tokenState.isExpired()) {
lastTokenCommand = EncryptedCommand.getToken(
LoxoneCrypto
.loxoneHashing(profile.getPassword(), profile.getUsername(), hashing, "gettoken"),
profile.getUsername(), tokenPermissionType, CLIENT_UUID, clientInfo, this::encryptCommand
);
} else if (tokenState.needsRefresh()) {
lastTokenCommand = EncryptedCommand.refreshToken(
LoxoneCrypto
.loxoneHashing(requireNonNull(token.getToken()), hashing, "refreshtoken"),
profile.getUsername(), this::encryptCommand
);
} else {
lastTokenCommand = EncryptedCommand.authWithToken(
LoxoneCrypto
.loxoneHashing(requireNonNull(token.getToken()), hashing, "authwithtoken"),
profile.getUsername(), this::encryptCommand
);
}
sendCommand(lastTokenCommand);
return State.CONSUMED;
} else if (getVisuHashCommand.equals(command)) {
visuHashing = getVisuHashCommand.ensureValue(message.getValue());
authListeners.forEach(AuthListener::visuAuthCompleted);
return State.CONSUMED;
} else if (lastTokenCommand != null && lastTokenCommand.equals(command)) {
final Token newToken = lastTokenCommand.ensureValue(message.getValue());
token = token == null ? newToken : token.merge(newToken);
LOG.info("Got loxone token, valid until: " + token.getValidUntilDateTime() + ", seconds to expire: "
+ token.getSecondsToExpire());
tokenRepository.putToken(profile, token);
if (autoRefreshToken) {
final long secondsToRefresh = tokenStateEvaluator.evaluate(token).secondsToRefresh();
if (secondsToRefresh > 0) {
if (autoRefreshScheduler != null) {
LOG.info("Scheduling token auto refresh in " + secondsToRefresh + " seconds");
autoRefreshFuture = autoRefreshScheduler
.schedule(this::startAuthentication, secondsToRefresh, TimeUnit.SECONDS);
} else {
LOG.warn("autoRefreshScheduler not set, can't schedule token refresh");
}
} else {
LOG.warn("Can't schedule token auto refresh, token expires too early or is already expired");
}
}
authListeners.forEach(AuthListener::authCompleted);
lastTokenCommand = null;
return State.CONSUMED;
}
} else if (message.isAuthFailed()) {
LOG.info("Authentication failed discarding current token");
token = null;
tokenRepository.removeToken(profile);
return State.CONSUMED;
}
return State.IGNORED;
}
@Override
public boolean acceptsErrorResponses() {
return true;
}
/**
* Registers {@link AuthListener} to notify it about authentication events.
* @param listener listener to register
*/
public void registerAuthListener(final AuthListener listener) {
authListeners.add(listener);
}
/**
* Allows to tear down when websocket is closed.
*/
void wsClosed() {
if (autoRefreshFuture != null) {
autoRefreshFuture.cancel(true);
}
}
void killToken() {
sendCommand(
Command.killToken(
LoxoneCrypto.loxoneHashing(requireNonNull(token.getToken()), hashing, "killtoken"),
profile.getUsername()
)
);
tokenRepository.removeToken(profile);
}
private void sendCommand(final Command<?> command) {
if (commandSender != null) {
commandSender.send(command);
} else {
throw new IllegalStateException("CommandSender not set, authentication cannot work correctly");
}
}
/**
* Encrypts the given command, returning encrypted command ready to be sent to loxone,may throw exception
* if not properly initialized.
* @param command command to be encrypted
* @return new command which carries the given command encrypted
*/
private String encryptCommand(String command) {
if (sharedSalt == null) {
sharedSalt = LoxoneCrypto.generateSalt(sha1PRNG);
}
String saltPart = "salt/" + sharedSalt;
if (isNewSaltNeeded()) {
LOG.trace("changing the salt");
saltPart = "nextSalt/" + sharedSalt + "/";
sharedSalt = LoxoneCrypto.generateSalt(sha1PRNG);
saltPart += sharedSalt;
}
return encryptWithSharedKey(saltPart + "/" + command);
}
private void checkInitialized() {
if (!isInitialized()) {
throw new IllegalStateException("LoxoneAuth has not been initialized - call init() first");
}
}
private void fetchApiInfo() {
LOG.trace("Fetching ApiInfo start");
try {
final LoxoneMessage<ApiInfo> msg = loxoneHttp.get(LoxoneMessageCommand.DEV_CFG_API);
msg.getValue();
apiInfo = msg.getValue();
} finally {
LOG.trace("Fetching ApiInfo finish");
}
}
private void fetchPublicKey() {
LOG.trace("Fetching PublicKey start");
try {
final LoxoneMessage<PubKeyInfo> msg = loxoneHttp.get(LoxoneMessageCommand.DEV_SYS_GETPUBLICKEY);
msg.getValue();
publicKey = msg.getValue().asPublicKey();
} finally {
LOG.trace("Fetching PublicKey finish");
}
}
private String encryptWithSharedKey(final String data) {
checkInitialized();
return LoxoneCrypto.encrypt(data, sharedKey, sharedKeyIv);
}
/**
* It is/isn't necessary to create new salt based on MAX_SALT_USAGE or the timestamp
* “nextSalt/{prevSalt}/{nextSalt}/{cmd} sent with command
*
* return true/false should/shouldn't create new salt.
* */
@SuppressWarnings("checkstyle:EmptyBlock")
private boolean isNewSaltNeeded() {
if (saltUsageCount <= 0) {
//TODO update sharedSalt every hour
}
saltUsageCount++;
if (saltUsageCount >= MAX_SALT_USAGE) {
saltUsageCount = 0;
return true;
}
return false;
}
private <T> T onVisuPassSet(String actionDescription, Supplier<T> action) {
if (profile.getVisuPassword() != null) {
return action.get();
} else {
throw new IllegalStateException("Can't " + actionDescription + " when visualization password not set.");
}
}
private static class InMemoryTokenRepository implements TokenRepository {
private final Map<LoxoneProfile, Token> tokens = new ConcurrentHashMap<>(1);
@Override
public @Nullable Token getToken(final @NotNull LoxoneProfile profile) {
return tokens.get(profile);
}
@Override
public void putToken(final @NotNull LoxoneProfile profile, final @NotNull Token token) {
tokens.put(profile, token);
}
@Override
public void removeToken(final @NotNull LoxoneProfile profile) {
tokens.remove(profile);
}
}
}