Merge pull request #50 from TAK-Product-Center/upstream/5.2-RELEASE-16

TAK Server 5.2-RELEASE-16

src/docs/README_fedhub.md

@@ -82,23 +82,54 @@ sudo dnf install checkpolicy
 cd /opt/tak/federation-hub && sudo ./apply-selinux.sh && sudo semodule -l | grep takserver
 ```
 
+## Install and Run Debian
+Update apt
+
+```
+sudo apt update -y
+```
+
+To install from the .deb, run: (if you see the error: couldn't be accessed by user 'apt'. - pkgAcquire::Run (13: Permission denied), that is OK)
+
+```
+sudo apt install <absolute path>/takserver-fed-hub_*.deb -y
+```
+
+
+
 ## Install Mongo
 Make sure /opt/tak/federation-hub/configs/federation-hub-broker.yml has your database credentials defined. Defaults will be generated otherwise
 ```
 dbUsername: martiuser
 dbPassword: pass4marti
 ```
 
-Mongo Setup
+Mongo Setup RHEL
 ```
+sudo cp /opt/tak/federation-hub/scripts/db/mongodb-org.repo /etc/yum.repos.d/mongodb-org.repo
 sudo yum install -y mongodb-org
 sudo systemctl daemon-reload
 sudo systemctl enable mongod
 sudo systemctl restart mongod
 sudo /opt/tak/federation-hub/scripts/db/configure.sh
 ```
 
-## Update from RPM
+Mongo Setup Debian
+```
+sudo apt install curl software-properties-common gnupg apt-transport-https ca-certificates -y
+
+curl -fsSL https://pgp.mongodb.com/server-7.0.asc |  sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor
+
+echo "deb [ arch=amd64,arm64 signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-7.0.list
+
+sudo apt update && sudo apt install mongodb-org -y
+sudo systemctl enable mongod
+sudo systemctl restart mongod
+
+sudo /opt/tak/federation-hub/scripts/db/configure.sh
+```
+
+## Update Fedhub
 Before updating the Federation Hub, you should back up the policy file and list of authorized users:
 
 ```
@@ -116,6 +147,11 @@ RHEL8
 sudo yum upgrade takserver-fed-hub-*.noarch.rpm
 ```
 
+Debian
+```
+sudo apt install <absolute path>/takserver-fed-hub_*.deb -y
+```
+
 The policy and authorized can then be replaced:
 ```
 mv /tmp/ui_generated_policy.json /opt/tak/federation-hub/

src/federation-common/build.gradle

@@ -22,6 +22,8 @@ dependencies {
   implementation group: 'org.apache.ignite', name: 'ignite-slf4j', version: ignite_version
   implementation 'org.apache.commons:commons-lang3:' + commons_lang_version
   implementation group: 'commons-codec', name: 'commons-codec', version: commons_codec_version
+  implementation group: 'io.jsonwebtoken', name: 'jjwt', version: jsonwebtoken_version
+
 }
 
 compileJava {

src/federation-common/src/main/java/tak/server/federation/FederateTokenGroup.java

@@ -0,0 +1,18 @@
+package tak.server.federation;
+
+public class FederateTokenGroup extends FederateGroup {
+
+	private String token;
+
+	public FederateTokenGroup(FederateIdentity federateIdentity) {
+		super(federateIdentity);
+	}
+
+	public String getToken() {
+		return token;
+	}
+
+	public void setToken(String token) {
+		this.token = token;
+	}
+}

src/federation-common/src/main/java/tak/server/federation/GuardedStreamHolder.java

@@ -2,14 +2,12 @@
 
 import static java.util.Objects.requireNonNull;
 
-import java.math.BigInteger;
 import java.util.Comparator;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 import java.util.concurrent.ConcurrentSkipListSet;
 
-import javax.net.ssl.SSLSession;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -19,9 +17,9 @@
 import com.atakmap.Tak.FederateHops;
 import com.atakmap.Tak.FederateProvenance;
 import com.atakmap.Tak.FederatedEvent;
+import com.atakmap.Tak.Identity.ConnectionType;
 import com.atakmap.Tak.ROL;
 import com.atakmap.Tak.Subscription;
-import com.atakmap.Tak.Identity.ConnectionType;
 import com.google.common.base.Strings;
 
 import io.grpc.ClientCall;
@@ -46,6 +44,8 @@ public class GuardedStreamHolder<T> {
     private FederateIdentity federateIdentity;
     private Subscription subscription;
     private int maxFederateHops = -1;
+    private String clientFingerprint;
+    private List<String> clientGroups;
 
     private boolean isRunningInHub = false;
 
@@ -75,7 +75,7 @@ public GuardedStreamHolder(ClientCall<T, Subscription> clientCall, String fedId,
     }
 
     // for incoming connections
-    public GuardedStreamHolder(StreamObserver<T> clientStream, String clientName, String certHash, SSLSession session, Subscription subscription, Comparator<T> comp, boolean isRunningInHub) {
+    public GuardedStreamHolder(StreamObserver<T> clientStream, String clientName, String certHash, String sessionId, Subscription subscription, Comparator<T> comp, boolean isRunningInHub) {
 
         requireNonNull(clientStream, "FederatedEvent client stream");
 
@@ -97,7 +97,7 @@ public GuardedStreamHolder(StreamObserver<T> clientStream, String clientName, St
         // new takservers will send their CoreConfig serverId. if present, use it, otherwise generate a random unique identifier
         String serverId = subscription.getIdentity().getServerId();
         if (Strings.isNullOrEmpty(serverId)) {
-        	serverId = new BigInteger(session.getId()).toString();
+        	serverId = sessionId;
         }
         String fedId = clientName + "-" + certHash  + "-" + serverId;
 
@@ -144,8 +144,8 @@ public synchronized void send(T event) {
         	// since hub outgoing connections can forward traffic to other hubs, we need to keep a list of visited nodes
             // so that we can stop cycles
             FederateProvenance prov = FederateProvenance.newBuilder()
-        			.setFederationServerId(FederationHubDependencyInjectionProxy.getInstance().fedHubServerConfig().getFullId())
-        			.setFederationServerName(FederationHubDependencyInjectionProxy.getInstance().fedHubServerConfig().getServerName())
+        			.setFederationServerId(FederationHubDependencyInjectionProxy.getInstance().fedHubServerConfigManager().getConfig().getFullId())
+        			.setFederationServerName(FederationHubDependencyInjectionProxy.getInstance().fedHubServerConfigManager().getConfig().getServerName())
         			.build();
 
             Set<FederateProvenance> federateProvenances = new HashSet<>();
@@ -345,7 +345,23 @@ public void setMaxFederateHops(int maxFederateHops) {
     	this.maxFederateHops = maxFederateHops;
     }
 
-    @Override
+	public String getClientFingerprint() {
+		return clientFingerprint;
+	}
+
+	public void setClientFingerprint(String clientFingerprint) {
+		this.clientFingerprint = clientFingerprint;
+	}
+
+	public List<String> getClientGroups() {
+		return clientGroups;
+	}
+
+	public void setClientGroups(List<String> clientGroups) {
+		this.clientGroups = clientGroups;
+	}
+
+	@Override
 	public String toString() {
 		return "GuardedStreamHolder [clientStream=" + clientStream + ", clientCall=" + clientCall + ", lastHealthTime="
 				+ lastHealthTime + ", lastHealthStatus=" + lastHealthStatus + ", federateIdentity=" + federateIdentity

src/federation-common/src/main/java/tak/server/federation/TokenAuthCredential.java

@@ -0,0 +1,40 @@
+package tak.server.federation;
+
+import static io.grpc.Metadata.ASCII_STRING_MARSHALLER;
+
+import java.util.concurrent.Executor;
+
+import io.grpc.CallCredentials;
+import io.grpc.Metadata;
+import io.grpc.Status;
+
+public class TokenAuthCredential extends CallCredentials {
+	public static final String BEARER_TYPE = "Bearer";
+
+	public static final Metadata.Key<String> AUTHORIZATION_METADATA_KEY = Metadata.Key.of("Authorization",
+			ASCII_STRING_MARSHALLER);
+
+	private final String token;
+
+	public TokenAuthCredential(String token) {
+		this.token = token;
+	}
+
+	@Override
+	public void applyRequestMetadata(final RequestInfo requestInfo, final Executor executor,
+			final MetadataApplier metadataApplier) {
+
+		executor.execute(new Runnable() {
+			@Override
+			public void run() {
+				try {
+					Metadata headers = new Metadata();
+					headers.put(AUTHORIZATION_METADATA_KEY, String.format("%s %s", BEARER_TYPE, token));
+					metadataApplier.apply(headers);
+				} catch (Throwable e) {
+					metadataApplier.fail(Status.UNAUTHENTICATED.withCause(e));
+				}
+			}
+		});
+	}
+}

src/federation-common/src/main/java/tak/server/federation/hub/FederationHubDependencyInjectionProxy.java

@@ -11,7 +11,7 @@
 public class FederationHubDependencyInjectionProxy implements ApplicationContextAware {
     private static ApplicationContext springContext;
 
-    private static FederationHubDependencyInjectionProxy instance = null;
+    private volatile static FederationHubDependencyInjectionProxy instance = null;
 
     public static FederationHubDependencyInjectionProxy getInstance() {
         if (instance == null) {
@@ -35,7 +35,7 @@ public void setApplicationContext(ApplicationContext context) throws BeansExcept
         this.springContext = context;
     }
 
-    private FederationHubPolicyManager fedHubPolicyManager = null;
+    private volatile FederationHubPolicyManager fedHubPolicyManager = null;
 
     public FederationHubPolicyManager fedHubPolicyManager() {
         if (fedHubPolicyManager == null) {
@@ -49,7 +49,7 @@ public FederationHubPolicyManager fedHubPolicyManager() {
         return fedHubPolicyManager;
     }
 
-    private SSLConfig sslConfig = null;
+    private volatile SSLConfig sslConfig = null;
 
     public SSLConfig sslConfig() {
         if (sslConfig == null) {
@@ -63,21 +63,21 @@ public SSLConfig sslConfig() {
         return sslConfig;
     }
 
-    private FederationHubServerConfig fedHubServerConfig = null;
+    private volatile FederationHubServerConfigManager fedHubServerConfigManager = null;
 
-    public FederationHubServerConfig fedHubServerConfig() {
-        if (fedHubServerConfig == null) {
+    public FederationHubServerConfigManager fedHubServerConfigManager() {
+        if (fedHubServerConfigManager == null) {
             synchronized (this) {
-                if (fedHubServerConfig == null) {
-                    fedHubServerConfig = springContext.getBean(FederationHubServerConfig.class);
+                if (fedHubServerConfigManager == null) {
+                	fedHubServerConfigManager = springContext.getBean(FederationHubServerConfigManager.class);
                 }
             }
         }
 
-        return fedHubServerConfig;
+        return fedHubServerConfigManager;
     }
 
-    private FederationHubBroker federationHubBroker = null;
+    private volatile FederationHubBroker federationHubBroker = null;
 
     public FederationHubBroker federationHubBroker() {
         if (federationHubBroker == null) {
@@ -91,7 +91,7 @@ public FederationHubBroker federationHubBroker() {
         return federationHubBroker;
     }
 
-    private FederationHubBrokerMetrics federationHubBrokerMetrics = null;
+    private volatile FederationHubBrokerMetrics federationHubBrokerMetrics = null;
 
     public FederationHubBrokerMetrics federationHubBrokerMetrics() {
         if (federationHubBrokerMetrics == null) {
@@ -104,7 +104,7 @@ public FederationHubBrokerMetrics federationHubBrokerMetrics() {
         return federationHubBrokerMetrics;
     }
 
-    private HubConnectionStore hubConnectionStore = null;
+    private volatile HubConnectionStore hubConnectionStore = null;
 
     public HubConnectionStore hubConnectionStore() {
         if (hubConnectionStore == null) {