Merge remote-tracking branch 'origin/main'

# Conflicts:
#	.idea/workspace.xml

Author: Maximilian Flügel

.idea/workspace.xml

@@ -1,2 +1,52 @@
 # iot-utilities-server-python
-Python WebSocket Server implementation that works just like the IoT-Utilities App
+Python WebSocket Server implementation that works like the IoT-Utilities Android App.
+
+## Usage
+
+- Download or clone the source code
+- Use your terminal to navigate into the folder of the project
+- Install the dependencies
+
+```
+pip3 install -r requirements.txt
+```
+
+- Make sure python 3 is installed, start the server:
+
+```
+python3 -m bin.main
+```
+
+The server implementation contains both an authentication server (default on port 5444) and a WebSocket server (default on port 5443).
+
+## Authentication Configuration
+
+For security reasons, the authentication credentials of the server have to be configured seperately.
+Therefore, edit the "config.json" file and enter the desired credentials for the server.
+
+- auth_username: Username required when using grant type "password"
+- auth_password: Password required when using grant type "password"
+- auth_secret: Secret required when using grant type "client_credentials"
+- jwt_signature_secret: Secret used to sign and verify the JWT access tokens
+
+Example:
+
+```json
+{
+  "auth_username": "<place_your_username_here>",
+  "auth_password": "<place_your_password_here>",
+  "auth_secret": "<place_your_secret_here>",
+  "jwt_signature_secret": "<place_your_secret_here>"
+}
+```
+
+## Command line arguments
+
+All command line arguments and explanations can be listed using the --help argument.
+
+--port: Port of the WebSocket server  
+--authport: Port of the Authentication server  
+--certificate: Path to the certificate PEM file  
+--raw: Prints the messages in JSON format if present
+
+> Note: The server supports both HTTP/WS and HTTPS/WSS connections. In order to encrypt the connection, a SSL certificate file (PEM format) needs to be provided using the --certificate command line argument. Example: python3 -m bin.main --certificate "test.pem"

README.md

@@ -1,5 +1,7 @@
 from src.endpoint.iot_endpoint_server import IoTEndpointServer
+from src.endpoint.iot_endpoint_authentication_server import IoTEndpointAuthenticationServer
 import argparse
+from threading import Thread
 
 
 def main():
@@ -14,13 +16,28 @@ def main():
     parser.add_argument("--raw", action="store_true", help="Enables/disables raw protobuf message output")
     arguments = parser.parse_args()
 
-    # Configure and start the WebSocket server
+    # Configure the WebSocket server
     server = IoTEndpointServer(
         arguments.port if arguments.port else 5443,
         arguments.certificate,
         arguments.raw
     )
-    server.start()
+
+    # Configure the authentication server
+    authentication_server = IoTEndpointAuthenticationServer(
+        arguments.certificate
+    )
+
+    # Start the threads for the servers
+    https_thread = Thread(target=authentication_server.start)
+    https_thread.start()
+
+    wss_thread = Thread(target=server.start)
+    wss_thread.start()
+
+    # Join the threads to the main thread
+    wss_thread.join()
+    https_thread.join()
 
 
 if __name__ == "__main__":

bin/main.py

@@ -0,0 +1,6 @@
+{
+  "auth_username": "USERNAME_HERE",
+  "auth_password": "PASSWORD_HERE",
+  "auth_secret": "AUTH_SECRET_HERE",
+  "jwt_signature_secret": "JWT_SECRET_HERE"
+}

config.json

@@ -0,0 +1,3 @@
+protobuf==3.20.1
+websockets~=10.3
+PyJWT~=2.6.0

requirements.txt

@@ -0,0 +1,5 @@
+class AuthenticationException(Exception):
+    """
+    Class that represents an exception that occurred during the authentication procedure of the program.
+    """
+    pass

src/authentication/__init__.py

@@ -0,0 +1,103 @@
+import json
+from src.authentication.authentication_exception import AuthenticationException
+from src.authentication.jwt_authenticator import JWTAuthenticator
+from src.configuration import config
+
+
+class ClientAuthenticationRequest:
+    """
+    Class that represents a single authentication request.
+    """
+
+    GRANT_TYPE_PASSWORD = "password"
+    GRANT_TYPE_REFRESH_TOKEN = "refresh_token"
+    GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials"
+
+    def __init__(
+            self,
+            grant_type=None,
+            client_id=None,
+            client_secret=None,
+            username=None,
+            password=None,
+            refresh_token=None,
+            scope=None):
+        """
+        Constructor of the instance.
+
+        :param grant_type: Type of authentication used during the procedure.
+        :type grant_type: str
+        :param client_id: Identifier of the authenticating client.
+        :type client_id: str
+        :param client_secret: Secret phrase used when authenticating with grant type "client-secret".
+        :type client_secret: str
+        :param username: Username used when authenticating with grant type "password".
+        :type username: str
+        :param password: Password used when authenticating with grant type "password".
+        :type password: str
+        :param refresh_token: Refresh token used when authenticating with grant type "refresh_token".
+        :type refresh_token: str
+        :param scope: Scope used by the client, e.g. Aruba.
+        :type scope: str
+        """
+        self.grant_type = grant_type
+        self.client_id = client_id
+        self.client_secret = client_secret
+        self.username = username
+        self.password = password
+        self.refresh_token = refresh_token
+        self.scope = scope
+
+    @staticmethod
+    def parse_from_json(json_string: str):
+        """
+        Function that parses an instance from a JSON string.
+
+        :param json_string: JSON string the instance should be parsed from.
+        :type json_string: str
+
+        :return: Returns the created instance.
+        """
+        loads = json.loads(json_string)
+        return ClientAuthenticationRequest(**loads)
+
+    def validate(self):
+        """
+        Method that validates the parsed authentication data.
+        Depending on the grant type, the authentication requires additional field:
+        password: requires the fields username and password.
+        refresh_token: requires the field refresh_token.
+        client_credentials: requires the field client_secret.
+
+        The remaining fields are optional: client_id, scope.
+        """
+        if not self.grant_type:
+            raise AuthenticationException("Parameter 'grant_type' missing")
+
+        if self.grant_type == self.GRANT_TYPE_PASSWORD:
+            if not self.username or not self.password:
+                raise AuthenticationException("Parameter 'username' or 'password' missing")
+        elif self.grant_type == self.GRANT_TYPE_REFRESH_TOKEN:
+            if not self.refresh_token:
+                raise AuthenticationException("Parameter 'refresh_token' missing")
+        elif self.grant_type == self.GRANT_TYPE_CLIENT_CREDENTIALS:
+            if not self.client_secret:
+                raise AuthenticationException("Parameter 'client_secret' missing")
+        else:
+            raise AuthenticationException(f"Unknown grant type '{self.grant_type}'")
+
+    def verify(self) -> bool:
+        """
+        Function that verifies the authentication credentials.
+        Depending on the authentication type, the credentials are verified.
+
+        :return: Returns whether the provided credentials are valid.
+        """
+        if self.grant_type == self.GRANT_TYPE_PASSWORD:
+            return self.username == config.auth_username and self.password == config.auth_password
+        elif self.grant_type == self.GRANT_TYPE_REFRESH_TOKEN:
+            return JWTAuthenticator.validate_refresh_token(self.refresh_token)
+        elif self.grant_type == self.GRANT_TYPE_CLIENT_CREDENTIALS:
+            return self.client_secret == config.auth_secret
+        else:
+            raise AuthenticationException(f"Unknown grant type '{self.grant_type}'")