Authorizer checks client do not change endpoint during same registration

See: #1415

leshan-lwm2m-server/src/main/java/org/eclipse/leshan/server/registration/RegistrationHandler.java

@@ -98,7 +98,8 @@ public SendableResponse<RegisterResponse> register(LwM2mPeer sender, RegisterReq
         Registration registrationToApproved = builder.build();
 
         // We check if the client get authorization.
-        Authorization authorization = authorizer.isAuthorized(registerRequest, registrationToApproved, sender);
+        Authorization authorization = authorizer.isAuthorized(registerRequest, registrationToApproved, sender,
+                endpointUsed);
         if (authorization.isDeclined()) {
             return new SendableResponse<>(RegisterResponse.forbidden(null));
         }
@@ -134,7 +135,8 @@ public void run() {
         return new SendableResponse<>(RegisterResponse.success(approvedRegistration.getId()), whenSent);
     }
 
-    public SendableResponse<UpdateResponse> update(LwM2mPeer sender, UpdateRequest updateRequest) {
+    public SendableResponse<UpdateResponse> update(LwM2mPeer sender, UpdateRequest updateRequest,
+            EndpointUri endpointUsed) {
 
         // We check if there is a registration to update
         Registration currentRegistration = registrationService.getById(updateRequest.getRegistrationId());
@@ -143,7 +145,7 @@ public SendableResponse<UpdateResponse> update(LwM2mPeer sender, UpdateRequest u
         }
 
         // We check if the client get authorization.
-        Authorization authorization = authorizer.isAuthorized(updateRequest, currentRegistration, sender);
+        Authorization authorization = authorizer.isAuthorized(updateRequest, currentRegistration, sender, endpointUsed);
         if (authorization.isDeclined()) {
             return new SendableResponse<>(UpdateResponse.badRequest("forbidden"));
         }
@@ -183,7 +185,8 @@ public void run() {
         }
     }
 
-    public SendableResponse<DeregisterResponse> deregister(LwM2mPeer sender, DeregisterRequest deregisterRequest) {
+    public SendableResponse<DeregisterResponse> deregister(LwM2mPeer sender, DeregisterRequest deregisterRequest,
+            EndpointUri endpointUsed) {
 
         // We check if there is a registration to remove
         Registration currentRegistration = registrationService.getById(deregisterRequest.getRegistrationId());
@@ -192,7 +195,8 @@ public SendableResponse<DeregisterResponse> deregister(LwM2mPeer sender, Deregis
         }
 
         // We check if the client get authorization.
-        Authorization authorization = authorizer.isAuthorized(deregisterRequest, currentRegistration, sender);
+        Authorization authorization = authorizer.isAuthorized(deregisterRequest, currentRegistration, sender,
+                endpointUsed);
         if (authorization.isDeclined()) {
             return new SendableResponse<>(DeregisterResponse.badRequest("forbidden"));
         }

leshan-lwm2m-server/src/main/java/org/eclipse/leshan/server/request/DefaultUplinkRequestReceiver.java

@@ -62,34 +62,34 @@ public class RequestHandler<T extends LwM2mResponse> implements UplinkDeviceMana
 
         private final LwM2mPeer sender;
         private final ClientProfile senderProfile;
-        private final EndpointUri endpoint;
+        private final EndpointUri endpointUri;
         private SendableResponse<? extends LwM2mResponse> response;
 
         public RequestHandler(LwM2mPeer sender, ClientProfile clientProfile, EndpointUri serverEndpointUri) {
             this.sender = sender;
             this.senderProfile = clientProfile;
-            this.endpoint = serverEndpointUri;
+            this.endpointUri = serverEndpointUri;
         }
 
         @Override
         public void visit(RegisterRequest request) {
-            response = registrationHandler.register(sender, request, endpoint);
+            response = registrationHandler.register(sender, request, endpointUri);
         }
 
         @Override
         public void visit(UpdateRequest request) {
-            response = registrationHandler.update(sender, request);
+            response = registrationHandler.update(sender, request, endpointUri);
 
         }
 
         @Override
         public void visit(DeregisterRequest request) {
-            response = registrationHandler.deregister(sender, request);
+            response = registrationHandler.deregister(sender, request, endpointUri);
         }
 
         @Override
         public void visit(SendRequest request) {
-            response = sendHandler.handleSend(sender, senderProfile.getRegistration(), request);
+            response = sendHandler.handleSend(sender, senderProfile.getRegistration(), request, endpointUri);
         }
 
         @SuppressWarnings("unchecked")

leshan-lwm2m-server/src/main/java/org/eclipse/leshan/server/security/Authorizer.java

@@ -16,6 +16,7 @@
 package org.eclipse.leshan.server.security;
 
 import org.eclipse.leshan.core.ResponseCode;
+import org.eclipse.leshan.core.endpoint.EndpointUri;
 import org.eclipse.leshan.core.peer.LwM2mPeer;
 import org.eclipse.leshan.core.request.UplinkRequest;
 import org.eclipse.leshan.server.registration.Registration;
@@ -42,8 +43,10 @@ public interface Authorizer {
      *        For register request this is the registration which will be created<br>
      *        For update request this is the registration before the update was done.
      * @param sender the {@link LwM2mPeer} which sent the request.
+     * @param endpointUri the endpoint URI which receive the request.
      *
      * @return an {@link Authorization} status.
      */
-    Authorization isAuthorized(UplinkRequest<?> request, Registration registration, LwM2mPeer sender);
+    Authorization isAuthorized(UplinkRequest<?> request, Registration registration, LwM2mPeer sender,
+            EndpointUri endpointUri);
 }

leshan-lwm2m-server/src/main/java/org/eclipse/leshan/server/security/DefaultAuthorizer.java

@@ -15,7 +15,9 @@
  *******************************************************************************/
 package org.eclipse.leshan.server.security;
 
+import org.eclipse.leshan.core.endpoint.EndpointUri;
 import org.eclipse.leshan.core.peer.LwM2mPeer;
+import org.eclipse.leshan.core.request.RegisterRequest;
 import org.eclipse.leshan.core.request.UplinkRequest;
 import org.eclipse.leshan.server.registration.Registration;
 import org.eclipse.leshan.servers.security.Authorization;
@@ -45,8 +47,31 @@ public DefaultAuthorizer(SecurityStore store, SecurityChecker checker) {
     }
 
     @Override
-    public Authorization isAuthorized(UplinkRequest<?> request, Registration registration, LwM2mPeer sender) {
+    public Authorization isAuthorized(UplinkRequest<?> request, Registration registration, LwM2mPeer sender,
+            EndpointUri endpointUri) {
 
+        if (!checkEndpointUri(request, registration, sender, endpointUri)) {
+            return Authorization.declined();
+        }
+
+        return checkIdentity(request, registration, sender, endpointUri);
+    }
+
+    protected boolean checkEndpointUri(UplinkRequest<?> request, Registration registration, LwM2mPeer sender,
+            EndpointUri endpointUri) {
+        if (!(request instanceof RegisterRequest)) {
+            // we do not allow to client to switch to another server endpoint within same registration
+            if (registration.getEndpointUri().equals(endpointUri)) {
+                return true;
+            } else {
+                return false;
+            }
+        }
+        return true;
+    }
+
+    protected Authorization checkIdentity(UplinkRequest<?> request, Registration registration, LwM2mPeer sender,
+            EndpointUri endpointUri) {
         // do we have security information for this client?
         SecurityInfo expectedSecurityInfo = null;
         if (securityStore != null)

leshan-lwm2m-server/src/main/java/org/eclipse/leshan/server/send/SendHandler.java

@@ -19,6 +19,7 @@
 import java.util.Map;
 import java.util.concurrent.CopyOnWriteArrayList;
 
+import org.eclipse.leshan.core.endpoint.EndpointUri;
 import org.eclipse.leshan.core.node.LwM2mNode;
 import org.eclipse.leshan.core.node.LwM2mPath;
 import org.eclipse.leshan.core.node.TimestampedLwM2mNodes;
@@ -64,7 +65,7 @@ public void removeListener(SendListener listener) {
     }
 
     public SendableResponse<SendResponse> handleSend(LwM2mPeer sender, Registration registration,
-            final SendRequest request) {
+            final SendRequest request, EndpointUri serverEndpointUri) {
 
         // try to update registration if needed
         final Registration updatedRegistration;

leshan-lwm2m-server/src/test/java/org/eclipse/leshan/server/registration/RegistrationHandlerTest.java

@@ -76,7 +76,8 @@ public void test_application_data_from_authorizer() {
         authorizer.willReturn(Authorization.approved(updatedAppData));
 
         // handle UPDATE request
-        registrationHandler.update(givenIdentity(), givenUpdateRequestWithID(registration.getId()));
+        registrationHandler.update(givenIdentity(), givenUpdateRequestWithID(registration.getId()),
+                givenServerEndpointUri());
 
         // check result
         registration = registrationStore.getRegistrationByEndpoint("myEndpoint");
@@ -105,7 +106,8 @@ public void test_update_without_application_data_from_authorizer() {
         authorizer.willReturn(Authorization.approved());
 
         // handle UPDATE request
-        registrationHandler.update(givenIdentity(), givenUpdateRequestWithID(registration.getId()));
+        registrationHandler.update(givenIdentity(), givenUpdateRequestWithID(registration.getId()),
+                givenServerEndpointUri());
 
         // check result
         registration = registrationStore.getRegistrationByEndpoint("myEndpoint");
@@ -142,7 +144,8 @@ public void willReturn(Authorization authorization) {
         }
 
         @Override
-        public Authorization isAuthorized(UplinkRequest<?> request, Registration registration, LwM2mPeer sender) {
+        public Authorization isAuthorized(UplinkRequest<?> request, Registration registration, LwM2mPeer sender,
+                EndpointUri endpointUri) {
             return autorization;
         }
     }