Merge pull request #3506 from ControlSystemStudio/pva_acl

PVA access permissions info

Author: kasemir

core/pv-pva/src/main/java/org/phoebus/pv/pva/PVA_PV.java

@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2019-2022 Oak Ridge National Laboratory.
+ * Copyright (c) 2019-2025 Oak Ridge National Laboratory.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -44,7 +44,9 @@ public PVA_PV(final String name, final String base_name) throws Exception
         // Analyze base_name, determine channel and request
         name_helper = PVNameHelper.forName(base_name);
         logger.log(Level.FINE, () -> "PVA '" + base_name + "' -> " + name_helper);
-        channel = PVA_Context.getInstance().getClient().getChannel(name_helper.getChannel(), this::channelStateChanged);
+        channel = PVA_Context.getInstance().getClient().getChannel(name_helper.getChannel(),
+                                                                   this::channelStateChanged,
+                                                                   this::accessRightsChanged);
     }
 
     private void channelStateChanged(final PVAChannel channel, final ClientChannelState state)
@@ -67,6 +69,11 @@ else if (! isDisconnected(super.read()))
         }
     }
 
+    private void accessRightsChanged(final PVAChannel channel, final boolean is_writable)
+    {
+        notifyListenersOfPermissions(! is_writable);
+    }
+
     private void handleMonitor(final PVAChannel channel,
                                final BitSet changes,
                                final BitSet overruns,

core/pva/src/main/java/org/epics/pva/PVASettings.java

@@ -219,7 +219,7 @@ public class PVASettings
     public static int EPICS_PVA_TCP_SOCKET_TMO = 5;
 
     /** Maximum number of array elements shown when printing data */
-    public static int EPICS_PVA_MAX_ARRAY_FORMATTING = 256;
+    public static int EPICS_PVA_MAX_ARRAY_FORMATTING = 50;
 
     /** Range of beacon periods in seconds recognized as "fast, new" beacons
      *  that re-start searches for disconnected channels.
@@ -275,6 +275,11 @@ public class PVASettings
         EPICS_PVAS_TLS_OPTIONS = get("EPICS_PVAS_TLS_OPTIONS", EPICS_PVAS_TLS_OPTIONS);
         require_client_cert =  EPICS_PVAS_TLS_OPTIONS.contains("client_cert=require");
         EPICS_PVA_TLS_KEYCHAIN = get("EPICS_PVA_TLS_KEYCHAIN", EPICS_PVA_TLS_KEYCHAIN);
+        if (EPICS_PVA_TLS_KEYCHAIN.isEmpty()  &&  !EPICS_PVAS_TLS_KEYCHAIN.isEmpty())
+        {
+            EPICS_PVA_TLS_KEYCHAIN = EPICS_PVAS_TLS_KEYCHAIN;
+            logger.log(Level.CONFIG, "EPICS_PVA_TLS_KEYCHAIN (empty) updated from EPICS_PVAS_TLS_KEYCHAIN");
+        }
         EPICS_PVA_SEND_BUFFER_SIZE = get("EPICS_PVA_SEND_BUFFER_SIZE", EPICS_PVA_SEND_BUFFER_SIZE);
         EPICS_PVA_FAST_BEACON_MIN = get("EPICS_PVA_FAST_BEACON_MIN", EPICS_PVA_FAST_BEACON_MIN);
         EPICS_PVA_FAST_BEACON_MAX = get("EPICS_PVA_FAST_BEACON_MAX", EPICS_PVA_FAST_BEACON_MAX);

core/pva/src/main/java/org/epics/pva/client/AccessRightsChangeHandler.java

@@ -0,0 +1,46 @@
+/*******************************************************************************
+ * Copyright (c) 2025 Oak Ridge National Laboratory.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ ******************************************************************************/
+package org.epics.pva.client;
+
+import static org.epics.pva.PVASettings.logger;
+
+import java.nio.ByteBuffer;
+import java.util.logging.Level;
+
+import org.epics.pva.common.AccessRightsChange;
+import org.epics.pva.common.CommandHandler;
+import org.epics.pva.common.PVAHeader;
+
+/** Handle a server's CMD_ACL_CHANGE message
+ *  @author Kay Kasemir
+ */
+class AccessRightsChangeHandler implements CommandHandler<ClientTCPHandler>
+{
+    @Override
+    public byte getCommand()
+    {
+        return PVAHeader.CMD_ACL_CHANGE;
+    }
+
+    @Override
+    public void handleCommand(final ClientTCPHandler tcp, final ByteBuffer buffer) throws Exception
+    {
+        final AccessRightsChange acl = AccessRightsChange.decode(tcp.getRemoteAddress(), buffer.remaining(), buffer);
+        if (acl == null)
+            return;
+        final PVAChannel channel = tcp.getClient().getChannel(acl.cid);
+        if (channel == null)
+        {
+            logger.log(Level.WARNING, this + " received CMD_ACL_CHANGE for unknown channel ID " + acl.cid);
+            return;
+        }
+
+        logger.log(Level.FINE, () -> "Received '" + channel.getName() + "' " + acl);
+        channel.updateAccessRights(acl.havePUTaccess());
+    }
+}

core/pva/src/main/java/org/epics/pva/client/ClientAccessRightsListener.java

@@ -0,0 +1,27 @@
+/*******************************************************************************
+ * Copyright (c) 2025 Oak Ridge National Laboratory.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ ******************************************************************************/
+package org.epics.pva.client;
+
+/** Listener to a {@link PVAChannel} access rights
+ *  @author Kay Kasemir
+ */
+@FunctionalInterface
+public interface ClientAccessRightsListener
+{
+    /** Invoked when the channel access rights change
+     *
+     *  <p>Will be called as soon as possible, i.e. within
+     *  the thread that handles the network communication.
+     *
+     *  <p>Client code <b>must not</b> block.
+     *
+     *  @param channel      Channel with updated permissions
+     *  @param is_writable  May we write to the channel?
+     */
+    public void channelAccessRightsChanged(PVAChannel channel, boolean is_writable);
+}

core/pva/src/main/java/org/epics/pva/client/ClientChannelListener.java

@@ -1,16 +1,16 @@
 /*******************************************************************************
- * Copyright (c) 2019 Oak Ridge National Laboratory.
+ * Copyright (c) 2019-2025 Oak Ridge National Laboratory.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
  * http://www.eclipse.org/legal/epl-v10.html
  ******************************************************************************/
 package org.epics.pva.client;
 
-/** Listener to a {@link PVAChannel}
- *
+/** Listener to a {@link PVAChannel} state
  *  @author Kay Kasemir
  */
+@FunctionalInterface
 public interface ClientChannelListener
 {
     /** Invoked when the channel state changes

core/pva/src/main/java/org/epics/pva/client/ClientTCPHandler.java

@@ -48,6 +48,7 @@ class ClientTCPHandler extends TCPHandler
                               new ValidatedHandler(),
                               new EchoHandler(),
                               new CreateChannelHandler(),
+                              new AccessRightsChangeHandler(),
                               new DestroyChannelHandler(),
                               new GetHandler(),
                               new PutHandler(),

core/pva/src/main/java/org/epics/pva/client/PVAChannel.java

@@ -12,6 +12,7 @@
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CopyOnWriteArrayList;
 import java.util.concurrent.TimeoutException;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.concurrent.atomic.AtomicReference;
 import java.util.logging.Level;
@@ -38,13 +39,13 @@
  *
  *  <p>When no longer in use, the channel should be {@link #close()}d.
  *
- * 
+ *
  * Note that several methods return a CompletableFuture.
  * This has been done because at this time the Futures used internally are indeed CompletableFutures
  * and this type offers an extensive API for composition and chaining of futures.
  * But note that user code must never call 'complete(..)' nor 'completeExceptionally()'
  * on the provided CompletableFutures.
- * 
+ *
  *  @author Kay Kasemir
  */
 @SuppressWarnings("nls")
@@ -63,7 +64,11 @@ public class PVAChannel extends SearchRequest.Channel implements AutoCloseable
 
     private final PVAClient client;
     private final ClientChannelListener listener;
+    private final ClientAccessRightsListener access_rights_listener;
     private volatile int sid = -1;
+    // For compatibility with earlier implementation,
+    // assume channels are writable until access_rights_listener tells otherwise
+    private AtomicBoolean is_writable = new AtomicBoolean(true);
 
     /** State
      *
@@ -79,11 +84,14 @@ public class PVAChannel extends SearchRequest.Channel implements AutoCloseable
 
     private final CopyOnWriteArrayList<MonitorRequest> subscriptions = new CopyOnWriteArrayList<>();
 
-    PVAChannel(final PVAClient client, final String name, final ClientChannelListener listener)
+    PVAChannel(final PVAClient client, final String name,
+               final ClientChannelListener listener,
+               final ClientAccessRightsListener access_rights_listener)
     {
         super(CID_Provider.incrementAndGet(), name);
         this.client = client;
         this.listener = listener;
+        this.access_rights_listener = access_rights_listener;
     }
 
     PVAClient getClient()
@@ -121,6 +129,21 @@ public boolean isConnected()
         return getState() == ClientChannelState.CONNECTED;
     }
 
+    /** @return <code>true</code> if channel has write permissions */
+    public boolean isWritable()
+    {
+        return is_writable.get();
+    }
+
+    /** Called by AccessRightsChangeHandler
+     *  @param may_write Is channel writable?
+     */
+    void updateAccessRights(final boolean may_write)
+    {
+        if (is_writable.getAndSet(may_write) != may_write)
+            access_rights_listener.channelAccessRightsChanged(this, may_write);
+    }
+
     /** Wait for channel to connect
      *  @return {@link CompletableFuture} to await connection.
      *          <code>true</code> on success,

core/pva/src/main/java/org/epics/pva/client/PVAClient.java

@@ -40,12 +40,14 @@
  *
  *  @author Kay Kasemir
  */
-@SuppressWarnings("nls")
 public class PVAClient implements AutoCloseable
 {
-    /** Default channel listener logs state changes */
+    /** Default channel state listener logs state changes */
     private static final ClientChannelListener DEFAULT_CHANNEL_LISTENER = (ch, state) ->  logger.log(Level.INFO, ch.toString());
 
+    /** Default channel access rights listener does nothing */
+    private static final ClientAccessRightsListener DEFAULT_ACCESS_RIGHTS_LISTENER = (ch, write) ->  {};
+
     private final ClientUDPHandler udp;
 
     private final BeaconTracker beacons = new BeaconTracker();
@@ -166,7 +168,23 @@ public PVAChannel getChannel(final String channel_name)
      */
     public PVAChannel getChannel(final String channel_name, final ClientChannelListener listener)
     {
-        final PVAChannel channel = new PVAChannel(this, channel_name, listener);
+        return getChannel(channel_name, listener, DEFAULT_ACCESS_RIGHTS_LISTENER);
+    }
+
+    /** Create channel by name
+     *
+     *  <p>Starts search.
+     *
+     *  @param channel_name PVA channel name
+     *  @param state_listener {@link ClientChannelListener} that will be invoked with connection state updates
+     *  @param access_rights_listener {@link ClientAccessRightsListener} that will be invoked with access rights updates
+     *  @return {@link PVAChannel}
+     */
+    public PVAChannel getChannel(final String channel_name,
+                                 final ClientChannelListener state_listener,
+                                 final ClientAccessRightsListener access_rights_listener)
+    {
+        final PVAChannel channel = new PVAChannel(this, channel_name, state_listener, access_rights_listener);
         channels_by_id.putIfAbsent(channel.getCID(), channel);
 
         // Register with search

core/pva/src/main/java/org/epics/pva/client/PVAClientMain.java

@@ -71,7 +71,10 @@ private static void help()
 
     private static void setLogLevel(final Level level)
     {
-        PVASettings.logger.setLevel(level);
+        // Cannot use PVASettings.logger here because that would
+        // construct it and log CONFIG messages before we might be
+        // able to disable them
+        Logger.getLogger("org.epics.pva").setLevel(level);
         Logger.getLogger("jdk.event.security").setLevel(level);
     }
 
@@ -97,8 +100,8 @@ private static void info(final List<String> names) throws Exception
                     final PVAChannel pv = iter.next();
                     if (pv.getState() == ClientChannelState.CONNECTED)
                     {
-                        PVASettings.logger.log(Level.INFO, "Server: " + pv.getTCP().getServerX509Name());
-                        PVASettings.logger.log(Level.INFO, "Client: " + pv.getTCP().getClientX509Name());
+                        PVASettings.logger.log(Level.INFO, "Server X509 Name: " + pv.getTCP().getServerX509Name());
+                        PVASettings.logger.log(Level.INFO, "Client X509 Name: " + pv.getTCP().getClientX509Name());
 
                         final PVAData data = pv.info(request).get(timeout_ms, TimeUnit.MILLISECONDS);
                         System.out.println(pv.getName() + " = " + data.formatType());
@@ -142,8 +145,8 @@ private static void get(final List<String> names) throws Exception
                     final PVAChannel pv = iter.next();
                     if (pv.getState() == ClientChannelState.CONNECTED)
                     {
-                        PVASettings.logger.log(Level.INFO, "Server: " + pv.getTCP().getServerX509Name());
-                        PVASettings.logger.log(Level.INFO, "Client: " + pv.getTCP().getClientX509Name());
+                        PVASettings.logger.log(Level.INFO, "Server X509 Name: " + pv.getTCP().getServerX509Name());
+                        PVASettings.logger.log(Level.INFO, "Client X509 Name: " + pv.getTCP().getClientX509Name());
 
                         final PVAData data = pv.read(request).get(timeout_ms, TimeUnit.MILLISECONDS);
                         System.out.println(pv.getName() + " = " + data);
@@ -188,8 +191,8 @@ private static void monitor(final List<String> names) throws Exception
                     {
                         try
                         {
-                            PVASettings.logger.log(Level.INFO, "Server: " + ch.getTCP().getServerX509Name());
-                            PVASettings.logger.log(Level.INFO, "Client: " + ch.getTCP().getClientX509Name());
+                            PVASettings.logger.log(Level.INFO, "Server X509 Name: " + ch.getTCP().getServerX509Name());
+                            PVASettings.logger.log(Level.INFO, "Client X509 Name: " + ch.getTCP().getClientX509Name());
                             ch.subscribe(request, listener);
                         }
                         catch (Exception ex)