Feat/ota 2666/garage tools mutual tls #1243
Conversation
Codecov Report
@@ Coverage Diff @@
## master #1243 +/- ##
=========================================
Coverage ? 79.33%
=========================================
Files ? 171
Lines ? 10160
Branches ? 0
=========================================
Hits ? 8060
Misses ? 2100
Partials ? 0
Continue to review full report at Codecov.
|
|
Pushed a trivial fix for the debian testing ci |
src/sota_tools/authenticate_test.cc
Outdated
|
|
||
| /* Authenticate with nothing (no auth). | ||
| * Parse authentication information from treehub.json. | ||
| * Parse images repository URL from a provided archive. */ | ||
| TEST(authenticate, good_cert_noauth_zip) { | ||
| // Authenticates with ssl_noauth_server on port 2443. |
There was a problem hiding this comment.
Just a minor nitpicking: would be better to use "tls" instead of "ssl" everywhere to be consistent with kTls and such.
| /* Authenticate with OAuth2. | ||
| * Parse authentication information from treehub.json. */ | ||
| TEST(authenticate, good_zip) { | ||
| // Authenticates with the ATS portal to the SaaS instance. |
There was a problem hiding this comment.
What is "the ATS portal", is it connect.ota.here.com ?
There was a problem hiding this comment.
Nope, that's the normal portal. https://app.atsgarage.com/ is the old portal that surprisingly still works but basically serves the same content.
| TreehubServer treehub; | ||
| int r = authenticate("", creds, treehub); | ||
| int r = authenticate("tests/fake_http_server/server.crt", creds, treehub); |
There was a problem hiding this comment.
Maybe, makes sense to pass "tests/fake_http_server/server.crt" as the test parameter ?
There was a problem hiding this comment.
Sorry, where should it get passed from?
There was a problem hiding this comment.
From corrsponding CMakeLists.txt
add_aktualizr_test(NAME SOURCES <> ARGS )
There was a problem hiding this comment.
but, it's really not important, not sure if it's worth bothering
There was a problem hiding this comment.
Seems like that's just moving the hardcoded value to a more obscure place. I'm not sure I see the benefit right now. That said, I'm interested in redoing this logic so that we can generate all the certs and such dynamically, and once that is done, something like what you are suggesting will probably be necessary.
There was a problem hiding this comment.
Yeah, + for the dynamic certs generation, also using TEST_F/test fixtures/base class is an ideal for sharing the same context across multiple tests.
src/sota_tools/authenticate_test.cc
Outdated
|
|
||
| /* Authenticate with nothing (no auth). | ||
| * Parse authentication information from treehub.json. | ||
| * Parse images repository URL from a provided archive. */ | ||
| TEST(authenticate, good_cert_noauth_zip) { | ||
| // Authenticates with ssl_noauth_server on port 2443. |
There was a problem hiding this comment.
Is this port number 2443 actually hard-coded value or it's a parameter or a configuration variable ?
There was a problem hiding this comment.
It's hardcoded. It probably shouldn't be anymore. I'll look into that.
| boost::filesystem::path filepath = "tests/sota_tools/auth_test_noauth_good.zip"; | ||
| ServerCredentials creds(filepath); | ||
| EXPECT_EQ(creds.GetMethod(), AuthMethod::kNone); | ||
| TreehubServer treehub; | ||
| int r = authenticate("tests/fake_http_server/client.crt", creds, treehub); | ||
| int r = authenticate("tests/fake_http_server/server.crt", creds, treehub); |
There was a problem hiding this comment.
Maybe, makes sense to pass "tests/fake_http_server/server.crt" as the test parameter ?
| TreehubServer treehub; | ||
| int r = authenticate("", ServerCredentials(filepath), treehub); | ||
| int r = authenticate("", creds, treehub); | ||
| EXPECT_EQ(0, r); | ||
| CurlEasyWrapper curl_handle; | ||
| curlEasySetoptWrapper(curl_handle.get(), CURLOPT_VERBOSE, 1); |
There was a problem hiding this comment.
Does it make sense to continue the test control flow if the authentication fails, if not then ASSERT_EQ should serve better here.
There was a problem hiding this comment.
The EXPECT_EQ shouldn't hurt and it's not like we'll save a huge amount of test time if we fail earlier. We normally use EXPECT for everything unless there's a good reason not to. If there is consensus around changing that norm, I'm open to revising it, though.
There was a problem hiding this comment.
No worries, I don't think that there is much practical benefits in it.
| method_ = AuthMethod::kTls; | ||
| } else if (strcmp(filename, "api_gateway.url") == 0) { | ||
| use_api_gateway = true; | ||
| ostree_server_ = readArchiveFile(a)->str(); |
There was a problem hiding this comment.
I read this like ostree_server and api_gateway are the same entity.
There was a problem hiding this comment.
Unfortunately, for backwards compatibility, we have to support the case where there is no API gateway for some period. Going forward, there should always be such a gateway, but if we don't have the URL in the credentials.zip (or there wasn't such a gateway deployed), we still need to be able to talk to treehub directly.
| try { | ||
| ptree pt; | ||
| if (use_api_gateway) { | ||
| repo_url_ = ostree_server_; |
There was a problem hiding this comment.
Now, ostree_server becomes repo_url :)
Some of the answers can be gleaned from https://github.com/advancedtelematic/aktualizr/blob/master/docs/provisioning-methods-and-credentialszip.adoc. What exactly are you looking for, though? Do you want a sequence diagram or a better explanation of the options?
You mean you want to use the ostree commandline tool? If so, I don't think you can. We are operating on OSTree objects directly and parsing them with glib ourselves to walk the object trees. (We do that to avoid a dependency on libostree.) Or is there something else you want to do? |
pattivacek
force-pushed
the
feat/OTA-2666/garage-tools-mutual-tls
branch
from
f1705ad
to
3f9e8a6
Compare
I've already figured out what I wanted by debugging through the code. Thanks. |
pattivacek
force-pushed
the
feat/OTA-2666/garage-tools-mutual-tls
branch
from
3f9e8a6
to
870db0a
Compare
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
The old method required seperate client cert, key, and root CA in the credentials archive. It has been unused as far as I can tell for at least a year, if not two or more. The one test for it has been broken for a long time. That method has been replaced with mutual TLS support, which is what the backend is transitioning to. OAuth2 support will eventually get dropped on the server, but in the meantime we still need to support it for some transitional period. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
Added new server certs to get this to work correctly. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
Verify that it actually uses TLS but fails. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
This means they don't have to be hardcoded binary objects anymore. Even better would be to actually generate the p12 based on the certs as I'd originally planned but ran out of time for. Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
Used by tests/sota_tools/cert_generation/generate-zips.sh Signed-off-by: Laurent Bonnans <laurent.bonnans@here.com>
Signed-off-by: Patrick Vacek <patrickvacek@gmail.com>
pattivacek
force-pushed
the
feat/OTA-2666/garage-tools-mutual-tls
branch
from
870db0a
to
85deb96
Compare
|
Should we merge this or wait until we can test with a "real" server? I had also considered doing some more work to make the test data more dynamically generated, but I didn't want to do it before I knew for sure that it worked with the final server implementation. I particularly wanted to get rid of the binary p12 files that I had to had to this PR in its current state. |
|
If it doesn't break something that's already working (which I think it's the case), we can probably merge it. |
Yeah, fair enough. I don't want to have to keep rebasing this, and I'm pretty sure this is on the right track for the eventual integration with the real server implementation. There's still some improvements that could be made here, especially in the automation of the tests, but I think it's a good start. |
Short version: it works! Well, it works as far as the unit tests are concerned. The certs were generated by the Makefile that @simao provided and @koshelev, @jochenschneider, and @zabbal consulted with.
Long version: This still hasn't been tested with any real server implementation. Also, this PR currently violates my preference to keep binaries out of git. I was able to add some scripts to generate the zip files based on the p12, but that could be taken further to start from just the certs, or we could go even further and basically incorporate Simao's Makefile. That would be cool, actually. Also, it's annoying that in the current branch, I delete the old zips, add new ones, delete them, and add p12s. It should probably be refactored/rebased to just delete the old zips and add the p12s directly. I'm not fixing it right now in case there are other changes based on code review or testing with a real server.
Also: there should be more unit tests for various the combinations of client_auth.p12, api_gateway.url, and treehub.json. We should test that we prefer the p12 and URL if available.