diff --git a/docs/using.rst b/docs/using.rst
index 3a545ddc..b0ec0aad 100644
--- a/docs/using.rst
+++ b/docs/using.rst
@@ -38,7 +38,7 @@ list of trusted certificates. The clients request has:
-- to have a TLS connection to the reverse proxy server
+- to have a TLS connection to the reverse proxy server (`ssl` config option must be true)
 - to contain the client certificate
 - to have the common name of the server certificate match the server name set in the configuration file as "hawkbit_server"
diff --git a/src/config-file.c b/src/config-file.c
index 089b1ccd..13ba5779 100644
--- a/src/config-file.c
+++ b/src/config-file.c
@@ -268,29 +268,6 @@ Config* load_config_file(const gchar *config_file, GError **error)
 key_client_key_exists = get_key_string(ini_file, "client", "client_key", &config->client_key, NULL, NULL);
- if (key_client_key_exists && key_client_cert_exists) {
- client_cert_auth = TRUE;
- if (g_access(config->client_cert, F_OK|R_OK)!=0) {
- g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
- "Can't read client_cert: %s",config->client_cert);
- return NULL;
- }
- else if (g_access(config->client_key, F_OK|R_OK)!=0) {
- g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
- "Can't read client_key: %s",config->client_key);
- return NULL;
- }
- }
- if (!key_auth_token_exists && !key_gateway_token_exists && !(client_cert_auth)) {
- g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE, "Neither a token nor client certificate are set!");
- return NULL;
- }
- else if (key_auth_token_exists && key_gateway_token_exists) {
- g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
- "Both 'auth_token' and 'gateway_token' set");
- return NULL;
- }
- if (!get_key_string(ini_file, "client", "target_name", &config->controller_id, NULL, error)) return NULL;
@@ -345,6 +322,33 @@ Config* load_config_file(const gchar *config_file, GError **error)
 "'bundle_download_location' is required if 'stream_bundle' is disabled");
 return NULL;
 }
+ if (key_client_key_exists && key_client_cert_exists) {
+ client_cert_auth = TRUE;
+ if(!config->ssl){
+ g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
+ "'ssl' config option must be true for client certificate authentication");
+ return NULL;
+ }
+ if (g_access(config->client_cert, F_OK|R_OK)!=0) {
+ g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
+ "Can't read client_cert: %s",config->client_cert);
+ return NULL;
+ }
+ else if (g_access(config->client_key, F_OK|R_OK)!=0) {
+ g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
+ "Can't read client_key: %s",config->client_key);
+ return NULL;
+ }
+ }
+ if (!key_auth_token_exists && !key_gateway_token_exists && !(client_cert_auth)) {
+ g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE, "Neither a token nor client certificate are set!");
+ return NULL;
+ }
+ else if (key_auth_token_exists && key_gateway_token_exists) {
+ g_set_error(error, G_KEY_FILE_ERROR, G_KEY_FILE_ERROR_INVALID_VALUE,
+ "Both 'auth_token' and 'gateway_token' set");
+ return NULL;
+ }
 return g_steal_pointer(&config);
 }
diff --git a/test/test_basics.py b/test/test_basics.py
index df231510..96fca4f3 100644
--- a/test/test_basics.py
+++ b/test/test_basics.py
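Review bot: The new `if(!config->ssl){` at the head of the moved block is formatted differently from the neighbouring `if (g_access(config->client_cert, F_OK|R_OK)!=0) {` checks; `if (!config->ssl) {` keeps the block uniform. The reason for moving the whole client-certificate/token validation to the end of the function — it can only be evaluated once the `ssl` key has been parsed — is not recorded anywhere, so a comment on the first added line such as `/* Must run after 'ssl' is parsed: client certificate authentication is only meaningful over TLS. */` would stop a later refactor from moving it back up. The `g_access()` calls only establish that the cert and key files are readable at config-load time, not when they are later handed to the TLS layer, so this is a usability check rather than a security boundary; a short comment saying so, e.g. `/* early readability check only; the TLS layer opens the files later */`, would set expectations. `load_config_file` begins outside the hunk.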
@@ -92,6 +92,18 @@ def test_register_and_check_valid_gateway_token(hawkbit, adjust_config, trailing
 assert 'MESSAGE: Checking for new software...' in out
 assert err == ''
+def test_config_client_cert_ssl_false(adjust_config):
+ """Test config with client cert authentication but ssl false."""
+ file_path="/bad/file"
+ config = adjust_config({"client": {"client_cert": "any",
+ "client_key": "any",
+ }},
+ remove={'client': 'auth_token'})
+
+ out, err, exitcode = run(f'rauc-hawkbit-updater -c "{config}" -r')
+ assert exitcode == 4
+ assert f"'ssl' config option must be true for client certificate authentication" in err
+
 @pytest.mark.parametrize("client_cert", [None, "bad_path", "good_file","empty"])
 @pytest.mark.parametrize("client_key", [None, "bad_path", "good_file","empty"])
 def test_config_client_cert_and_key(adjust_config,tmp_path_factory,client_cert,client_key):
@@ -111,14 +123,13 @@ def parameter_to_value(key, value):
 client_cert_conf = parameter_to_value("client_cert",client_cert)
 client_key_conf = parameter_to_value("client_key",client_key)
- config = adjust_config({"client": {**client_cert_conf, **client_key_conf}},
+ config = adjust_config({"client": {**client_cert_conf, **client_key_conf, "ssl": "true"}},
 remove={'client': 'auth_token'})
 out, err, exitcode = run(f'rauc-hawkbit-updater -c "{config}" -r')
 if "good_file" == client_key == client_cert:
 assert exitcode == 1
 assert 'MESSAGE: Checking for new software...' in out
- assert 'WARNING: Failed to authenticate. Check client certificate and client private key' in err
 elif client_key is None or client_cert is None:
 assert exitcode == 4
 assert err.strip() == \
diff --git a/test/test_mtls.py b/test/test_mtls.py
index 227a5143..c4becfdf 100644
--- a/test/test_mtls.py
+++ b/test/test_mtls.py
@@ -1,6 +1,6 @@
 import pytest
-from test.helper import run
+from helper import run
 @pytest.mark.parametrize('mode', ('download','streaming'))
 def test_install_success_mtls(hawkbit, adjust_config, bundle_assigned,
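Review bot: `file_path="/bad/file"` in `test_config_client_cert_ssl_false` is assigned and never read, and the final assertion is an f-string with no placeholders; drop the `file_path` line and write `assert "'ssl' config option must be true for client certificate authentication" in err`. The test also relies on the fixture's default `ssl` value being false, which is not visible in the hunk; adding `"ssl": "false"` to the `client` dict (mirroring the `"ssl": "true"` used in the parametrized test below) would make the precondition the test name states explicit rather than inherited from `adjust_config`.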
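Review bot: In `test_config_client_cert_and_key`, the `good_file`/`good_file` branch no longer asserts on stderr once the `WARNING: Failed to authenticate...` check is removed, so it now only verifies `exitcode == 1` and the 'Checking for new software...' message; any failure that exits with 1 after that message would pass. If enabling `ssl` changed the warning text, asserting the new message — or at minimum `assert err != ''` — would keep this branch meaningful; the updater's output on this path is not visible in the hunk, so the exact string has to come from a run. The enclosing function's `parameter_to_value` helper and its remaining branches lie outside the hunk.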