Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add option to authenticate via client certificates updated #166

Open
wants to merge 17 commits into
base: master
Choose a base branch
from

Conversation

flobz
Copy link

@flobz flobz commented Sep 27, 2023

Hello,
I updated this PR: #38 to apply @Bastian-Krause recommendation.
If there anything else to before merging ?

@flobz flobz force-pushed the WIP/ctenruh-phytec/client_certificates branch 4 times, most recently from 726d39e to 04676d2 Compare September 27, 2023 12:55
Copy link
Member

@Bastian-Krause Bastian-Krause left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In #38 (comment), I said:

It would be great to have an actual test case for this with a reverse proxy. We already use nginx for some test cases (see test/conftest.py).

This would be really useful.

docs/using.rst Outdated
ssl_verify = true
tenant_id = DEFAULT
target_name = test-target
auth_token =
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be commented, too?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed !

Comment on lines 264 to 288
key_client_cert_exists = get_key_string(ini_file, "client", "client_cert", &config->client_cert, NULL, NULL);

key_client_key_exists = get_key_string(ini_file, "client", "client_key", &config->client_key, NULL, NULL);

if (!key_auth_token_exists && !key_gateway_token_exists && !(key_client_cert_exists && key_client_key_exists)) {
g_set_error(error, 1, 4, "Neither a token nor client certificate are set!");
return NULL;
}
if (key_auth_token_exists && key_gateway_token_exists) {
else if (key_auth_token_exists && key_gateway_token_exists) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can see, this allows various strange combinations of auth/gateway token and cert/key:

  • auth_token + client_cert + client_key
  • gateway_token + client_cert + client_key

Since there a no later checks, both auth methods would need to be present. Does hawkBit support these cases?

  • auth_token + client_cert
  • auth_token + client_key
  • gateway_token + client_cert
  • gateway_token + client_key

These cases lead to auth_token or gateway_token being used, but no warning/error. That should be fixed.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's possible to have two level of security in the same time:

  • Reverse proxy do authentication with cert
  • Hawkbit with token

So in my opinion we should allow token+ cert.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, this should be documented then. The last 4 scenarios should be fixed.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this enough documented : https://github.com/rauc/rauc-hawkbit-updater/pull/166/files#diff-00d05b0405040981002c129a067f3ae336e345b5b62512322b116f63aec6c341R62 ?
What do you mean by 'The last 4 scenarios should be fixed." ?

docs/using.rst Outdated
Comment on lines 66 to 67
ssl = true
ssl_verify = true
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From #38 (comment):

What happens if these options are false?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added the answer here : https://github.com/flobz/rauc-hawkbit-updater/blob/419925f13ac05d311d92e9129661783456726d78/docs/using.rst?plain=1#L66
If the CA of the reverse proxy server is untrusted set ssl_verify to false.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, but what about the ssl option? That is required, right? Should be documented and a run time check would also be nice.

Copy link
Author

@flobz flobz Oct 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you're right I forgot this check : c972261

Comment on lines +262 to +266
curl_easy_setopt(curl, CURLOPT_SSLCERT, hawkbit_config->client_cert);
curl_easy_setopt(curl, CURLOPT_SSLKEY, hawkbit_config->client_key);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The existence of these files was never checked. What happens if they don't exist?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I add a check 118b83d

docs/using.rst Outdated
Comment on lines 6 to 7
Authentication
--------------
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please leave this section as is and add the sections below as subsections.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

Client certificate and privat key of Client certificate are send to the set
Server. Add description on how to use this authentication method in
"docs/using.rst" file.

Signed-off-by: Cem Tenruh <[email protected]>
@flobz flobz force-pushed the WIP/ctenruh-phytec/client_certificates branch from 04676d2 to 419925f Compare October 6, 2023 14:53
flobz added 3 commits October 6, 2023 17:03
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
@flobz flobz force-pushed the WIP/ctenruh-phytec/client_certificates branch from 419925f to 9a2bb21 Compare October 6, 2023 15:04
@flobz flobz force-pushed the WIP/ctenruh-phytec/client_certificates branch from 9a2bb21 to 28cf12b Compare October 6, 2023 15:05
@flobz
Copy link
Author

flobz commented Oct 6, 2023

In #38 (comment), I said:

It would be great to have an actual test case for this with a reverse proxy. We already use nginx for some test cases (see test/conftest.py).

This would be really useful.

I add test but there is an issue. Hawkbit doesn't support downloading artifacts using http and https in the same time.
I add a PR on hawkbit repo eclipse-hawkbit/hawkbit#1449 but for now two hawkbit container config are needed.

@Bastian-Krause Bastian-Krause added the enhancement New feature or request label Oct 9, 2023
@flobz flobz force-pushed the WIP/ctenruh-phytec/client_certificates branch 3 times, most recently from 6d90f92 to 146096a Compare October 10, 2023 19:02
@flobz
Copy link
Author

flobz commented Oct 18, 2023

@Bastian-Krause can you restart the "workflow" please ? I would like to check if change made to the pipeline works.

@ejoerns
Copy link
Member

ejoerns commented Oct 18, 2023

I've just triggered the CI workflow

flobz added 4 commits October 24, 2023 09:09
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
flobz added 2 commits October 24, 2023 09:13
Signed-off-by: Florian Bezannier <[email protected]>
@flobz flobz force-pushed the WIP/ctenruh-phytec/client_certificates branch from 146096a to 4816283 Compare October 24, 2023 07:21
@flobz
Copy link
Author

flobz commented Oct 24, 2023

Ok I fixed the CI but I don't understand why it worked before and why it doesn't work anymore...
I had to add this b2d77d9.
Can you restart the workflow please ?

@Bastian-Krause
Copy link
Member

This will probably need to wait a few more weeks until I have time to review this.

@flobz flobz requested a review from Bastian-Krause October 24, 2023 10:11
@flobz flobz force-pushed the WIP/ctenruh-phytec/client_certificates branch from 0770400 to 99dc571 Compare December 5, 2023 15:50
@flobz
Copy link
Author

flobz commented Dec 5, 2023

I add test but there is an issue. Hawkbit doesn't support downloading artifacts using http and https in the same time. I add a PR on hawkbit repo eclipse/hawkbit#1449 but for now two hawkbit container config are needed.

It's fixed in hawkbit 0.3.0.

@Bastian-Krause would you be able to do a review soon ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants