-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option to authenticate via client certificates updated #166
base: master
Are you sure you want to change the base?
Conversation
726d39e
to
04676d2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In #38 (comment), I said:
It would be great to have an actual test case for this with a reverse proxy. We already use nginx for some test cases (see test/conftest.py).
This would be really useful.
docs/using.rst
Outdated
ssl_verify = true | ||
tenant_id = DEFAULT | ||
target_name = test-target | ||
auth_token = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be commented, too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed !
src/config-file.c
Outdated
key_client_cert_exists = get_key_string(ini_file, "client", "client_cert", &config->client_cert, NULL, NULL); | ||
|
||
key_client_key_exists = get_key_string(ini_file, "client", "client_key", &config->client_key, NULL, NULL); | ||
|
||
if (!key_auth_token_exists && !key_gateway_token_exists && !(key_client_cert_exists && key_client_key_exists)) { | ||
g_set_error(error, 1, 4, "Neither a token nor client certificate are set!"); | ||
return NULL; | ||
} | ||
if (key_auth_token_exists && key_gateway_token_exists) { | ||
else if (key_auth_token_exists && key_gateway_token_exists) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I can see, this allows various strange combinations of auth/gateway token and cert/key:
- auth_token + client_cert + client_key
- gateway_token + client_cert + client_key
Since there a no later checks, both auth methods would need to be present. Does hawkBit support these cases?
- auth_token + client_cert
- auth_token + client_key
- gateway_token + client_cert
- gateway_token + client_key
These cases lead to auth_token or gateway_token being used, but no warning/error. That should be fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's possible to have two level of security in the same time:
- Reverse proxy do authentication with cert
- Hawkbit with token
So in my opinion we should allow token+ cert.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, this should be documented then. The last 4 scenarios should be fixed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this enough documented : https://github.com/rauc/rauc-hawkbit-updater/pull/166/files#diff-00d05b0405040981002c129a067f3ae336e345b5b62512322b116f63aec6c341R62 ?
What do you mean by 'The last 4 scenarios should be fixed." ?
docs/using.rst
Outdated
ssl = true | ||
ssl_verify = true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From #38 (comment):
What happens if these options are false?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added the answer here : https://github.com/flobz/rauc-hawkbit-updater/blob/419925f13ac05d311d92e9129661783456726d78/docs/using.rst?plain=1#L66
If the CA of the reverse proxy server is untrusted set ssl_verify
to false
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, but what about the ssl
option? That is required, right? Should be documented and a run time check would also be nice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you're right I forgot this check : c972261
curl_easy_setopt(curl, CURLOPT_SSLCERT, hawkbit_config->client_cert); | ||
curl_easy_setopt(curl, CURLOPT_SSLKEY, hawkbit_config->client_key); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The existence of these files was never checked. What happens if they don't exist?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I add a check 118b83d
docs/using.rst
Outdated
Authentication | ||
-------------- |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please leave this section as is and add the sections below as subsections.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
Client certificate and privat key of Client certificate are send to the set Server. Add description on how to use this authentication method in "docs/using.rst" file. Signed-off-by: Cem Tenruh <[email protected]>
Signed-off-by: Cem Tenruh <[email protected]>
04676d2
to
419925f
Compare
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
419925f
to
9a2bb21
Compare
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
9a2bb21
to
28cf12b
Compare
I add test but there is an issue. Hawkbit doesn't support downloading artifacts using http and https in the same time. |
6d90f92
to
146096a
Compare
@Bastian-Krause can you restart the "workflow" please ? I would like to check if change made to the pipeline works. |
I've just triggered the CI workflow |
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
146096a
to
4816283
Compare
Ok I fixed the CI but I don't understand why it worked before and why it doesn't work anymore... |
This will probably need to wait a few more weeks until I have time to review this. |
…s in the same time Signed-off-by: Florian Bezannier <[email protected]>
0770400
to
99dc571
Compare
It's fixed in hawkbit 0.3.0. @Bastian-Krause would you be able to do a review soon ? |
Hello,
I updated this PR: #38 to apply @Bastian-Krause recommendation.
If there anything else to before merging ?