Skip to content

[#2825] Extend credentials management service to support auth-id template #2985

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kaniyan wants to merge 3 commits into
base: master
Choose a base branch
from
Open

[#2825] Extend credentials management service to support auth-id template #2985

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a9af944
[#2825] Extend credentials management service to support auth-id temp…
kaniyan Nov 22, 2021
142b98a
Incorporate review comments and minor improvements
kaniyan Dec 6, 2021
bd060cd
Add tests and incorporate review comments
kaniyan Dec 7, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions core/src/main/java/org/eclipse/hono/util/CredentialsConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,11 @@ public final class CredentialsConstants extends RequestResponseApiConstants {
* The name of the field that contains the authentication identifier.
*/
public static final String FIELD_AUTH_ID = "auth-id";
/**
* The name of the field that contains the generated authentication identifier
* by applying the template to the subject DN.
*/
public static final String FIELD_GENERATED_AUTH_ID = "generated-auth-id";
Copy link
Contributor

@sophokles73 sophokles73 Dec 7, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we still need this constant now that we do not expose the generated ID field anymore?

Copy link
Contributor Author

@kaniyan kaniyan Dec 7, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes it is still being used in CredentialsServiceImpl.

/**
* The name of the field that contains the secret(s) of the credentials.
*/
Expand Down
9 changes: 9 additions & 0 deletions core/src/main/java/org/eclipse/hono/util/RegistryManagementConstants.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -180,6 +180,15 @@ public final class RegistryManagementConstants extends RequestResponseApiConstan
* The name of the field that contains the authentication identifier.
*/
public static final String FIELD_AUTH_ID = "auth-id";
/**
* The name of the field that contains the generated authentication identifier
* by applying the template to the subject DN.
*/
public static final String FIELD_GENERATED_AUTH_ID = "generated-auth-id";
/**
* The name of the field that contains the issuer DN of the client certificate.
*/
public static final String FIELD_ISSUER_DN = "issuer-dn";
/**
* The name of the field that contains the secret(s) of the credentials.
*/
Expand Down
7 changes: 5 additions & 2 deletions ...c/src/main/java/org/eclipse/hono/service/base/jdbc/store/device/TableManagementStore.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,7 @@
import org.eclipse.hono.service.management.device.Device;
import org.eclipse.hono.service.management.tenant.Tenant;
import org.eclipse.hono.tracing.TracingHelper;
import org.eclipse.hono.util.RegistryManagementConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand Down Expand Up @@ -162,6 +163,7 @@ public TableManagementStore(final SQLClient client, final Tracer tracer, final S
"device_id",
"type",
"auth_id",
"generated_auth_id",
"data");

this.deleteAllCredentialsStatement = cfg
Expand Down Expand Up @@ -692,8 +694,9 @@ public Future<Versioned<Boolean>> setCredentials(
.expand(map -> {
map.put("tenant_id", key.getTenantId());
map.put("device_id", key.getDeviceId());
map.put("type", c.getString("type"));
map.put("auth_id", c.getString("auth-id"));
map.put("type", c.getString(RegistryManagementConstants.FIELD_TYPE));
map.put("auth_id", c.getString(RegistryManagementConstants.FIELD_AUTH_ID));
map.put("generated_auth_id", c.getString(RegistryManagementConstants.FIELD_GENERATED_AUTH_ID));
map.put("data", c.toString());
})
.trace(this.tracer, span.context())
Expand Down
2 changes: 2 additions & 0 deletions ...c/main/resources/org/eclipse/hono/service/base/jdbc/store/device/base.postgresql.sql.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,12 +35,14 @@ insertCredentialEntry: |
device_id,
type,
auth_id,
generated_auth_id,
data
) VALUES (
:tenant_id,
:device_id,
:type,
:auth_id,
:generated_auth_id,
:data::jsonb
)

Expand Down
4 changes: 3 additions & 1 deletion ...ase-jdbc/src/main/resources/org/eclipse/hono/service/base/jdbc/store/device/base.sql.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ findCredentials: |
WHERE
tenant_id=:tenant_id
AND
auth_id=:auth_id
COALESCE(generated_auth_id, auth_id)=:auth_id
AND
type=:type

Expand All @@ -112,12 +112,14 @@ insertCredentialEntry: |
device_id,
type,
auth_id,
generated_auth_id,
data
) VALUES (
:tenant_id,
:device_id,
:type,
:auth_id,
:generated_auth_id,
:data
)

Expand Down
5 changes: 3 additions & 2 deletions services/base-jdbc/src/main/resources/sql/h2/02-create.devices.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,9 @@ CREATE TABLE IF NOT EXISTS device_credentials
TENANT_ID VARCHAR(256) NOT NULL,
DEVICE_ID VARCHAR(256) NOT NULL,

TYPE VARCHAR(64) NOT NULL,
AUTH_ID VARCHAR(256) NOT NULL,
TYPE VARCHAR(64) NOT NULL,
AUTH_ID VARCHAR(256) NOT NULL,
GENERATED_AUTH_ID VARCHAR(256),

DATA TEXT,

Expand Down
5 changes: 3 additions & 2 deletions services/base-jdbc/src/main/resources/sql/postgresql/02-create.devices.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,8 +20,9 @@ CREATE TABLE IF NOT EXISTS device_credentials
TENANT_ID VARCHAR(36) NOT NULL,
DEVICE_ID VARCHAR(256) NOT NULL,

TYPE VARCHAR(64) NOT NULL,
AUTH_ID VARCHAR(256) NOT NULL,
TYPE VARCHAR(64) NOT NULL,
AUTH_ID VARCHAR(256) NOT NULL,
GENERATED_AUTH_ID VARCHAR(256),

DATA JSONB,

Expand Down
25 changes: 22 additions & 3 deletions ...eclipse/hono/deviceregistry/service/credentials/AbstractCredentialsManagementService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

import org.eclipse.hono.auth.HonoPasswordEncoder;
import org.eclipse.hono.client.ClientErrorException;
Expand All @@ -35,6 +36,9 @@
import org.eclipse.hono.service.management.credentials.CommonCredential;
import org.eclipse.hono.service.management.credentials.CredentialsManagementService;
import org.eclipse.hono.service.management.credentials.PasswordCredential;
import org.eclipse.hono.service.management.credentials.X509CertificateCredential;
import org.eclipse.hono.service.management.credentials.X509CertificateCredentialWithGeneratedAuthId;
import org.eclipse.hono.service.management.tenant.Tenant;
import org.eclipse.hono.util.Futures;
import org.eclipse.hono.util.Lifecycle;
import org.eclipse.hono.util.Strings;
Expand Down Expand Up @@ -177,10 +181,11 @@ public final Future<OperationResult<Void>> updateCredentials(
Objects.requireNonNull(resourceVersion);
Objects.requireNonNull(span);

return this.tenantInformationService
.getTenant(tenantId, span)
final Future<Tenant> tenantFuture = tenantInformationService.getTenant(tenantId, span);
return tenantFuture
.compose(tenant -> tenant.checkCredentialsLimitExceeded(tenantId, credentials))
.compose(ok -> verifyAndEncodePasswords(credentials))
.compose(ok -> applyAuthIdTemplateForX509CertificateCredentials(tenantFuture.result(), credentials))
.compose(this::verifyAndEncodePasswords)
.compose(encodedCredentials -> processUpdateCredentials(
DeviceKey.from(tenantId, deviceId),
encodedCredentials,
Expand Down Expand Up @@ -279,4 +284,18 @@ protected List<CommonCredential> checkCredentials(final List<CommonCredential> c
return credentials;
}

private static Future<List<CommonCredential>> applyAuthIdTemplateForX509CertificateCredentials(
final Tenant tenant,
final List<CommonCredential> credentials) {
final List<CommonCredential> creds = credentials.stream()
.map(cred -> {
if (cred instanceof X509CertificateCredential) {
return X509CertificateCredentialWithGeneratedAuthId.applyAuthIdTemplate(
(X509CertificateCredential) cred, tenant);
}
return cred;
})
.collect(Collectors.toUnmodifiableList());
return Future.succeededFuture(creds);
}
}
3 changes: 2 additions & 1 deletion ...registry-base/src/main/java/org/eclipse/hono/deviceregistry/util/DeviceRegistryUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,8 @@ private DeviceRegistryUtils() {
*/
public static <T> Future<T> mapError(final Throwable error, final String tenantId) {
if (error instanceof IllegalArgumentException) {
return Future.failedFuture(new ClientErrorException(tenantId, HttpURLConnection.HTTP_BAD_REQUEST, error.getMessage()));
return Future.failedFuture(
new ClientErrorException(tenantId, HttpURLConnection.HTTP_BAD_REQUEST, error.getMessage(), error));
}
return Future.failedFuture(error);
}
Expand Down
10 changes: 10 additions & 0 deletions ...istry-base/src/main/java/org/eclipse/hono/service/management/credentials/Credentials.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,16 @@ public static PskCredential createPSKCredential(final String authId, final Strin
return new PskCredential(authId, List.of(s));
}

/**
* Creates a X509 certificate based credential from the given subject DN.
*
* @param subjectDN The subject DN.
* @return The X509 certificate credential.
*/
public static X509CertificateCredential createX509CertificateCredential(final String subjectDN) {
return X509CertificateCredential.fromSubjectDn(subjectDN, List.of(new X509CertificateSecret()));
}

/**
* Creates a password type based credential containing a hashed password secret.
*
Expand Down
13 changes: 13 additions & 0 deletions ...ipse/hono/service/management/credentials/DelegatingCredentialsManagementHttpEndpoint.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
import org.eclipse.hono.service.management.OperationResult;
import org.eclipse.hono.tracing.TracingHelper;
import org.eclipse.hono.util.RegistryManagementConstants;
import org.eclipse.hono.util.Strings;

import io.opentracing.Span;
import io.vertx.core.CompositeFuture;
Expand Down Expand Up @@ -207,7 +208,19 @@ private static List<CommonCredential> decodeCredentials(final JsonArray array) {
return array.stream()
.filter(JsonObject.class::isInstance)
.map(JsonObject.class::cast)
.map(DelegatingCredentialsManagementHttpEndpoint::checkForGeneratedAuthId)
.map(json -> json.mapTo(CommonCredential.class))
.collect(Collectors.toList());
}

private static JsonObject checkForGeneratedAuthId(final JsonObject credential) {
final String type = credential.getString(RegistryManagementConstants.FIELD_TYPE);
if (!Strings.isNullOrEmpty(type) && type.equals(RegistryManagementConstants.SECRETS_TYPE_X509_CERT)) {
if (credential.containsKey(RegistryManagementConstants.FIELD_GENERATED_AUTH_ID)) {
throw new IllegalArgumentException(
"credentials object contains an invalid attribute [generated-auth-id]");
}
}
return credential;
}
}
Loading