Add option to authenticate via client certificates updated #166
Conversation
flobz
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
4 times, most recently
from
726d39e
to
04676d2
Compare
There was a problem hiding this comment.
In #38 (comment), I said:
It would be great to have an actual test case for this with a reverse proxy. We already use nginx for some test cases (see test/conftest.py).
This would be really useful.
docs/using.rst
Outdated
| ssl_verify = true | ||
| tenant_id = DEFAULT | ||
| target_name = test-target | ||
| auth_token = |
There was a problem hiding this comment.
Shouldn't this be commented, too?
src/config-file.c
Outdated
| key_client_cert_exists = get_key_string(ini_file, "client", "client_cert", &config->client_cert, NULL, NULL); | ||
|
|
||
| key_client_key_exists = get_key_string(ini_file, "client", "client_key", &config->client_key, NULL, NULL); | ||
|
|
||
| if (!key_auth_token_exists && !key_gateway_token_exists && !(key_client_cert_exists && key_client_key_exists)) { | ||
| g_set_error(error, 1, 4, "Neither a token nor client certificate are set!"); | ||
| return NULL; | ||
| } | ||
| if (key_auth_token_exists && key_gateway_token_exists) { | ||
| else if (key_auth_token_exists && key_gateway_token_exists) { |
There was a problem hiding this comment.
As far as I can see, this allows various strange combinations of auth/gateway token and cert/key:
- auth_token + client_cert + client_key
- gateway_token + client_cert + client_key
Since there a no later checks, both auth methods would need to be present. Does hawkBit support these cases?
- auth_token + client_cert
- auth_token + client_key
- gateway_token + client_cert
- gateway_token + client_key
These cases lead to auth_token or gateway_token being used, but no warning/error. That should be fixed.
There was a problem hiding this comment.
It's possible to have two level of security in the same time:
- Reverse proxy do authentication with cert
- Hawkbit with token
So in my opinion we should allow token+ cert.
There was a problem hiding this comment.
Okay, this should be documented then. The last 4 scenarios should be fixed.
There was a problem hiding this comment.
Is this enough documented : https://github.com/rauc/rauc-hawkbit-updater/pull/166/files#diff-00d05b0405040981002c129a067f3ae336e345b5b62512322b116f63aec6c341R62 ?
What do you mean by 'The last 4 scenarios should be fixed." ?
docs/using.rst
Outdated
| ssl = true | ||
| ssl_verify = true |
There was a problem hiding this comment.
From #38 (comment):
What happens if these options are false?
There was a problem hiding this comment.
I added the answer here : https://github.com/flobz/rauc-hawkbit-updater/blob/419925f13ac05d311d92e9129661783456726d78/docs/using.rst?plain=1#L66
If the CA of the reverse proxy server is untrusted set ssl_verify to false.
There was a problem hiding this comment.
Okay, but what about the ssl option? That is required, right? Should be documented and a run time check would also be nice.
There was a problem hiding this comment.
you're right I forgot this check : c972261
| curl_easy_setopt(curl, CURLOPT_SSLCERT, hawkbit_config->client_cert); | ||
| curl_easy_setopt(curl, CURLOPT_SSLKEY, hawkbit_config->client_key); |
There was a problem hiding this comment.
The existence of these files was never checked. What happens if they don't exist?
docs/using.rst
Outdated
| Authentication | ||
| -------------- |
There was a problem hiding this comment.
Please leave this section as is and add the sections below as subsections.
Client certificate and privat key of Client certificate are send to the set Server. Add description on how to use this authentication method in "docs/using.rst" file. Signed-off-by: Cem Tenruh <[email protected]>
Signed-off-by: Cem Tenruh <[email protected]>
flobz
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
from
04676d2
to
419925f
Compare
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
flobz
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
from
419925f
to
9a2bb21
Compare
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
flobz
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
from
9a2bb21
to
28cf12b
Compare
I add test but there is an issue. Hawkbit doesn't support downloading artifacts using http and https in the same time. |
flobz
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
3 times, most recently
from
6d90f92
to
146096a
Compare
|
@Bastian-Krause can you restart the "workflow" please ? I would like to check if change made to the pipeline works. |
|
I've just triggered the CI workflow |
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
Signed-off-by: Florian Bezannier <[email protected]>
flobz
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
from
146096a
to
4816283
Compare
|
Ok I fixed the CI but I don't understand why it worked before and why it doesn't work anymore... |
|
This will probably need to wait a few more weeks until I have time to review this. |
…s in the same time Signed-off-by: Florian Bezannier <[email protected]>
flobz
force-pushed
the
WIP/ctenruh-phytec/client_certificates
branch
from
0770400
to
99dc571
Compare
It's fixed in hawkbit 0.3.0. @Bastian-Krause would you be able to do a review soon ? |
Hello,
I updated this PR: #38 to apply @Bastian-Krause recommendation.
If there anything else to before merging ?