Allow fleet-provisioning to change user and group during runtime

aws-greengrass · Dec 19, 2024 · 2842030 · 2842030
1 parent bbeb9e1
commit 2842030
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 45 deletions.
diff --git a/docs/FLEET_PROVISIONING.md b/docs/FLEET_PROVISIONING.md
@@ -24,17 +24,11 @@ follow few important pre-steps
 1. This section assumes that the system has already met the dependencies
    mentioned in [SETUP.md](./SETUP.md#dependencies).
 2. Make sure you are logged in as root.
-3. Allow read access to all user for your certificates
-   `chmod -R +rx /ggcredentials/`.
-4. Make sure you do not fill `iotCredEndpoint/iotDataEndpoint` under
+3. Make sure you do not fill `iotCredEndpoint/iotDataEndpoint` under
    `aws.greengrass.NucleusLite` you should only fill these fields under
    `aws.greengrass.fleet_provisioning`'s config. See the
    [sample config below](#configyaml).
-5. Fleet provisioning assumes the your `GGL_SYSTEMD_SYSTEM_USER` and
-   `GGL_SYSTEMD_SYSTEM_GROUP` mentioned in [CMakeLists.txt](../CMakeLists.txt)
-   to be `ggcore:ggcore` please change appropriately if these values are changed
-   during compile time.
-6. If this is your not first run, remove the socket at
+4. If this is your not first run, remove the socket at
    `/run/greengrass/iotcoredfleet`, if it exists.
 
 Sample Fleet provisioning template:
@@ -139,7 +133,11 @@ $ cp ./run/config.yaml /etc/greengrass/config.yaml
 $ ./misc/run_nucleus
 ```
 
-In root user shell, run fleet provisioning:
+In root user shell, run the fleet provisioning binary.
+
+If you changed `GGL_SYSTEMD_SYSTEM_USER` and `GGL_SYSTEMD_SYSTEM_GROUP`
+mentioned in [CMakeLists.txt](../CMakeLists.txt), you can override deafult by
+adding `-u "ggcore:ggcore"` at the end of following command:
 
 ```sh
 $ ../build/bin/fleet-provisioning
@@ -148,7 +146,7 @@ $ ../build/bin/fleet-provisioning
 Now this will trigger the fleet provisioning script which will take a few
 minutes to complete.
 
-> Note: Device will reboot in case of successful run.
+> Note: Device will reboot in case of a successful run.
 
 If you are storing the standard output then look for log:
 `Process Complete, Your device is now provisioned`.

diff --git a/fleet-provisioning/bin/fleet-provisioning.c b/fleet-provisioning/bin/fleet-provisioning.c
@@ -18,35 +18,50 @@ static char doc[] = "fleet provisioner -- Executable to automatically "
                     "provision the device to AWS IOT core";
 static const char COMPONENT_NAME[] = "fleet-provisioning";
 
-static struct argp_option opts[] = {
-    { "claim-key",
-      'k',
-      "path",
-      0,
-      "Path to key for client claim private certificate",
-      0 },
-    { "claim-cert",
-      'c',
-      "path",
-      0,
-      "Path to key for client claim certificate",
-      0 },
-    { "template-name",
-      't',
-      "name",
-      0,
-      "AWS fleet provisioning template name",
-      0 },
-    { "template-param",
-      'p',
-      "json",
-      0,
-      "[optional] Fleet Prov additional parameters",
-      0 },
-    { "data-endpoint", 'e', "name", 0, "AWS IoT Core data endpoint", 0 },
-    { "root-ca-path", 'r', "path", 0, "Path to key for client certificate", 0 },
-    { 0 }
-};
+static struct argp_option opts[]
+    = { { "user-group",
+          'u',
+          "name",
+          0,
+          "[optional]GGL_SYSTEMD_SYSTEM_USER user and group \":\" seprated",
+          0 },
+        { "claim-key",
+          'k',
+          "path",
+          0,
+          "[optional]Path to key for client claim private certificate",
+          0 },
+        { "claim-cert",
+          'c',
+          "path",
+          0,
+          "[optional]Path to key for client claim certificate",
+          0 },
+        { "template-name",
+          't',
+          "name",
+          0,
+          "[optional]AWS fleet provisioning template name",
+          0 },
+        { "template-param",
+          'p',
+          "json",
+          0,
+          "[optional]Fleet Prov additional parameters",
+          0 },
+        { "data-endpoint",
+          'e',
+          "name",
+          0,
+          "[optional]AWS IoT Core data endpoint",
+          0 },
+        { "root-ca-path",
+          'r',
+          "path",
+          0,
+          "[optional]Path to key for client certificate",
+          0 },
+        { 0 } };
 
 static error_t arg_parser(int key, char *arg, struct argp_state *state) {
     FleetProvArgs *args = state->input;
@@ -69,8 +84,14 @@ static error_t arg_parser(int key, char *arg, struct argp_state *state) {
     case 'r':
         args->root_ca_path = arg;
         break;
+    case 'u':
+        args->user_group = arg;
+        break;
     case ARGP_KEY_END:
-        // ALL keys have defaults further in.
+        if (args->user_group == NULL) {
+            args->user_group = "ggcore:ggcore";
+        }
+        // All keys are optional other are set down the line
         break;
     default:
         return ARGP_ERR_UNKNOWN;

diff --git a/fleet-provisioning/include/fleet-provisioning.h b/fleet-provisioning/include/fleet-provisioning.h
@@ -16,6 +16,7 @@ typedef struct {
     char *data_endpoint;
     char *root_ca_path;
     char *iotcored_path;
+    char *user_group;
 } FleetProvArgs;
 
 GglError run_fleet_prov(FleetProvArgs *args, pid_t *pid);

diff --git a/fleet-provisioning/src/entry.c b/fleet-provisioning/src/entry.c
@@ -28,6 +28,8 @@
 #define MAX_TEMPLATE_PARAM_LEN 4096
 #define MAX_PATH_LEN 4096
 
+GglBuffer ggcredentials_path = GGL_STR("/ggcredentials");
+
 static GglError start_iotcored(FleetProvArgs *args, pid_t *iotcored_pid) {
     char *iotcore_d_args[]
         = { args->iotcored_path,  "-n", "iotcoredfleet",       "-e",
@@ -191,8 +193,8 @@ static GglError fetch_from_db(FleetProvArgs *args) {
     return GGL_ERR_OK;
 }
 
-static GglError update_cred_access(void) {
-    char *args[] = { "chown", "-R", "ggcore:ggcore", "/ggcredentials/", NULL };
+static GglError update_cred_access(char *user_group) {
+    char *args[] = { "chown", "-R", user_group, "/ggcredentials/", NULL };
 
     GglError ret = ggl_exec_command(args);
     if (ret != GGL_ERR_OK) {
@@ -272,8 +274,6 @@ static GglError update_iot_endpoints(void) {
 }
 
 GglError run_fleet_prov(FleetProvArgs *args, pid_t *pid) {
-    GglBuffer ggcredentials_path = GGL_STR("/ggcredentials");
-
     int config_dir;
     GglError ret
         = ggl_dir_open(ggcredentials_path, O_RDONLY, false, &config_dir);
@@ -401,7 +401,7 @@ GglError run_fleet_prov(FleetProvArgs *args, pid_t *pid) {
         return ret;
     }
 
-    ret = update_cred_access();
+    ret = update_cred_access(args->user_group);
     if (ret != GGL_ERR_OK) {
         return ret;
     }