[CloudSync] Adding TLS to secure MQTT Client Broker Communication

[nitu-s-gupta]

Description

Certificates can be generated using openssl library and copied to /var/edge-orchestration/mqtt/certs folder. This will aloow the secure communication between mqtt broker and client.

Fixes # (#382)

Type of change

• New feature (non-breaking change which adds functionality)

How Has This Been Tested?

1.MQTT mosquitto broker is configured to be running in the AWS endpoint. The certificates are copied to /etc/mosquitto/certs folder and corresponding path is specified in the configuration file
In the client side the root CA certificates are copied in the /var/edge-orchestration/mqtt/certs
2. The edge orchestration is build and run using following command with option CLOUD_SYNC set to true

docker run -it -d --privileged --network="host" --name edge-orchestration -e CLOUD_SYNC=true -v /var/edge-orchestration/:/var/edge-orchestration/:rw -v /var/run/docker.sock:/var/run/docker.sock:rw -v /proc/:/process/:ro  lfedge/edge-home-orchestration-go:latest

3. From the another terminal/post make a curl command as follows to publish data using home edge to the broker running on AWS endpoint

curl --location --request POST 'http://192.168.1.107:56001/api/v1/orchestration/cloudsyncmgr' \
--header 'Content-Type: text/plain' \
--data-raw '{
    "appid": "com.nokia.homeedge1",
    "payload": "{Another data from TV1 and testdata}",
    "topic": "home1/livingroom",
    "url" : "ec2-54-205-12-98.compute-1.amazonaws.com"
}'

Test Configuration:

• OS type & version: (Ubuntu 20.04)
• Hardware: (x86)
• Edge Orchestration Release: (v1.1.0)

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings

[tiokim]

Thanks for the contribution! Please take a look at my comments.

[tiokim]

PTAL!

[tiokim]

LGTM Thanks!

[MoonkiHong]

+1

[tdrozdovsky]

Suggested change

	log.Println("CloudSync init set")
	log.Info(logPrefix, "CloudSync init set")

[nitu-s-gupta]

Done!!

[tdrozdovsky]

Suggested change

	log.Println(logPrefix, "Orchestration init with secure option")
	log.Info(logPrefix, "Orchestration init with secure option")

[nitu-s-gupta]

Done!!

[tdrozdovsky]

logPrefix = "[cloudsyncmgr]" change to logPrefix = "[cloudsyncmgr] "

[nitu-s-gupta]

Done!!

[tdrozdovsky]

Before logPrefix = "[MQTTConnectionMgr]" should be change to 1logPrefix = "[MQTTConnectionMgr] "`

Suggested change

	log.Info(logPrefix, " The broker is", URL)
	log.Info(logPrefix, "The broker is", URL)

[nitu-s-gupta]

Done!!

[tdrozdovsky]

Suggested change

	log.Warn(err.Error())
	log.Warn(logPrefix, err.Error())

[nitu-s-gupta]

Done!

[tdrozdovsky]

Suggested change

	// TODO Use Username and password to provide authorization to MQTT Broker zuncomment the below two lines to enable authorization after creating password file for each user
	// TODO: Use Username and Password to provide authorization to MQTT Broker uncomment the below two lines to enable authorization after creating password file for each user. This is temporary solution!

[nitu-s-gupta]

This is not a temporary solution. Its the solution as suggested by mosquitto broker. So its user dependent and hence commented. I can uncomment and put it but then what will be the password set by the user and username hence it is user dependent and also its one of the secure modes of communication as provided by Mosquitto broker as mentioned in the documentation

[tdrozdovsky]

1. login and password cannot be stored in the program and must be exported from a secure storage
2. more suitable option is a signed certificate with a fixed SAN (we had difficulties with this, but I will investigate this issue in more detail later)
   So I think this is a temporary solution.

[nitu-s-gupta]

Yes , it should be ideally but you have to pass the password through copts only thats the architecture design of Mosquitto broker . Secondly Certificates through SAN can give you secure communication channel which is already done. The issue was resolved by me. There is no issue in it. So I think there is some confusion from your side. SAN certificates were fine and are working fine now. As already mentioned in previous PR also the issue was resolved and it wasnot certificates issue.
Storing certificate at any location wouldnt change passing of password through copts only the path will change. SO i disagree with your point of this being a temporary solution.

[tdrozdovsky]

As I wrote above, this is a temporary solution, since the password cannot be stored in the program.

[tdrozdovsky]

We can take it step by step

1. while we consider the option of communication with only one broker
2. we have two options: a) add the phrase that this is a temporary solution, accept this request, and urgently prepare to read the login and password from an external file; b) we finish reading the login and password from an external file or from another place

If accepted in the current version: we need remove the OpenSSF "passing" and "silver" badge from our project (because it violates security requirements ), and also the container that is downloaded from dockerhub will not work fully.

[tdrozdovsky]

I'm more concerned about the unprotected storage password in the code (hardcoded). And as I said earlier, we can implement the issues of secure interaction with the broker later

[suresh-lc]

We need to fix the secure location for password file storage . We can discuss that separately. And this file reading should not take much time. So once we fix the file location we can raise PR for that. @nitu-s-gupta : Please remove the lines..

[tiokim]

@nitu-s-gupta Please create an issue to discuss about cert and password.

[suresh-lc]

@nitu-s-gupta Please create an issue to discuss about cert and password.

#471

[suresh-lc]

+1

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[tdrozdovsky]

LGTM