Integrate with bundle

plgd-dev · Aug 12, 2024 · 2e70adf · 2e70adf
1 parent ee76f61
commit 2e70adf
Show file tree

Hide file tree

Showing 9 changed files with 128 additions and 14 deletions.
diff --git a/.github/workflows/build-publish.yaml b/.github/workflows/build-publish.yaml
@@ -123,6 +123,10 @@ jobs:
             directory: m2m-oauth-server
             file: .tmp/docker/m2m-oauth-server/Dockerfile
             template-file: tools/docker/Dockerfile.in
+          - name: device-provisioning-service
+            directory: device-provisioning-service
+            file: .tmp/docker/device-provisioning-service/Dockerfile
+            template-file: tools/docker/device-provisioning-service.in
           - name: test-device-provisioning-service
             directory: test/device-provisioning-service
             file: test/device-provisioning-service/Dockerfile

diff --git a/bundle/Dockerfile b/bundle/Dockerfile
@@ -120,6 +120,13 @@ RUN go build -ldflags "-linkmode external -extldflags -static -X github.com/plgd
     -o "/go/bin/$service" \
     ./cmd/service
 
+#device-provisioning-service
+ARG service=device-provisioning-service
+WORKDIR $root_directory/$service
+RUN go build -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \
+    -o "/go/bin/$service" \
+    ./cmd/service
+
 #nats
 WORKDIR $root_directory
 RUN apkArch="$(apk --print-arch)"; \
@@ -251,6 +258,8 @@ ENV SNIPPET_SERVICE_PORT=9091
 ENV HTTP_SNIPPET_SERVICE_PORT=9092
 ENV M2M_OAUTH_SERVER_PORT=9079
 ENV HTTP_M2M_OAUTH_SERVER_PORT=9080
+ENV DEVICE_PROVISIONG_SERVICE_PORT=9093
+ENV HTTP_DEVICE_PROVISIONG_SERVICE_PORT=9094
 
 # OAuth
 ENV DEVICE_PROVIDER=plgd

diff --git a/bundle/nginx/nginx.conf.template b/bundle/nginx/nginx.conf.template
@@ -162,5 +162,32 @@ http {
       proxy_set_header Connection $connection_upgrade;
       proxy_set_header Host $host;
     }
+    location ~ ^(/device-provisioning-service) {
+      set $upstream_oauth_server https://127.0.0.1:REPLACE_HTTP_DEVICE_PROVISIONG_SERVICE_PORT;
+      proxy_pass                     $upstream_oauth_server;
+      proxy_ssl_certificate           /data/certs/internal/endpoint.crt;
+      proxy_ssl_certificate_key       /data/certs/internal/endpoint.key;
+      proxy_ssl_trusted_certificate   /data/certs/root_ca.crt;
+      proxy_ssl_verify                on;
+      set $cors_headers 'Authority,Method,Path,Scheme,Accept,Accept-Encoding,Accept-Language,Content-Type,Origin,Refer,Sec-Fetch-Dest,Sec-Fetch-Mode,Sec-Fetch-Site,Authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,correlation-id';
+      include /nginx/cors.oauth.conf;
+      proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header   X-Forwarded-Proto $scheme;
+      proxy_set_header   X-Forwarded-Host $host;
+      proxy_set_header Host $host;
+    }
+    location ~ ^(/deviceprovisioningservice.pb.DeviceProvisionService) {
+      set $upstream_grpc_oauth_server grpcs://127.0.0.1:REPLACE_DEVICE_PROVISIONG_SERVICE_PORT;
+      grpc_pass                      $upstream_grpc_oauth_server;
+      grpc_ssl_certificate           /data/certs/internal/endpoint.crt;
+      grpc_ssl_certificate_key       /data/certs/internal/endpoint.key;
+      grpc_ssl_trusted_certificate   /data/certs/root_ca.crt;
+      grpc_read_timeout       31536000s;
+      grpc_send_timeout       31536000s;
+      client_body_timeout     31536000s;
+      grpc_socket_keepalive   on;
+      proxy_ssl_trusted_certificate   /data/certs/root_ca.crt;
+      proxy_ssl_verify                on;
+    }
   }
 }
diff --git a/bundle/run.sh b/bundle/run.sh
@@ -28,6 +28,8 @@ export SNIPPET_SERVICE_ADDRESS="localhost:${SNIPPET_SERVICE_PORT}"
 export SNIPPET_SERVICE_HTTP_ADDRESS="localhost:${HTTP_SNIPPET_SERVICE_PORT}"
 export M2M_OAUTH_SERVER_ADDRESS="localhost:${M2M_OAUTH_SERVER_PORT}"
 export M2M_OAUTH_SERVER_HTTP_ADDRESS="localhost:${HTTP_M2M_OAUTH_SERVER_PORT}"
+export DEVICE_PROVISIONG_SERVICE_ADDRESS="localhost:${DEVICE_PROVISIONG_SERVICE_PORT}"
+export DEVICE_PROVISIONG_SERVICE_HTTP_ADDRESS="localhost:${HTTP_DEVICE_PROVISIONG_SERVICE_PORT}"
 
 export INTERNAL_CERT_DIR_PATH="$CERTIFICATES_PATH/internal"
 export GRPC_INTERNAL_CERT_NAME="endpoint.crt"
@@ -491,6 +493,8 @@ if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "${NGINX_PATH}/nginx.conf" ]; then
   sed -i "s/REPLACE_HTTP_SNIPPET_SERVICE_PORT/$HTTP_SNIPPET_SERVICE_PORT/g" ${NGINX_PATH}/nginx.conf
   sed -i "s/REPLACE_M2M_OAUTH_SERVER_PORT/$M2M_OAUTH_SERVER_PORT/g" ${NGINX_PATH}/nginx.conf
   sed -i "s/REPLACE_HTTP_M2M_OAUTH_SERVER_PORT/$HTTP_M2M_OAUTH_SERVER_PORT/g" ${NGINX_PATH}/nginx.conf
+  sed -i "s/REPLACE_DEVICE_PROVISIONG_SERVICE_PORT/$DEVICE_PROVISIONG_SERVICE_PORT/g" ${NGINX_PATH}/nginx.conf
+  sed -i "s/REPLACE_HTTP_DEVICE_PROVISIONG_SERVICE_PORT/$HTTP_DEVICE_PROVISIONG_SERVICE_PORT/g" ${NGINX_PATH}/nginx.conf
 fi
 
 # nats
@@ -1356,6 +1360,68 @@ while true; do
   sleep 1
 done
 
+# device-provisioning-service
+echo "starting device-provisioning-service"
+## configuration
+if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "/data/device-provisioning-service.yaml" ]; then
+cat /configs/device-provisioning-service.yaml |
+  yq e "\
+  .log.level = \"${LOG_LEVEL}\" |
+  .apis.coap.address = \"${DEVICE_PROVISIONG_SERVICE_ADDRESS}\" |
+  .apis.http.enabled = true |
+  .apis.http.address = \"${DEVICE_PROVISIONG_SERVICE_HTTP_ADDRESS}\" |
+  .apis.http.authorization.ownerClaim = \"${OWNER_CLAIM}\" |
+  .apis.grpc.authorization.endpoints[0].http.tls.useSystemCAPool = true |
+  .apis.grpc.authorization.endpoints[0].authority = \"https://${OAUTH_ENDPOINT}\" |
+  .apis.grpc.authorization.endpoints[1].authority = \"https://${M2M_OAUTH_SERVER_ENDPOINT}\" |
+  .apis.http.authorization.audience = \"${SERVICE_OAUTH_AUDIENCE}\" |
+  .clients.storage.mongoDB.uri = \"${MONGODB_URI}\" |
+  .clients.openTelemetryCollector.grpc.enabled = ${OPEN_TELEMETRY_EXPORTER_ENABLED} |
+  .clients.openTelemetryCollector.grpc.address = \"${OPEN_TELEMETRY_EXPORTER_ADDRESS}\" |
+  .clients.openTelemetryCollector.grpc.tls.caPool = \"${OPEN_TELEMETRY_EXPORTER_CA_POOL}\" |
+  .clients.openTelemetryCollector.grpc.tls.keyFile = \"${OPEN_TELEMETRY_EXPORTER_KEY_FILE}\" |
+  .clients.openTelemetryCollector.grpc.tls.certFile = \"${OPEN_TELEMETRY_EXPORTER_CERT_FILE}\" |
+  .clients.openTelemetryCollector.grpc.tls.useSystemCAPool = true |
+  .enrollmentGroups[0].id = \"${TODO}\" |
+  .enrollmentGroups[0].owner = \"${TODO}\" |
+  .enrollmentGroups[0].preSharedKeyFile = \"${TODO}\" |
+  .enrollmentGroups[0].attestationMechanism.x509.certificateChain = \"${TODO}\" |
+  .enrollmentGroups[0].attestationMechanism.x509.expiredCertificateEnabled = false |
+  .enrollmentGroups[0].hubs[0].caPool = \"${TODO}\" |
+  .enrollmentGroups[0].hubs[0].hubID = \"${TODO}\" |
+  .enrollmentGroups[0].hubs[0].gateways = \"${TODO}\" |
+  .enrollmentGroups[0].hubs[0].certificateAuthority.grpc.address = \"${CERTIFICATE_AUTHORITY_ADDRESS}\"
+  .enrollmentGroups[0].hubs[0].authorization.ownerClaim = \"${OWNER_CLAIM}\" |
+  .enrollmentGroups[0].hubs[0].authorization.deviceIDClaim = \"${TODO}\" |
+  .enrollmentGroups[0].hubs[0].authorization.provider.name = \"${TODO}\" |
+  .enrollmentGroups[0].hubs[0].authorization.provider.authority = \"${TODO}\" |
+  .enrollmentGroups[0].hubs[0].authorization.provider.clientID = \"${TODO}\" |
+  .enrollmentGroups[0].hubs[0].authorization.provider.clientSecretFile = \"${TODO}\" |
+  .enrollmentGroups[0].hubs[0].authorization.provider.scopes = \"${TODO}\" |
+  .enrollmentGroups[0].hubs[0].authorization.provider.audience = \"${TODO}\"
+" - > /data/device-provisioning-service.yaml
+fi
+device-provisioning-service --config /data/device-provisioning-service.yaml >$LOGS_PATH/device-provisioning-service.log 2>&1 &
+status=$?
+device_provisioning_service_pid=$!
+if [ $status -ne 0 ]; then
+  echo "Failed to start device-provisioning-service: $status"
+  sync
+  cat $LOGS_PATH/device-provisioning-service.log
+  exit $status
+fi
+
+# waiting for ca. Without wait, sometimes the service didn't connect.
+i=0
+while true; do
+  i=$((i+1))
+  if openssl s_client -connect ${DEVICE_PROVISIONG_SERVICE_ADDRESS} -cert ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_NAME} -key ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_KEY_NAME} <<< "Q" 2>/dev/null > /dev/null; then
+    break
+  fi
+  echo "Try to reconnect to device-provisioning-service(${DEVICE_PROVISIONG_SERVICE_ADDRESS}) $i"
+  sleep 1
+done
+
 echo "Open browser at https://${DOMAIN}"
 
 # Naive check runs checks once a minute to see if either of the processes exited.
@@ -1487,4 +1553,11 @@ while sleep 10; do
     cat $LOGS_PATH/snippet-service.log
    exit 1
   fi
+  ps aux |grep $device_provisioning_service_pid |grep -q -v grep
+  if [ $? -ne 0 ]; then
+    echo "device-provisioning-service has already exited."
+    sync
+    cat $LOGS_PATH/device-provisioning-service.log
+   exit 1
+  fi
 done
diff --git a/device-provisioning-service/service/http/getRegistrations_test.go b/device-provisioning-service/service/http/getRegistrations_test.go
@@ -11,8 +11,8 @@ import (
 	httpService "github.com/plgd-dev/hub/v2/device-provisioning-service/service/http"
 	"github.com/plgd-dev/hub/v2/device-provisioning-service/test"
 	httpgwTest "github.com/plgd-dev/hub/v2/http-gateway/test"
+	pkgHttpPb "github.com/plgd-dev/hub/v2/pkg/net/http/pb"
 	hubTest "github.com/plgd-dev/hub/v2/test"
-	httpTest "github.com/plgd-dev/hub/v2/test/http"
 	oauthTest "github.com/plgd-dev/hub/v2/test/oauth-server/test"
 	hubTestService "github.com/plgd-dev/hub/v2/test/service"
 	"github.com/stretchr/testify/assert"
@@ -106,7 +106,7 @@ func TestDeviceProvisionServiceServerGetProvisioningRecords(t *testing.T) {
 			var got pb.ProvisioningRecords
 			for {
 				var dev pb.ProvisioningRecord
-				err := httpTest.Unmarshal(resp.StatusCode, resp.Body, &dev)
+				err := pkgHttpPb.Unmarshal(resp.StatusCode, resp.Body, &dev)
 				if errors.Is(err, io.EOF) {
 					break
 				}

diff --git a/device-provisioning-service/service/http/service.go b/device-provisioning-service/service/http/service.go
@@ -13,7 +13,8 @@ import (
 	"github.com/plgd-dev/hub/v2/http-gateway/serverMux"
 	"github.com/plgd-dev/hub/v2/pkg/fsnotify"
 	"github.com/plgd-dev/hub/v2/pkg/log"
-	kitNetHttp "github.com/plgd-dev/hub/v2/pkg/net/http"
+	pkgHttp "github.com/plgd-dev/hub/v2/pkg/net/http"
+	pkgHttpJwt "github.com/plgd-dev/hub/v2/pkg/net/http/jwt"
 	"github.com/plgd-dev/hub/v2/pkg/net/listener"
 	"github.com/plgd-dev/hub/v2/pkg/security/jwt/validator"
 	"go.opentelemetry.io/otel/trace"
@@ -41,7 +42,7 @@ func New(ctx context.Context, serviceName string, config Config, fileWatcher *fs
 	pb.RegisterDeviceProvisionServiceServer(ch, grpc.NewDeviceProvisionServiceServer(store, config.Authorization.OwnerClaim))
 	grpcClient := pb.NewDeviceProvisionServiceClient(ch)
 
-	auth := kitNetHttp.NewInterceptorWithValidator(validator, kitNetHttp.NewDefaultAuthorizationRules(APIV1))
+	auth := pkgHttpJwt.NewInterceptorWithValidator(validator, pkgHttp.NewDefaultAuthorizationRules(API))
 	mux := serverMux.New()
 	r := serverMux.NewRouter(queryCaseInsensitive, auth)
 
@@ -51,7 +52,7 @@ func New(ctx context.Context, serviceName string, config Config, fileWatcher *fs
 	}
 	r.PathPrefix("/").Handler(mux)
 	httpServer := &http.Server{
-		Handler:           kitNetHttp.OpenTelemetryNewHandler(r, serviceName, tracerProvider),
+		Handler:           pkgHttp.OpenTelemetryNewHandler(r, serviceName, tracerProvider),
 		ReadTimeout:       config.Server.ReadTimeout,
 		ReadHeaderTimeout: config.Server.ReadHeaderTimeout,
 		WriteTimeout:      config.Server.WriteTimeout,

diff --git a/device-provisioning-service/service/http/uri.go b/device-provisioning-service/service/http/uri.go
@@ -2,8 +2,8 @@ package http
 
 // HTTP Service URIs.
 const (
-	API   = "/api"
-	APIV1 = API + "/v1"
+	Base = "/device-provisioning-service"
+	API  = Base + "/api/v1"
 
-	ProvisioningRecords = APIV1 + "/provisioning-records"
+	ProvisioningRecords = API + "/provisioning-records"
 )
diff --git a/device-provisioning-service/service/provision_test.go b/device-provisioning-service/service/provision_test.go
@@ -28,11 +28,11 @@ import (
 	"github.com/plgd-dev/hub/v2/pkg/config/property/urischeme"
 	"github.com/plgd-dev/hub/v2/pkg/fn"
 	pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc"
+	pkgHttpPb "github.com/plgd-dev/hub/v2/pkg/net/http/pb"
 	"github.com/plgd-dev/hub/v2/resource-aggregate/commands"
 	hubTest "github.com/plgd-dev/hub/v2/test"
 	"github.com/plgd-dev/hub/v2/test/config"
 	"github.com/plgd-dev/hub/v2/test/device/ocf"
-	httpTest "github.com/plgd-dev/hub/v2/test/http"
 	oauthTest "github.com/plgd-dev/hub/v2/test/oauth-server/test"
 	"github.com/plgd-dev/hub/v2/test/sdk"
 	hubTestService "github.com/plgd-dev/hub/v2/test/service"
@@ -106,7 +106,7 @@ func TestProvisioning(t *testing.T) {
 	var got []*pb.ProvisioningRecord
 	for {
 		var dev pb.ProvisioningRecord
-		err := httpTest.Unmarshal(resp.StatusCode, resp.Body, &dev)
+		err := pkgHttpPb.Unmarshal(resp.StatusCode, resp.Body, &dev)
 		if errors.Is(err, io.EOF) {
 			break
 		}
@@ -387,7 +387,7 @@ func TestProvisioningWithPSK(t *testing.T) {
 	var got []*pb.ProvisioningRecord
 	for {
 		var dev pb.ProvisioningRecord
-		err := httpTest.Unmarshal(resp.StatusCode, resp.Body, &dev)
+		err := pkgHttpPb.Unmarshal(resp.StatusCode, resp.Body, &dev)
 		if errors.Is(err, io.EOF) {
 			break
 		}

diff --git a/device-provisioning-service/uri/uri.go b/device-provisioning-service/uri/uri.go
@@ -2,12 +2,12 @@ package uri
 
 // COAP Service URIs.
 const (
-	API   = "/api"
-	APIV1 = API + "/v1"
+	Base = "/device-provisioning-service"
+	API  = Base + "/api/v1"
 
 	CoAPsTCPSchemePrefix = "coaps+tcp://"
 
-	Provisioning       = APIV1 + "/provisioning"
+	Provisioning       = API + "/provisioning"
 	Resources          = Provisioning + "/resources"
 	ACLs               = Provisioning + "/acls"
 	Credentials        = Provisioning + "/credentials"