From 3886b6e2c5306523345745f0df69a44f13fd5ca0 Mon Sep 17 00:00:00 2001 From: Daniel Adam Date: Thu, 8 Aug 2024 13:59:31 +0200 Subject: [PATCH] fixup! Migrate device-provisioning-service to repository --- .github/workflows/build-publish.yaml | 3 + .github/workflows/test.yml | 18 +- Makefile | 1 + device-provisioning-service/README.md | 172 +------------ .../service/acls_test.go | 3 +- .../grpc/createEnrollmentGroup_test.go | 4 +- .../service/grpc/createHub_test.go | 4 +- .../grpc/deleteEnrollmentGroup_test.go | 4 +- .../service/grpc/deleteHubs_test.go | 4 +- .../grpc/deleteProvisioningRecords_test.go | 4 +- .../service/grpc/getEnrollmentGroups_test.go | 4 +- .../service/grpc/getHubs_test.go | 4 +- .../grpc/getProvisioningRecords_test.go | 4 +- .../grpc/updateEnrollmentGroup_test.go | 4 +- .../service/grpc/updateHub_test.go | 4 +- .../service/provisionCertificate_test.go | 10 +- .../service/provisionFail_test.go | 12 +- .../service/provisionOwnership_test.go | 4 +- .../service/provisionRecovery_test.go | 4 +- .../service/provisionRestart_test.go | 4 +- .../service/provisionRetry_test.go | 4 +- .../service/provision_test.go | 12 +- device-provisioning-service/workflow.svg | 180 ++++++++++++++ test/device-provisioning-service/Dockerfile | 96 ++++++++ test/device-provisioning-service/run.sh | 232 ++++++++++++++++++ 25 files changed, 576 insertions(+), 219 deletions(-) create mode 100644 device-provisioning-service/workflow.svg create mode 100644 test/device-provisioning-service/Dockerfile create mode 100755 test/device-provisioning-service/run.sh diff --git a/.github/workflows/build-publish.yaml b/.github/workflows/build-publish.yaml index 1483fc143..80e9822ff 100644 --- a/.github/workflows/build-publish.yaml +++ b/.github/workflows/build-publish.yaml 
@@ -123,6 +123,9 @@ jobs: directory: m2m-oauth-server file: .tmp/docker/m2m-oauth-server/Dockerfile template-file: tools/docker/Dockerfile.in + - name: test-device-provisioning-service + directory: test/device-provisioning-service + file: test/device-provisioning-service/Dockerfile uses: ./.github/workflows/build-publish-cfg.yaml with: name: ${{ matrix.name }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3dd6f9560..b2bbd52ef 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -28,7 +28,7 @@ jobs: include: # test with check race with coverage and sonarcloud - name: test - cmd: test + cmd: test-device-provisioning-service checkRace: "true" coapGateway: log: @@ -36,7 +36,7 @@ jobs: dumpBody: "true" - name: test/cqldb - cmd: test + cmd: test-device-provisioning-service checkRace: "true" database: "cqldb" coapGateway: @@ -46,14 +46,14 @@ jobs: # test without check race - name: test/norace - cmd: test + cmd: test-device-provisioning-service coapGateway: log: level: "debug" dumpBody: "true" - name: test/norace/cqldb - cmd: test + cmd: test-device-provisioning-service database: "cqldb" coapGateway: log: @@ -65,7 +65,7 @@ jobs: # - with ECDSA-SHA256 signature and P384 elliptic curve certificates # - with TEST_LEAD_RESOURCE_TYPE_FILTER, TEST_LEAD_RESOURCE_TYPE_USE_UUID - name: test/norace-384 - cmd: test + cmd: test-device-provisioning-service args: CERT_TOOL_SIGN_ALG=ECDSA-SHA384 CERT_TOOL_ELLIPTIC_CURVE=P384 TEST_LEAD_RESOURCE_TYPE_FILTER=last TEST_LEAD_RESOURCE_TYPE_USE_UUID=true # test @@ -73,7 +73,7 @@ jobs: # - with TEST_LEAD_RESOURCE_TYPE_FILTER, TEST_LEAD_RESOURCE_TYPE_REGEX_FILTER # - with logs from all services - name: test/norace/logs - cmd: test + cmd: test-device-provisioning-service args: TEST_LEAD_RESOURCE_TYPE_REGEX_FILTER='oic\.wk\.d,^/light/\d+$$' TEST_LEAD_RESOURCE_TYPE_FILTER=first coapGateway: log: 
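Review bot: The new `test-device-provisioning-service` matrix entry carries no `template-file`, while the sibling `m2m-oauth-server` entry right above it passes `template-file: tools/docker/Dockerfile.in` (the other entries are outside the hunk, so I cannot tell whether any of them omit it too). If the reusable `build-publish-cfg.yaml` workflow treats that input as required, this entry will fail at job setup; if the checked-in `test/device-provisioning-service/Dockerfile` is meant to be used verbatim, say so on the entry, e.g. `# checked-in Dockerfile, not generated from tools/docker/Dockerfile.in`, so the missing key is not read as an oversight.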
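Review bot: Switching every matrix entry's `cmd` from `test` to `test-device-provisioning-service` drops the rest of the hub test suite from CI, since `test`, `test/cqldb`, `test/norace`, `test/norace/cqldb`, `test/norace-384` and `test/norace/logs` now all run only the DPS tests; the same replacement appears in the `@@ -36`, `@@ -46`, `@@ -65` and `@@ -73` hunks of this file. That looks like a temporary narrowing for a fixup rather than the intended final state, so either restore `cmd: test` before merge or add a dedicated DPS matrix entry next to the existing ones instead of overwriting them. The `test-device-provisioning-service` Make target is not added anywhere in this patch; if it was introduced in the parent commit that is fine, otherwise every job here fails on an unknown target. The entries for `test/norace-384` and `test/norace/logs` also keep `args` that tune lead-resource-type filtering, which is unrelated to the DPS tests and a further hint the swap was not meant to be global.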
@@ -103,6 +103,12 @@ jobs: cat /proc/cpuinfo echo "Number of cores: $(nproc)" echo "Number of threads: $(nproc --all)" + + - name: disable tcp/udp offloading + run: | + ifconfig + ethtool -K eth0 tx off rx off + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - uses: actions/checkout@v4 with: diff --git a/Makefile b/Makefile index 768966534..25e2d3895 100644 --- a/Makefile +++ b/Makefile @@ -407,6 +407,7 @@ define RUN-DOCKER -v $(WORKING_DIRECTORY)/.tmp/privKeys:/privKeys \ -v $(WORKING_DIRECTORY)/.tmp/usr/local/www:/usr/local/www \ -v /var/run/docker.sock:/var/run/docker.sock \ + -e PION_LOG_TRACE=all \ -e TEST_CLOUD_SID=$(CLOUD_SID) \ -e LISTEN_FILE_CA_POOL=/certs/root_ca.crt \ -e LISTEN_FILE_CERT_DIR_PATH=/certs \ diff --git a/device-provisioning-service/README.md b/device-provisioning-service/README.md index fbbed66f3..8d1e42c5d 100644 --- a/device-provisioning-service/README.md +++ b/device-provisioning-service/README.md @@ -5,175 +5,13 @@ The Device Provisioning Service provides API to provision device to the [plgd/hu ## Workflow -![Plant UML](./workflow.puml). +![Plant UML](./workflow.svg). ## Docker Image diff --git a/device-provisioning-service/service/acls_test.go b/device-provisioning-service/service/acls_test.go index 0b1811075..47cd45bbc 100644 --- a/device-provisioning-service/service/acls_test.go +++ b/device-provisioning-service/service/acls_test.go @@ -51,12 +51,13 @@ func TestAclsUDP(t *testing.T) { shutDown := test.New(t, dpsCfg) defer shutDown() - ctx, cancel := context.WithTimeout(context.Background(), time.Second*1) + ctx, cancel := context.WithTimeout(context.Background(), time.Second) defer cancel() tlsCfg := setupTLSConfig(t) c, err := dtls.Dial(dpsCfg.APIs.COAP.Addr, pkgCoapService.TLSConfigToDTLSConfig(tlsCfg), options.WithContext(ctx)) require.NoError(t, err) + defer func() { errC := c.Close() require.NoError(t, errC) 
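Review bot: The added `disable tcp/udp offloading` step runs `ethtool -K eth0 tx off rx off` without `sudo`; changing interface features needs CAP_NET_ADMIN, so on a GitHub-hosted runner (job user `runner`, not root) the command is rejected and the step fails, unless this job actually runs as root. The interface name `eth0` is hard-coded and `ifconfig` depends on `net-tools` being installed, so the step is fragile on other runner images; `ip link` is the portable equivalent. The step also gives no hint why offloading is disabled, which the next maintainer will need before deleting it. I would write it as `run: sudo ethtool -K eth0 tx off rx off` with a comment such as `# offloading interferes with the DTLS/UDP tests — TODO confirm which test needs this`, and drop the bare `ifconfig` or replace it with `ip link show`.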
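Review bot: Adding `-e PION_LOG_TRACE=all` to the `RUN-DOCKER` template turns on trace-level logging for every pion package inside the test container on every run, not just when someone is debugging the DTLS handshake, which makes the CI logs very large and records handshake-level detail that does not belong in routine test output. Given the commit is a `fixup!`, this reads as a debugging aid that should either be removed before merge or gated behind a Make variable so the default stays quiet, e.g. `-e PION_LOG_TRACE=$(PION_LOG_TRACE) \` with `PION_LOG_TRACE ?=` declared next to the other defaults (variable name constructed here, not from the page). The `RUN-DOCKER` define begins and ends outside the hunk, so I cannot see whether a similar variable already exists.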
diff --git a/device-provisioning-service/service/grpc/createEnrollmentGroup_test.go b/device-provisioning-service/service/grpc/createEnrollmentGroup_test.go index 1fdb15f9b..eafca75de 100644 --- a/device-provisioning-service/service/grpc/createEnrollmentGroup_test.go +++ b/device-provisioning-service/service/grpc/createEnrollmentGroup_test.go @@ -12,7 +12,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/service/grpc" "github.com/plgd-dev/hub/v2/device-provisioning-service/test" "github.com/plgd-dev/hub/v2/pkg/config/property/urischeme" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" "github.com/stretchr/testify/require" @@ -91,7 +91,7 @@ func TestDeviceProvisionServiceServerCreateEnrollmentGroup(t *testing.T) { pb.RegisterDeviceProvisionServiceServer(ch, grpc.NewDeviceProvisionServiceServer(store, test.MakeAuthorizationConfig().OwnerClaim)) grpcClient := pb.NewDeviceProvisionServiceClient(ch) - ctx := kitNetGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ + ctx := pkgGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ "sub": test.DPSOwner, })) diff --git a/device-provisioning-service/service/grpc/createHub_test.go b/device-provisioning-service/service/grpc/createHub_test.go index 3b9e23a90..ebc991b0c 100644 --- a/device-provisioning-service/service/grpc/createHub_test.go +++ b/device-provisioning-service/service/grpc/createHub_test.go 
@@ -10,7 +10,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/pb" "github.com/plgd-dev/hub/v2/device-provisioning-service/service/grpc" "github.com/plgd-dev/hub/v2/device-provisioning-service/test" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" "github.com/stretchr/testify/require" @@ -55,7 +55,7 @@ func TestDeviceProvisionServiceServerCreateHub(t *testing.T) { pb.RegisterDeviceProvisionServiceServer(ch, grpc.NewDeviceProvisionServiceServer(store, test.MakeAuthorizationConfig().OwnerClaim)) grpcClient := pb.NewDeviceProvisionServiceClient(ch) - ctx := kitNetGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ + ctx := pkgGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ "sub": test.DPSOwner, })) diff --git a/device-provisioning-service/service/grpc/deleteEnrollmentGroup_test.go b/device-provisioning-service/service/grpc/deleteEnrollmentGroup_test.go index 0ac7eacde..db7b78115 100644 --- a/device-provisioning-service/service/grpc/deleteEnrollmentGroup_test.go +++ b/device-provisioning-service/service/grpc/deleteEnrollmentGroup_test.go @@ -10,7 +10,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/pb" "github.com/plgd-dev/hub/v2/device-provisioning-service/service/grpc" "github.com/plgd-dev/hub/v2/device-provisioning-service/test" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" "github.com/plgd-dev/hub/v2/test/config" "github.com/stretchr/testify/require" ) 
@@ -44,7 +44,7 @@ func TestDeviceProvisionServiceServerDeleteEnrollmentGroups(t *testing.T) { pb.RegisterDeviceProvisionServiceServer(ch, grpc.NewDeviceProvisionServiceServer(store, test.MakeAuthorizationConfig().OwnerClaim)) grpcClient := pb.NewDeviceProvisionServiceClient(ch) - ctx := kitNetGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ + ctx := pkgGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ "sub": test.DPSOwner, })) diff --git a/device-provisioning-service/service/grpc/deleteHubs_test.go b/device-provisioning-service/service/grpc/deleteHubs_test.go index 1cbc30aca..34c99fac7 100644 --- a/device-provisioning-service/service/grpc/deleteHubs_test.go +++ b/device-provisioning-service/service/grpc/deleteHubs_test.go @@ -10,7 +10,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/pb" "github.com/plgd-dev/hub/v2/device-provisioning-service/service/grpc" "github.com/plgd-dev/hub/v2/device-provisioning-service/test" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" "github.com/plgd-dev/hub/v2/test/config" "github.com/stretchr/testify/require" ) @@ -43,7 +43,7 @@ func TestDeviceProvisionServiceServerDeleteHubs(t *testing.T) { }, } - ctx := kitNetGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ + ctx := pkgGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ "sub": test.DPSOwner, })) diff --git a/device-provisioning-service/service/grpc/deleteProvisioningRecords_test.go b/device-provisioning-service/service/grpc/deleteProvisioningRecords_test.go index 2989fabcc..b184aa80e 100644 --- a/device-provisioning-service/service/grpc/deleteProvisioningRecords_test.go +++ b/device-provisioning-service/service/grpc/deleteProvisioningRecords_test.go 
@@ -9,7 +9,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/pb" "github.com/plgd-dev/hub/v2/device-provisioning-service/service/grpc" "github.com/plgd-dev/hub/v2/device-provisioning-service/test" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" "github.com/stretchr/testify/require" @@ -67,7 +67,7 @@ func TestDeviceProvisionServiceServerDeleteProvisioningRecords(t *testing.T) { pb.RegisterDeviceProvisionServiceServer(ch, grpc.NewDeviceProvisionServiceServer(store, test.MakeAuthorizationConfig().OwnerClaim)) grpcClient := pb.NewDeviceProvisionServiceClient(ch) - ctx := kitNetGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ + ctx := pkgGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ "sub": test.DPSOwner, })) diff --git a/device-provisioning-service/service/grpc/getEnrollmentGroups_test.go b/device-provisioning-service/service/grpc/getEnrollmentGroups_test.go index 601ae9a85..cbe76ac30 100644 --- a/device-provisioning-service/service/grpc/getEnrollmentGroups_test.go +++ b/device-provisioning-service/service/grpc/getEnrollmentGroups_test.go @@ -12,7 +12,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/pb" "github.com/plgd-dev/hub/v2/device-provisioning-service/service/grpc" "github.com/plgd-dev/hub/v2/device-provisioning-service/test" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" "github.com/stretchr/testify/require" 
@@ -59,7 +59,7 @@ func TestDeviceProvisionServiceServerGetEnrollmentGroups(t *testing.T) { pb.RegisterDeviceProvisionServiceServer(ch, grpc.NewDeviceProvisionServiceServer(store, test.MakeAuthorizationConfig().OwnerClaim)) grpcClient := pb.NewDeviceProvisionServiceClient(ch) - ctx := kitNetGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ + ctx := pkgGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ "sub": test.DPSOwner, })) diff --git a/device-provisioning-service/service/grpc/getHubs_test.go b/device-provisioning-service/service/grpc/getHubs_test.go index bcb5b8016..f23d20156 100644 --- a/device-provisioning-service/service/grpc/getHubs_test.go +++ b/device-provisioning-service/service/grpc/getHubs_test.go @@ -12,7 +12,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/pb" "github.com/plgd-dev/hub/v2/device-provisioning-service/service/grpc" "github.com/plgd-dev/hub/v2/device-provisioning-service/test" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" "github.com/stretchr/testify/require" @@ -59,7 +59,7 @@ func TestDeviceProvisionServiceServerGetHubs(t *testing.T) { pb.RegisterDeviceProvisionServiceServer(ch, grpc.NewDeviceProvisionServiceServer(store, test.MakeAuthorizationConfig().OwnerClaim)) grpcClient := pb.NewDeviceProvisionServiceClient(ch) - ctx := kitNetGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ + ctx := pkgGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ "sub": test.DPSOwner, })) diff --git a/device-provisioning-service/service/grpc/getProvisioningRecords_test.go b/device-provisioning-service/service/grpc/getProvisioningRecords_test.go index 7a98df9a1..33bd37641 100644 --- a/device-provisioning-service/service/grpc/getProvisioningRecords_test.go 
+++ b/device-provisioning-service/service/grpc/getProvisioningRecords_test.go @@ -11,7 +11,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/pb" "github.com/plgd-dev/hub/v2/device-provisioning-service/service/grpc" "github.com/plgd-dev/hub/v2/device-provisioning-service/test" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" "github.com/stretchr/testify/require" @@ -74,7 +74,7 @@ func TestDeviceProvisionServiceServerGetProvisioningRecords(t *testing.T) { pb.RegisterDeviceProvisionServiceServer(ch, grpc.NewDeviceProvisionServiceServer(store, test.MakeAuthorizationConfig().OwnerClaim)) grpcClient := pb.NewDeviceProvisionServiceClient(ch) - ctx := kitNetGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ + ctx := pkgGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ "sub": test.DPSOwner, })) diff --git a/device-provisioning-service/service/grpc/updateEnrollmentGroup_test.go b/device-provisioning-service/service/grpc/updateEnrollmentGroup_test.go index 215017a44..5565d2408 100644 --- a/device-provisioning-service/service/grpc/updateEnrollmentGroup_test.go +++ b/device-provisioning-service/service/grpc/updateEnrollmentGroup_test.go @@ -10,7 +10,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/pb" "github.com/plgd-dev/hub/v2/device-provisioning-service/service/grpc" "github.com/plgd-dev/hub/v2/device-provisioning-service/test" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" "github.com/stretchr/testify/require" 
@@ -65,7 +65,7 @@ func TestDeviceProvisionServiceServerUpdateEnrollmentGroup(t *testing.T) { pb.RegisterDeviceProvisionServiceServer(ch, grpc.NewDeviceProvisionServiceServer(store, test.MakeAuthorizationConfig().OwnerClaim)) grpcClient := pb.NewDeviceProvisionServiceClient(ch) - ctx := kitNetGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ + ctx := pkgGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ "sub": test.DPSOwner, })) diff --git a/device-provisioning-service/service/grpc/updateHub_test.go b/device-provisioning-service/service/grpc/updateHub_test.go index f49187167..cf71e97e7 100644 --- a/device-provisioning-service/service/grpc/updateHub_test.go +++ b/device-provisioning-service/service/grpc/updateHub_test.go @@ -10,7 +10,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/pb" "github.com/plgd-dev/hub/v2/device-provisioning-service/service/grpc" "github.com/plgd-dev/hub/v2/device-provisioning-service/test" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" "github.com/stretchr/testify/require" @@ -64,7 +64,7 @@ func TestDeviceProvisionServiceServerUpdateHub(t *testing.T) { pb.RegisterDeviceProvisionServiceServer(ch, grpc.NewDeviceProvisionServiceServer(store, test.MakeAuthorizationConfig().OwnerClaim)) grpcClient := pb.NewDeviceProvisionServiceClient(ch) - ctx := kitNetGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ + ctx := pkgGrpc.CtxWithToken(context.Background(), config.CreateJwtToken(t, jwt.MapClaims{ "sub": test.DPSOwner, })) diff --git a/device-provisioning-service/service/provisionCertificate_test.go b/device-provisioning-service/service/provisionCertificate_test.go index 8f03022fb..2add099b8 100644 --- a/device-provisioning-service/service/provisionCertificate_test.go 
+++ b/device-provisioning-service/service/provisionCertificate_test.go @@ -34,7 +34,7 @@ import ( grpcPb "github.com/plgd-dev/hub/v2/grpc-gateway/pb" isEvents "github.com/plgd-dev/hub/v2/identity-store/events" "github.com/plgd-dev/hub/v2/pkg/log" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" "github.com/plgd-dev/hub/v2/resource-aggregate/commands" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" @@ -68,7 +68,7 @@ func TestProvisioningWithRenewal(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() - ctx = kitNetGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) + ctx = pkgGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), @@ -178,7 +178,7 @@ func TestProvisioningNewCertificateDuringConnectionToHub(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() token := oauthTest.GetDefaultAccessToken(t) - ctx = kitNetGrpc.CtxWithToken(ctx, token) + ctx = pkgGrpc.CtxWithToken(ctx, token) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), @@ -266,7 +266,7 @@ func TestOwnerWithUnknownCertificateAuthority(t *testing.T) { token := oauthTest.GetDefaultAccessToken(t) ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() - ctx = kitNetGrpc.CtxWithToken(ctx, token) + ctx = pkgGrpc.CtxWithToken(ctx, token) rootCA, err := os.ReadFile(os.Getenv("TEST_DPS_ROOT_CA_CERT_ALT")) require.NoError(t, err) 
@@ -462,7 +462,7 @@ func TestDisconnectAfterCredentialsUpdate(t *testing.T) { deviceID := hubTest.MustFindDeviceByName(test.TestDeviceObtName) ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() - ctx = kitNetGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) + ctx = pkgGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) deviceID, shutdownSim := test.OnboardDpsSim(ctx, t, c, deviceID, h.Cfg().APIs.COAP.Addr, test.TestDevsimResources) defer shutdownSim() h.StopDps() diff --git a/device-provisioning-service/service/provisionFail_test.go b/device-provisioning-service/service/provisionFail_test.go index 4cb2a3e51..6da6aec2e 100644 --- a/device-provisioning-service/service/provisionFail_test.go +++ b/device-provisioning-service/service/provisionFail_test.go @@ -20,7 +20,7 @@ import ( "github.com/plgd-dev/hub/v2/grpc-gateway/client" grpcPb "github.com/plgd-dev/hub/v2/grpc-gateway/pb" "github.com/plgd-dev/hub/v2/pkg/log" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" "github.com/plgd-dev/hub/v2/resource-aggregate/commands" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" @@ -117,7 +117,7 @@ func TestProvisioningWithExpiringCertificate(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() token := oauthTest.GetDefaultAccessToken(t) - ctx = kitNetGrpc.CtxWithToken(ctx, token) + ctx = pkgGrpc.CtxWithToken(ctx, token) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), 
@@ -149,7 +149,7 @@ func TestProvisioningWithExpiringCertificate(t *testing.T) { shortTimeout := time.Second * 30 // enough time for provisioning to succeed and certificate to expire shortCtx, shortCancel := context.WithTimeout(context.Background(), shortTimeout) defer shortCancel() - shortCtx = kitNetGrpc.CtxWithToken(shortCtx, token) + shortCtx = pkgGrpc.CtxWithToken(shortCtx, token) subClient, err := client.New(c).GrpcGatewayClient().SubscribeToEvents(shortCtx) require.NoError(t, err) @@ -246,7 +246,7 @@ func TestProvisioningWithExpiredCertificate(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() token := oauthTest.GetDefaultAccessToken(t) - ctx = kitNetGrpc.CtxWithToken(ctx, token) + ctx = pkgGrpc.CtxWithToken(ctx, token) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), @@ -309,7 +309,7 @@ func TestProvisioningWithExpiredCertificate(t *testing.T) { // DPS provisioning should fail and reprovisioning should be triggered shortCtx, shortCancel := context.WithTimeout(context.Background(), time.Second*20) defer shortCancel() - shortCtx = kitNetGrpc.CtxWithToken(shortCtx, token) + shortCtx = pkgGrpc.CtxWithToken(shortCtx, token) err = h.Verify(shortCtx) require.Error(t, err) } @@ -385,7 +385,7 @@ func TestProvisioningWithDeletedEnrollmentGroup(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute) defer cancel() token := oauthTest.GetDefaultAccessToken(t) - ctx = kitNetGrpc.CtxWithToken(ctx, token) + ctx = pkgGrpc.CtxWithToken(ctx, token) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), diff --git a/device-provisioning-service/service/provisionOwnership_test.go b/device-provisioning-service/service/provisionOwnership_test.go index e6a8396e0..4d514e647 100644 
--- a/device-provisioning-service/service/provisionOwnership_test.go +++ b/device-provisioning-service/service/provisionOwnership_test.go @@ -16,7 +16,7 @@ import ( "github.com/plgd-dev/hub/v2/grpc-gateway/client" grpcPb "github.com/plgd-dev/hub/v2/grpc-gateway/pb" isEvents "github.com/plgd-dev/hub/v2/identity-store/events" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" "github.com/plgd-dev/hub/v2/resource-aggregate/commands" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" @@ -46,7 +46,7 @@ func TestInvalidOwner(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() token := oauthTest.GetDefaultAccessToken(t) - ctx = kitNetGrpc.CtxWithToken(ctx, token) + ctx = pkgGrpc.CtxWithToken(ctx, token) corID := "allEvents" subClient, subID := test.SubscribeToAllEvents(ctx, t, c, corID) diff --git a/device-provisioning-service/service/provisionRecovery_test.go b/device-provisioning-service/service/provisionRecovery_test.go index 25e75e561..35307408d 100644 --- a/device-provisioning-service/service/provisionRecovery_test.go +++ b/device-provisioning-service/service/provisionRecovery_test.go @@ -16,7 +16,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/test" "github.com/plgd-dev/hub/v2/grpc-gateway/client" "github.com/plgd-dev/hub/v2/grpc-gateway/pb" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" "github.com/plgd-dev/hub/v2/resource-aggregate/commands" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" 
@@ -46,7 +46,7 @@ func testProvisioningWithDPSHandler(t *testing.T, h testDpsHandler, timeout time ctx, cancel := context.WithTimeout(context.Background(), timeout) defer cancel() - ctx = kitNetGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) + ctx = pkgGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), diff --git a/device-provisioning-service/service/provisionRestart_test.go b/device-provisioning-service/service/provisionRestart_test.go index 140a63585..ed8335ebe 100644 --- a/device-provisioning-service/service/provisionRestart_test.go +++ b/device-provisioning-service/service/provisionRestart_test.go @@ -12,7 +12,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/test" "github.com/plgd-dev/hub/v2/grpc-gateway/client" "github.com/plgd-dev/hub/v2/grpc-gateway/pb" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" "github.com/plgd-dev/hub/v2/resource-aggregate/commands" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" @@ -42,7 +42,7 @@ func TestReprovisioningAfterRestart(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute*2) defer cancel() - ctx = kitNetGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) + ctx = pkgGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), diff --git a/device-provisioning-service/service/provisionRetry_test.go b/device-provisioning-service/service/provisionRetry_test.go index 9d8916e10..96ca00627 100644 --- a/device-provisioning-service/service/provisionRetry_test.go +++ b/device-provisioning-service/service/provisionRetry_test.go 
@@ -13,7 +13,7 @@ import ( "github.com/plgd-dev/hub/v2/device-provisioning-service/test" "github.com/plgd-dev/hub/v2/grpc-gateway/client" "github.com/plgd-dev/hub/v2/grpc-gateway/pb" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" "github.com/plgd-dev/hub/v2/resource-aggregate/commands" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" @@ -96,7 +96,7 @@ func TestForceReprovisioning(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute) defer cancel() - ctx = kitNetGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) + ctx = pkgGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), diff --git a/device-provisioning-service/service/provision_test.go b/device-provisioning-service/service/provision_test.go index e7dbccace..4ed762dd9 100644 --- a/device-provisioning-service/service/provision_test.go +++ b/device-provisioning-service/service/provision_test.go @@ -27,7 +27,7 @@ import ( httpgwTest "github.com/plgd-dev/hub/v2/http-gateway/test" "github.com/plgd-dev/hub/v2/identity-store/events" "github.com/plgd-dev/hub/v2/pkg/config/property/urischeme" - kitNetGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" "github.com/plgd-dev/hub/v2/resource-aggregate/commands" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" 
@@ -59,7 +59,7 @@ func TestProvisioning(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() token := oauthTest.GetDefaultAccessToken(t) - ctx = kitNetGrpc.CtxWithToken(ctx, token) + ctx = pkgGrpc.CtxWithToken(ctx, token) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), @@ -176,7 +176,7 @@ func TestProvisioningFactoryReset(t *testing.T) { token := oauthTest.GetDefaultAccessToken(t) ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second) defer cancel() - ctx = kitNetGrpc.CtxWithToken(ctx, token) + ctx = pkgGrpc.CtxWithToken(ctx, token) deviceID, _ = test.OnboardDpsSim(ctx, t, c, deviceID, dpcCfg.APIs.COAP.Addr, test.TestDevsimResources) @@ -217,7 +217,7 @@ func TestProvisioningWithCloudChange(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Minute*2) defer cancel() - ctx = kitNetGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) + ctx = pkgGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), @@ -312,7 +312,7 @@ func TestProvisioningWithPSK(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Second*3600) defer cancel() - ctx = kitNetGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) + ctx = pkgGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), 
@@ -393,7 +393,7 @@ func TestProvisioningFromNewDPSAddress(t *testing.T) { ctx, cancel := context.WithTimeout(context.Background(), time.Second*30) defer cancel() - ctx = kitNetGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) + ctx = pkgGrpc.CtxWithToken(ctx, oauthTest.GetDefaultAccessToken(t)) conn, err := grpc.NewClient(config.GRPC_GW_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ RootCAs: hubTest.GetRootCertificatePool(t), diff --git a/device-provisioning-service/workflow.svg b/device-provisioning-service/workflow.svg new file mode 100644 index 000000000..4bb1d43c4 --- /dev/null +++ b/device-provisioning-service/workflow.svg 
@@ -0,0 +1,180 @@ +Deviceplgd hubOperatorOperatorOnboarding ToolOnboarding ToolDevice ApplicationDevice ApplicationDPS LibraryDPS LibraryDevice Provisioning ServiceDevice Provisioning ServiceCertificate Authority ServiceCertificate Authority ServiceOAuth2.0 ServerOAuth2.0 ServerUnique manufacturer certificateset during the productionConfiguration1Configure Enrollment GroupDPS Connectionalt[DPS Address set by the device - Call Home]2Set DPS address[DPS address configured by the tool running discovery - Multicast]3Discover x.com.plgd.dps.conf4Here I amDevices with the x.com.plgd.dps.conf resource will reply.5Own device6The onboarding tool becomes the owner of the deviceor already owns it.7Set DPS address8When the device is disowned or factory reset, the DPS address is set to empty.The device is authenticated by the manufacturer certificate.Expired certificate can be used if enabled.9Connect and authenticate using Manufacturer Certificate10Validate certificateValidation against Mfg CAregistered in the Enrollment Group andagainst the revocation list.alt[Valid]11Connection established[Invalid]12Close connectionCheck available contentContent available for the DPS library which is derived from the Enrollment Group configuration is used to drive the workflow of the provisioning.13Get available resources14Available provisioning flow resources{"if": [oic.if.r, oic.if.b]"links": [{"href": "/api/v1/provisioning/acls"},{"href": "/api/v1/provisioning/cloud-configuration"},{"href": "/api/v1/provisioning/credentials"},{"href": "/api/v1/provisioning/customResource1"}{"href": "/api/v1/provisioning/ownership"},{"href": "/api/v1/provisioning/ownership"},{"href": "/x.plgd.dev/time"},...]}Device time synchronization15Get current time(GET x.plgd.dev/time)16Current time17Apply time if out of syncDevice Ownership18Get device ownerhip(GET api/v1/provisioning/ownership)19Set owner from the Enrollment Group for the device20Device Owner Transfer Method21Apply OwnershipDevice Identity 
Credentials22Sign Identity CSR and retrieve device credentials(POST api/v1/provisioning/credentials)alt[JWT token not cached]23Get token using client credential flowwith the owner from the dps configuration24JWT Token25Sign device's Identity CSR26Identity Certificate and plgd hub CA27Identity Certificate and plgd hub CA28Apply Identity CredentialsGet Device ACLs29Get device ACLs(GET api/v1/provisioning/acls)30Retrieve custom entries, generate requiredfor plgd hub instance and owner from the Enrollment Group31Device ACLs32Apply ACLsResource pre-configuration33Get pre-configuration specified in the Enrollment Group(GET api/v1/provisioning/res?if=oic.if.b)34Resource content{"if": [oic.if.r, oic.if.b]"links": [{"href": "/api/v1/provisioning/custom/resource/1""etag": "0","rep": {...}},{"href": "/api/v1/provisioning/custom/resource/2""etag": "1","rep": {...}},...]}Get plgd hub configuration35Get plgd hub connection data(GET api/v1/provisioning/cloud-configuration)36Get token using client credential flowwith owner from the dps configuration37Get connection data of plgd hubregistered in the Enrollment Group38Token & connection data39Provisioning device for plgd hub connection40Close connection41Start Cloud Managerplgd hub connectionFlow continues in a standard way, as documentedhere
\ No newline at end of file
diff --git a/test/device-provisioning-service/Dockerfile b/test/device-provisioning-service/Dockerfile
new file mode 100644
index 000000000..fa5722f13
--- /dev/null
+++ b/test/device-provisioning-service/Dockerfile
@@ -0,0 +1,96 @@
+FROM golang:1.22.3-alpine AS build
+RUN apk add --no-cache curl git build-base
+WORKDIR $GOPATH/src/github.com/plgd-dev/hub
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+WORKDIR /usr/local/go
+RUN ( patch -p1 < "$GOPATH/src/github.com/plgd-dev/hub/tools/docker/patches/shrink_tls_conn.patch" )
+
+ARG ROOT_DIRECTORY=$GOPATH/src/github.com/plgd-dev/hub
+
+# cert-tool
+WORKDIR $ROOT_DIRECTORY/tools/cert-tool
+RUN go build \
+ -ldflags "-linkmode external -extldflags -static" \
+ -o /go/bin/cert-tool
+
+# WORKDIR /
+# RUN cd "$GOPATH"/pkg/mod/github.com/plgd-dev/kit/v2* \
+# && go build \
+# -ldflags "-linkmode external -extldflags -static" \
+# -o /go/bin/certificate-generator ./cmd/certificate-generator
+
+ARG DPS_DIRECTORY=$ROOT_DIRECTORY/device-provisioning-service
+
+WORKDIR $DPS_DIRECTORY/service
+RUN go test -c \
+ -ldflags "-linkmode external -extldflags -static" \
+ -o /go/bin/dps-service.test
+
+WORKDIR $DPS_DIRECTORY/store/mongodb
+RUN go test -c \
+ -ldflags "-linkmode external -extldflags -static" \
+ -o /go/bin/dps-mongodb.test
+
+WORKDIR $DPS_DIRECTORY/security/oauth/clientcredentials
+RUN go test -c \
+ -ldflags "-linkmode external -extldflags -static" \
+ -o /go/bin/dps-clientcredentials.test
+
+# nats
+WORKDIR $ROOT_DIRECTORY
+RUN apkArch="$(apk --print-arch)"; \
+ case "$apkArch" in \
+ armhf) ARCH='arm' ;; \
+ aarch64) ARCH='arm64' ;; \
+ x86) ARCH='386' ;; \
+ x86_64) ARCH='amd64' ;; \
+ *) echo >&2 "error: unsupported architecture: $apkArch"; exit 1 ;; \
+ esac; \
+ curl -L https://github.com/nats-io/nats-server/releases/download/v2.3.1/nats-server-v2.3.1-linux-${ARCH}.zip -o ./nats-server.zip ; \
+ curl -L https://github.com/nats-io/natscli/releases/download/0.0.24/nats-0.0.24-linux-${ARCH}.zip -o ./nats.zip
+RUN mkdir -p ./nats-server
+RUN unzip ./nats-server.zip -d ./nats-server
+RUN cp ./nats-server/*/nats-server /go/bin/nats-server
+
+RUN mkdir -p ./nats
+RUN unzip ./nats.zip -d ./nats
+RUN cp ./nats/*/nats 
/go/bin/nats
+
+FROM ubuntu:22.04 AS service
+RUN apt update && \
+ DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y ca-certificates curl gnupg iproute2 lsb-release netcat-traditional openssl systemctl wget \
+ && apt-get clean
+RUN wget -qO - https://www.mongodb.org/static/pgp/server-6.0.asc | gpg --dearmor | tee /usr/share/keyrings/mongodb.gpg > /dev/null
+RUN ARCH="$(dpkg --print-architecture)" ; \
+ wget https://github.com/mikefarah/yq/releases/download/v4.6.3/yq_linux_${ARCH} -O /usr/bin/yq && chmod +x /usr/bin/yq ; \
+ echo "deb [ arch=${ARCH} signed-by=/usr/share/keyrings/mongodb.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/6.0 multiverse" | tee /etc/apt/sources.list.d/mongodb-org-6.0.list
+RUN curl -fsSL https://download.docker.com/linux/ubuntu/gpg | /usr/bin/gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
+RUN echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list
+RUN apt update && \
+ DEBIAN_FRONTEND=noninteractive apt-get --no-install-recommends install -y docker-ce mongodb-org mongodb-org-server \
+ && apt-get clean
+COPY --from=build /go/bin/cert-tool /usr/local/bin/cert-tool
+COPY --from=build /go/bin/dps-service.test /usr/local/bin/dps-service.test
+COPY --from=build /go/bin/dps-mongodb.test /usr/local/bin/dps-mongodb.test
+COPY --from=build /go/bin/dps-clientcredentials.test /usr/local/bin/dps-clientcredentials.test
+COPY --from=build /go/bin/nats-server /usr/local/bin/nats-server
+COPY --from=build /go/bin/nats /usr/local/bin/nats
+COPY test/device-provisioning-service/run.sh /usr/local/bin/run.sh
+
+# global
+ENV FQDN="localhost"
+ENV PREPARE_ENV="true"
+ENV RUN="true"
+
+# global - certificates generated by cert-tool
+ENV CERT_TOOL_SIGN_ALG=ECDSA-SHA256
+ENV CERT_TOOL_ELLIPTIC_CURVE=P256
+
+# ports
+ENV MONGO_PORT=27017
+ENV 
NATS_PORT=4222
+# ENV COAP_GATEWAY_UDP_ENABLED=false
+
+ENTRYPOINT ["/usr/local/bin/run.sh"]
diff --git a/test/device-provisioning-service/run.sh b/test/device-provisioning-service/run.sh
new file mode 100755
index 000000000..f4b05035d
--- /dev/null
+++ b/test/device-provisioning-service/run.sh
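Review bot: The nats-server, natscli and yq binaries are fetched with plain `curl -L`/`wget` in the build and service stages and copied into the image without any integrity check, so a replaced or tampered release asset would be built into the test image unnoticed; since the release versions are already pinned, the digests can be pinned too, e.g. `echo "<NATS_SERVER_SHA256_PLACEHOLDER>  ./nats-server.zip" | sha256sum -c -` right after each download (likewise for `./nats.zip` and `/usr/bin/yq`). Adding `-f` to the two nats downloads (`curl -fL ...`) makes an HTTP error fail the build instead of writing the error body into the zip, as the later `curl -fsSL` for the Docker key already does. Both base images are referenced by tag only (`golang:1.22.3-alpine`, `ubuntu:22.04`); a digest pin would make the test image reproducible, at the cost of not picking up base-image fixes automatically.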
@@ -0,0 +1,232 @@
+#!/usr/bin/env bash
+set -e
+
+umask 0000
+
+# Configure services
+export PATH="/usr/local/bin:$PATH"
+
+COAP_GATEWAY_HUB_ID="adebc667-1f2b-41e3-bf5c-6d6eabc68cc6"
+
+CERTIFICATES_PATH="/data/certs"
+DEVICE_CERTIFICATES_PATH="/data/certs/device"
+OAUTH_KEYS_PATH="/data/privKeys"
+LOGS_PATH="/data/log"
+MONGO_PATH="/data/db"
+
+# CERTS
+CA_POOL_DIR="$CERTIFICATES_PATH"
+CA_POOL_CERT_NAME="root_ca.crt"
+CA_POOL_CERT_KEY_NAME="root_ca.key"
+CA_POOL_CERT_PATH="${CERTIFICATES_PATH}/${CA_POOL_CERT_NAME}"
+CA_POOL_CERT_KEY_PATH="${CERTIFICATES_PATH}/${CA_POOL_CERT_KEY_NAME}"
+CA_POOL_CERT_ALT_NAME="root_ca_alt.crt"
+CA_POOL_CERT_KEY_ALT_NAME="root_ca_alt.key"
+CA_POOL_CERT_ALT_PATH="${CERTIFICATES_PATH}/${CA_POOL_CERT_ALT_NAME}"
+CA_POOL_CERT_KEY_ALT_PATH="${CERTIFICATES_PATH}/${CA_POOL_CERT_KEY_ALT_NAME}"
+CA_POOL_CERT_VALID_FROM="2000-01-01T12:00:00Z"
+CA_POOL_CERT_VALID_FOR="876000h"
+
+COAP_GATEWAY_CERT_NAME="coap.crt"
+COAP_GATEWAY_CERT_KEY_NAME="coap.key"
+COAP_GATEWAY_CERT="${CERTIFICATES_PATH}/${COAP_GATEWAY_CERT_NAME}"
+COAP_GATEWAY_CERT_KEY="${CERTIFICATES_PATH}/${COAP_GATEWAY_CERT_KEY_NAME}"
+HTTP_CERT_NAME="http.crt"
+HTTP_CERT_KEY_NAME="http.key"
+HTTP_CERT="${CERTIFICATES_PATH}/${HTTP_CERT_NAME}"
+HTTP_CERT_KEY="${CERTIFICATES_PATH}/${HTTP_CERT_KEY_NAME}"
+MONGODB_CERT_KEY="${CERTIFICATES_PATH}/mongo.key"
+
+DPS_CA_CERT="${DEVICE_CERTIFICATES_PATH}/dpsca.pem"
+DPS_CA_CERT_KEY="${DEVICE_CERTIFICATES_PATH}/dpscakey.pem"
+DPS_INTERMEDIATECA_CERT="${DEVICE_CERTIFICATES_PATH}/intermediatecacrt.pem"
+DPS_INTERMEDIATECA_CERT_KEY="${DEVICE_CERTIFICATES_PATH}/intermediatecakey.pem"
+DPS_MFG_CERT="${DEVICE_CERTIFICATES_PATH}/mfgcrt.pem"
+DPS_MFG_CERT_KEY="${DEVICE_CERTIFICATES_PATH}/mfgkey.pem"
+
+# LISTEN CERTS
+export LISTEN_FILE_CA_POOL="${CA_POOL_CERT_PATH}"
+export LISTEN_FILE_CERT_DIR_PATH="${CERTIFICATES_PATH}"
+export LISTEN_FILE_CERT_NAME="${HTTP_CERT_NAME}"
+export LISTEN_FILE_CERT_KEY_NAME="${HTTP_CERT_KEY_NAME}" 
+LISTEN_FILE_CERT="${LISTEN_FILE_CERT_DIR_PATH}/${LISTEN_FILE_CERT_NAME}"
+LISTEN_FILE_CERT_KEY="${LISTEN_FILE_CERT_DIR_PATH}/${LISTEN_FILE_CERT_KEY_NAME}"
+
+CERT_TOOL_SIGN_ALG=${CERT_TOOL_SIGN_ALG:-ECDSA-SHA256}
+CERT_TOOL_ELLIPTIC_CURVE=${CERT_TOOL_ELLIPTIC_CURVE:-P256}
+
+function startMongo {
+ ID=$1
+ PORT=$2
+ REPLICA_SET=$3
+ echo "starting mongod ${ID}"
+ HOST=localhost:${PORT}
+ DB_PATH="${MONGO_PATH}/${ID}"
+ mkdir -p ${DB_PATH}
+ mongod --setParameter maxNumActiveUserIndexBuilds=64 \
+ --port "${PORT}" \
+ --dbpath "${DB_PATH}" \
+ --tlsMode requireTLS \
+ --tlsCAFile "${CA_POOL_CERT_PATH}" \
+ --replSet ${REPLICA_SET} \
+ --bind_ip localhost \
+ --tlsCertificateKeyFile "${MONGODB_CERT_KEY}" >"${LOGS_PATH}/mongod.$ID.log" 2>&1 &
+ status=$?
+ mongo_pid=$!
+ if [ $status -ne 0 ]; then
+ echo "Failed to start mongod: ${status}"
+ sync
+ cat "${LOGS_PATH}/mongod.$ID.log"
+ exit ${status}
+ fi
+
+ # waiting for mongo DB. Without wait, sometimes auth service didn't connect.
+ i=0
+ while [ $i -le 20 ]; do
+ i=$((i+1))
+ if openssl s_client -connect "${HOST}" -cert "${LISTEN_FILE_CERT}" -key "${LISTEN_FILE_CERT_KEY}" <<< "Q" 2>/dev/null > /dev/null; then
+ break
+ fi
+ if [ $i -eq 20 ]; then
+ echo "Failed to connect to mongodb(${HOST})"
+ exit 1
+ fi
+ echo "Try to reconnect to mongodb(${HOST}) $i"
+ sleep 1
+ done
+}
+
+if [ "${PREPARE_ENV}" = "true" ]; then
+ mkdir -p "${CERTIFICATES_PATH}"
+ echo "generating CA cert"
+ cert-tool --cmd.generateRootCA --outCert="${CA_POOL_CERT_PATH}" --outKey="${CA_POOL_CERT_KEY_PATH}" \
+ --cert.subject.cn="Root CA" --cert.signatureAlgorithm=${CERT_TOOL_SIGN_ALG} --cert.ellipticCurve=${CERT_TOOL_ELLIPTIC_CURVE} \
+ --cert.validFrom="${CA_POOL_CERT_VALID_FROM}" --cert.validFor="${CA_POOL_CERT_VALID_FOR}"
+
+ fqdnSAN="--cert.san.domain=$FQDN"
+ if ip route get $FQDN 2>/dev/null >/dev/null; then
+ fqdnSAN="--cert.san.ip=$FQDN"
+ fi
+ echo "generating HTTP cert"
+ cert-tool --cmd.generateCertificate --outCert="${HTTP_CERT}" 
--outKey="${HTTP_CERT_KEY}" \
+ --cert.subject.cn="localhost" --cert.san.domain="localhost" --cert.san.ip="0.0.0.0" --cert.san.ip="127.0.0.1" $fqdnSAN \
+ --signerCert="${CA_POOL_CERT_PATH}" --signerKey="${CA_POOL_CERT_KEY_PATH}" \
+ --cert.signatureAlgorithm=${CERT_TOOL_SIGN_ALG} --cert.ellipticCurve=${CERT_TOOL_ELLIPTIC_CURVE}
+
+ echo "generating COAP-GW cert"
+ COAP_GATEWAY_UNSECURE_FQDN=$FQDN
+ COAP_GATEWAY_FQDN=$FQDN
+ cert-tool --cmd.generateIdentityCertificate="${COAP_GATEWAY_HUB_ID}" --outCert="${COAP_GATEWAY_CERT}" \
+ --outKey="${COAP_GATEWAY_CERT_KEY}" --cert.san.domain="${COAP_GATEWAY_FQDN}" --signerCert="${CA_POOL_CERT_PATH}" \
+ --signerKey="${CA_POOL_CERT_KEY_PATH}" --cert.signatureAlgorithm=${CERT_TOOL_SIGN_ALG} --cert.ellipticCurve=${CERT_TOOL_ELLIPTIC_CURVE}
+
+ echo "generating mongodb cert"
+ cat "${HTTP_CERT}" > "${MONGODB_CERT_KEY}"
+ cat "${HTTP_CERT_KEY}" >> "${MONGODB_CERT_KEY}"
+
+ echo "generating DPS client device certs"
+ mkdir -p "${DEVICE_CERTIFICATES_PATH}"
+ cp "${CA_POOL_CERT_PATH}" "${DPS_CA_CERT}"
+ cp "${CA_POOL_CERT_KEY_PATH}" "${DPS_CA_CERT_KEY}"
+ cert-tool --signerCert="${DPS_CA_CERT}" --signerKey="${DPS_CA_CERT_KEY}" --outCert="${DPS_INTERMEDIATECA_CERT}" \
+ --outKey="${DPS_INTERMEDIATECA_CERT_KEY}" --cert.basicConstraints.maxPathLen=0 --cert.subject.cn="intermediateCA" \
+ --cmd.generateIntermediateCA --cert.signatureAlgorithm=${CERT_TOOL_SIGN_ALG} --cert.ellipticCurve=${CERT_TOOL_ELLIPTIC_CURVE}
+ cert-tool --signerCert="${DPS_INTERMEDIATECA_CERT}" --signerKey="${DPS_INTERMEDIATECA_CERT_KEY}" \
+ --outCert="${DPS_MFG_CERT}" --outKey="${DPS_MFG_CERT_KEY}" --cert.san.domain=localhost --cert.san.ip=127.0.0.1 \
+ --cert.subject.cn="mfg" --cmd.generateCertificate --cert.signatureAlgorithm=${CERT_TOOL_SIGN_ALG} --cert.ellipticCurve=${CERT_TOOL_ELLIPTIC_CURVE}
+ echo "generating alternative CA for testing"
+ cert-tool --cmd.generateRootCA --outCert="${CA_POOL_CERT_ALT_PATH}" --outKey="${CA_POOL_CERT_KEY_ALT_PATH}" \
+ 
--cert.subject.cn="Root CA" --cert.signatureAlgorithm=${CERT_TOOL_SIGN_ALG} --cert.ellipticCurve=${CERT_TOOL_ELLIPTIC_CURVE} \
+ --cert.validFrom="${CA_POOL_CERT_VALID_FROM}" --cert.validFor="${CA_POOL_CERT_VALID_FOR}"
+ chmod -R 0777 "${CERTIFICATES_PATH}"
+
+ mkdir -p "${OAUTH_KEYS_PATH}"
+ openssl genrsa -out ${OAUTH_KEYS_PATH}/idTokenKey.pem 4096
+ openssl ecparam -name prime256v1 -genkey -noout -out ${OAUTH_KEYS_PATH}/accessTokenKey.pem
+ openssl ecparam -name prime256v1 -genkey -noout -out ${OAUTH_KEYS_PATH}/m2mAccessTokenKey.pem
+
+ # nats
+ cat > /data/nats.config <$LOGS_PATH/nats-server.log 2>&1 &
+ status=$?
+ nats_server_pid=$!
+ if [ $status -ne 0 ]; then
+ echo "Failed to start nats-server: $status"
+ sync
+ cat "$LOGS_PATH/nats-server.log"
+ exit $status
+ fi
+
+ NATS_HOST="localhost:${NATS_PORT}"
+ NATS_URL="nats://${NATS_HOST}"
+
+ # waiting for nats. Without wait, sometimes auth service didn't connect.
+ i=0
+ while [ $i -le 20 ]; do
+ i=$((i+1))
+ if nc -z localhost $NATS_PORT; then
+ break
+ fi
+ if [ $i -eq 20 ]; then
+ echo "Failed to connect to nats(${NATS_HOST})"
+ exit 1
+ fi
+ echo "Try to reconnect to nats(${NATS_HOST}) $i"
+ cat "$LOGS_PATH/nats-server.log"
+ sleep 1
+ done
+
+ echo "starting mongo replica set"
+ MONGO_REPLICA_SET=myReplicaSet
+ startMongo 0 ${MONGO_PORT} ${MONGO_REPLICA_SET}
+ startMongo 1 27018 ${MONGO_REPLICA_SET}
+ startMongo 2 27019 ${MONGO_REPLICA_SET}
+ mongosh --tls --tlsCAFile ${CA_POOL_CERT_PATH} --tlsCertificateKeyFile ${MONGODB_CERT_KEY} --eval "rs.initiate({
+ _id: \"${MONGO_REPLICA_SET}\",
+ members: [
+ {_id: 0, host: \"localhost:${MONGO_PORT}\"},
+ {_id: 1, host: \"localhost:27018\"},
+ {_id: 2, host: \"localhost:27019\"}
+ ]
+ })"
+
+ # needed by dps-service.test, dps-mongodb.test, dps-clientcredentials.test
+ export TEST_COAP_GW_CERT_FILE="${COAP_GATEWAY_CERT}"
+ export TEST_COAP_GW_KEY_FILE="${COAP_GATEWAY_CERT_KEY}"
+ export TEST_ROOT_CA_CERT="${CA_POOL_CERT_PATH}"
+ export 
TEST_ROOT_CA_KEY="${CA_POOL_CERT_KEY_PATH}"
+ export TEST_CLOUD_SID="${COAP_GATEWAY_HUB_ID}"
+ export TEST_OAUTH_SERVER_ID_TOKEN_PRIVATE_KEY="${OAUTH_KEYS_PATH}/idTokenKey.pem"
+ export TEST_OAUTH_SERVER_ACCESS_TOKEN_PRIVATE_KEY="${OAUTH_KEYS_PATH}/accessTokenKey.pem"
+ export TEST_DPS_INTERMEDIATE_CA_CERT=${DPS_INTERMEDIATECA_CERT}
+ export TEST_DPS_INTERMEDIATE_CA_KEY=${DPS_INTERMEDIATECA_CERT_KEY}
+ # alternative certificate authority to validate security
+ export TEST_DPS_ROOT_CA_CERT_ALT="${CA_POOL_CERT_ALT_PATH}"
+ export TEST_DPS_ROOT_CA_KEY_ALT="${CA_POOL_CERT_KEY_ALT_PATH}"
+ export M2M_OAUTH_SERVER_PRIVATE_KEY="${OAUTH_KEYS_PATH}/m2mAccessTokenKey.pem"
+
+ echo "starting dps-service test"
+ dps-service.test -test.v -test.timeout 1200s
+
+ echo "starting dps-mongodb test"
+ dps-mongodb.test -test.v -test.timeout 600s
+
+ echo "starting dps-clientcredentials test"
+ dps-clientcredentials.test -test.v -test.timeout 600s
+fi
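Review bot: The `status=$?` checks after the backgrounded `mongod ... &` in startMongo and after the nats-server start can never fire: `$?` of a command ended with `&` is the status of putting it in the background, which is 0, so the `Failed to start mongod` branch is dead code and a mongod that exits immediately is only reported as `Failed to connect to mongodb(...)` without its log. I would replace that check with a liveness test inside the wait loop, e.g. `if ! kill -0 "${mongo_pid}" 2>/dev/null; then cat "${LOGS_PATH}/mongod.$ID.log"; exit 1; fi`, and do the same with `${nats_server_pid}`, which is otherwise assigned but never used. Separately, `umask 0000` means every file written afterwards, presumably including the OAuth signing keys created by `openssl genrsa`/`ecparam` under `${OAUTH_KEYS_PATH}`, is world-writable, and `chmod -R 0777 "${CERTIFICATES_PATH}"` does the same explicitly for the root CA, intermediate CA and manufacturer keys; if the test binaries run as the same user as this script, `0644` for certificates and `0600` for keys would suffice, and if the permissive mode is deliberate for a shared volume, a one-line comment saying so would stop the next reader from tightening it.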