diff --git a/.github/workflows/build-publish.yaml b/.github/workflows/build-publish.yaml index 80e9822ff..10a450ae8 100644 --- a/.github/workflows/build-publish.yaml +++ b/.github/workflows/build-publish.yaml @@ -123,6 +123,10 @@ jobs: directory: m2m-oauth-server file: .tmp/docker/m2m-oauth-server/Dockerfile template-file: tools/docker/Dockerfile.in + - name: device-provisioning-service + directory: device-provisioning-service + file: .tmp/docker/device-provisioning-service/Dockerfile + template-file: tools/docker/Dockerfile.in - name: test-device-provisioning-service directory: test/device-provisioning-service file: test/device-provisioning-service/Dockerfile diff --git a/bundle/Dockerfile b/bundle/Dockerfile index 246ee36c9..06fb3a624 100644 --- a/bundle/Dockerfile +++ b/bundle/Dockerfile @@ -120,6 +120,13 @@ RUN go build -ldflags "-linkmode external -extldflags -static -X github.com/plgd -o "/go/bin/$service" \ ./cmd/service +#device-provisioning-service +ARG service=device-provisioning-service +WORKDIR $root_directory/$service +RUN go build -ldflags "-linkmode external -extldflags -static -X github.com/plgd-dev/hub/v2/pkg/build.CommitDate=$COMMIT_DATE -X github.com/plgd-dev/hub/v2/pkg/build.CommitHash=$SHORT_COMMIT -X github.com/plgd-dev/hub/v2/pkg/build.BuildDate=$DATE -X github.com/plgd-dev/hub/v2/pkg/build.Version=$VERSION -X github.com/plgd-dev/hub/v2/pkg/build.ReleaseURL=$RELEASE_URL" \ + -o "/go/bin/$service" \ + ./cmd/service + #nats WORKDIR $root_directory RUN apkArch="$(apk --print-arch)"; \ @@ -251,6 +258,8 @@ ENV SNIPPET_SERVICE_PORT=9091 ENV HTTP_SNIPPET_SERVICE_PORT=9092 ENV M2M_OAUTH_SERVER_PORT=9079 ENV HTTP_M2M_OAUTH_SERVER_PORT=9080 +ENV DEVICE_PROVISIONG_SERVICE_PORT=9093 +ENV HTTP_DEVICE_PROVISIONG_SERVICE_PORT=9094 # OAuth ENV DEVICE_PROVIDER=plgd diff --git a/bundle/nginx/nginx.conf.template b/bundle/nginx/nginx.conf.template index 409d5b3fe..fb11588c8 100644 --- a/bundle/nginx/nginx.conf.template +++ b/bundle/nginx/nginx.conf.template @@ -162,5 +162,32 @@ http { proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; } + location ~ ^(/device-provisioning-service) { + set $upstream_oauth_server https://127.0.0.1:REPLACE_HTTP_DEVICE_PROVISIONG_SERVICE_PORT; + proxy_pass $upstream_oauth_server; + proxy_ssl_certificate /data/certs/internal/endpoint.crt; + proxy_ssl_certificate_key /data/certs/internal/endpoint.key; + proxy_ssl_trusted_certificate /data/certs/root_ca.crt; + proxy_ssl_verify on; + set $cors_headers 'Authority,Method,Path,Scheme,Accept,Accept-Encoding,Accept-Language,Content-Type,Origin,Refer,Sec-Fetch-Dest,Sec-Fetch-Mode,Sec-Fetch-Site,Authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,correlation-id'; + include /nginx/cors.oauth.conf; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header Host $host; + } + location ~ ^(/deviceprovisioningservice.pb.DeviceProvisionService) { + set $upstream_grpc_oauth_server grpcs://127.0.0.1:REPLACE_DEVICE_PROVISIONG_SERVICE_PORT; + grpc_pass $upstream_grpc_oauth_server; + grpc_ssl_certificate /data/certs/internal/endpoint.crt; + grpc_ssl_certificate_key /data/certs/internal/endpoint.key; + grpc_ssl_trusted_certificate /data/certs/root_ca.crt; + grpc_read_timeout 31536000s; + grpc_send_timeout 31536000s; + client_body_timeout 31536000s; + grpc_socket_keepalive on; + proxy_ssl_trusted_certificate /data/certs/root_ca.crt; + proxy_ssl_verify on; + } } } \ No newline at end of file diff --git a/bundle/run.sh b/bundle/run.sh index f5cce3654..5b655b4ce 100755 --- a/bundle/run.sh +++ b/bundle/run.sh @@ -28,6 +28,8 @@ export SNIPPET_SERVICE_ADDRESS="localhost:${SNIPPET_SERVICE_PORT}" export SNIPPET_SERVICE_HTTP_ADDRESS="localhost:${HTTP_SNIPPET_SERVICE_PORT}" export M2M_OAUTH_SERVER_ADDRESS="localhost:${M2M_OAUTH_SERVER_PORT}" export M2M_OAUTH_SERVER_HTTP_ADDRESS="localhost:${HTTP_M2M_OAUTH_SERVER_PORT}" +export DEVICE_PROVISIONG_SERVICE_ADDRESS="localhost:${DEVICE_PROVISIONG_SERVICE_PORT}" +export DEVICE_PROVISIONG_SERVICE_HTTP_ADDRESS="localhost:${HTTP_DEVICE_PROVISIONG_SERVICE_PORT}" export INTERNAL_CERT_DIR_PATH="$CERTIFICATES_PATH/internal" export GRPC_INTERNAL_CERT_NAME="endpoint.crt" @@ -491,6 +493,8 @@ if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "${NGINX_PATH}/nginx.conf" ]; then sed -i "s/REPLACE_HTTP_SNIPPET_SERVICE_PORT/$HTTP_SNIPPET_SERVICE_PORT/g" ${NGINX_PATH}/nginx.conf sed -i "s/REPLACE_M2M_OAUTH_SERVER_PORT/$M2M_OAUTH_SERVER_PORT/g" ${NGINX_PATH}/nginx.conf sed -i "s/REPLACE_HTTP_M2M_OAUTH_SERVER_PORT/$HTTP_M2M_OAUTH_SERVER_PORT/g" ${NGINX_PATH}/nginx.conf + sed -i "s/REPLACE_DEVICE_PROVISIONG_SERVICE_PORT/$DEVICE_PROVISIONG_SERVICE_PORT/g" ${NGINX_PATH}/nginx.conf + sed -i "s/REPLACE_HTTP_DEVICE_PROVISIONG_SERVICE_PORT/$HTTP_DEVICE_PROVISIONG_SERVICE_PORT/g" ${NGINX_PATH}/nginx.conf fi # nats @@ -1356,6 +1360,68 @@ while true; do sleep 1 done +# device-provisioning-service +echo "starting device-provisioning-service" +## configuration +if [ "${OVERRIDE_FILES}" = "true" ] || [ ! -f "/data/device-provisioning-service.yaml" ]; then +cat /configs/device-provisioning-service.yaml | + yq e "\ + .log.level = \"${LOG_LEVEL}\" | + .apis.coap.address = \"${DEVICE_PROVISIONG_SERVICE_ADDRESS}\" | + .apis.http.enabled = true | + .apis.http.address = \"${DEVICE_PROVISIONG_SERVICE_HTTP_ADDRESS}\" | + .apis.http.authorization.ownerClaim = \"${OWNER_CLAIM}\" | + .apis.grpc.authorization.endpoints[0].http.tls.useSystemCAPool = true | + .apis.grpc.authorization.endpoints[0].authority = \"https://${OAUTH_ENDPOINT}\" | + .apis.grpc.authorization.endpoints[1].authority = \"https://${M2M_OAUTH_SERVER_ENDPOINT}\" | + .apis.http.authorization.audience = \"${SERVICE_OAUTH_AUDIENCE}\" | + .clients.storage.mongoDB.uri = \"${MONGODB_URI}\" | + .clients.openTelemetryCollector.grpc.enabled = ${OPEN_TELEMETRY_EXPORTER_ENABLED} | + .clients.openTelemetryCollector.grpc.address = \"${OPEN_TELEMETRY_EXPORTER_ADDRESS}\" | + .clients.openTelemetryCollector.grpc.tls.caPool = \"${OPEN_TELEMETRY_EXPORTER_CA_POOL}\" | + .clients.openTelemetryCollector.grpc.tls.keyFile = \"${OPEN_TELEMETRY_EXPORTER_KEY_FILE}\" | + .clients.openTelemetryCollector.grpc.tls.certFile = \"${OPEN_TELEMETRY_EXPORTER_CERT_FILE}\" | + .clients.openTelemetryCollector.grpc.tls.useSystemCAPool = true | + .enrollmentGroups[0].id = \"${TODO}\" | + .enrollmentGroups[0].owner = \"${TODO}\" | + .enrollmentGroups[0].preSharedKeyFile = \"${TODO}\" | + .enrollmentGroups[0].attestationMechanism.x509.certificateChain = \"${TODO}\" | + .enrollmentGroups[0].attestationMechanism.x509.expiredCertificateEnabled = false | + .enrollmentGroups[0].hubs[0].caPool = \"${TODO}\" | + .enrollmentGroups[0].hubs[0].hubID = \"${TODO}\" | + .enrollmentGroups[0].hubs[0].gateways = \"${TODO}\" | + .enrollmentGroups[0].hubs[0].certificateAuthority.grpc.address = \"${CERTIFICATE_AUTHORITY_ADDRESS}\" + .enrollmentGroups[0].hubs[0].authorization.ownerClaim = \"${OWNER_CLAIM}\" | + .enrollmentGroups[0].hubs[0].authorization.deviceIDClaim = \"${TODO}\" | + .enrollmentGroups[0].hubs[0].authorization.provider.name = \"${TODO}\" | + .enrollmentGroups[0].hubs[0].authorization.provider.authority = \"${TODO}\" | + .enrollmentGroups[0].hubs[0].authorization.provider.clientID = \"${TODO}\" | + .enrollmentGroups[0].hubs[0].authorization.provider.clientSecretFile = \"${TODO}\" | + .enrollmentGroups[0].hubs[0].authorization.provider.scopes = \"${TODO}\" | + .enrollmentGroups[0].hubs[0].authorization.provider.audience = \"${TODO}\" +" - > /data/device-provisioning-service.yaml +fi +device-provisioning-service --config /data/device-provisioning-service.yaml >$LOGS_PATH/device-provisioning-service.log 2>&1 & +status=$? +device_provisioning_service_pid=$! +if [ $status -ne 0 ]; then + echo "Failed to start device-provisioning-service: $status" + sync + cat $LOGS_PATH/device-provisioning-service.log + exit $status +fi + +# waiting for ca. Without wait, sometimes the service didn't connect. +i=0 +while true; do + i=$((i+1)) + if openssl s_client -connect ${DEVICE_PROVISIONG_SERVICE_ADDRESS} -cert ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_NAME} -key ${INTERNAL_CERT_DIR_PATH}/${GRPC_INTERNAL_CERT_KEY_NAME} <<< "Q" 2>/dev/null > /dev/null; then + break + fi + echo "Try to reconnect to device-provisioning-service(${DEVICE_PROVISIONG_SERVICE_ADDRESS}) $i" + sleep 1 +done + echo "Open browser at https://${DOMAIN}" # Naive check runs checks once a minute to see if either of the processes exited. @@ -1487,4 +1553,11 @@ while sleep 10; do cat $LOGS_PATH/snippet-service.log exit 1 fi + ps aux |grep $device_provisioning_service_pid |grep -q -v grep + if [ $? -ne 0 ]; then + echo "device-provisioning-service has already exited." + sync + cat $LOGS_PATH/device-provisioning-service.log + exit 1 + fi done diff --git a/device-provisioning-service/service/http/getRegistrations_test.go b/device-provisioning-service/service/http/getRegistrations_test.go index 505d09536..7204eb611 100644 --- a/device-provisioning-service/service/http/getRegistrations_test.go +++ b/device-provisioning-service/service/http/getRegistrations_test.go @@ -11,8 +11,8 @@ import ( httpService "github.com/plgd-dev/hub/v2/device-provisioning-service/service/http" "github.com/plgd-dev/hub/v2/device-provisioning-service/test" httpgwTest "github.com/plgd-dev/hub/v2/http-gateway/test" + pkgHttpPb "github.com/plgd-dev/hub/v2/pkg/net/http/pb" hubTest "github.com/plgd-dev/hub/v2/test" - httpTest "github.com/plgd-dev/hub/v2/test/http" oauthTest "github.com/plgd-dev/hub/v2/test/oauth-server/test" hubTestService "github.com/plgd-dev/hub/v2/test/service" "github.com/stretchr/testify/assert" @@ -106,7 +106,7 @@ func TestDeviceProvisionServiceServerGetProvisioningRecords(t *testing.T) { var got pb.ProvisioningRecords for { var dev pb.ProvisioningRecord - err := httpTest.Unmarshal(resp.StatusCode, resp.Body, &dev) + err := pkgHttpPb.Unmarshal(resp.StatusCode, resp.Body, &dev) if errors.Is(err, io.EOF) { break } diff --git a/device-provisioning-service/service/http/service.go b/device-provisioning-service/service/http/service.go index fd05b7327..919202a6b 100644 --- a/device-provisioning-service/service/http/service.go +++ b/device-provisioning-service/service/http/service.go @@ -13,7 +13,8 @@ import ( "github.com/plgd-dev/hub/v2/http-gateway/serverMux" "github.com/plgd-dev/hub/v2/pkg/fsnotify" "github.com/plgd-dev/hub/v2/pkg/log" - kitNetHttp "github.com/plgd-dev/hub/v2/pkg/net/http" + pkgHttp "github.com/plgd-dev/hub/v2/pkg/net/http" + pkgHttpJwt "github.com/plgd-dev/hub/v2/pkg/net/http/jwt" "github.com/plgd-dev/hub/v2/pkg/net/listener" "github.com/plgd-dev/hub/v2/pkg/security/jwt/validator" "go.opentelemetry.io/otel/trace" @@ -41,7 +42,7 @@ func New(ctx context.Context, serviceName string, config Config, fileWatcher *fs pb.RegisterDeviceProvisionServiceServer(ch, grpc.NewDeviceProvisionServiceServer(store, config.Authorization.OwnerClaim)) grpcClient := pb.NewDeviceProvisionServiceClient(ch) - auth := kitNetHttp.NewInterceptorWithValidator(validator, kitNetHttp.NewDefaultAuthorizationRules(APIV1)) + auth := pkgHttpJwt.NewInterceptorWithValidator(validator, pkgHttp.NewDefaultAuthorizationRules(API)) mux := serverMux.New() r := serverMux.NewRouter(queryCaseInsensitive, auth) @@ -51,7 +52,7 @@ func New(ctx context.Context, serviceName string, config Config, fileWatcher *fs } r.PathPrefix("/").Handler(mux) httpServer := &http.Server{ - Handler: kitNetHttp.OpenTelemetryNewHandler(r, serviceName, tracerProvider), + Handler: pkgHttp.OpenTelemetryNewHandler(r, serviceName, tracerProvider), ReadTimeout: config.Server.ReadTimeout, ReadHeaderTimeout: config.Server.ReadHeaderTimeout, WriteTimeout: config.Server.WriteTimeout, diff --git a/device-provisioning-service/service/http/uri.go b/device-provisioning-service/service/http/uri.go index 62591e28c..a7ef3c297 100644 --- a/device-provisioning-service/service/http/uri.go +++ b/device-provisioning-service/service/http/uri.go @@ -2,8 +2,8 @@ package http // HTTP Service URIs. const ( - API = "/api" - APIV1 = API + "/v1" + Base = "/device-provisioning-service" + API = Base + "/api/v1" - ProvisioningRecords = APIV1 + "/provisioning-records" + ProvisioningRecords = API + "/provisioning-records" ) diff --git a/device-provisioning-service/service/provision_test.go b/device-provisioning-service/service/provision_test.go index 64b1085e8..63028947d 100644 --- a/device-provisioning-service/service/provision_test.go +++ b/device-provisioning-service/service/provision_test.go @@ -28,11 +28,11 @@ import ( "github.com/plgd-dev/hub/v2/pkg/config/property/urischeme" "github.com/plgd-dev/hub/v2/pkg/fn" pkgGrpc "github.com/plgd-dev/hub/v2/pkg/net/grpc" + pkgHttpPb "github.com/plgd-dev/hub/v2/pkg/net/http/pb" "github.com/plgd-dev/hub/v2/resource-aggregate/commands" hubTest "github.com/plgd-dev/hub/v2/test" "github.com/plgd-dev/hub/v2/test/config" "github.com/plgd-dev/hub/v2/test/device/ocf" - httpTest "github.com/plgd-dev/hub/v2/test/http" oauthTest "github.com/plgd-dev/hub/v2/test/oauth-server/test" "github.com/plgd-dev/hub/v2/test/sdk" hubTestService "github.com/plgd-dev/hub/v2/test/service" @@ -106,7 +106,7 @@ func TestProvisioning(t *testing.T) { var got []*pb.ProvisioningRecord for { var dev pb.ProvisioningRecord - err := httpTest.Unmarshal(resp.StatusCode, resp.Body, &dev) + err := pkgHttpPb.Unmarshal(resp.StatusCode, resp.Body, &dev) if errors.Is(err, io.EOF) { break } @@ -387,7 +387,7 @@ func TestProvisioningWithPSK(t *testing.T) { var got []*pb.ProvisioningRecord for { var dev pb.ProvisioningRecord - err := httpTest.Unmarshal(resp.StatusCode, resp.Body, &dev) + err := pkgHttpPb.Unmarshal(resp.StatusCode, resp.Body, &dev) if errors.Is(err, io.EOF) { break } diff --git a/device-provisioning-service/uri/uri.go b/device-provisioning-service/uri/uri.go index 76e2e8d50..e8b3e3617 100644 --- a/device-provisioning-service/uri/uri.go +++ b/device-provisioning-service/uri/uri.go @@ -2,12 +2,12 @@ package uri // COAP Service URIs. const ( - API = "/api" - APIV1 = API + "/v1" + Base = "/device-provisioning-service" + API = Base + "/api/v1" CoAPsTCPSchemePrefix = "coaps+tcp://" - Provisioning = APIV1 + "/provisioning" + Provisioning = API + "/provisioning" Resources = Provisioning + "/resources" ACLs = Provisioning + "/acls" Credentials = Provisioning + "/credentials" diff --git a/http-gateway/web/packages/shared-ui b/http-gateway/web/packages/shared-ui index 2b72225d9..7b292e90c 160000 --- a/http-gateway/web/packages/shared-ui +++ b/http-gateway/web/packages/shared-ui @@ -1 +1 @@ -Subproject commit 2b72225d968c1ecb82e79af045086d61228bba26 +Subproject commit 7b292e90c5e4d5f68dabd1dbf122c8dd27d65305