Migrate device-provisioning-service to repository

plgd-dev · Aug 8, 2024 · 9d167fa · 9d167fa
1 parent ca707fa
commit 9d167fa
Show file tree

Hide file tree

Showing 100 changed files with 21,213 additions and 39 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -169,6 +169,9 @@ issues:
     - path: resource-aggregate/events/resourceLinks.*.go|resource-aggregate/client/sync.*.go|resource-aggregate/service/grpcApi.go|resource-aggregate/events/resource.*.go
       linters:
         - dupl
+    - path: device-provisioning-service/test/provisionHandler.go
+      linters:
+        - dupl
   # Fix found issues (if it's supported by the linter).
   # fix: true
 

diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -39,6 +39,10 @@
         "TEST_SNIPPET_SERVICE_LOG_DUMP_BODY": "false",
         "TEST_DATABASE": "mongoDB",
         "TEST_BRIDGE_DEVICE_CONFIG": "${workspaceFolder}/.tmp/bridge/config-test.yaml",
+        "TEST_DPS_ROOT_CA_CERT_ALT": "${workspaceFolder}/.tmp/certs/device/root_ca_alt.crt",
+        "TEST_DPS_ROOT_CA_KEY_ALT": "${workspaceFolder}/.tmp/certs/device/root_ca_alt.key",
+        "TEST_DPS_INTERMEDIATE_CA_CERT": "${workspaceFolder}/.tmp/certs/device/intermediatecacrt.pem",
+        "TEST_DPS_INTERMEDIATE_CA_KEY": "${workspaceFolder}/.tmp/certs/device/intermediatecakey.pem",
         // "TEST_LEAD_RESOURCE_TYPE_FILTER": "first",
         // "TEST_LEAD_RESOURCE_TYPE_REGEX_FILTER": "oic\\.wk\\..*,^/light/\\d+$",
         // "TEST_LEAD_RESOURCE_TYPE_USE_UUID": "true",

diff --git a/Makefile b/Makefile
@@ -13,6 +13,7 @@ ifneq ($(BRANCH_TAG),main)
 endif
 GOPATH ?= $(shell go env GOPATH)
 WORKING_DIRECTORY := $(shell pwd)
+CERT_PATH ?= $(WORKING_DIRECTORY)/.tmp/certs
 USER_ID := $(shell id -u)
 GROUP_ID := $(shell id -g)
 TEST_CHECK_RACE ?= false
@@ -47,7 +48,7 @@ CERT_TOOL_SIGN_ALG ?= ECDSA-SHA256
 CERT_TOOL_ELLIPTIC_CURVE ?= P256
 CERT_TOOL_IMAGE = ghcr.io/plgd-dev/hub/cert-tool:vnext
 
-SUBDIRS := bundle certificate-authority cloud2cloud-connector cloud2cloud-gateway coap-gateway grpc-gateway resource-aggregate resource-directory http-gateway identity-store snippet-service test/oauth-server tools/cert-tool
+SUBDIRS := bundle certificate-authority cloud2cloud-connector cloud2cloud-gateway coap-gateway device-provisioning-service grpc-gateway resource-aggregate resource-directory http-gateway identity-store snippet-service test/oauth-server tools/cert-tool
 .PHONY: $(SUBDIRS) push proto/generate clean build test env mongo nats certificates hub-build http-gateway-www simulators
 
 default: build
@@ -60,29 +61,37 @@ hub-test:
 		.
 
 certificates:
-	mkdir -p $(WORKING_DIRECTORY)/.tmp/certs
-	docker run \
-		--rm -v $(WORKING_DIRECTORY)/.tmp/certs:/certs \
-		--user $(USER_ID):$(GROUP_ID) \
-		${CERT_TOOL_IMAGE} \
+	mkdir -p $(CERT_PATH)
+	docker pull $(CERT_TOOL_IMAGE)
+	docker run --rm -v $(CERT_PATH):/certs --user $(USER_ID):$(GROUP_ID) ${CERT_TOOL_IMAGE} \
 		--cmd.generateRootCA --outCert=/certs/root_ca.crt --outKey=/certs/root_ca.key --cert.subject.cn=RootCA \
-				--cert.signatureAlgorithm=$(CERT_TOOL_SIGN_ALG) --cert.ellipticCurve=$(CERT_TOOL_ELLIPTIC_CURVE)
-	docker run \
-		--rm -v $(WORKING_DIRECTORY)/.tmp/certs:/certs \
-		--user $(USER_ID):$(GROUP_ID) \
-		${CERT_TOOL_IMAGE} \
-		--cmd.generateCertificate --outCert=/certs/http.crt --outKey=/certs/http.key	--cert.subject.cn=localhost \
-				--cert.san.domain=localhost --cert.san.ip=127.0.0.1 --signerCert=/certs/root_ca.crt --signerKey=/certs/root_ca.key \
-				--cert.signatureAlgorithm=$(CERT_TOOL_SIGN_ALG) --cert.ellipticCurve=$(CERT_TOOL_ELLIPTIC_CURVE)
-	docker run \
-		--rm -v $(WORKING_DIRECTORY)/.tmp/certs:/certs \
-		--user $(USER_ID):$(GROUP_ID) \
-		${CERT_TOOL_IMAGE} \
+		--cert.signatureAlgorithm=$(CERT_TOOL_SIGN_ALG) --cert.ellipticCurve=$(CERT_TOOL_ELLIPTIC_CURVE) \
+		--cert.validFrom=2000-01-01T12:00:00Z --cert.validFor=876000h
+	docker run --rm -v $(CERT_PATH):/certs --user $(USER_ID):$(GROUP_ID) ${CERT_TOOL_IMAGE} \
+		--cmd.generateCertificate --outCert=/certs/http.crt --outKey=/certs/http.key --cert.subject.cn=localhost \
+		--cert.san.domain=localhost --cert.san.ip=127.0.0.1 --signerCert=/certs/root_ca.crt --signerKey=/certs/root_ca.key \
+		--cert.signatureAlgorithm=$(CERT_TOOL_SIGN_ALG) --cert.ellipticCurve=$(CERT_TOOL_ELLIPTIC_CURVE)
+	docker run --rm -v $(CERT_PATH):/certs --user $(USER_ID):$(GROUP_ID) ${CERT_TOOL_IMAGE} \
 		--cmd.generateIdentityCertificate=$(CLOUD_SID) --outCert=/certs/coap.crt --outKey=/certs/coap.key \
-				--cert.san.domain=localhost --cert.san.ip=127.0.0.1 --signerCert=/certs/root_ca.crt --signerKey=/certs/root_ca.key \
-				--cert.signatureAlgorithm=$(CERT_TOOL_SIGN_ALG) --cert.ellipticCurve=$(CERT_TOOL_ELLIPTIC_CURVE)
-	cat $(WORKING_DIRECTORY)/.tmp/certs/http.crt > $(WORKING_DIRECTORY)/.tmp/certs/mongo.key
-	cat $(WORKING_DIRECTORY)/.tmp/certs/http.key >> $(WORKING_DIRECTORY)/.tmp/certs/mongo.key
+		--cert.san.domain=localhost --cert.san.ip=127.0.0.1 --signerCert=/certs/root_ca.crt --signerKey=/certs/root_ca.key \
+		--cert.signatureAlgorithm=$(CERT_TOOL_SIGN_ALG) --cert.ellipticCurve=$(CERT_TOOL_ELLIPTIC_CURVE)
+	cat $(CERT_PATH)/http.crt > $(CERT_PATH)/mongo.key
+	cat $(CERT_PATH)/http.key >> $(CERT_PATH)/mongo.key
+	mkdir -p $(CERT_PATH)/device
+	cp $(CERT_PATH)/root_ca.crt $(CERT_PATH)/device/dpsca.pem
+	cp $(CERT_PATH)/root_ca.key $(CERT_PATH)/device/dpscakey.pem
+	docker run --rm -v $(CERT_PATH)/device:/certs --user $(USER_ID):$(GROUP_ID) ${CERT_TOOL_IMAGE} \
+		--signerCert=/certs/dpsca.pem --signerKey=/certs/dpscakey.pem  --outCert=/certs/intermediatecacrt.pem --outKey=/certs/intermediatecakey.pem \
+		--cert.basicConstraints.maxPathLen=0 --cert.subject.cn="intermediateCA" --cmd.generateIntermediateCA \
+		--cert.signatureAlgorithm=$(CERT_TOOL_SIGN_ALG) --cert.ellipticCurve=$(CERT_TOOL_ELLIPTIC_CURVE)
+	docker run --rm -v $(CERT_PATH)/device:/certs --user $(USER_ID):$(GROUP_ID) ${CERT_TOOL_IMAGE} \
+		--signerCert=/certs/intermediatecacrt.pem --signerKey=/certs/intermediatecakey.pem --outCert=/certs/mfgcrt.pem --outKey=/certs/mfgkey.pem \
+		--cert.san.domain=localhost --cert.san.ip=127.0.0.1 --cert.subject.cn="mfg" --cmd.generateCertificate \
+		--cert.signatureAlgorithm=$(CERT_TOOL_SIGN_ALG) --cert.ellipticCurve=$(CERT_TOOL_ELLIPTIC_CURVE)
+	docker run --rm -v $(CERT_PATH)/device:/certs --user $(USER_ID):$(GROUP_ID) ${CERT_TOOL_IMAGE} \
+		--cmd.generateRootCA --outCert=/certs/root_ca_alt.crt --outKey=/certs/root_ca_alt.key --cert.subject.cn=RootCA \
+		--cert.signatureAlgorithm=$(CERT_TOOL_SIGN_ALG) --cert.ellipticCurve=$(CERT_TOOL_ELLIPTIC_CURVE) \
+		--cert.validFrom=2000-01-01T12:00:00Z --cert.validFor=876000h
 
 privateKeys:
 	mkdir -p $(WORKING_DIRECTORY)/.tmp/privKeys
@@ -97,15 +106,15 @@ nats: certificates
 	    -d \
 		--network=host \
 		--name=nats \
-		-v $(WORKING_DIRECTORY)/.tmp/certs:/certs \
+		-v $(CERT_PATH):/certs \
 		-v $(WORKING_DIRECTORY)/.tmp/jetstream/cloud:/data \
 		--user $(USER_ID):$(GROUP_ID) \
 		nats --jetstream --store_dir /data --tls --tlsverify --tlscert=/certs/http.crt --tlskey=/certs/http.key --tlscacert=/certs/root_ca.crt
 	docker run \
 	    -d \
 		--network=host \
 		--name=nats-cloud-connector \
-		-v $(WORKING_DIRECTORY)/.tmp/certs:/certs \
+		-v $(CERT_PATH):/certs \
 		-v $(WORKING_DIRECTORY)/.tmp/jetstream/cloud-connector:/data \
 		--user $(USER_ID):$(GROUP_ID) \
 		nats --jetstream --store_dir /data --port 34222 --tls --tlsverify --tlscert=/certs/http.crt --tlskey=/certs/http.key --tlscacert=/certs/root_ca.crt
@@ -150,12 +159,12 @@ scylla: scylla/clean
 		--name=scylla \
 		-v $(WORKING_DIRECTORY)/.tmp/scylla/etc/scylla.yaml:/etc/scylla/scylla.yaml \
 		-v $(WORKING_DIRECTORY)/.tmp/scylla:/var/lib/scylla \
-		-v $(WORKING_DIRECTORY)/.tmp/certs:/certs \
+		-v $(CERT_PATH):/certs \
 		scylladb/scylla --developer-mode 1 --listen-address 127.0.0.1
 
 	while true; do \
 		i=$$((i+1)); \
-		if openssl s_client -connect 127.0.0.1:9142 -cert $(WORKING_DIRECTORY)/.tmp/certs/http.crt -key $(WORKING_DIRECTORY)/.tmp/certs/http.key <<< "Q" 2>/dev/null > /dev/null; then \
+		if openssl s_client -connect 127.0.0.1:9142 -cert $(CERT_PATH)/http.crt -key $(CERT_PATH)/http.key <<< "Q" 2>/dev/null > /dev/null; then \
 			break; \
 		fi; \
 		echo "Try to reconnect to scylla(127.0.0.1:9142) $$i"; \
@@ -164,15 +173,55 @@ scylla: scylla/clean
 
 .PHONY: scylla
 
-mongo: certificates
-	mkdir -p $(WORKING_DIRECTORY)/.tmp/mongo
+# Pull latest mongo and start its in replica set
+#
+# Parameters:
+#   $(1): name, used for:
+#          - name of working directory for the device simulator (.tmp/$(1))
+#          - name of the docker container
+#   $(2): listen port
+define RUN-DOCKER-MONGO
+	mkdir -p $(WORKING_DIRECTORY)/.tmp/$(1) ; \
 	docker run \
 		-d \
 		--network=host \
-		--name=mongo \
-		-v $(WORKING_DIRECTORY)/.tmp/mongo:/data/db \
-		-v $(WORKING_DIRECTORY)/.tmp/certs:/certs --user $(USER_ID):$(GROUP_ID) \
-		mongo --tlsMode requireTLS --wiredTigerCacheSizeGB 1 --tlsCAFile  /certs/root_ca.crt --tlsCertificateKeyFile /certs/mongo.key
+		--name=$(1) \
+		-v $(WORKING_DIRECTORY)/.tmp/$(1):/data/db \
+		-v $(CERT_PATH):/certs --user $(USER_ID):$(GROUP_ID) \
+		mongo mongod -vvvvv --tlsMode requireTLS --wiredTigerCacheSizeGB 1 --tlsCAFile /certs/root_ca.crt --tlsCertificateKeyFile /certs/mongo.key \
+			--replSet myReplicaSet --bind_ip localhost --port $(2)
+endef
+
+MONGODB_REPLICA_0 := mongo0
+MONGODB_REPLICA_0_PORT := 27017
+MONGODB_REPLICA_1 := mongo1
+MONGODB_REPLICA_1_PORT := 27018
+MONGODB_REPLICA_2 := mongo2
+MONGODB_REPLICA_2_PORT := 27019
+
+mongo: certificates
+	$(call RUN-DOCKER-MONGO,$(MONGODB_REPLICA_0),$(MONGODB_REPLICA_0_PORT))
+	$(call RUN-DOCKER-MONGO,$(MONGODB_REPLICA_1),$(MONGODB_REPLICA_1_PORT))
+	$(call RUN-DOCKER-MONGO,$(MONGODB_REPLICA_2),$(MONGODB_REPLICA_2_PORT))
+	COUNTER=0; \
+	while [[ $${COUNTER} -lt 30 ]]; do \
+		echo "Checking mongodb connection ($${COUNTER}):"; \
+		if docker exec $(MONGODB_REPLICA_0) mongosh --quiet --tls --tlsCAFile /certs/root_ca.crt \
+			--tlsCertificateKeyFile /certs/mongo.key --eval "db.adminCommand('ping')"; then \
+			break; \
+		fi ; \
+		sleep 1; \
+		let COUNTER+=1; \
+	done; \
+	docker exec $(MONGODB_REPLICA_0) mongosh --tls --tlsCAFile /certs/root_ca.crt --tlsCertificateKeyFile /certs/mongo.key \
+		--eval "rs.initiate({ \
+		_id: \"myReplicaSet\", \
+		members: [ \
+			{_id: 0, host: \"localhost:$(MONGODB_REPLICA_0_PORT)\"}, \
+			{_id: 1, host: \"localhost:$(MONGODB_REPLICA_1_PORT)\"}, \
+			{_id: 2, host: \"localhost:$(MONGODB_REPLICA_2_PORT)\"} \
+		] \
+	})"
 
 http-gateway-www:
 	@mkdir -p $(WORKING_DIRECTORY)/.tmp/usr/local/www
@@ -194,6 +243,7 @@ DEVICE_SIMULATOR_RES_OBSERVABLE_IMG := ghcr.io/iotivity/iotivity-lite/cloud-serv
 #          - name of working directory for the device simulator (.tmp/$(1))
 #          - name of the docker container
 #          - name of the simulator ("$(1)-$(SIMULATOR_NAME_SUFFIX)")
+#   $(2): docker image
 define RUN-DOCKER-DEVICE
 	mkdir -p "$(WORKING_DIRECTORY)/.tmp/$(1)" ; \
 	mkdir -p "$(WORKING_DIRECTORY)/.tmp/$(1)/cloud_server_creds" ; \
@@ -210,12 +260,12 @@ define RUN-DOCKER-DEVICE
 endef
 
 define CLEAN-DOCKER-DEVICE
-	sudo rm -rf $(WORKING_DIRECTORY)/.tmp/$(1) || true
+	sudo rm -rf $(WORKING_DIRECTORY)/.tmp/$(1) || :
 endef
 
 define REMOVE-DOCKER-DEVICE
-	docker stop --time 300 $(1) || true
-	docker rm -f $(1) || true
+	docker stop --time 300 $(1) || :
+	docker rm -f $(1) || :
 endef
 
 simulators/remove:
@@ -272,7 +322,7 @@ define RUN-BRIDGE-DOCKER-DEVICE
 		-d \
 		--name=$(BRIDGE_DEVICE_NAME) \
 		--network=host \
-		-v $(WORKING_DIRECTORY)/.tmp/certs:/certs \
+		-v $(CERT_PATH):/certs \
 		-v $(WORKING_DIRECTORY)/.tmp/bridge:/bridge \
 		$(BRIDGE_DEVICE_IMAGE) -config /bridge/config-docker.yaml
 endef
@@ -291,6 +341,55 @@ simulators/bridge/clean:
 simulators: simulators/bridge
 simulators/clean: simulators/bridge/clean
 
+# device provisioning service
+DPS_ENDPOINT ?= coaps+tcp://127.0.0.1:20030
+DPS_DEVICE_LOG_LEVEL ?= debug
+DPS_DEVICE_OC_LOG_LEVEL ?= info
+DPS_DEVICE_SIMULATOR_OBT_NAME := dps-devsim-obt
+DPS_DEVICE_SIMULATOR_NAME := dps-devsim
+# TODO: switch to iotivity-lite repository
+DPS_DEVICE_SIMULATOR_IMG := ghcr.io/plgd-dev/device-provisioning-client/dps-cloud-server-debug:main
+
+# Pull latest DPS device simulator with given name and run it
+#
+# Parameters:
+#   $(1): name, used for:
+#          - name of working directory for the device simulator (.tmp/$(1))
+#          - name of the docker container
+#          - name of the simulator ("$(1)-$(SIMULATOR_NAME_SUFFIX)")
+#   $(2): docker image
+#   $(3): endpoint
+define RUN-DPS-DOCKER-DEVICE
+	mkdir -p "$(WORKING_DIRECTORY)/.tmp/$(1)" ; \
+	docker pull $(2) ; \
+	docker run \
+		-d \
+		--privileged \
+		--name=$(1) \
+		--network=host \
+		-v $(WORKING_DIRECTORY)/.tmp/$(1):/tmp \
+		-v $(CERT_PATH)/device:/dps/bin/pki_certs \
+		$(2) \
+		$(1)-$(SIMULATOR_NAME_SUFFIX) --create-conf-resource --cloud-observer-max-retry 10 --expiration-limit 10 --retry-configuration 5 \
+			--log-level $(DPS_DEVICE_LOG_LEVEL) --oc-log-level $(DPS_DEVICE_OC_LOG_LEVEL) $(3)
+endef
+
+
+simulators/dps/clean:
+	$(call REMOVE-DOCKER-DEVICE,$(DPS_DEVICE_SIMULATOR_NAME))
+	$(call CLEAN-DOCKER-DEVICE,$(DPS_DEVICE_SIMULATOR_NAME))
+	$(call REMOVE-DOCKER-DEVICE,$(DPS_DEVICE_SIMULATOR_OBT_NAME))
+	$(call CLEAN-DOCKER-DEVICE,$(DPS_DEVICE_SIMULATOR_OBT_NAME))
+.PHONY: simulators/dps/clean
+
+simulators/dps: simulators/dps/clean
+	$(call RUN-DPS-DOCKER-DEVICE,$(DPS_DEVICE_SIMULATOR_NAME),$(DPS_DEVICE_SIMULATOR_IMG),--wait-for-reset $(DPS_ENDPOINT))
+	$(call RUN-DPS-DOCKER-DEVICE,$(DPS_DEVICE_SIMULATOR_OBT_NAME),$(DPS_DEVICE_SIMULATOR_IMG),"")
+.PHONY: simulators/dps
+
+simulators/clean: simulators/dps/clean
+simulators: simulators/dps
+
 env/test/mem: clean certificates nats mongo privateKeys scylla
 .PHONY: env/test/mem
 
@@ -301,22 +400,26 @@ define RUN-DOCKER
 	docker run \
 		--rm \
 		--network=host \
+		-v $(CERT_PATH):/certs \
 		-v $(WORKING_DIRECTORY)/.tmp/bridge:/bridge \
-		-v $(WORKING_DIRECTORY)/.tmp/certs:/certs \
 		-v $(WORKING_DIRECTORY)/.tmp/coverage:/coverage \
 		-v $(WORKING_DIRECTORY)/.tmp/report:/report \
 		-v $(WORKING_DIRECTORY)/.tmp/privKeys:/privKeys \
 		-v $(WORKING_DIRECTORY)/.tmp/usr/local/www:/usr/local/www \
 		-v /var/run/docker.sock:/var/run/docker.sock \
+		-e TEST_CLOUD_SID=$(CLOUD_SID) \
 		-e LISTEN_FILE_CA_POOL=/certs/root_ca.crt \
 		-e LISTEN_FILE_CERT_DIR_PATH=/certs \
 		-e LISTEN_FILE_CERT_NAME=http.crt \
 		-e LISTEN_FILE_CERT_KEY_NAME=http.key \
 		-e TEST_COAP_GW_CERT_FILE=/certs/coap.crt \
 		-e TEST_COAP_GW_KEY_FILE=/certs/coap.key \
-		-e TEST_CLOUD_SID=$(CLOUD_SID) \
 		-e TEST_ROOT_CA_CERT=/certs/root_ca.crt \
 		-e TEST_ROOT_CA_KEY=/certs/root_ca.key \
+		-e TEST_DPS_ROOT_CA_CERT_ALT=/certs/device/root_ca_alt.crt \
+		-e TEST_DPS_ROOT_CA_KEY_ALT=/certs/device/root_ca_alt.key \
+		-e TEST_DPS_INTERMEDIATE_CA_CERT=/certs/device/intermediatecacrt.pem \
+		-e TEST_DPS_INTERMEDIATE_CA_KEY=/certs/device/intermediatecakey.pem \
 		-e TEST_OAUTH_SERVER_ID_TOKEN_PRIVATE_KEY=/privKeys/idTokenKey.pem \
 		-e TEST_OAUTH_SERVER_ACCESS_TOKEN_PRIVATE_KEY=/privKeys/accessTokenKey.pem \
 		-e M2M_OAUTH_SERVER_PRIVATE_KEY=/privKeys/m2mAccessTokenKey.pem \
@@ -456,9 +559,14 @@ $(test-targets): %: env hub-test
 build: $(SUBDIRS)
 
 clean: simulators/clean scylla/clean
-	docker rm -f mongo || true
 	docker rm -f nats || true
 	docker rm -f nats-cloud-connector || true
+	$(call REMOVE-DOCKER-DEVICE,$(MONGODB_REPLICA_0))
+	$(call CLEAN-DOCKER-DEVICE,$(MONGODB_REPLICA_0))
+	$(call REMOVE-DOCKER-DEVICE,$(MONGODB_REPLICA_1))
+	$(call CLEAN-DOCKER-DEVICE,$(MONGODB_REPLICA_1))
+	$(call REMOVE-DOCKER-DEVICE,$(MONGODB_REPLICA_2))
+	$(call CLEAN-DOCKER-DEVICE,$(MONGODB_REPLICA_2))
 	sudo rm -rf ./.tmp/certs || true
 	sudo rm -rf ./.tmp/mongo || true
 	sudo rm -rf ./.tmp/home || true

diff --git a/device-provisioning-service/Makefile b/device-provisioning-service/Makefile
@@ -0,0 +1,65 @@
+SHELL = /bin/bash
+SERVICE_NAME = $(notdir $(CURDIR))
+LATEST_TAG ?= vnext
+BRANCH_TAG ?= $(shell git rev-parse --abbrev-ref HEAD | sed 's/[^a-zA-Z0-9]/-/g')
+ifneq ($(BRANCH_TAG),main)
+	LATEST_TAG = $(BRANCH_TAG)
+endif
+VERSION_TAG ?= $(LATEST_TAG)-$(shell git rev-parse --short=7 --verify HEAD)
+GOPATH ?= $(shell go env GOPATH)
+WORKING_DIRECTORY := $(shell pwd)
+REPOSITORY_DIRECTORY := $(shell cd .. && pwd)
+BUILD_COMMIT_DATE ?= $(shell date -u +%FT%TZ --date=@`git show --format='%ct' HEAD --quiet`)
+BUILD_SHORT_COMMIT ?= $(shell git show --format=%h HEAD --quiet)
+BUILD_DATE ?= $(shell date -u +%FT%TZ)
+BUILD_VERSION ?= $(shell git tag --sort version:refname | tail -1 | sed -e "s/^v//")
+
+default: build
+
+define build-docker-image
+	cd .. && \
+		mkdir -p .tmp/docker/$(SERVICE_NAME) && \
+		awk '{gsub("@NAME@","$(SERVICE_NAME)")} {gsub("@DIRECTORY@","$(SERVICE_NAME)")} {print}' tools/docker/Dockerfile.in > .tmp/docker/$(SERVICE_NAME)/Dockerfile && \
+		docker build \
+		--network=host \
+		--tag ghcr.io/plgd-dev/hub/$(SERVICE_NAME):$(VERSION_TAG) \
+		--tag ghcr.io/plgd-dev/hub/$(SERVICE_NAME):$(LATEST_TAG) \
+		--tag ghcr.io/plgd-dev/hub/$(SERVICE_NAME):$(BRANCH_TAG) \
+		--build-arg COMMIT_DATE="$(BUILD_COMMIT_DATE)" \
+		--build-arg SHORT_COMMIT="$(BUILD_SHORT_COMMIT)" \
+		--build-arg DATE="$(BUILD_DATE)" \
+		--build-arg VERSION="$(BUILD_VERSION)" \
+		--target $(1) \
+		-f .tmp/docker/$(SERVICE_NAME)/Dockerfile \
+		.
+endef
+
+build-servicecontainer:
+	$(call build-docker-image,service)
+
+build: build-servicecontainer
+
+push: build-servicecontainer
+	docker push plgd/$(SERVICE_NAME):$(VERSION_TAG)
+	docker push plgd/$(SERVICE_NAME):$(LATEST_TAG)
+
+GOOGLEAPIS_PATH := $(REPOSITORY_DIRECTORY)/dependency/googleapis
+GRPCGATEWAY_MODULE_PATH := $(shell go list -m -f '{{.Dir}}' github.com/grpc-ecosystem/grpc-gateway/v2 | head -1)
+
+proto/generate:
+	protoc -I=. -I=$(REPOSITORY_DIRECTORY) -I=$(GOPATH)/src --go_out=$(GOPATH)/src $(WORKING_DIRECTORY)/pb/provisioningRecords.proto
+	protoc-go-inject-tag -input=$(WORKING_DIRECTORY)/pb/provisioningRecords.pb.go
+	protoc -I=. -I=$(REPOSITORY_DIRECTORY) -I=$(GOPATH)/src --go_out=$(GOPATH)/src $(WORKING_DIRECTORY)/pb/enrollmentGroup.proto
+	protoc-go-inject-tag -input=$(WORKING_DIRECTORY)/pb/enrollmentGroup.pb.go
+	protoc -I=. -I=$(GOPATH)/src --go_out=$(GOPATH)/src $(WORKING_DIRECTORY)/pb/hub.proto
+	protoc-go-inject-tag -input=$(WORKING_DIRECTORY)/pb/hub.pb.go
+	protoc -I=. -I=$(REPOSITORY_DIRECTORY) -I=$(GOPATH)/src -I=$(GOOGLEAPIS_PATH) -I=$(GRPCGATEWAY_MODULE_PATH) --go-grpc_out=$(GOPATH)/src $(WORKING_DIRECTORY)/pb/service.proto
+	protoc -I=. -I=$(REPOSITORY_DIRECTORY) -I=$(GOPATH)/src -I=$(GOOGLEAPIS_PATH) -I=$(GRPCGATEWAY_MODULE_PATH) --openapiv2_out=$(GOPATH)/src \
+		--openapiv2_opt logtostderr=true \
+		$(WORKING_DIRECTORY)/pb/service.proto
+	protoc -I=. -I=$(REPOSITORY_DIRECTORY) -I=$(GOPATH)/src -I=$(GOOGLEAPIS_PATH) -I=$(GRPCGATEWAY_MODULE_PATH) --grpc-gateway_out $(GOPATH)/src \
+		--grpc-gateway_opt logtostderr=true \
+		--grpc-gateway_opt paths=source_relative \
+		$(WORKING_DIRECTORY)/pb/service.proto
+
+.PHONY: build-servicecontainer build push proto/generate