MF-1179 - Add a certificate service and certs endpoint to SDK #1188
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
drasko
reviewed
Jun 3, 2020
mteodor
force-pushed
the
add-certs
branch
2 times, most recently
from
0899715
to
dfa6fc3
Compare
manuio
reviewed
Jun 5, 2020
manuio
suggested changes
Jun 5, 2020
manuio
reviewed
Jun 5, 2020
manuio
suggested changes
Jun 5, 2020
drasko
requested changes
Jun 5, 2020
.env
Outdated
| MF_PROVISION_CERTS_CA=/etc/ssl/certs/ca.crt | ||
| MF_PROVISION_CERTS_CA_KEY=/etc/ssl/certs/ca.key | ||
| MF_PROVISION_CERTS_RSA_BITS=4096 | ||
| MF_PROVISION_CERTS_DAYS_VALID=2400h |
There was a problem hiding this comment.
ENV is called DAYS, but you put hours?
pkg/sdk/go/bootstrap.go
Outdated
| @@ -39,7 +39,7 @@ type BootstrapConfig struct { | |||
| State int `json:"state,omitempty"` | |||
| } | |||
|
|
|||
| func (sdk mfSDK) AddBootstrap(token string, cfg BootstrapConfig) (string, error) { | |||
| func (sdk *mfSDK) AddBootstrap(token string, cfg BootstrapConfig) (string, error) { | |||
There was a problem hiding this comment.
SDK is mutable? Something is probably strange...
|
CI is failing, @mteodor please take a look at this as well. |
|
@mteodor what do we do with this PR? Are you closing or moving it to draft for modifications? |
drasko
requested changes
Jun 26, 2020
certs/service.go
Outdated
| return "", "", errors.Wrap(ErrFailedCertCreation, ErrRsaBitsValueWrong) | ||
| } | ||
| var priv interface{} | ||
| // p224 := elliptic.P224() |
provision/api/endpoint.go
Outdated
| @@ -35,3 +35,24 @@ func doProvision(svc provision.Service) endpoint.Endpoint { | |||
|
|
|||
| } | |||
| } | |||
|
|
|||
| func doCert(svc provision.Service) endpoint.Endpoint { | |||
There was a problem hiding this comment.
What does this function do? Creates Cert? If yes, consider calling it createCert(). Or just Cert().
certs/postgres/setup_test.go
Outdated
|
|
||
| code := m.Run() | ||
|
|
||
| // defers will not be run when using os.Exit |
There was a problem hiding this comment.
Comments start with capital letter
manuio
suggested changes
Jun 30, 2020
certs/api/metrics.go
Outdated
|
|
||
| func (ms *metricsMiddleware) IssueCert(ctx context.Context, token, thingID string, daysValid string, keyBits int, keyType string) (certs.Cert, error) { | ||
| defer func(begin time.Time) { | ||
| ms.counter.With("method", "issue").Add(1) |
manuio
reviewed
Jun 30, 2020
.env
Outdated
| @@ -116,13 +115,44 @@ MF_PROVISION_THINGS_LOCATION=http://things:8182 | |||
| MF_PROVISION_USER= | |||
| MF_PROVISION_PASS= | |||
| MF_PROVISION_API_KEY= | |||
| MF_PROVISION_CERTS_SVC_URL=http://localhost/certs | |||
| MF_PROVISION_CERTS_SVC_URL= | |||
certs/postgres/certs.go
Outdated
|
|
||
| var ( | ||
| errSaveDB = errors.New("failed to save certs to database") | ||
| errRetrieve = errors.New("failed to retrieve certs from database") |
There was a problem hiding this comment.
You have 2 white space in this log. I would maybe use failed to read certs from database
mteodor
changed the title
Codecov Report
@@ Coverage Diff @@
## master #1188 +/- ##
==========================================
- Coverage 77.44% 76.32% -1.12%
==========================================
Files 104 106 +2
Lines 6875 6909 +34
==========================================
- Hits 5324 5273 -51
- Misses 1164 1253 +89
+ Partials 387 383 -4
Continue to review full report at Codecov.
|
dborovcanin
changed the title
dborovcanin
requested changes
Jul 1, 2020
certs/api/endpoint.go
Outdated
| if err := req.validate(); err != nil { | ||
| return nil, err | ||
| } | ||
| fmt.Println(fmt.Sprintf("request %v", req)) |
There was a problem hiding this comment.
Please remove debug code.
certs/api/endpoint.go
Outdated
| } | ||
|
|
||
| return svc.RevokeCert(ctx, req.token, req.ThingID, req.CertSerial) | ||
|
|
There was a problem hiding this comment.
Please remove an empty line.
certs/api/logging.go
Outdated
|
|
||
| func (lm *loggingMiddleware) RevokeCert(ctx context.Context, token, thingID, certSerial string) (c certs.Revoke, err error) { | ||
| defer func(begin time.Time) { | ||
| message := fmt.Sprintf("Method revoke_certificates for token: %s and thing: %s took %s to complete", token, thingID, time.Since(begin)) |
certs/postgres/certs.go
Outdated
Comment on lines
46
to
48
| if thingID == "" { | ||
| return certs.Page{}, errEmptyThingID | ||
| } |
There was a problem hiding this comment.
You can move this check to the service layer.
certs/postgres/init.go
Outdated
| thing_id TEXT NOT NULL, | ||
| expire TIMESTAMPTZ NOT NULL, | ||
| serial TEXT NOT NULL, | ||
| PRIMARY KEY (thing_id, serial) |
There was a problem hiding this comment.
We can have multiple certificates for one Thing. If there are no practical examples where this can be useful, I would stick with one cert per Thing.
certs/service.go
Outdated
| certsRepo Repository | ||
| sdk mfsdk.SDK | ||
| conf Config | ||
| PKIClient *api.Client |
There was a problem hiding this comment.
Can we create a wrapper around this client and use it as a lib? Move custom requests and responses to a separate package and import it in certs service? Also, wrap HTTP requests and responses to make it transparent from the service layer.
There was a problem hiding this comment.
@mteodor Can you, please, take a look at this remark?
certs/service.go
Outdated
Comment on lines
273
to
172
| r := cs.PKIClient.NewRequest("POST", cs.getRevokeURL()) | ||
| if err := r.SetJSONBody(cReq); err != nil { | ||
| return Revoke{}, err | ||
| } | ||
|
|
||
| resp, err := cs.PKIClient.RawRequest(r) | ||
| if resp != nil { | ||
| defer resp.Body.Close() | ||
| } | ||
|
|
||
| if err != nil { | ||
| return Revoke{}, err | ||
| } | ||
|
|
||
| if resp.StatusCode >= http.StatusBadRequest { | ||
| _, err := ioutil.ReadAll(resp.Body) | ||
| if err != nil { | ||
| return Revoke{}, err | ||
| } | ||
| return Revoke{}, errors.Wrap(ErrFailedCertCreation, err) | ||
| } |
There was a problem hiding this comment.
For example, this code would be in the Vault client wrapper.
manuio
suggested changes
Jul 1, 2020
certs/api/endpoint.go
Outdated
| } | ||
| } | ||
|
|
||
| func revokeCertificate(svc certs.Service) endpoint.Endpoint { |
certs/api/endpoint.go
Outdated
| } | ||
| } | ||
|
|
||
| func listCertificates(svc certs.Service) endpoint.Endpoint { |
certs/api/logging.go
Outdated
| return lm.svc.IssueCert(ctx, token, thingID, daysValid, keyBits, keyType) | ||
| } | ||
|
|
||
| func (lm *loggingMiddleware) ListCertificates(ctx context.Context, token, thingID string, offset, limit uint64) (cp certs.Page, err error) { |
manuio
reviewed
Jul 2, 2020
certs/postgres/certs.go
Outdated
Comment on lines
81
to
82
| q := `INSERT INTO certs (thing_id, serial, expire) | ||
| VALUES (:thing_id, :serial, :expire)` |
There was a problem hiding this comment.
IMO No need for 2 lines here
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
dborovcanin
requested changes
Jul 16, 2020
certs/pki/vault.go
Outdated
Comment on lines
161
to
167
| func (p *pkiAgent) getIssueURL() string { | ||
| return "/" + apiVer + "/" + p.path + "/" + issue + "/" + p.role | ||
| } | ||
|
|
||
| func (p *pkiAgent) getRevokeURL() string { | ||
| return "/" + apiVer + "/" + p.path + "/" + revoke | ||
| } |
There was a problem hiding this comment.
Can we use these as fields in pkiAgent? Can we set okiAgent.issueURL and pkiAgent.revokeURL in the NewVaultClient method?
certs/pki/vault.go
Outdated
| // Copyright (c) Mainflux | ||
| // SPDX-License-Identifier: Apache-2.0 | ||
|
|
||
| // Package postgres contains repository implementations using PostgreSQL as |
There was a problem hiding this comment.
Wrong package description.
certs/postgres/certs_test.go
Outdated
| ) | ||
|
|
||
| func TestIssueCert(t *testing.T) { | ||
|
|
There was a problem hiding this comment.
Either delete file or add a test.
| MF_CERTS_VAULT_ROLE: ${MF_CERTS_VAULT_ROLE} | ||
| volumes: | ||
| - ../../ssl/certs/ca.key:/etc/ssl/certs/ca.key | ||
| - ../../ssl/certs/ca.crt:/etc/ssl/certs/ca.crt |
There was a problem hiding this comment.
Please add an empty line at the end of the file.
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
dborovcanin
approved these changes
Jul 16, 2020
manuio
pushed a commit
that referenced
this pull request
Oct 12, 2020
* adding certificate issuing Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * adding cert endpoint Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * update envs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * update envs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * move certs creation to sdk Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * move certs creation to sdk Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * move certs creation to sdk Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix env vars Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add comment Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * update sdk Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix vars Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add volumes Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix merge config for int Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * remove env Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix error handling Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add cert test, change receiver to pointer Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add docs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix var naming Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * correct error naming Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * adding certs service Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add certs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add certs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * change func receiever Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add default cert issue method Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add config Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * small fix Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * remove some testing code Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add cert issue Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add vault api client Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * additional endpoints Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add swagger for certs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * remove certs from provision Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * clean provision from certs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add list certificates endpoint Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add vault api in vendor Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add certs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add revoke, fix bugs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix sdk for certs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * minor changes, add env, doc Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * minor changes, add env, doc Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * minor changes, add env, doc Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * small changes Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * remove CA for signing from provision Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add docker file for certs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix mock sdk Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add line Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix RevokeCert Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * renam ENV Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * remove tests temporarily Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix naming Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * renam vars Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add cli for issue cert Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add cli for issue cert Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add cli for issue cert Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add cli for issue cert Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * remove not needed envs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix linter errors, add cli Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix linter errors, add cli, var rename Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix reviews, add viewcert, fix view all certs Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * remove view cert, as it will be retrieved from PKI Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * change endpoints Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add default env val Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * remove some errors Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * refactor, make wrapper lib for vault Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * refactor, make wrapper lib for vault Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * refactor, make wrapper lib for vault Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix revoking Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * refactor, make wrapper lib for vault Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * update vendor Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix comment Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * add comments Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * remove unused Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * remove unused field Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * update vendor Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * refactor pki Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * refactor pki Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * refactor pki, update vendor Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * refactor pki Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix comment Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * minor fix Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * remove methods, use fields Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix comments and package desc Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com> * fix comments and package desc Signed-off-by: Mirko Teodorovic <mirko.teodorovic@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Mirko Teodorovic mirko.teodorovic@gmail.com
Resolves #1179