// Copyright (c) Mainflux
// SPDX-License-Identifier: Apache-2.0
package certs
import (
"context"
"time"
"github.com/mainflux/mainflux/certs/pki"
"github.com/mainflux/mainflux/pkg/errors"
mfsdk "github.com/mainflux/mainflux/pkg/sdk/go"
"github.com/mainflux/mainflux/users/policies"
)
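var (
	// ErrFailedCertCreation indicates that the thing lookup or the PKI
	// issuance failed while creating a client certificate.
	ErrFailedCertCreation = errors.New("failed to create client certificate")

	// ErrFailedCertRevocation indicates that the thing lookup, the repository
	// retrieval or the PKI revocation failed while revoking a certificate.
	ErrFailedCertRevocation = errors.New("failed to revoke certificate")

	// ErrFailedToRemoveCertFromDB indicates that a certificate was revoked by
	// the PKI but its serial could not be removed from the repository, so the
	// repository still lists a certificate the PKI no longer honours.
	ErrFailedToRemoveCertFromDB = errors.New("failed to remove cert serial from db")
)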
// Compile-time check that *certsService satisfies Service.
var _ Service = &certsService{}
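// Service specifies an API that must be fulfilled by the domain service
// implementation, and all of its decorators (e.g. logging & metrics).
//
// Every method takes the caller's bearer token; the implementation resolves
// it to an identity first and scopes all repository access to that identity,
// so callers only see and act on their own certificate records.
type Service interface {
	// IssueCert issues a certificate for the given thing ID if access is
	// granted with token, records it and returns it (including the client key).
	IssueCert(ctx context.Context, token, thingID, ttl string) (Cert, error)

	// ListCerts lists certificates issued for a given thing ID, with the
	// certificate and key material read back from the PKI.
	ListCerts(ctx context.Context, token, thingID string, offset, limit uint64) (Page, error)

	// ListSerials lists the certificate records issued for a given thing ID
	// as stored in the repository, without consulting the PKI.
	ListSerials(ctx context.Context, token, thingID string, offset, limit uint64) (Page, error)

	// ViewCert retrieves the certificate issued for a given serial ID.
	ViewCert(ctx context.Context, token, serialID string) (Cert, error)

	// RevokeCert revokes a certificate for a given serial ID.
	//
	// NOTE(review): the certsService implementation in this file treats this
	// argument as a thing ID and revokes every certificate recorded for that
	// thing — confirm which contract is intended.
	RevokeCert(ctx context.Context, token, serialID string) (Revoke, error)
}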
// certsService is the domain implementation of Service. Every method first
// resolves the caller's identity from the token through auth and then scopes
// repository access to that identity.
type certsService struct {
	// auth resolves bearer tokens to an identity (Identify).
	auth policies.AuthServiceClient
	// certsRepo stores the issued-certificate records; lookups and removals
	// are keyed by owner ID.
	certsRepo Repository
	// sdk fetches things with the caller's token, which doubles as the
	// access check before issuing or revoking.
	sdk mfsdk.SDK
	// pki issues, reads and revokes the actual certificates.
	pki pki.Agent
}
// New returns a Certs service backed by the given auth client, certificate
// repository, things SDK and PKI agent.
func New(auth policies.AuthServiceClient, certs Repository, sdk mfsdk.SDK, pki pki.Agent) Service {
	svc := &certsService{}
	svc.auth = auth
	svc.certsRepo = certs
	svc.sdk = sdk
	svc.pki = pki

	return svc
}
// Revoke defines the conditions to revoke a certificate.
type Revoke struct {
	// RevocationTime is the time reported by the PKI for the revocation;
	// when several certificates are revoked in one call it holds the time
	// of the last one processed.
	RevocationTime time.Time `mapstructure:"revocation_time"`
}
// Cert defines the certificate parameters.
//
// The mapstructure tags map the PKI agent's response onto this struct; the
// json tags are what the service emits, so every tagged field — including
// ClientKey — is part of the serialized response.
type Cert struct {
	// OwnerID is the identity of the caller the certificate was issued for.
	OwnerID string `json:"owner_id" mapstructure:"owner_id"`
	// ThingID is the thing the certificate was issued for.
	ThingID string `json:"thing_id" mapstructure:"thing_id"`
	// ClientCert is the PEM certificate text.
	ClientCert string `json:"client_cert" mapstructure:"certificate"`
	IssuingCA string `json:"issuing_ca" mapstructure:"issuing_ca"`
	CAChain []string `json:"ca_chain" mapstructure:"ca_chain"`
	// ClientKey is the private key; it is serialized in JSON responses.
	ClientKey string `json:"client_key" mapstructure:"private_key"`
	PrivateKeyType string `json:"private_key_type" mapstructure:"private_key_type"`
	// Serial identifies the certificate in the PKI and in the repository.
	Serial string `json:"serial" mapstructure:"serial_number"`
	// Expire is not decoded from the PKI response (mapstructure:"-"); the
	// service computes it from the PKI's Unix-seconds expiry on issuance.
	Expire time.Time `json:"expire" mapstructure:"-"`
}
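// IssueCert issues a client certificate for thingID through the PKI agent and
// records it in the repository under the identity behind token.
//
// Authorization is delegated to the things service: the thing is fetched with
// the caller's token, so a caller that cannot read the thing cannot have a
// certificate issued for it. The certificate is issued against the thing's
// secret, and the record is stored with the caller as owner so later
// List/View/Revoke calls are scoped to that owner.
//
// Returns ErrFailedCertCreation (wrapping the cause) when the thing lookup or
// the PKI issuance fails; a repository error is returned unwrapped.
func (cs *certsService) IssueCert(ctx context.Context, token, thingID string, ttl string) (Cert, error) {
	owner, err := cs.auth.Identify(ctx, &policies.Token{Value: token})
	if err != nil {
		return Cert{}, err
	}

	thing, err := cs.sdk.Thing(thingID, token)
	if err != nil {
		return Cert{}, errors.Wrap(ErrFailedCertCreation, err)
	}

	cert, err := cs.pki.IssueCert(thing.Credentials.Secret, ttl)
	if err != nil {
		return Cert{}, errors.Wrap(ErrFailedCertCreation, err)
	}

	c := Cert{
		ThingID:        thingID,
		OwnerID:        owner.GetId(),
		ClientCert:     cert.ClientCert,
		IssuingCA:      cert.IssuingCA,
		CAChain:        cert.CAChain,
		ClientKey:      cert.ClientKey,
		PrivateKeyType: cert.PrivateKeyType,
		Serial:         cert.Serial,
		// cert.Expire is a Unix timestamp in seconds; build the time from
		// seconds directly instead of scaling to nanoseconds, which avoids
		// the int64 overflow the nanosecond product hits for far-future
		// expiries.
		Expire: time.Unix(int64(cert.Expire), 0),
	}

	// Save with the caller's ctx so cancellation and deadlines reach the
	// repository instead of being dropped by context.Background().
	// If this fails the PKI has already issued the certificate but this
	// service has no record of it, so it cannot be listed or revoked here;
	// the error is reported as an issuance failure and no Cert is returned.
	if _, err := cs.certsRepo.Save(ctx, c); err != nil {
		return Cert{}, err
	}

	return c, nil
}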
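// RevokeCert revokes every certificate this service has recorded for thingID
// on behalf of the identity behind token, removing each serial from the
// repository once the PKI has revoked it.
//
// NOTE(review): the Service interface documents this argument as a serial ID,
// but the implementation resolves it as a thing ID (cs.sdk.Thing) and revokes
// all certificates retrieved for that thing — confirm which contract is
// intended before relying on either.
//
// The thing is fetched with the caller's token, so revocation is only
// possible for things the caller can read, and the repository lookup is
// scoped to the caller's identity. The returned Revoke carries the
// revocation time of the last certificate processed.
//
// Returns ErrFailedCertRevocation (wrapping the cause) when the thing lookup,
// the repository retrieval or the PKI revocation fails, and
// ErrFailedToRemoveCertFromDB when a revoked serial could not be removed from
// the repository; in that case the PKI has already revoked the certificate
// but the repository still lists it, and certificates later in the page are
// left unrevoked.
func (cs *certsService) RevokeCert(ctx context.Context, token, thingID string) (Revoke, error) {
	var revoke Revoke

	u, err := cs.auth.Identify(ctx, &policies.Token{Value: token})
	if err != nil {
		return revoke, err
	}

	thing, err := cs.sdk.Thing(thingID, token)
	if err != nil {
		return revoke, errors.Wrap(ErrFailedCertRevocation, err)
	}

	// TODO: Replace offset and limit.
	// The page size bounds how many certificates a single call revokes;
	// records for the same thing beyond this window are not touched.
	offset, limit := uint64(0), uint64(10000)
	cp, err := cs.certsRepo.RetrieveByThing(ctx, u.GetId(), thing.ID, offset, limit)
	if err != nil {
		return revoke, errors.Wrap(ErrFailedCertRevocation, err)
	}

	for _, c := range cp.Certs {
		revTime, err := cs.pki.Revoke(c.Serial)
		if err != nil {
			return revoke, errors.Wrap(ErrFailedCertRevocation, err)
		}
		revoke.RevocationTime = revTime

		// Use the caller's ctx rather than context.Background() so the
		// repository call honours cancellation and deadlines.
		if err := cs.certsRepo.Remove(ctx, u.GetId(), c.Serial); err != nil {
			return revoke, errors.Wrap(ErrFailedToRemoveCertFromDB, err)
		}
	}

	return revoke, nil
}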
// ListCerts returns the page of certificates recorded for thingID under the
// identity behind token, with the certificate and key material of each entry
// refreshed from the PKI.
//
// The repository lookup is scoped to the caller's identity, so only the
// caller's own records are returned. Each entry's ClientCert and ClientKey
// are overwritten with whatever the PKI returns on read, so the listing
// exposes private key material whenever the PKI hands it back.
func (cs *certsService) ListCerts(ctx context.Context, token, thingID string, offset, limit uint64) (Page, error) {
	identity, err := cs.auth.Identify(ctx, &policies.Token{Value: token})
	if err != nil {
		return Page{}, err
	}

	page, err := cs.certsRepo.RetrieveByThing(ctx, identity.GetId(), thingID, offset, limit)
	if err != nil {
		return Page{}, err
	}

	for i := range page.Certs {
		entry := &page.Certs[i]
		fromPKI, err := cs.pki.Read(entry.Serial)
		if err != nil {
			return Page{}, err
		}
		entry.ClientCert = fromPKI.ClientCert
		entry.ClientKey = fromPKI.ClientKey
	}

	return page, nil
}
// ListSerials returns the page of certificate records for thingID owned by
// the identity behind token, straight from the repository and without
// consulting the PKI.
func (cs *certsService) ListSerials(ctx context.Context, token, thingID string, offset, limit uint64) (Page, error) {
	identity, err := cs.auth.Identify(ctx, &policies.Token{Value: token})
	if err != nil {
		return Page{}, err
	}

	page, err := cs.certsRepo.RetrieveByThing(ctx, identity.GetId(), thingID, offset, limit)

	return page, err
}
// ViewCert returns the certificate with the given serial, provided the
// repository holds a record of it under the identity behind token.
//
// The owner-scoped repository lookup runs before the PKI is consulted, so a
// caller cannot read certificate text for a serial it does not own. The
// result carries the thing ID, serial and expiry from the repository record
// and the certificate text from the PKI; no private key is included.
func (cs *certsService) ViewCert(ctx context.Context, token, serialID string) (Cert, error) {
	identity, err := cs.auth.Identify(ctx, &policies.Token{Value: token})
	if err != nil {
		return Cert{}, err
	}

	record, err := cs.certsRepo.RetrieveBySerial(ctx, identity.GetId(), serialID)
	if err != nil {
		return Cert{}, err
	}

	fromPKI, err := cs.pki.Read(serialID)
	if err != nil {
		return Cert{}, err
	}

	result := Cert{
		ThingID:    record.ThingID,
		ClientCert: fromPKI.ClientCert,
		Serial:     record.Serial,
		Expire:     record.Expire,
	}

	return result, nil
}