Add certificate authentication support in SDK (#2269)
Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
@@ -26,19 +26,24 @@ import org.eclipse.hawkbit.mgmt.rest.api.MgmtTargetRestApi;
|
||||
import org.eclipse.hawkbit.mgmt.rest.api.MgmtTenantManagementRestApi;
|
||||
import org.eclipse.hawkbit.sdk.HawkbitClient;
|
||||
import org.eclipse.hawkbit.sdk.Tenant;
|
||||
import org.eclipse.hawkbit.sdk.ca.CA;
|
||||
import org.springframework.util.ObjectUtils;
|
||||
|
||||
/**
|
||||
* Management Api Interface
|
||||
* Helper for authentication setup
|
||||
*/
|
||||
@Slf4j
|
||||
@AllArgsConstructor
|
||||
public class MgmtApi {
|
||||
public class AuthenticationSetupHelper {
|
||||
|
||||
private static final String AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY = "authentication.gatewaytoken.key";
|
||||
private static final String AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED = "authentication.gatewaytoken.enabled";
|
||||
private static final String AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED = "authentication.targettoken.enabled";
|
||||
private static final String AUTHENTICATION_MODE_HEADER_ENABLED = "authentication.header.enabled";
|
||||
private static final String AUTHENTICATION_MODE_HEADER_AUTHORITY_NAME = "authentication.header.authority";
|
||||
|
||||
private static final Random RND = new SecureRandom();
|
||||
|
||||
@NonNull
|
||||
private final Tenant tenant;
|
||||
@NonNull
|
||||
@@ -50,42 +55,47 @@ public class MgmtApi {
|
||||
return Base64.getEncoder().encodeToString(rnd);
|
||||
}
|
||||
|
||||
// if gateway toke is configured then the gateway auth is enabled key is set
|
||||
// if gateway token is configured then the gateway auth is enabled key is set
|
||||
// so all devices use gateway token authentication
|
||||
// otherwise target token authentication is enabled. Then all devices shall be registerd
|
||||
// otherwise target token authentication is enabled. Then all devices shall be registered
|
||||
// and the target token shall be set to the one from the DDI controller instance
|
||||
public void setupTargetAuthentication() {
|
||||
final MgmtTenantManagementRestApi mgmtTenantManagementRestApi =
|
||||
hawkbitClient.mgmtService(MgmtTenantManagementRestApi.class, tenant);
|
||||
final MgmtTenantManagementRestApi mgmtTenantManagementRestApi = hawkbitClient.mgmtService(MgmtTenantManagementRestApi.class, tenant);
|
||||
final String gatewayToken = tenant.getGatewayToken();
|
||||
if (ObjectUtils.isEmpty(gatewayToken)) {
|
||||
if (!(Boolean.TRUE.equals(Objects.requireNonNull(mgmtTenantManagementRestApi
|
||||
.getTenantConfigurationValue(AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED)
|
||||
.getBody()).getValue()))) {
|
||||
mgmtTenantManagementRestApi.updateTenantConfiguration(
|
||||
Map.of(AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED, true)
|
||||
);
|
||||
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED, true));
|
||||
}
|
||||
} else {
|
||||
if (!(Boolean.TRUE.equals(Objects.requireNonNull(mgmtTenantManagementRestApi
|
||||
.getTenantConfigurationValue(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED)
|
||||
.getBody()).getValue()))) {
|
||||
mgmtTenantManagementRestApi.updateTenantConfiguration(
|
||||
Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED, true)
|
||||
);
|
||||
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED, true));
|
||||
}
|
||||
if (!gatewayToken.equals(
|
||||
Objects.requireNonNull(mgmtTenantManagementRestApi
|
||||
.getTenantConfigurationValue(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY)
|
||||
.getBody()).getValue())) {
|
||||
mgmtTenantManagementRestApi.updateTenantConfiguration(
|
||||
Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, gatewayToken)
|
||||
);
|
||||
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, gatewayToken));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// returns target token
|
||||
// set gateway token authentication (generate and sets gateway token to tenant, if not set up)
|
||||
// return the gateway token
|
||||
public String setupGatewayToken() {
|
||||
String gatewayToken = tenant.getGatewayToken();
|
||||
if (ObjectUtils.isEmpty(gatewayToken)) {
|
||||
gatewayToken = randomToken();
|
||||
tenant.setGatewayToken(gatewayToken);
|
||||
}
|
||||
setupTargetAuthentication();
|
||||
return gatewayToken;
|
||||
}
|
||||
|
||||
// sets up a target token and returns it
|
||||
public String setupTargetToken(final String controllerId, String securityTargetToken) {
|
||||
if (ObjectUtils.isEmpty(tenant.getGatewayToken())) {
|
||||
final MgmtTargetRestApi mgmtTargetRestApi = hawkbitClient.mgmtService(MgmtTargetRestApi.class, tenant);
|
||||
@@ -96,15 +106,13 @@ public class MgmtApi {
|
||||
if (ObjectUtils.isEmpty(target.getSecurityToken())) {
|
||||
// generate random to set to tha existing target without configured security token
|
||||
securityTargetToken = randomToken();
|
||||
mgmtTargetRestApi.updateTarget(controllerId,
|
||||
new MgmtTargetRequestBody().setSecurityToken(securityTargetToken));
|
||||
mgmtTargetRestApi.updateTarget(controllerId, new MgmtTargetRequestBody().setSecurityToken(securityTargetToken));
|
||||
} else {
|
||||
securityTargetToken = target.getSecurityToken();
|
||||
}
|
||||
} else if (!securityTargetToken.equals(target.getSecurityToken())) {
|
||||
// update target's with the security token (since it doesn't match)
|
||||
mgmtTargetRestApi.updateTarget(controllerId,
|
||||
new MgmtTargetRequestBody().setSecurityToken(securityTargetToken));
|
||||
mgmtTargetRestApi.updateTarget(controllerId, new MgmtTargetRequestBody().setSecurityToken(securityTargetToken));
|
||||
}
|
||||
} catch (final FeignException.NotFound e) {
|
||||
if (ObjectUtils.isEmpty(securityTargetToken)) {
|
||||
@@ -112,16 +120,35 @@ public class MgmtApi {
|
||||
}
|
||||
// create target with the security token
|
||||
mgmtTargetRestApi.createTargets(List.of(
|
||||
new MgmtTargetRequestBody()
|
||||
.setControllerId(controllerId)
|
||||
.setSecurityToken(securityTargetToken)));
|
||||
new MgmtTargetRequestBody().setControllerId(controllerId).setSecurityToken(securityTargetToken)));
|
||||
}
|
||||
}
|
||||
|
||||
return securityTargetToken;
|
||||
}
|
||||
|
||||
public void deleteController(final String controllerId) {
|
||||
hawkbitClient.mgmtService(MgmtTargetRestApi.class, tenant).deleteTarget(controllerId);
|
||||
// sets up a target token and returns it
|
||||
public void setupCertificateFingerprint() {
|
||||
final MgmtTenantManagementRestApi mgmtTenantManagementRestApi = hawkbitClient.mgmtService(MgmtTenantManagementRestApi.class, tenant);
|
||||
final CA ddiCA = tenant.getDdiCA();
|
||||
final Object enabled = Objects.requireNonNull(mgmtTenantManagementRestApi
|
||||
.getTenantConfigurationValue(AUTHENTICATION_MODE_HEADER_ENABLED)
|
||||
.getBody()).getValue();
|
||||
if (ddiCA == null) {
|
||||
if (Boolean.TRUE.equals(enabled)) {
|
||||
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_HEADER_ENABLED, false));
|
||||
}
|
||||
} else {
|
||||
if (!Boolean.TRUE.equals(enabled)) {
|
||||
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_HEADER_ENABLED, true));
|
||||
}
|
||||
final String fingerprint = ddiCA.getFingerprint();
|
||||
if (!fingerprint.equals(
|
||||
Objects.requireNonNull(mgmtTenantManagementRestApi
|
||||
.getTenantConfigurationValue(AUTHENTICATION_MODE_HEADER_AUTHORITY_NAME)
|
||||
.getBody()).getValue())) {
|
||||
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_HEADER_AUTHORITY_NAME, fingerprint));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user