Add certificate authentication support in SDK (#2269)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
This commit is contained in:
Avgustin Marinov
2025-02-12 13:53:08 +02:00
committed by GitHub
parent 1e4e45f7bb
commit 6675163a5d
13 changed files with 380 additions and 61 deletions

View File

@@ -26,19 +26,24 @@ import org.eclipse.hawkbit.mgmt.rest.api.MgmtTargetRestApi;
import org.eclipse.hawkbit.mgmt.rest.api.MgmtTenantManagementRestApi;
import org.eclipse.hawkbit.sdk.HawkbitClient;
import org.eclipse.hawkbit.sdk.Tenant;
import org.eclipse.hawkbit.sdk.ca.CA;
import org.springframework.util.ObjectUtils;
/**
* Management Api Interface
* Helper for authentication setup
*/
@Slf4j
@AllArgsConstructor
public class MgmtApi {
public class AuthenticationSetupHelper {
private static final String AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY = "authentication.gatewaytoken.key";
private static final String AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED = "authentication.gatewaytoken.enabled";
private static final String AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED = "authentication.targettoken.enabled";
private static final String AUTHENTICATION_MODE_HEADER_ENABLED = "authentication.header.enabled";
private static final String AUTHENTICATION_MODE_HEADER_AUTHORITY_NAME = "authentication.header.authority";
private static final Random RND = new SecureRandom();
@NonNull
private final Tenant tenant;
@NonNull
@@ -50,42 +55,47 @@ public class MgmtApi {
return Base64.getEncoder().encodeToString(rnd);
}
// if gateway toke is configured then the gateway auth is enabled key is set
// if gateway token is configured then the gateway auth is enabled key is set
// so all devices use gateway token authentication
// otherwise target token authentication is enabled. Then all devices shall be registerd
// otherwise target token authentication is enabled. Then all devices shall be registered
// and the target token shall be set to the one from the DDI controller instance
public void setupTargetAuthentication() {
final MgmtTenantManagementRestApi mgmtTenantManagementRestApi =
hawkbitClient.mgmtService(MgmtTenantManagementRestApi.class, tenant);
final MgmtTenantManagementRestApi mgmtTenantManagementRestApi = hawkbitClient.mgmtService(MgmtTenantManagementRestApi.class, tenant);
final String gatewayToken = tenant.getGatewayToken();
if (ObjectUtils.isEmpty(gatewayToken)) {
if (!(Boolean.TRUE.equals(Objects.requireNonNull(mgmtTenantManagementRestApi
.getTenantConfigurationValue(AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED)
.getBody()).getValue()))) {
mgmtTenantManagementRestApi.updateTenantConfiguration(
Map.of(AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED, true)
);
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_TARGET_SECURITY_TOKEN_ENABLED, true));
}
} else {
if (!(Boolean.TRUE.equals(Objects.requireNonNull(mgmtTenantManagementRestApi
.getTenantConfigurationValue(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED)
.getBody()).getValue()))) {
mgmtTenantManagementRestApi.updateTenantConfiguration(
Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED, true)
);
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_ENABLED, true));
}
if (!gatewayToken.equals(
Objects.requireNonNull(mgmtTenantManagementRestApi
.getTenantConfigurationValue(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY)
.getBody()).getValue())) {
mgmtTenantManagementRestApi.updateTenantConfiguration(
Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, gatewayToken)
);
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_GATEWAY_SECURITY_TOKEN_KEY, gatewayToken));
}
}
}
// returns target token
// set gateway token authentication (generate and sets gateway token to tenant, if not set up)
// return the gateway token
public String setupGatewayToken() {
String gatewayToken = tenant.getGatewayToken();
if (ObjectUtils.isEmpty(gatewayToken)) {
gatewayToken = randomToken();
tenant.setGatewayToken(gatewayToken);
}
setupTargetAuthentication();
return gatewayToken;
}
// sets up a target token and returns it
public String setupTargetToken(final String controllerId, String securityTargetToken) {
if (ObjectUtils.isEmpty(tenant.getGatewayToken())) {
final MgmtTargetRestApi mgmtTargetRestApi = hawkbitClient.mgmtService(MgmtTargetRestApi.class, tenant);
@@ -96,15 +106,13 @@ public class MgmtApi {
if (ObjectUtils.isEmpty(target.getSecurityToken())) {
// generate random to set to tha existing target without configured security token
securityTargetToken = randomToken();
mgmtTargetRestApi.updateTarget(controllerId,
new MgmtTargetRequestBody().setSecurityToken(securityTargetToken));
mgmtTargetRestApi.updateTarget(controllerId, new MgmtTargetRequestBody().setSecurityToken(securityTargetToken));
} else {
securityTargetToken = target.getSecurityToken();
}
} else if (!securityTargetToken.equals(target.getSecurityToken())) {
// update target's with the security token (since it doesn't match)
mgmtTargetRestApi.updateTarget(controllerId,
new MgmtTargetRequestBody().setSecurityToken(securityTargetToken));
mgmtTargetRestApi.updateTarget(controllerId, new MgmtTargetRequestBody().setSecurityToken(securityTargetToken));
}
} catch (final FeignException.NotFound e) {
if (ObjectUtils.isEmpty(securityTargetToken)) {
@@ -112,16 +120,35 @@ public class MgmtApi {
}
// create target with the security token
mgmtTargetRestApi.createTargets(List.of(
new MgmtTargetRequestBody()
.setControllerId(controllerId)
.setSecurityToken(securityTargetToken)));
new MgmtTargetRequestBody().setControllerId(controllerId).setSecurityToken(securityTargetToken)));
}
}
return securityTargetToken;
}
public void deleteController(final String controllerId) {
hawkbitClient.mgmtService(MgmtTargetRestApi.class, tenant).deleteTarget(controllerId);
// sets up a target token and returns it
public void setupCertificateFingerprint() {
final MgmtTenantManagementRestApi mgmtTenantManagementRestApi = hawkbitClient.mgmtService(MgmtTenantManagementRestApi.class, tenant);
final CA ddiCA = tenant.getDdiCA();
final Object enabled = Objects.requireNonNull(mgmtTenantManagementRestApi
.getTenantConfigurationValue(AUTHENTICATION_MODE_HEADER_ENABLED)
.getBody()).getValue();
if (ddiCA == null) {
if (Boolean.TRUE.equals(enabled)) {
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_HEADER_ENABLED, false));
}
} else {
if (!Boolean.TRUE.equals(enabled)) {
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_HEADER_ENABLED, true));
}
final String fingerprint = ddiCA.getFingerprint();
if (!fingerprint.equals(
Objects.requireNonNull(mgmtTenantManagementRestApi
.getTenantConfigurationValue(AUTHENTICATION_MODE_HEADER_AUTHORITY_NAME)
.getBody()).getValue())) {
mgmtTenantManagementRestApi.updateTenantConfiguration(Map.of(AUTHENTICATION_MODE_HEADER_AUTHORITY_NAME, fingerprint));
}
}
}
}