[iamclient] Restart iamclient after certificate renewed
Signed-off-by: Mykola Kobets <[email protected]>
mykola-kobets-epam committed Sep 30, 2024
1 parent 821b50f commit e514390
Showing 2 changed files with 54 additions and 21 deletions.
54 changes: 40 additions & 14 deletions src/iamclient/iamclient.cpp
Expand Up @@ -26,6 +26,19 @@ aos::Error IAMClient::Init(const Config& config, aos::iam::identhandler::IdentHa
aos::crypto::x509::ProviderItf& cryptoProvider, aos::iam::nodeinfoprovider::NodeInfoProviderItf& nodeInfoProvider,
bool provisioningMode)
{
mIdentHandler = identHandler;
mNodeInfoProvider = &nodeInfoProvider;
mCertLoader = &certLoader;
mCryptoProvider = &cryptoProvider;
mProvisionManager = &provisionManager;

mStartProvisioningCmdArgs = config.mStartProvisioningCmdArgs;
mDiskEncryptionCmdArgs = config.mDiskEncryptionCmdArgs;
mFinishProvisioningCmdArgs = config.mFinishProvisioningCmdArgs;
mDeprovisionCmdArgs = config.mDeprovisionCmdArgs;
mReconnectInterval = config.mNodeReconnectInterval;
mCACert = config.mCACert;

if (provisioningMode) {
mCredentialList.push_back(grpc::InsecureChannelCredentials());
if (!config.mCACert.empty()) {
Expand All @@ -36,28 +49,16 @@ aos::Error IAMClient::Init(const Config& config, aos::iam::identhandler::IdentHa
} else {
aos::iam::certhandler::CertInfo certInfo;

auto err = provisionManager.GetCert(aos::String(config.mCertStorage.c_str()), {}, {}, certInfo);
auto err = provisionManager.SubscribeCertReceiver(aos::String(config.mCertStorage.c_str()), {}, {}, *this);
if (!err.IsNone()) {
LOG_ERR() << "Get certificates failed: error=" << err.Message();
LOG_ERR() << "Subscribe certificate receiver failed: error=" << err.Message();

return AOS_ERROR_WRAP(aos::ErrorEnum::eInvalidArgument);
}

mCredentialList.push_back(
aos::common::utils::GetMTLSClientCredentials(certInfo, config.mCACert.c_str(), certLoader, cryptoProvider));
mServerURL = config.mMainIAMProtectedServerURL;
}

mIdentHandler = identHandler;
mNodeInfoProvider = &nodeInfoProvider;
mProvisionManager = &provisionManager;

mStartProvisioningCmdArgs = config.mStartProvisioningCmdArgs;
mDiskEncryptionCmdArgs = config.mDiskEncryptionCmdArgs;
mFinishProvisioningCmdArgs = config.mFinishProvisioningCmdArgs;
mDeprovisionCmdArgs = config.mDeprovisionCmdArgs;
mReconnectInterval = config.mNodeReconnectInterval;

mConnectionThread = std::thread(&IAMClient::ConnectionLoop, this);

return aos::ErrorEnum::eNone;
Expand All @@ -71,6 +72,8 @@ IAMClient::~IAMClient()
mShutdown = true;
mShutdownCV.notify_all();

mProvisionManager->UnsubscribeCertReceiver(*this);

if (mRegisterNodeCtx) {
mRegisterNodeCtx->TryCancel();
}
Expand All @@ -85,6 +88,17 @@ IAMClient::~IAMClient()
* Private
**********************************************************************************************************************/

void IAMClient::OnCertChanged(const aos::iam::certhandler::CertInfo& info)
{
std::unique_lock lock {mShutdownLock};

mCredentialList.clear();
mCredentialList.push_back(
aos::common::utils::GetMTLSClientCredentials(info, mCACert.c_str(), *mCertLoader, *mCryptoProvider));

mCredentialListUpdated = true;
}

std::unique_ptr<grpc::ClientContext> IAMClient::CreateClientContext()
{
return std::make_unique<grpc::ClientContext>();
Expand Down Expand Up @@ -134,6 +148,7 @@ bool IAMClient::RegisterNode(const std::string& url)
}

LOG_DBG() << "Connection established";
mCredentialListUpdated = false;

return true;
}
Expand Down Expand Up @@ -196,6 +211,17 @@ void IAMClient::HandleIncomingMessages() noexcept
if (!ok) {
break;
}

{
std::unique_lock lock {mShutdownLock};

if (mCredentialListUpdated) {
LOG_DBG() << "Credential list updated: closing connection";
mRegisterNodeCtx->TryCancel();

break;
}
}
}

} catch (const std::exception& e) {
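Review bot: The plain write `mCredentialListUpdated = false;` added after the "Connection established" log in RegisterNode races with OnCertChanged, which sets the same flag under mShutdownLock: a renewal that lands between the channel being built from mCredentialList and this reset is silently discarded, so the stream keeps running on the superseded certificate until some unrelated reconnect, which is the very case the commit sets out to handle. Clearing the flag at the point where mCredentialList is read for the new channel, under mShutdownLock, closes that window and keeps the HandleIncomingMessages check consistent with it; RegisterNode starts outside the hunk, so where the credentials are read is not visible here and this is inferred. Separately, the destructor's `mProvisionManager->UnsubscribeCertReceiver(*this);` dereferences a pointer that stays nullptr until Init has run, so an instance destroyed without a successful Init would crash; `if (mProvisionManager) { mProvisionManager->UnsubscribeCertReceiver(*this); }` is enough.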
21 changes: 14 additions & 7 deletions src/iamclient/iamclient.hpp
Expand Up @@ -32,7 +32,7 @@ using PublicNodeServiceStubPtr = std::unique_ptr<PublicNodeService::StubInterfac
/**
* GRPC IAM client.
*/
class IAMClient {
class IAMClient : private aos::iam::certhandler::CertReceiverItf {
public:
/**
* Initializes IAM client instance.
Expand All @@ -57,6 +57,8 @@ class IAMClient {
~IAMClient();

private:
void OnCertChanged(const aos::iam::certhandler::CertInfo& info) override;

using StreamPtr = std::unique_ptr<
grpc::ClientReaderWriterInterface<iamanager::v5::IAMOutgoingMessages, iamanager::v5::IAMIncomingMessages>>;

Expand Down Expand Up @@ -89,15 +91,20 @@ class IAMClient {

aos::iam::identhandler::IdentHandlerItf* mIdentHandler = nullptr;
aos::iam::provisionmanager::ProvisionManagerItf* mProvisionManager = nullptr;
aos::cryptoutils::CertLoaderItf* mCertLoader = nullptr;
aos::crypto::x509::ProviderItf* mCryptoProvider = nullptr;
aos::iam::nodeinfoprovider::NodeInfoProviderItf* mNodeInfoProvider = nullptr;

std::vector<std::string> mStartProvisioningCmdArgs;
std::vector<std::string> mDiskEncryptionCmdArgs;
std::vector<std::string> mFinishProvisioningCmdArgs;
std::vector<std::string> mDeprovisionCmdArgs;
aos::common::utils::Duration mReconnectInterval;
std::string mServerURL;
std::vector<std::shared_ptr<grpc::ChannelCredentials>> mCredentialList;
bool mCredentialListUpdated = false;

std::vector<std::string> mStartProvisioningCmdArgs;
std::vector<std::string> mDiskEncryptionCmdArgs;
std::vector<std::string> mFinishProvisioningCmdArgs;
std::vector<std::string> mDeprovisionCmdArgs;
aos::common::utils::Duration mReconnectInterval;
std::string mServerURL;
std::string mCACert;

std::unique_ptr<grpc::ClientContext> mRegisterNodeCtx;
StreamPtr mStream;
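Review bot: `mCredentialListUpdated` and `mCredentialList` are now written from the certificate-receiver callback and read from the connection thread, but nothing in the header says which lock guards them; the .cpp side takes mShutdownLock in OnCertChanged and in the new HandleIncomingMessages block. Recording that on the members keeps the next change honest, e.g. `bool mCredentialListUpdated = false; // guarded by mShutdownLock: set by OnCertChanged, consumed by the connection thread` and `std::vector<std::shared_ptr<grpc::ChannelCredentials>> mCredentialList; // mutated by OnCertChanged after Init; access under mShutdownLock`. A one-line Doxygen comment on the `OnCertChanged` override saying that it replaces the credential list and forces the connection loop to reconnect with the renewed certificate would also help readers who only see the header.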
