-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Renew certificate fix #159
base: develop
Are you sure you want to change the base?
Renew certificate fix #159
Conversation
48a3f86
to
3498eee
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## develop #159 +/- ##
===========================================
+ Coverage 86.56% 88.30% +1.74%
===========================================
Files 85 109 +24
Lines 7448 9310 +1862
Branches 0 1018 +1018
===========================================
+ Hits 6447 8221 +1774
- Misses 1001 1089 +88 ☔ View full report in Codecov by Sentry. |
0e89bcb
to
4b10802
Compare
include/aos/iam/certhandler.hpp
Outdated
* | ||
* 1 per client & server + cIAMCertModulesMaxCount for message proxy | ||
*/ | ||
constexpr auto cIAMCertSubsMaxCount = cIAMCertModulesMaxCount * 2 + cIAMCertModulesMaxCount; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be private of CertHandler const. Also unclear why we need +cIAMCertModulesMaxCount
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
1 per client & server + cIAMCertModulesMaxCount for message proxy
Comment updated, constant moved to private section.
src/iam/certhandler/certhandler.cpp
Outdated
return ErrorEnum::eNone; | ||
} | ||
|
||
Error CertHandler::UnsubscribeCertReceiver(CertReceiverItf& certReceiver) | ||
{ | ||
LockGuard lock(mMutex); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LockGuard lock {mMutex};
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated in a separate pr for all the files.
include/aos/iam/certhandler.hpp
Outdated
* | ||
* @param info certificate info. | ||
*/ | ||
void UpdateCert(const CertInfo& info) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should not be part of interface. The client should have access only to required methods.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
interface updated
7b9694e
to
218e614
Compare
src/iam/certhandler/certhandler.cpp
Outdated
CertInfo certInfo; | ||
|
||
for (auto& subscription : mCertReceiverSubscriptions) { | ||
auto err = certModule.GetCertificate(Array<uint8_t>(), Array<uint8_t>(), certInfo); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Didn't get why GetCertificate is called on each iteration, not before the loop
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
right, it's not needed, fixed. also added a filter for certype in the method
src/iam/certhandler/certhandler.cpp
Outdated
{ | ||
LockGuard lock(mMutex); | ||
|
||
LOG_DBG() << "Create self signed cert: type = " << certType; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove spaces, so
`Create self signed cert: type='
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed in a separate commit for the file
@@ -145,4 +145,18 @@ Error ProvisionManager::GetCert( | |||
return AOS_ERROR_WRAP(mCertHandler->GetCertificate(certType, issuer, serial, resCert)); | |||
} | |||
|
|||
Error ProvisionManager::SubscribeCertReceiver(const String& certType, certhandler::CertReceiverItf& certReceiver) | |||
{ | |||
LOG_DBG() << "Subscribe cert receiver: type = " << certType; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove spaces surrounding =
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
218e614
to
685eb60
Compare
include/aos/iam/certhandler.hpp
Outdated
class CertReceiverItf { | ||
public: | ||
/** | ||
* Process certificate updates. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Processes
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
include/aos/iam/certhandler.hpp
Outdated
* @param certReceiver certificate receiver. | ||
* @returns Error. | ||
*/ | ||
virtual Error SubscribeCertReceiver(const String& certType, CertReceiverItf& certReceiver) = 0; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SubscribeCertChanged?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, it would be more uniform. changed
include/aos/iam/certhandler.hpp
Outdated
@@ -221,16 +271,34 @@ class CertHandler : public CertHandlerItf, private NonCopyable { | |||
virtual ~CertHandler(); | |||
|
|||
private: | |||
// (Two subscriptions for grpc client & server in iam/sm/cm/um) * modules count + | |||
// (one subscription for grpc client in message proxy) * modules count | |||
static constexpr auto cIAMCertSubsMaxCount = cIAMCertModulesMaxCount * 2 + cIAMCertModulesMaxCount; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like in general we need only one subscription per storage. So cIAMCertModulesMaxCount should be enough. Also, we can't have this option as const. Add dedicated define to config.hpp with default value equals to modules max count.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need cIAMCertModulesMaxCount * 2 : one per aos service for client & service, because it looks like message-proxy doesn't use IAMServer to receive certificates.
Also there is a correlation between required number of subscriptions & aos-modules, so we don't need additional config value.. the less configuration values we have - the better.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I still do not understand why we need 3*cIAMCertModulesMaxCount subscriptions. Could you provide the example?
Please add dedicated configuration into config and set it to appropriate default value. Having config value doesn't mean configuring it all the time. But it make either to change this value in the feature.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
one for sm/um/cm grpc server in communication manager + one for iam grpc server in iammanager
one for grpc client in sm/um/iam manager
And I was expected that message proxy also requested certificates using iam public interface. But it looks like it's not.
So we only require 2*cert-modules-max-count.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see. MP uses SM and IAM client certificates and probably will use UM client certificates as well. We can't predict future client configuration. That's why config option is REQUIRED. And should be set to 3*AOS_CONFIG_CERTHANDLER_MODULES_MAX_COUNT.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add dedicated configuration into config and set it to appropriate default value.
Added in a separate commit
91fca3c
to
278ade4
Compare
278ade4
to
b409986
Compare
CertInfo certInfo; | ||
|
||
auto err = module->GetCertificate(Array<uint8_t>(), Array<uint8_t>(), certInfo); | ||
if (!err.IsNone()) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider this change
if (!err.IsNone()) { | |
if (!err.IsNone() && !err.Is(ErrorEnum::eNotFound)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agreed not to do that
Signed-off-by: Mykola Kobets <[email protected]>
Signed-off-by: Mykola Kobets <[email protected]>
Signed-off-by: Mykola Kobets <[email protected]>
Signed-off-by: Mykola Kobets <[email protected]>
Signed-off-by: Mykola Kobets <[email protected]>
Signed-off-by: Mykola Kobets <[email protected]>
bd4b593
to
21b58da
Compare
No description provided.