Renew certificate fix #159
Conversation
mykola-kobets-epam
force-pushed
the
renew-cert-fix
branch
from
48a3f86
to
3498eee
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## develop #159 +/- ##
===========================================
+ Coverage 86.56% 88.30% +1.74%
===========================================
Files 85 109 +24
Lines 7448 9310 +1862
Branches 0 1018 +1018
===========================================
+ Hits 6447 8221 +1774
- Misses 1001 1089 +88 ☔ View full report in Codecov by Sentry. |
mykola-kobets-epam
force-pushed
the
renew-cert-fix
branch
2 times, most recently
from
0e89bcb
to
4b10802
Compare
include/aos/iam/certhandler.hpp
Outdated
| * | ||
| * 1 per client & server + cIAMCertModulesMaxCount for message proxy | ||
| */ | ||
| constexpr auto cIAMCertSubsMaxCount = cIAMCertModulesMaxCount * 2 + cIAMCertModulesMaxCount; |
There was a problem hiding this comment.
It should be private of CertHandler const. Also unclear why we need +cIAMCertModulesMaxCount
There was a problem hiding this comment.
1 per client & server + cIAMCertModulesMaxCount for message proxy
Comment updated, constant moved to private section.
src/iam/certhandler/certhandler.cpp
Outdated
| return ErrorEnum::eNone; | ||
| } | ||
|
|
||
| Error CertHandler::UnsubscribeCertReceiver(CertReceiverItf& certReceiver) | ||
| { | ||
| LockGuard lock(mMutex); |
There was a problem hiding this comment.
updated in a separate pr for all the files.
include/aos/iam/certhandler.hpp
Outdated
| * | ||
| * @param info certificate info. | ||
| */ | ||
| void UpdateCert(const CertInfo& info) |
There was a problem hiding this comment.
It should not be part of interface. The client should have access only to required methods.
There was a problem hiding this comment.
interface updated
mykola-kobets-epam
force-pushed
the
renew-cert-fix
branch
4 times, most recently
from
7b9694e
to
218e614
Compare
src/iam/certhandler/certhandler.cpp
Outdated
| CertInfo certInfo; | ||
|
|
||
| for (auto& subscription : mCertReceiverSubscriptions) { | ||
| auto err = certModule.GetCertificate(Array<uint8_t>(), Array<uint8_t>(), certInfo); |
There was a problem hiding this comment.
Didn't get why GetCertificate is called on each iteration, not before the loop
There was a problem hiding this comment.
right, it's not needed, fixed. also added a filter for certype in the method
src/iam/certhandler/certhandler.cpp
Outdated
| { | ||
| LockGuard lock(mMutex); | ||
|
|
||
| LOG_DBG() << "Create self signed cert: type = " << certType; |
There was a problem hiding this comment.
Remove spaces, so
`Create self signed cert: type='
There was a problem hiding this comment.
removed in a separate commit for the file
| @@ -145,4 +145,18 @@ Error ProvisionManager::GetCert( | |||
| return AOS_ERROR_WRAP(mCertHandler->GetCertificate(certType, issuer, serial, resCert)); | |||
| } | |||
|
|
|||
| Error ProvisionManager::SubscribeCertReceiver(const String& certType, certhandler::CertReceiverItf& certReceiver) | |||
| { | |||
| LOG_DBG() << "Subscribe cert receiver: type = " << certType; | |||
There was a problem hiding this comment.
Remove spaces surrounding =
mykola-kobets-epam
force-pushed
the
renew-cert-fix
branch
from
218e614
to
685eb60
Compare
include/aos/iam/certhandler.hpp
Outdated
| class CertReceiverItf { | ||
| public: | ||
| /** | ||
| * Process certificate updates. |
include/aos/iam/certhandler.hpp
Outdated
| * @param certReceiver certificate receiver. | ||
| * @returns Error. | ||
| */ | ||
| virtual Error SubscribeCertReceiver(const String& certType, CertReceiverItf& certReceiver) = 0; |
There was a problem hiding this comment.
yes, it would be more uniform. changed
include/aos/iam/certhandler.hpp
Outdated
| @@ -221,16 +271,34 @@ class CertHandler : public CertHandlerItf, private NonCopyable { | |||
| virtual ~CertHandler(); | |||
|
|
|||
| private: | |||
| // (Two subscriptions for grpc client & server in iam/sm/cm/um) * modules count + | |||
| // (one subscription for grpc client in message proxy) * modules count | |||
| static constexpr auto cIAMCertSubsMaxCount = cIAMCertModulesMaxCount * 2 + cIAMCertModulesMaxCount; | |||
There was a problem hiding this comment.
Looks like in general we need only one subscription per storage. So cIAMCertModulesMaxCount should be enough. Also, we can't have this option as const. Add dedicated define to config.hpp with default value equals to modules max count.
There was a problem hiding this comment.
I think we need cIAMCertModulesMaxCount * 2 : one per aos service for client & service, because it looks like message-proxy doesn't use IAMServer to receive certificates.
Also there is a correlation between required number of subscriptions & aos-modules, so we don't need additional config value.. the less configuration values we have - the better.
There was a problem hiding this comment.
I still do not understand why we need 3*cIAMCertModulesMaxCount subscriptions. Could you provide the example?
Please add dedicated configuration into config and set it to appropriate default value. Having config value doesn't mean configuring it all the time. But it make either to change this value in the feature.
There was a problem hiding this comment.
one for sm/um/cm grpc server in communication manager + one for iam grpc server in iammanager
one for grpc client in sm/um/iam manager
And I was expected that message proxy also requested certificates using iam public interface. But it looks like it's not.
So we only require 2*cert-modules-max-count.
There was a problem hiding this comment.
I see. MP uses SM and IAM client certificates and probably will use UM client certificates as well. We can't predict future client configuration. That's why config option is REQUIRED. And should be set to 3*AOS_CONFIG_CERTHANDLER_MODULES_MAX_COUNT.
There was a problem hiding this comment.
Please add dedicated configuration into config and set it to appropriate default value.
Added in a separate commit
mykola-kobets-epam
force-pushed
the
renew-cert-fix
branch
3 times, most recently
from
91fca3c
to
278ade4
Compare
mykola-kobets-epam
force-pushed
the
renew-cert-fix
branch
from
278ade4
to
b409986
Compare
| CertInfo certInfo; | ||
|
|
||
| auto err = module->GetCertificate(Array<uint8_t>(), Array<uint8_t>(), certInfo); | ||
| if (!err.IsNone()) { |
There was a problem hiding this comment.
Consider this change
| if (!err.IsNone()) { | |
| if (!err.IsNone() && !err.Is(ErrorEnum::eNotFound)) { |
There was a problem hiding this comment.
agreed not to do that
Signed-off-by: Mykola Kobets <[email protected]>
Signed-off-by: Mykola Kobets <[email protected]>
Signed-off-by: Mykola Kobets <[email protected]>
Signed-off-by: Mykola Kobets <[email protected]>
Signed-off-by: Mykola Kobets <[email protected]>
Signed-off-by: Mykola Kobets <[email protected]>
mykola-kobets-epam
force-pushed
the
renew-cert-fix
branch
from
bd4b593
to
21b58da
Compare
No description provided.