Collaborate? #1

Closed
jarlah opened this issue Apr 28, 2023 · 5 comments
Comments

@jarlah
Collaborator

jarlah commented Apr 28, 2023

Hi

I recently found this repo. I had previously started to implement my own acs in Rust, in a private repo, and when I saw this (luckily before I had come too far) it occurred to me that we could collaborate on this project.

In my own acs I have done things a bit differently, or should I say, I have started at the other end of the spectrum. I have started to think about the bigger problems like how to do database and (maybe) caching. And how to authenticate a user solely with TLS, for example. A peer certificate's common name could be a unit ID. If the common name is something shared between all CPEs of a type, basic auth is required. One might say it's the wrong end of the spectrum, but for me there are too many insecure acs servers out there, and we don't need another one.

I did some work many years ago on freeacs, which I'm actually not too proud of now really atm, but hey, we learn, right? I archived it, because I didn't see anyone picking it up after me. What I'm saying is that I have a lot of knowledge about how freeacs worked and its implementation details. Same with the TR-069 spec.

Do you want to collaborate?

I'm specifically thinking about making a web managed acs with security as top priority. I see you have a management API and that's cool. But if we could make a web based management UI in WebAssembly in Rust, right, for ex with leptos or yew or sycamore, then we would eliminate 90% of bugs that occur in most modern device orchestration solutions.

@guillaumepellegrino
Owner

Hi jarlah,
Glad you find this repo interesting!
It's a bit of a toy project to me, but if you wish to extend this project with a nice frontend or database, I am open to it.
However, that's not a part I know very well.
My need on this project was more to have a simple cli to do some tests with GPV/SPV. No need to manage a park :)

From a security point of view, the CPE authentication is indeed missing. Today, CPE1 could very well be passing for CPE2.
That's something which can be fixed:

  • Either with TLS double authentication as you suggest, with a unique certificate per CPE
  • Or with a better password policy. Ex: To register a new CPE, you must first ask the acs to generate you a new unique password for your SerialNumber via cli or webui.

It may be good to have both possibilities, depending on the level of security you are looking for.

Regarding the Frontend, I guess the management APIs probably need to be refactored. Maybe with a well-defined API in JSON.
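
The CPE identity check discussed in the two comments above (certificate common name as unit ID, basic auth when the CN is shared, an ACS-issued password per SerialNumber), as an added example that is not code from this repository. `Session`, `Policy`, `Decision` and `authenticate` are hypothetical names, and the TLS layer is assumed to have already verified the client certificate chain.

```rust
use std::collections::{HashMap, HashSet};

/// Per-Inform inputs from the TLS and HTTP layers (hypothetical type).
pub struct Session<'a> {
    pub peer_cn: Option<&'a str>,               // CN of the verified client cert
    pub basic_auth: Option<(&'a str, &'a str)>, // HTTP Basic (user, password)
    pub inform_serial: &'a str,                 // SerialNumber claimed in the Inform
}

/// A real store would keep salted hashes; plaintext keeps the example std-only.
pub struct Policy {
    pub shared_cns: HashSet<String>,        // CNs shared by every CPE of a type
    pub passwords: HashMap<String, String>, // ACS-issued password per serial
}

#[derive(Debug, PartialEq)]
pub enum Decision { Accept(String), Reject(&'static str) }

/// Equal-length inputs are compared without an early exit on the first differing byte.
fn ct_eq(a: &str, b: &str) -> bool {
    a.len() == b.len() && a.bytes().zip(b.bytes()).fold(0u8, |d, (x, y)| d | (x ^ y)) == 0
}

pub fn authenticate(s: &Session, p: &Policy) -> Decision {
    // A CN that is not shared identifies exactly one unit.
    if let Some(cn) = s.peer_cn.filter(|cn| !p.shared_cns.contains(*cn)) {
        return if cn == s.inform_serial {
            Decision::Accept(cn.to_string())
        } else {
            Decision::Reject("Inform SerialNumber differs from certificate CN")
        };
    }
    // Shared CN or no client certificate: fall back to the per-unit password.
    let (user, pass) = match s.basic_auth {
        Some(creds) => creds,
        None => return Decision::Reject("basic auth required"),
    };
    if user != s.inform_serial {
        return Decision::Reject("Inform SerialNumber differs from basic auth user");
    }
    match p.passwords.get(user) {
        Some(stored) if ct_eq(stored, pass) => Decision::Accept(user.to_string()),
        _ => Decision::Reject("unknown unit or wrong password"),
    }
}
```

Binding the accepted identity to the SerialNumber in the Inform is what stops an authenticated CPE1 from reporting as CPE2.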

@jarlah
Collaborator Author

jarlah commented Apr 29, 2023

Thanks for replying 😃

From a systems engineer standpoint, implementing a frontend is simple. However, simple is not always easy. Sorry for using that old cliché ;)

I think we should focus on bringing up a simple frontend in a Rust wasm web framework that calls a REST API. Authentication is the least of my worries right now. If we can search for a unit, see its last reported parameter values and set new values which will trigger on next inform, then we have something bare minimum that is usable and worthy of protecting. And that also includes handling the logic of how to know if the acs wants a unit to set new parameters. With some strategy pattern, I don't know, we will figure it out.

So:

  • Set up GitHub Actions, formatting, tests and building.
  • Implement a simple database schema for units and session unit parameters (in future we need unit type and profile and unit parameters as well, but not right now)
  • Implement looking up a unit, its parameters and saving updated parameters.
  • Implement a simple wasm frontend in Rust. Then we can reuse code and logic on frontend and API.
  • Implement unit search that brings up a list of units, letting us click on one, and brings up a page that displays the unit's parameters and values.
  • Implement saving new parameter values on a unit.
  • Enable authenticating a device based on its unique certificate (multiple steps)

Something like that? If you make me a contributor, or possibly move it to a free organisation if you don't want to manage it on your own profile, I can start making a project kanban board and begin hacking. Or I can just make PRs to this project ;) no stress

@guillaumepellegrino
Owner

Okay, I have added you to the list of collaborators. My only demand: don't break the cli :)

@jarlah
Collaborator Author

jarlah commented May 2, 2023

This issue will be closed when we have added a project board and I have moved the issues/tasks above into it.

@jarlah
Collaborator Author

jarlah commented May 4, 2023

Closing this as all tasks have been added to the project

jarlah closed this as completed May 4, 2023