TLS support in KUKSA.val Client

Update tonic
Make --insecure (or tls config) mandatory for databroker
Remove server hack

.github/workflows/kuksa-client.yml

@@ -23,7 +23,6 @@ on:
     - "kuksa-client/**"
   workflow_dispatch:
 
-
 jobs:
   checkrights:
     uses: ./.github/workflows/check_push_rights.yml
@@ -95,3 +94,28 @@ jobs:
         push: false
         tags: "ttl.sh/kuksa.val/kuksa-client-${{github.sha}}:1h"
         labels: ${{ steps.meta.outputs.labels }}
+
+
+  dbc2val-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout kuksa.val
+        uses: actions/checkout@v3
+      - name: Install pip
+        run: |
+          python -m pip --quiet --no-input install --upgrade pip
+      - name: Install dependencies with pip
+        run: |
+          cd kuksa-client
+          pip install -r requirements.txt -e .
+          pip install -r test-requirements.txt
+      - name: Run tests
+        run: |
+          cd kuksa-client
+          pytest
+      - name: Build pypi package
+        run: |
+          cd kuksa-client
+          pip install --upgrade build
+          python -m build
+

Cargo.toml

@@ -31,7 +31,7 @@ prost-types = "0.11"
 tokio = "1.17.0"
 # tokio-stream has no features
 tokio-stream = "0.1.8"
-tonic = { version = "0.8", default-features = false }
+tonic = { version = "0.9.1", default-features = false }
 tonic-build = { version = "0.8", default-features = false }
 
 [profile.release]

README.md

@@ -28,5 +28,7 @@ KUKSA.val contains several components
 | [Examples](./kuksa_apps) | Multiple example apps for different programming languages and frameworks
 | [Feeders](https://github.com/eclipse/kuksa.val.feeders/) | Multiple feeders to gathering vehicle data and transforming it to VSS suitable for kuksa-val-server
 
+## More information
 
+* [KUKSA.val TLS Concept](doc/tls.md)
 

doc/quickstart.md

@@ -2,11 +2,13 @@
 
 The quickest possible way to get KUKSA.val up and running
 
+*Note: The examples in this document do not use TLS or access control.*
+
 ## Starting broker
 First we want to run KUKSA.val databroker
 
 ```
-docker run -it --rm --net=host ghcr.io/eclipse/kuksa.val/databroker:master 
+docker run -it --rm --net=host ghcr.io/eclipse/kuksa.val/databroker:master --insecure
 ```
 
 
@@ -16,7 +18,7 @@ You can interact with the VSS datapoints using the cli clients. The first option
 This is, how you start it:
 
 ```
-docker run -it --rm --net=host ghcr.io/eclipse/kuksa.val/databroker-cli:master       
+docker run -it --rm --net=host ghcr.io/eclipse/kuksa.val/databroker-cli:master
 ```
 
 Here is how you can use it:
@@ -91,7 +93,10 @@ print("Finished.")
 ```
 
 Do a `pip install kuksa-client` and start with
+
+```
 python ./speed_provider.py
+```
 
 ### Subscribing data:
 Create a file `speed_subscriber.py` with the following content
@@ -109,26 +114,29 @@ with VSSClient('127.0.0.1', 55555) as client:
 ```
 
 Do a `pip install kuksa-client` and start with
-python ./speed_subscriber.py
 
+```
+python ./speed_subscriber.py
+```
 
 ## FAQ & Notes
-Frequently anticipated questions and tipps.
+Frequently anticipated questions and tips.
 
 ### This is not working on OS X
-Unfortunately OS X has a bug that does not allow you to use the databroker default 55555. To change when starting the server:
+Unfortunately OS X has a bug that does not allow you to use the Databroker default port 55555. To change when starting the server:
 
 ```
-docker run -it --rm --net=host ghcr.io/eclipse/kuksa.val/databroker:master  --port 55556
+docker run -it --rm --net=host ghcr.io/eclipse/kuksa.val/databroker:master  --port 55556 --insecure
 ```
 
 Using the databroker-cli
 
 ```
-docker run -it --rm --net=host -e KUKSA_DATA_BROKER_PORT=55556 ghcr.io/eclipse/kuksa.val/databroker-cli:master                   
+docker run -it --rm --net=host -e KUKSA_DATA_BROKER_PORT=55556 ghcr.io/eclipse/kuksa.val/databroker-cli:master
 ```
 
 Using kuksa-client CLI
+
 ```
 docker run -it --rm --net=host ghcr.io/eclipse/kuksa.val/kuksa-client:master --port 55556 --protocol grpc --insecure 
 ```
@@ -143,7 +151,7 @@ One alternative is using a Docker distribution, that does support it even on Mac
 With Docker Desktop you can still forward ports, so this should work:
 
 ```
-docker run -it --rm  --publish 55556:55556 ghcr.io/eclipse/kuksa.val/databroker:master  --port 55556
+docker run -it --rm  --publish 55556:55556 ghcr.io/eclipse/kuksa.val/databroker:master  --port 55556 --insecure
 ```
 
 From your host computer you can now reach databroker at `127.0.0.1:55556`. To connect from another container, you need to use your computers IP address (**not** 127.0.0.1), i.e. to use the client
@@ -162,7 +170,7 @@ docker run -it --rm   ghcr.io/eclipse/kuksa.val/databroker-cli:master  --server
 
 ### feed/set: Why is my data not updated?
 Some VSS points are "sensors", e.g. Vehicle.Speed. You can read/get Vehicle speed, but we are not expecting to be able to influence it via VSS.
-Historically components, that gather the actual vehicle speed from some sensors/busses in a vehicle and providing a VSS  representation to kuksa.val have been called `feeders`. Hence, to update the current speed in the Rust-cli, you use
+Historically components, that gather the actual vehicle speed from some sensors/busses in a vehicle and providing a VSS representation to kuksa.val have been called `feeders`. Hence, to update the current speed in the Rust-cli, you use
 
 ```
 feed Vehicle.Speed 200

doc/tls.md

@@ -0,0 +1,111 @@
+# KUKSA.val TLS concept
+
+This page describes the TLS support in KUKSA.val
+
+## Security concept
+
+KUKSA.val supports TLS for connection between KUKSA.val Databroker/Server and clients.
+
+General design concept in short:
+
+* KUKSA.val Server and KUKSA.val Databroker by default only accept TLS connection. Insecure connections can be allowed by a configuration setting
+* Mutual authentication not supported, i.e. KUKSA.val Server and KUKSA.val Databroker does not authenticate clients
+* A set of example certificates and keys exist in the [kuksa_certificates](kuksa_certificates) repository
+* The example certificates are used as default by some applications
+* The example certificates shall only be used during development and re not suitable for production use
+* KUKSA.val does not put any additional requirements on what certificates that are accepted, default settings as defined by OpenSSL and gRPC are typically used
+
+## Example certificates
+
+For more information see the [README.md](kuksa_certificates/README.md).
+
+**NOTE: The example keys and certificates shall not be used in your production environment!  **
+
+## Examples using example certificates
+
+This section intends to give guidelines on how you can verify TLS functionality with KUKSA.val.
+It is based on using the example certificates.
+
+
+## KUKSA.val databroker
+
+KUKSA.val Databroker supports TLS, but not mutual authentication.
+You cannot start KUKSA.val Databroker just using default arguments as you either must specify that insecure connections
+shall be used (`--insecure`) or provide data for a secure connection.
+To use a secure connection specify `--tls-cert`and `--tls-private-key`
+
+```
+~/kuksa.val/kuksa_databroker$ cargo run --bin databroker -- --metadata ../data/vss-core/vss_release_4.0.json --tls-cert ../kuksa_certificates/Server.pem --tls-private-key ../kuksa_certificates/Server.key
+```
+
+Default certificates and keys are not included in the default KUKSA.val Databroker container,
+so if running KUKSA.val Databroker from a default container you need to mount the directory containing the keys and certificates.
+
+```
+~/kuksa.val/kuksa_databroker$ docker run --rm -it  -p 55555:55555/tcp -v /home/user/kuksa.val/kuksa_certificates:/certs databroker --tls-cert /certs/Server.pem --tls-private-key /certs/Server.key
+```
+
+## KUKSA.val databroker-cli
+
+Can be run in TLS mode like below.
+Note that [databroker-cli](kuksa_databroker/databroker-cli/src/main.rs) currently expects the certificate
+to have "Server" as subjectAltName.
+
+```
+~/kuksa.val/kuksa_databroker$ cargo run --bin databroker-cli -- --ca-cert ../kuksa_certificates/CA.pem
+```
+
+Default certificates and keys are not included in the default KUKSA.val Databroker-cli container,
+so if running KUKSA.val Databroker-cli from a default container you need to mount the directory containing the keys and certificates.
+
+```
+docker run --rm -it --net=host -v /home/user/kuksa.val/kuksa_certificates:/certs databroker-cli --ca-cert /certs/CA.pem
+```
+
+## KUKSA.val Server
+
+Uses TLS by default, but doe not support mutual TLS. By default it uses KUKSA.val example certificates/keys `Server.key`, `Server.pem` and `CA.pem`.
+
+```
+~/kuksa.val/kuksa-val-server/build/src$ ./kuksa-val-server  --vss ./vss_release_4.0.json
+```
+
+It is posible to specify a different certificate path, but the file names must be the same as listed above.
+
+```
+~/kuksa.val/kuksa-val-server/build/src$ ./kuksa-val-server  --vss ./vss_release_4.0.json -cert-path ../../../kuksa_certificates
+```
+
+In KUKSA.val Server the default certificates and keys are included in the container, so no need to
+mount a directory if you want to use default certificates and keys.
+
+```
+docker run -it --rm -p 127.0.0.1:8090:8090 -e LOG_LEVEL=ALL kuksa-val:latest
+```
+
+If using the default KUKSA.val Server Docker container there is no mechanism to use different certificates,
+as the [Dockerfile](../kuksa-val-server/docker/Dockerfile) specifies that the default shall be used.
+
+## KUKSA.val Client (command line)
+
+See [KUKSA.val Client Documentation](../kuksa-client/README.md).
+
+## KUKSA.val Client (library)
+
+Clients like [KUKSA.val CAN Feeder](https://github.com/eclipse/kuksa.val.feeders/tree/main/dbc2val)
+that use KUKSA.val Client library must typically set the path to the root CA certificate.
+If the path is set the VSSClient will try to establish a secure connection.
+
+```
+# Shall TLS be used (default False for Databroker, True for KUKSA.val Server)
+# tls = False
+tls = True
+
+# TLS-related settings
+# Path to root CA, needed if using TLS
+root_ca_path=../../kuksa.val/kuksa_certificates/CA.pem
+# Server name, typically only needed if accessing server by IP address like 127.0.0.1
+# and typically only if connection to KUKSA.val Databroker
+# If using KUKSA.val example certificates the names "Server" or "localhost" can be used.
+# tls_server_name=Server
+```