-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
refactor: Untangle certificate request, creation and renewal #3268
refactor: Untangle certificate request, creation and renewal #3268
Conversation
Codecov ReportAttention: Patch coverage is Additional details and impacted files📢 Thoughts on this report? Let us know! |
Robot Results
|
|
||
let not_after = not_before + Duration::days(config.validity_period_days.into()); | ||
params.not_before = not_before; | ||
params.not_after = not_after; | ||
|
||
params.is_ca = rcgen::IsCa::Ca(rcgen::BasicConstraints::Unconstrained); // IsCa::SelfSignedOnly is rejected by C8Y |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the change failing the system tests.
I forgot to inject this back to self-signed certificate creation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed by 950ebcb
ddff773
to
950ebcb
Compare
/// Create self-signed device certificate and signing request | ||
pub struct CreateCertCmd { | ||
/// The device identifier | ||
pub id: String, | ||
|
||
/// The path where the device certificate will be stored | ||
/// The path where the device certificate / request will be stored | ||
pub cert_path: Utf8PathBuf, | ||
|
||
/// The path where the device private key will be stored | ||
pub key_path: Utf8PathBuf, | ||
|
||
/// The path where the device CSR file will be stored | ||
pub csr_path: Option<Utf8PathBuf>, | ||
|
||
/// The component that is configured to host the MQTT bridge logic | ||
pub bridge_location: BridgeLocation, | ||
/// The owner of the private key | ||
pub user: String, | ||
pub group: String, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: if CreateCertCmd
creates certificate signing requests, what does the CreateCsrCmd
do?
Is this a leftover of some previous changes, or am I not understanding something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops. This is a leftover. CreateCertCmd
is now only used to create self signed certificate.
This now confusing comment has been added during an intermediate step and has to be removed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed: 4cf7c88
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And improved: 0de8244
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
|
||
create_cmd.renew_test_certificate(config) | ||
override_public_key(cert_path, cert.certificate_pem_string()?) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The explicit removal of the certificate in line. 40 seems redundant now, because of this "override" mechanism. But not harm either.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought the same but it is not. Indeed, a certificate is in practice write protected (0o444
).
Signed-off-by: Didier Wenzek <[email protected]>
Signed-off-by: Didier Wenzek <[email protected]>
This field was used to hack the CreateCertCmd making it creating a CSR instead of a self-signed certificate. Signed-off-by: Didier Wenzek <[email protected]>
Previously, this user was derived from the bridge type introducing an unrelated domain, even if in practice thin-edge mainly uses certificates to authenticate the bridge. Signed-off-by: Didier Wenzek <[email protected]>
Signed-off-by: Didier Wenzek <[email protected]>
Two fields were used to pass a device id to a CSR command, one being only used if the other was not suitable. Now the device id is provided by the caller. Signed-off-by: Didier Wenzek <[email protected]>
0de8244
to
88bcaad
Compare
Proposed changes
Prepare the integration with Cumulocity CA, by putting apart the code to create self-signed certificate, to create signing request and to renew a certificate.
These different tasks was implemented by a single structure using misc flags to drive checks and file generation.
Now each PEM operation is control by a specific flow.
Types of changes
Paste Link to the issue
#3248
Checklist
cargo fmt
as mentioned in CODING_GUIDELINEScargo clippy
as mentioned in CODING_GUIDELINESFurther comments