search

eclipse-ankaios / ankaios

Eclipse Ankaios provides workload and container orchestration for automotive High Performance Computing (HPC) software.
https://eclipse-ankaios.github.io/ankaios/
Apache License 2.0
60 stars 18 forks source link

Improve mTLS error messages upon wrong field values in the Ankaios CLI #326

Open inf17101 opened 1 month ago

inf17101 commented 1 month ago

Description

Currently, if the user enters a wrong path for the certificates or key in an Ankaios CLI, then the error message is "Channel preliminary closed." which is not helpful to the user since it is an internal Rust channel error message. This is independent of using the environment variables or the cli arguments directly.

  1. Execute the script tools/certs/create_certs.sh to create certificates for development
  2. Start the server and agent with certificates
  3. Execute an ank cli command and provide an invalid file path to some of the arguments, e.g.: 
    ./ank -v --ca_pem .certs/ca.pem --crt_pem .certs/cli.pem --key_pem asdfg get workloads

You should see the following error message:

image

Goals

Enhance the Ankaios CLI to output helpful error messages when an mTLS setting has an invalid value.

Final result

Summary

To be filled when the final solution is sketched.

Tasks

inf17101 commented 1 month ago

The reason is that the polling in the cli does not know when certificates are rejected and the from_server channel object is in this case None since the channel is closed:

    // server_connection.rs:117
    let poll_complete_state_response = async {
            loop {
                match self.from_server.recv().await {
                    Some(FromServer::Response(Response {
                        request_id: received_request_id,
                        response_content: ResponseContent::CompleteState(res),
                    })) if received_request_id == request_id => return Ok(res),
                    None => return Err("Channel preliminary closed."),
                    Some(message) => {
                        // [impl->swdd~cli-stores-unexpected-message~1]
                        self.missed_from_server_messages.push(message);
                    }
                }
            }
        };

Maybe we need proper response handling so that the communication middleware can return a certificate error, then we can also distinguish in the CLI between the errors better and output the user any kind of certificate rejection error (invalid cipher set , what else ...) At a minimum we shall communicate to the user that the file path of the certificate is not valid if a wrong path is provided as argument and if there are some other issues with the certificates then we shall output at least that the communication has failed due to a certificate error (and optional some reason depending on the effort).

GabyUnalaq commented 1 week ago

Currently working on this.

The reason that I found is that the error is indeed produced, but ignored at a higher level, inside grpc/src/client.rs - GRPCCommunicationsClient::run().

GabyUnalaq commented 1 week ago

This issue was solved and solution merged. It can be closed now.