xmidt-org / xmidt

Highly scalable pipes for communicating with devices all over the place.
Apache License 2.0

Talaria jwt token clarification #25

Closed thopewell closed 4 years ago

thopewell commented 4 years ago

Not an issue, but a request for help! It's not clear to me how to force Talaria to only accept registrations using jwt tokens (assuming I have understood correctly how xmidt works!).

I have set up xmidt using the docker-compose example and was expecting this config

jwtValidators:
    -
      keys:
        Factory:
            uri: "http://themis:6500/keys/{keyId}"
        purpose: 0
        updateInterval: 604800000000000

to force the use of tokens to register to Talaria.

However, if I rebuild the docker-simulator and modify "token-server" to something that doesn't exist and rebuild, or simply shutdown themis, it seems I can still register to Talaria.

Here are my rdk simulator logs using themis:6501 as the token server:

# docker run --rm --network=e5ac3216e7d1 -e CMAC=998877665544 xmidt/rdkb-simulator            
[1588029390][PARODUS][Info]: RAND_MAX is 2147483647 (0x7fffffff)
[1588029390][PARODUS][Info]: ********** Starting component: Parodus **********
[1588029390][PARODUS][Info]: Setting default values to parodusCfg
[1588029390][PARODUS][Info]:  cfg->webpa_protocol is PARODUS-2.0-1.1.3-37-g1d85742
[1588029390][PARODUS][Info]: Default cloud_status is offline
[1588029390][PARODUS][Info]: Parsing parodus command line arguments..
[1588029390][PARODUS][Info]: hw-model is aker-testing
[1588029390][PARODUS][Info]: cert_path is /etc/ssl/certs/ca-certificates.crt
[1588029390][PARODUS][Info]: client_cert_path is /etc/ssl/certs/ca-certificates.crt
[1588029390][PARODUS][Info]: hw_serial_number is mock-rdkb-simulator
[1588029390][PARODUS][Info]: hw_manufacturer is Example
[1588029390][PARODUS][Info]: hw_mac is 998877665544
[1588029390][PARODUS][Info]: hw_last_reboot_reason is unknown
[1588029390][PARODUS][Info]: fw_name is mock-rdkb-firmware
[1588029390][PARODUS][Info]: boot_time is 1588029390
[1588029390][PARODUS][Info]: partner_id is comcast
[1588029390][PARODUS][Info]: parodus local_url is tcp://127.0.0.1:16014
[1588029390][PARODUS][Info]: webpa_ping_timeout is 60
[1588029390][PARODUS][Info]: token_server_url is http://themis:6501/issue
[1588029390][PARODUS][Info]: webpa_backoff_max is 2
[1588029390][PARODUS][Info]: webpa_interface_used is eth0
[1588029390][PARODUS][Info]: webpa_url is http://petasos:6400
[1588029390][PARODUS][Info]: Force IPv4
[1588029390][PARODUS][Info]: Received reboot_reason as:unknown
[1588029390][PARODUS][Info]: Received reconnect_reason as:webpa_process_starts
[1588029390][PARODUS][Info]: User-Agent: PARODUS-2.0-1.1.3-37-g1d85742 (mock-rdkb-firmware; aker-testing/Example;)
[1588029390][PARODUS][Info]: X-WebPA-Convey Header: [316]{"hw-model":"aker-testing","hw-serial-number":"mock-rdkb-simulator","hw-manufacturer":"Example","fw-name":"mock-rdkb-firmware","boot-time":1588029390,"webpa-protocol":"PARODUS-2.0-1.1.3-37-g1d85742","webpa-interface-used":"eth0","hw-last-reboot-reason":"unknown","webpa-last-reconnect-reason":"webpa_process_starts"}
[1588029390][PARODUS][Info]: Device_id mac:998877665544
[1588029390][PARODUS][Info]: full url: http://petasos:6400
[1588029390][PARODUS][Info]: server address copied from url
[1588029390][PARODUS][Info]: server petasos, port 6400, http_match 1
[1588029390][PARODUS][Info]: default server_Address petasos
[1588029390][PARODUS][Info]: default port 6400
[1588029390][PARODUS][Info]: uuid_header formed X-Midt-Uuid: 19d59317-02c3-4014-a870-de67c3ac1620
[1588029390][PARODUS][Info]: curl Ip resolve option set as default mode
[1588029390][PARODUS][Info]: themis curl response 0 http_code 200
[1588029390][PARODUS][Info]: curl response Time: 0.0 seconds
[1588029390][PARODUS][Info]: cURL success
[1588029390][PARODUS][Info]: cfg->webpa_auth_token created successfully
[1588029390][PARODUS][Info]: nopoll_conn.c:331 IPv4 address of petasos is 172.25.0.6 
[1588029390][PARODUS][Info]: nopoll_conn.c:377 Create socket with non blocking-mode 
[1588029390][PARODUS][Info]: nopoll_conn.c:264 Result of wait after connect EINPROGRESS = 0
[1588029390][PARODUS][Error]: nopoll_conn.c:3067 websocket server denied connection with: 307 Temporary Redirect
[1588029390][PARODUS][Error]: nopoll_conn.c:2914 Received uncomplete listener handshake reply (0 0 0) 
[1588029390][PARODUS][Info]: nopoll_conn.c:5229 nopoll_conn_wait_for_status_until_connection_ready() response: message: Redirect:http://talaria-0:6200/api/v2/device 
[1588029390][PARODUS][Info]: Received temporary redirection response message Redirect:http://talaria-0:6200/api/v2/device
[1588029390][PARODUS][Info]: full url: http://talaria-0:6200/api/v2/device
[1588029390][PARODUS][Info]: server address copied from url
[1588029390][PARODUS][Info]: server talaria-0, port 6200, http_match 1
[1588029390][PARODUS][Info]: nopoll_ctx.c:338 Unregistered connection id 2 
[1588029390][PARODUS][Info]: cloud_status set as offline after connection close
[1588029390][PARODUS][Info]: nopoll_conn.c:331 IPv4 address of talaria-0 is 172.25.0.8 
[1588029390][PARODUS][Info]: nopoll_conn.c:377 Create socket with non blocking-mode 
[1588029390][PARODUS][Info]: nopoll_conn.c:264 Result of wait after connect EINPROGRESS = 0

[1588029390][PARODUS][Info]: nopoll_conn.c:5246 *****End nopoll_conn_wait_for_status_until_connection_ready **** 
[1588029390][PARODUS][Info]: Connected to server
[1588029390][PARODUS][Info]: cloud_status set as online after successful connection
[1588029390][PARODUS][Info]: connect_time-diff-boot_time=0
[1588029390][PARODUS][Info]: libseshat disabled, Hence proceeding without registration
[1588029390][PARODUS][Info]: nanomsg server gone into the listening mode...
[1588029390][PARODUS][Info]: No clients are registered, waiting ..
[1588029391][PARODUS][Info]: Upstream message received from nanomsg client
[1588029391][PARODUS][Info]: 
 Nanomsg client Registration for Upstream
[1588029391][PARODUS][Info]: Adding first client to list
[1588029391][PARODUS][Info]: client service aker is added to list with url: tcp://127.0.0.1:16015
[1588029391][PARODUS][Info]: sending auth status to reg client
[1588029391][PARODUS][Info]: Client aker Registered successfully. Sending Acknowledgement... 
[1588029391][PARODUS][Info]: Sending ack:new_node->sock 1 service:aker

And as expected, I can see the device in the devices api:

# curl -s  -H "Authorization: Basic dXNlcjpwYXNz" http://localhost:6200/api/v2/devices |jq
{
  "devices": [
    {
      "id": "mac:998877665544",
      "pending": 0,
      "statistics": {
        "bytesSent": 0,
        "messagesSent": 0,
        "bytesReceived": 0,
        "messagesReceived": 0,
        "duplications": 0,
        "connectedAt": "2020-04-27T23:16:30.937257801Z",
        "upTime": "16.626220638s"
      }
    }
  ]
}

and here is my rdk simulator having run "docker stop themis-image-id"

# docker run --rm --network=e5ac3216e7d1 -e CMAC=998877665544 xmidt/rdkb-simulator
[1588029729][PARODUS][Info]: RAND_MAX is 2147483647 (0x7fffffff)
[1588029729][PARODUS][Info]: ********** Starting component: Parodus **********
[1588029729][PARODUS][Info]: Setting default values to parodusCfg
[1588029729][PARODUS][Info]:  cfg->webpa_protocol is PARODUS-2.0-1.1.3-37-g1d85742
[1588029729][PARODUS][Info]: Default cloud_status is offline
[1588029729][PARODUS][Info]: Parsing parodus command line arguments..
[1588029729][PARODUS][Info]: hw-model is aker-testing
[1588029729][PARODUS][Info]: cert_path is /etc/ssl/certs/ca-certificates.crt
[1588029729][PARODUS][Info]: client_cert_path is /etc/ssl/certs/ca-certificates.crt
[1588029729][PARODUS][Info]: hw_serial_number is mock-rdkb-simulator
[1588029729][PARODUS][Info]: hw_manufacturer is Example
[1588029729][PARODUS][Info]: hw_mac is 998877665544
[1588029729][PARODUS][Info]: hw_last_reboot_reason is unknown
[1588029729][PARODUS][Info]: fw_name is mock-rdkb-firmware
[1588029729][PARODUS][Info]: boot_time is 1588029729
[1588029729][PARODUS][Info]: partner_id is comcast
[1588029729][PARODUS][Info]: parodus local_url is tcp://127.0.0.1:16014
[1588029729][PARODUS][Info]: webpa_ping_timeout is 60
[1588029729][PARODUS][Info]: token_server_url is http://themis:6501/issue
[1588029729][PARODUS][Info]: webpa_backoff_max is 2
[1588029729][PARODUS][Info]: webpa_interface_used is eth0
[1588029729][PARODUS][Info]: webpa_url is http://petasos:6400
[1588029729][PARODUS][Info]: Force IPv4

[1588029729][PARODUS][Info]: Received reboot_reason as:unknown
[1588029729][PARODUS][Info]: Received reconnect_reason as:webpa_process_starts
[1588029729][PARODUS][Info]: User-Agent: PARODUS-2.0-1.1.3-37-g1d85742 (mock-rdkb-firmware; aker-testing/Example;)
[1588029729][PARODUS][Info]: X-WebPA-Convey Header: [316]{"hw-model":"aker-testing","hw-serial-number":"mock-rdkb-simulator","hw-manufacturer":"Example","fw-name":"mock-rdkb-firmware","boot-time":1588029729,"webpa-protocol":"PARODUS-2.0-1.1.3-37-g1d85742","webpa-interface-used":"eth0","hw-last-reboot-reason":"unknown","webpa-last-reconnect-reason":"webpa_process_starts"}
[1588029729][PARODUS][Info]: Device_id mac:998877665544
[1588029729][PARODUS][Info]: full url: http://petasos:6400
[1588029729][PARODUS][Info]: server address copied from url
[1588029729][PARODUS][Info]: server petasos, port 6400, http_match 1
[1588029729][PARODUS][Info]: default server_Address petasos
[1588029729][PARODUS][Info]: default port 6400
[1588029729][PARODUS][Info]: uuid_header formed X-Midt-Uuid: a0c60c1c-77e3-4961-93c2-d4c657b677f2
[1588029729][PARODUS][Info]: curl Ip resolve option set as default mode
[1588029735][PARODUS][Info]: themis curl response 6 http_code 0
[1588029735][PARODUS][Info]: curl response Time: 4.9 seconds
[1588029735][PARODUS][Error]: curl_easy_perform() failed: Couldn't resolve host name
[1588029735][PARODUS][Error]: Failed to create new token
[1588029735][PARODUS][Error]: Curl execution is failed, retry attempt: 1
[1588029735][PARODUS][Info]: uuid_header formed X-Midt-Uuid: afc5acd7-badb-40dd-bd64-08f012b936da
[1588029735][PARODUS][Info]: curl Ip resolve option set as V4 mode
[1588029740][PARODUS][Info]: themis curl response 6 http_code 0
[1588029740][PARODUS][Info]: curl response Time: 4.9 seconds
[1588029740][PARODUS][Error]: curl_easy_perform() failed: Couldn't resolve host name
[1588029740][PARODUS][Error]: Failed to create new token
[1588029740][PARODUS][Error]: Curl execution is failed, retry attempt: 2
[1588029740][PARODUS][Info]: uuid_header formed X-Midt-Uuid: d86b7998-cbc3-436a-a38a-4535c1700ba0
[1588029740][PARODUS][Info]: curl Ip resolve option set as V6 mode
[1588029745][PARODUS][Info]: themis curl response 6 http_code 0
[1588029745][PARODUS][Info]: curl response Time: 4.9 seconds
[1588029745][PARODUS][Error]: curl_easy_perform() failed: Couldn't resolve host name
[1588029745][PARODUS][Error]: Failed to create new token
[1588029745][PARODUS][Error]: Curl execution is failed, retry attempt: 3
[1588029745][PARODUS][Error]: Curl retry is reached to max 3 attempts, proceeding without token
[1588029745][PARODUS][Info]: nopoll_conn.c:331 IPv4 address of petasos is 172.25.0.6 

[1588029745][PARODUS][Info]: nopoll_conn.c:377 Create socket with non blocking-mode 
[1588029745][PARODUS][Info]: nopoll_conn.c:264 Result of wait after connect EINPROGRESS = 0

[1588029745][PARODUS][Error]: nopoll_conn.c:3067 websocket server denied connection with: 307 Temporary Redirect

[1588029745][PARODUS][Error]: nopoll_conn.c:2914 Received uncomplete listener handshake reply (0 0 0) 
[1588029745][PARODUS][Info]: nopoll_conn.c:5229 nopoll_conn_wait_for_status_until_connection_ready() response: message: Redirect:http://talaria-0:6200/api/v2/device 
[1588029745][PARODUS][Info]: Received temporary redirection response message Redirect:http://talaria-0:6200/api/v2/device
[1588029745][PARODUS][Info]: full url: http://talaria-0:6200/api/v2/device
[1588029745][PARODUS][Info]: server address copied from url
[1588029745][PARODUS][Info]: server talaria-0, port 6200, http_match 1
[1588029745][PARODUS][Info]: nopoll_ctx.c:338 Unregistered connection id 2 
[1588029745][PARODUS][Info]: cloud_status set as offline after connection close
[1588029745][PARODUS][Info]: uuid_header formed X-Midt-Uuid: 71747b8a-5ae5-4928-8aea-48e867dcbb53

I can still see the device when I curl the Talaria devices API. I'm expecting somewhere in Talaria configuration to be able to block clients that "proceed without token"?

    [1588029745][PARODUS][Error]: Curl retry is reached to max 3 attempts, proceeding without token
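The enforcement the question is after, as an added example: this is illustrative Go, not Talaria's, Themis's or Parodus's code, and it says nothing about how Talaria's jwtValidators option actually behaves. It stands in for the /api/v2/device endpoint and fails closed: a request with no Authorization header, one carrying the Basic credentials used above for the devices API, an expired token, a token with `alg` set to `none`, or a token signed by any key other than the trusted one all get 401, so a Parodus that has "proceeded without token" never reaches the registration handler. The function names (NewGate, IssueRS256, RequireJWT, Probe) and the inline RS256 issuer that plays Themis's role are assumptions so the example runs offline.

```go
// Added example (not Talaria's or xmidt's code); every name here is illustrative.
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// verifyRS256 checks a compact JWS against pub. The algorithm is pinned to
// RS256 (so "alg":"none" or an HMAC downgrade is refused) and exp is required.
func verifyRS256(token string, pub *rsa.PublicKey, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	hdrJSON, e1 := base64.RawURLEncoding.DecodeString(parts[0])
	body, e2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, e3 := base64.RawURLEncoding.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return errors.New("bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("bad signature")
	}
	var c struct{ Exp int64 `json:"exp"` }
	if json.Unmarshal(body, &c) != nil || c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return errors.New("token expired or has no exp")
	}
	return nil
}

// RequireJWT refuses any request without a valid Bearer token before the wrapped
// handler (e.g. a websocket upgrade) runs: "proceeding without token" gets a 401.
func RequireJWT(pub *rsa.PublicKey, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "bearer token required", http.StatusUnauthorized)
			return
		}
		if err := verifyRS256(strings.TrimPrefix(auth, "Bearer "), pub, time.Now()); err != nil {
			http.Error(w, "invalid token: "+err.Error(), http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// IssueRS256 stands in for the token server (Themis's role in the compose setup); it is not Themis's code.
func IssueRS256(priv *rsa.PrivateKey, sub string, exp time.Time) string {
	body, _ := json.Marshal(map[string]interface{}{"sub": sub, "exp": exp.Unix()})
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// NewGate generates a key pair and returns a gated stand-in for /api/v2/device.
func NewGate() (http.Handler, *rsa.PrivateKey) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	return RequireJWT(&priv.PublicKey, ok), priv
}

// Probe sends one request with the given Authorization value ("" = none) and
// returns the status code the gate answered with.
func Probe(h http.Handler, authorization string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v2/device", nil)
	if authorization != "" {
		req.Header.Set("Authorization", authorization)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	gate, priv := NewGate()
	good := IssueRS256(priv, "mac:998877665544", time.Now().Add(time.Hour))
	fmt.Println("no token:", Probe(gate, ""), "valid token:", Probe(gate, "Bearer "+good))
}
```

The same probe is the check to run against a real deployment: open the device endpoint with no Authorization header and confirm the answer is a 401 rather than a redirect or a websocket upgrade, then confirm the device does not appear in /api/v2/devices. If it does, whatever is in front of the endpoint is validating tokens when present but not requiring them, which is exactly the "proceeding without token" path in the Parodus log above.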
joe94 commented 4 years ago

@TomJoons responded to this on our forum: https://discussion.xmidt.io/t/questions-around-themis-talaira-jwt/52/2 Thanks! 👍