Merge pull request #33 from PelionIoT/dev

Release v2.3.0 - Verified logging

CHANGELOG.md

@@ -1,11 +1,26 @@
 # Release notes
 
+## Pelion Edge provisioner v2.3.0
+
+### Features
+- Allows gateways to setup Journald's Forward Secure Sealing (FSS) feature. When creating gateway identity using `get-one-identity` provide `-k` command line flag to also generate FSS sealing key which is used by `journald` to perform periodic cryptographic operation on the log data. The output of that operation also generates a verfication key which is then exported and saved in the pep API server database. To know more about the Journald FSS feature, refer [this article](https://lwn.net/Articles/512895/).
+- Added `GET /v3/verification-key` REST API to read FSS verification key of a dispatched gateway.
+- Added `get-verification-key` command to pep command-line interface (CLI).
+- By default, the FSS_INTERVAL is set to 10 seconds. To change it add `-e <interval>` to `get-one-identity` command.
+
+### Out of scope
+- Gateway provisioning in developer mode.
+- Injection of identity certificates and configuration information over IP only.
+- You must use FCU to sign your device certificates (setting `device-key-generation-mode` parameter to `externally_supplied` in fcu.yml is not supported).
+- You must provision gateways in first to claim mode only (setting `first-to-claim` parameter to `false` in fcu.yml is not supported).
+- You must provide the PEP_SERVER_URL env variable manually as part of the CLI commands. Auto-discovery of the IP address of the machine running the pep API server is not supported.
+
 ## Pelion Edge provisioner v2.2.0
 
 ### Additions
 - Added `GET /enrollment-ids` REST API to export enrollment identites of the dispatched gateways.
 - Added `list-enrollment-ids` command to pep command-line interface (CLI).
-- Addded URL encoding to REST API parameters, which can contain reserve characters.
+- Added URL encoding to REST API parameters, which can contain reserve characters.
 
 ### Bug fix
 If Factory Configurator Utility (FCU) fails to provision the gateway, the identity is not saved in the database or marked as deployed, which allows the user to re-request the identity with the same serial number.

Jenkinsfile

@@ -1,5 +1,5 @@
 #!/usr/bin/env groovy
 @Library('edge-ci') _
 
-// Function is implemented in https://github.com/armPelionEdge/edge-ci/blob/master/vars/pelionEdgeProvisioner.groovy
+// Function is implemented in https://github.com/PelionIoT/edge-ci/blob/master/vars/pelionEdgeProvisioner.groovy
 pelionEdgeProvisioner()

README.md

@@ -1,10 +1,10 @@
 # Pelion Edge provisioning (pep) tool
 
-The Pelion Edge provisioning (pep) tool lets you automate the gateway provisioning flow. For more information, please see the [documentation](https://www.pelion.com/docs/device-management-edge/2.0/provisioning/index.html).
+The Pelion Edge provisioning (pep) tool lets you automate the gateway provisioning flow. For more information, please see the [documentation](https://developer.pelion.com/docs/device-management-edge/2.1/provisioning/index.html).
 
 ## Issues
 
-We use [GitHub issues](https://github.com/armPelionEdge/pelion-edge-provisioner/issues) to track requests and bugs.
+We use [GitHub issues](https://github.com/PelionIoT/pelion-edge-provisioner/issues) to track requests and bugs.
 
 ## License
 

api-server/api/models/v3/identity.js

@@ -59,6 +59,9 @@ var IdentitySchema = new Schema({
         type: String,
         required: true
     },
+    verificationKey: {
+        type: String
+    },
     apiAddress: {
         type: String
     },

api-server/api/routes/v3/index.js

@@ -136,6 +136,7 @@ router.get('/identity', (req, res) => {
     req.query.gatewayServicesAddress = decodeURI(req.query.gatewayServicesAddress);
     req.query.apiAddress = decodeURI(req.query.apiAddress);
     req.query.cloudAddress = req.query.gatewayServicesAddress;
+    req.query.verificationKey = decodeURI(req.query.verificationKey);
 
     _create_a_new_identity(req.query).then((identityData) => {
 
@@ -150,6 +151,7 @@ router.get('/identity', (req, res) => {
                 IdentityCollection.findOneAndUpdate(req.query, updated_identity).then((data) => {
 
                     var output = Object.assign(identityData, updated_identity.toObject());
+                    delete output.verificationKey;
                     res.status(200).send(output);
 
                 }, (err) => {
@@ -204,6 +206,27 @@ router.get('/enrollment-id', function(req, res) {
 
 });
 
+router.get('/verification-key', function(req, res) {
+
+    if(!req.query || !req.query.serialNumber) {
+        return res.status(400).send();
+    }
+
+    req.query.deployed = true;
+    req.query.serialNumber = decodeURI(req.query.serialNumber);
+
+    IdentityCollection.findOne(req.query).then((data) => {
+        if(data) {
+            res.status(200).send(data.verificationKey);
+        } else {
+            res.status(404).send('Not found!');
+        }
+    }, (err) => {
+        res.status(500).send(err);
+    });
+
+});
+
 const DESCENDING = -1;
 const ASCENDING = 1;
 const DEFAULT_LIMIT = 50;

cli/bash/VERSION

@@ -1 +1 @@
-2.2.0
+2.3.0

cli/bash/commands/get-one-identity.sh

@@ -25,9 +25,12 @@ fi
 
 API_URL="https://api.us-east-1.mbedcloud.com"
 GW_URL="https://gateways.us-east-1.mbedcloud.com"
+VERIFICATION_KEY="verification-key-does-not-exist"
 RADIO_CONFIG="00"
 LED_CONFIG="01"
 CATEGORY="production"
+FSS_INTERVAL="10s"
+FSS="false"
 HW_VERSION="arm-pelion-edge-gateway"
 
 cli_help_get_one_identity() {
@@ -47,16 +50,27 @@ Options:
   -i <ip>                   ip address of the gateway where factory-configurator-client is running
   -p <port_number>          port number at which factory-configurator-client listening
   -v                        verbose
+  -k                        Setup Forward secure sealing and generate verification key. interval can be specified with '-e' option. Default interval is 10s
+  -e <interval>             Specify the change interval for the sealing key when generating an FSS key pair.
   -h                        output usage information"
 }
 
+setup_fss() {
+    echo "sudo journalctl --setup-keys --interval=$FSS_INTERVAL"
+    VERIFICATION_KEY=$(sudo journalctl --setup-keys --force --interval=$FSS_INTERVAL | sed -n '1p')
+    if [ -z "$VERIFICATION_KEY" ]; then
+        cli_error "Error while generating verification key"
+        exit 1
+    fi
+}
+
 [ ! -n "$2" ] && cli_help_get_one_identity && exit 1
 
 OPTIND=2
 
 QUERY=""
 
-while getopts 'a:g:s:w:r:l:c:i:p:hv' opt; do
+while getopts 'a:g:s:w:r:l:c:i:ke:p:hv' opt; do
     case "$opt" in
         h|-help)
             cli_help_get_one_identity
@@ -86,6 +100,12 @@ while getopts 'a:g:s:w:r:l:c:i:p:hv' opt; do
         i)
             FCC_IP_ADDRESS="$OPTARG"
             ;;
+        k)
+            FSS="true"
+            ;;    
+        e)  
+            FSS_INTERVAL="$OPTARG"
+            ;;   
         p)
             FCC_PORT="$OPTARG"
             ;;
@@ -140,10 +160,15 @@ if [ ! -z "$FCC_PORT" ]; then
     QUERY="$QUERY&port=$FCC_PORT"
 fi
 
+if [[ $FSS = "true" ]]
+then
+    setup_fss
+fi
 
 curl -G \
     --data-urlencode "serialNumber=$SERIAL_NUMBER" \
     --data-urlencode "apiAddress=$API_URL" \
     --data-urlencode "gatewayServicesAddress=$GW_URL" \
-    $PEP_SERVER_URL/$API_VERSION/identity?$QUERY $VERBOSE > "identity.json"
-cat ./identity.json
+    --data-urlencode "verificationKey=$VERIFICATION_KEY" \
+    $PEP_SERVER_URL/$API_VERSION/identity?$QUERY $VERBOSE > "identity.json" 
+cat ./identity.json

cli/bash/commands/get-verification-key.sh

@@ -0,0 +1,69 @@
+# Copyright (c) 2020, Arm Limited and affiliates.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+
+set -e
+
+if [ ! -z "$DEBUG" ]; then
+    set -x
+fi
+
+. "$PEP_CLI_DIR/common.sh"
+
+cli_help_get_verification_key() {
+  echo "
+Usage: pep get-verification-key [<options>]
+
+Options:
+  -s <string_value>  get verification-key of the gateway based on its serial number
+  -v                 verbose
+  -h                 output usage information"
+}
+
+[ ! -n "$2" ] && cli_help_get_verification_key && exit 1
+
+OPTIND=2
+
+while getopts 's:hv' opt; do
+    case "$opt" in
+        h|-help)
+            cli_help_get_verification_key
+            exit 0
+            ;;
+        s)
+            SERIAL_NUMBER="$OPTARG"
+            ;;
+        v)
+            VERBOSE="-v"
+            ;;
+        *)
+            cli_help_get_verification_key
+            exit 1
+            ;;
+    esac
+done
+
+shift "$(($OPTIND-1))"
+
+if [ -z "$SERIAL_NUMBER" ]; then
+    cli_error "-s <serial_number> not specified!"
+    exit 1
+fi
+
+
+curl -G \
+    --data-urlencode "serialNumber=$SERIAL_NUMBER" \
+    $PEP_SERVER_URL/$API_VERSION/verification-key $VERBOSE

cli/bash/pep-cli.sh

@@ -39,6 +39,7 @@ Options:
 Commands:
   get-one-identity [<options>]     get a gateway identity based on the provided filters
   get-enrollment-id [<options>]    get enrollment identity of dispatched gateway
+  get-verification-key [<options>] get verification key for verifying logs on a gateway
   list-enrollment-ids [<options>]  get a list of enrollment identities of dispatched gateways
   help                             display help"
   exit 1
@@ -54,6 +55,9 @@ case "$1" in
   get-enrollment-id)
     "$PEP_CLI_DIR/commands/get-enrollment-id.sh" $@
     ;;
+  get-verification-key)
+    "$PEP_CLI_DIR/commands/get-verification-key.sh" $@
+    ;;
   list-enrollment-ids)
     "$PEP_CLI_DIR/commands/list-enrollment-ids.sh" $@
     ;;

docs/api-swagger-doc.yml

@@ -102,6 +102,28 @@ paths:
           description: Bad request
         "500":
           description: An unexpected error occurred
+  /v3/verification-key:
+    get:
+      description: Get verification key for a gateway
+      parameters:
+        - name: serialNumber
+          in: query
+          required: true
+          description: Retreive verifivation key for a gateway of this specific serial number
+          allowReserved: false
+          schema:
+            type: string
+      responses:
+        "200":
+          description: Success
+          content:
+            text/plain:
+              schema:
+                type: string
+        "400":
+          description: Bad request
+        "500":
+          description: An unexpected error occurred
   /v3/enrollment-ids:
     get:
       description: Get list of enrollment identites of the dispatched gateways

package.json

@@ -1,19 +1,19 @@
 {
   "name": "pelion-edge-provisioner",
-  "version": "2.2.0",
+  "version": "2.3.0",
   "description": "It provisions the gateway for Pelion Edge solution to successfully and securely communicate with cloud",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/armPelionEdge/pelion-edge-provisioner.git"
+    "url": "git+https://github.com/PelionIoT/pelion-edge-provisioner.git"
   },
   "bugs": {
-    "url": "https://github.com/armPelionEdge/pelion-edge-provisioner/issues"
+    "url": "https://github.com/PelionIoT/pelion-edge-provisioner/issues"
   },
   "license": "SEE LICENSE IN LICENSE",
-  "homepage": "https://github.com/armPelionEdge/pelion-edge-provisioner#readme",
+  "homepage": "https://github.com/PelionIoT/pelion-edge-provisioner#readme",
   "dependencies": {
     "body-parser": "^1.18.2",
     "colors": "^1.1.2",