From bd6bf8b5319c5ce1949f6838fce1cf521cdaa779 Mon Sep 17 00:00:00 2001 From: PALASH MANISHKUMAR SHAH Date: Tue, 10 Nov 2020 17:07:32 -0600 Subject: [PATCH 1/2] Verified logging (#31) * Add verification key support in pep server and pep cli * make get-verification-key.sh executable * change interval of FSS * update swagger doc * recreate sealing key file if it already exists --- api-server/api/models/v3/identity.js | 3 + api-server/api/routes/v3/index.js | 23 ++++++++ cli/bash/commands/get-one-identity.sh | 31 +++++++++- cli/bash/commands/get-verification-key.sh | 69 +++++++++++++++++++++++ cli/bash/pep-cli.sh | 4 ++ docs/api-swagger-doc.yml | 22 ++++++++ 6 files changed, 149 insertions(+), 3 deletions(-) create mode 100755 cli/bash/commands/get-verification-key.sh diff --git a/api-server/api/models/v3/identity.js b/api-server/api/models/v3/identity.js index ebbb14a..715e52e 100644 --- a/api-server/api/models/v3/identity.js +++ b/api-server/api/models/v3/identity.js @@ -59,6 +59,9 @@ var IdentitySchema = new Schema({ type: String, required: true }, + verificationKey: { + type: String + }, apiAddress: { type: String }, diff --git a/api-server/api/routes/v3/index.js b/api-server/api/routes/v3/index.js index dd36042..42857cc 100644 --- a/api-server/api/routes/v3/index.js +++ b/api-server/api/routes/v3/index.js @@ -136,6 +136,7 @@ router.get('/identity', (req, res) => { req.query.gatewayServicesAddress = decodeURI(req.query.gatewayServicesAddress); req.query.apiAddress = decodeURI(req.query.apiAddress); req.query.cloudAddress = req.query.gatewayServicesAddress; + req.query.verificationKey = decodeURI(req.query.verificationKey); _create_a_new_identity(req.query).then((identityData) => { @@ -150,6 +151,7 @@ router.get('/identity', (req, res) => { IdentityCollection.findOneAndUpdate(req.query, updated_identity).then((data) => { var output = Object.assign(identityData, updated_identity.toObject()); + delete output.verificationKey; res.status(200).send(output); }, (err) => { 
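Review bot: The new `verificationKey: { type: String }` field in `identity.js` is loaded by every `find`/`findOne` on the collection, so each route that reads identities must remember to strip it, as the routes hunk does with `delete output.verificationKey`. Declaring it `verificationKey: { type: String, select: false }` keeps it out of query results by default, and the one route that needs it opts in with `.select('+verificationKey')`. journalctl itself describes this value as a secret verification key, so excluding it at the schema level is the safer default than per-route deletion; the `IdentitySchema` definition starts and ends outside the hunk.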
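Review bot: `req.query.verificationKey = decodeURI(req.query.verificationKey);` in the `@@ -136` hunk turns a missing parameter into the literal string `"undefined"`, which then flows into the identity record, and `decodeURI` throws `URIError` on a malformed escape that nothing in the visible handler catches. Guard the optional field: `if (req.query.verificationKey !== undefined) { req.query.verificationKey = decodeURI(req.query.verificationKey); }`. The same `req.query` object is also the filter passed to `findOneAndUpdate` in the `@@ -150` hunk, so the decoded key presumably becomes part of the match criteria there — worth confirming that is intended. The `router.get('/identity', …)` handler begins and ends outside both hunks.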
@@ -204,6 +206,27 @@ router.get('/enrollment-id', function(req, res) { }); +router.get('/verification-key', function(req, res) { + + if(!req.query || !req.query.serialNumber) { + return res.status(400).send(); + } + + req.query.deployed = true; + req.query.serialNumber = decodeURI(req.query.serialNumber); + + IdentityCollection.findOne(req.query).then((data) => { + if(data) { + res.status(200).send(data.verificationKey); + } else { + res.status(404).send('Not found!'); + } + }, (err) => { + res.status(500).send(err); + }); + +}); + const DESCENDING = -1; const ASCENDING = 1; const DEFAULT_LIMIT = 50; diff --git a/cli/bash/commands/get-one-identity.sh b/cli/bash/commands/get-one-identity.sh index 418b5b5..00b2d18 100755 --- a/cli/bash/commands/get-one-identity.sh +++ b/cli/bash/commands/get-one-identity.sh @@ -25,9 +25,12 @@ fi API_URL="https://api.us-east-1.mbedcloud.com" GW_URL="https://gateways.us-east-1.mbedcloud.com" +VERIFICATION_KEY="verification-key-does-not-exist" RADIO_CONFIG="00" LED_CONFIG="01" CATEGORY="production" +FSS_INTERVAL="10s" +FSS="false" HW_VERSION="arm-pelion-edge-gateway" cli_help_get_one_identity() { 
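Review bot: `IdentityCollection.findOne(req.query)` in the new `/verification-key` handler hands the whole query-string object to the database as the filter, so any extra parameter a client appends — including the nested objects Express's extended query parser builds from bracketed keys — becomes part of the match criteria instead of being rejected. Build the filter explicitly and treat an absent key as not found: `const filter = { serialNumber: decodeURI(req.query.serialNumber), deployed: true };` / `IdentityCollection.findOne(filter).then((data) => {` / `if (data && data.verificationKey) {`. `res.status(500).send(err)` also returns the raw driver error to the caller; log it server-side and send a fixed message. No authentication is visible on this route; since journald treats the verification key as a secret, if access control is enforced by middleware elsewhere a comment such as `// Verification key is a secret: route relies on upstream auth` would make that dependency explicit, and if it is not, the route should not be public.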
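Review bot: The default `VERIFICATION_KEY="verification-key-does-not-exist"` is sent unconditionally by the `curl` in the `@@ -140` hunk of the same file (`--data-urlencode "verificationKey=$VERIFICATION_KEY"`), so every identity created without `-k` stores this placeholder as its key and `pep get-verification-key` later returns it with a 200. Leave the default empty and add the parameter only when FSS was actually set up: `VERIFICATION_KEY=""` here and, in the curl, `${VERIFICATION_KEY:+--data-urlencode "verificationKey=$VERIFICATION_KEY"} \`. The server then has to tolerate a missing `verificationKey` parameter.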
@@ -47,16 +50,27 @@ Options: -i ip address of the gateway where factory-configurator-client is running -p port number at which factory-configurator-client listening -v verbose + -k Setup Forward secure sealing and generate verification key. interval can be specified with '-e' option. Default interval is 10s + -e Specify the change interval for the sealing key when generating an FSS key pair. -h output usage information" } +setup_fss() { + echo "sudo journalctl --setup-keys --interval=$FSS_INTERVAL" + VERIFICATION_KEY=$(sudo journalctl --setup-keys --force --interval=$FSS_INTERVAL | sed -n '1p') + if [ -z "$VERIFICATION_KEY" ]; then + cli_error "Error while generating verification key" + exit 1 + fi +} + [ ! -n "$2" ] && cli_help_get_one_identity && exit 1 OPTIND=2 QUERY="" -while getopts 'a:g:s:w:r:l:c:i:p:hv' opt; do +while getopts 'a:g:s:w:r:l:c:i:ke:p:hv' opt; do case "$opt" in h|-help) cli_help_get_one_identity @@ -86,6 +100,12 @@ while getopts 'a:g:s:w:r:l:c:i:p:hv' opt; do i) FCC_IP_ADDRESS="$OPTARG" ;; + k) + FSS="true" + ;; + e) + FSS_INTERVAL="$OPTARG" + ;; p) FCC_PORT="$OPTARG" ;; @@ -140,10 +160,15 @@ if [ ! -z "$FCC_PORT" ]; then QUERY="$QUERY&port=$FCC_PORT" fi +if [[ $FSS = "true" ]] +then + setup_fss +fi curl -G \ --data-urlencode "serialNumber=$SERIAL_NUMBER" \ --data-urlencode "apiAddress=$API_URL" \ --data-urlencode "gatewayServicesAddress=$GW_URL" \ - $PEP_SERVER_URL/$API_VERSION/identity?$QUERY $VERBOSE > "identity.json" -cat ./identity.json + --data-urlencode "verificationKey=$VERIFICATION_KEY" \ + $PEP_SERVER_URL/$API_VERSION/identity?$QUERY $VERBOSE > "identity.json" +cat ./identity.json \ No newline at end of file diff --git a/cli/bash/commands/get-verification-key.sh b/cli/bash/commands/get-verification-key.sh new file mode 100755 index 0000000..299a155 --- /dev/null +++ b/cli/bash/commands/get-verification-key.sh 
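Review bot: The `echo` in `setup_fss` prints a different command from the one executed: it omits `--force`, which is precisely the flag that overwrites an existing sealing key and thereby makes logs sealed under the previous key unverifiable with the new verification key. Print the exact command and quote the user-supplied interval so a value containing spaces is not word-split: `echo "sudo journalctl --setup-keys --force --interval=$FSS_INTERVAL"` and `VERIFICATION_KEY=$(sudo journalctl --setup-keys --force --interval="$FSS_INTERVAL" | sed -n '1p')`. Whether the first stdout line of `journalctl --setup-keys` is exactly the verification key is a property of the systemd build, so a comment above the `sed`, e.g. `# journalctl prints the verification key on stdout; keep only its first line`, records the assumption. The `-e` value is stored in the `@@ -86` hunk without any format check, so an invalid interval only surfaces as a journalctl error inside this function.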
@@ -0,0 +1,69 @@
+# Copyright (c) 2020, Arm Limited and affiliates.
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+#!/bin/bash
+
+set -e
+
+if [ ! -z "$DEBUG" ]; then
+ set -x
+fi
+
+. "$PEP_CLI_DIR/common.sh"
+
+cli_help_get_verification_key() {
+ echo "
+Usage: pep get-verification-key []
+
+Options:
+ -s get verification-key of the gateway based on its serial number
+ -v verbose
+ -h output usage information"
+}
+
+[ ! -n "$2" ] && cli_help_get_verification_key && exit 1
+
+OPTIND=2
+
+while getopts 's:hv' opt; do
+ case "$opt" in
+ h|-help)
+ cli_help_get_verification_key
+ exit 0
+ ;;
+ s)
+ SERIAL_NUMBER="$OPTARG"
+ ;;
+ v)
+ VERBOSE="-v"
+ ;;
+ *)
+ cli_help_get_verification_key
+ exit 1
+ ;;
+ esac
+done
+
+shift "$(($OPTIND-1))"
+
+if [ -z "$SERIAL_NUMBER" ]; then
+ cli_error "-s not specified!"
+ exit 1
+fi
+
+
+curl -G \
+ --data-urlencode "serialNumber=$SERIAL_NUMBER" \
+ $PEP_SERVER_URL/$API_VERSION/verification-key $VERBOSE
\ No newline at end of file
diff --git a/cli/bash/pep-cli.sh b/cli/bash/pep-cli.sh
index 6db22bf..98147ac 100755
--- a/cli/bash/pep-cli.sh
+++ b/cli/bash/pep-cli.sh
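Review bot: `#!/bin/bash` is the 16th line of the new `get-verification-key.sh`, below the license comment, so it is not an interpreter line; the script only works because `pep-cli.sh` runs it from bash, which executes a shebang-less file itself, and invoking it from any other shell or tool is not guaranteed to give bash semantics for `set -e` and `getopts`. Move `#!/bin/bash` to line 1 and place the license block after it. The `curl` URL `$PEP_SERVER_URL/$API_VERSION/verification-key` is unquoted and `PEP_SERVER_URL` is never checked, so an unset variable yields a malformed request instead of a clear error; an `if [ -z "$PEP_SERVER_URL" ]; then cli_error "PEP_SERVER_URL not set"; exit 1; fi` before the call, mirroring the existing `-s` check, fixes that.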
@@ -39,6 +39,7 @@ Options: Commands: get-one-identity [] get a gateway identity based on the provided filters get-enrollment-id [] get enrollment identity of dispatched gateway + get-verification-key [] get verification key for verifying logs on a gateway list-enrollment-ids [] get a list of enrollment identities of dispatched gateways help display help" exit 1 @@ -54,6 +55,9 @@ case "$1" in get-enrollment-id) "$PEP_CLI_DIR/commands/get-enrollment-id.sh" $@ ;; + get-verification-key) + "$PEP_CLI_DIR/commands/get-verification-key.sh" $@ + ;; list-enrollment-ids) "$PEP_CLI_DIR/commands/list-enrollment-ids.sh" $@ ;; diff --git a/docs/api-swagger-doc.yml b/docs/api-swagger-doc.yml index aa0fd0f..30a82ff 100644 --- a/docs/api-swagger-doc.yml +++ b/docs/api-swagger-doc.yml @@ -102,6 +102,28 @@ paths: description: Bad request "500": description: An unexpected error occurred + /v3/verification-key: + get: + description: Get verification key for a gateway + parameters: + - name: serialNumber + in: query + required: true + description: Retreive verifivation key for a gateway of this specific serial number + allowReserved: false + schema: + type: string + responses: + "200": + description: Success + content: + text/plain: + schema: + type: string + "400": + description: Bad request + "500": + description: An unexpected error occurred /v3/enrollment-ids: get: description: Get list of enrollment identites of the dispatched gateways From 094bf1e34dd87f874ea5e6ce6d2dd0ae91eca180 Mon Sep 17 00:00:00 2001 From: Yash Goyal Date: Tue, 26 Jan 2021 19:38:20 -0600 Subject: [PATCH 2/2] Updated Changelog, renamed armPelionEdge to PelionIoT, increase version to 2.3.0 --- CHANGELOG.md | 17 ++++++++++++++++- Jenkinsfile | 2 +- README.md | 4 ++-- cli/bash/VERSION | 2 +- package.json | 8 ++++---- 5 files changed, 24 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5618e73..a4378ac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
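Review bot: The new dispatch line `"$PEP_CLI_DIR/commands/get-verification-key.sh" $@` in the `@@ -54` hunk leaves `$@` unquoted, so a serial number containing whitespace is split into several arguments before `getopts` sees it; the neighbouring lines share the same pattern, but the new line need not copy it. Use `"$PEP_CLI_DIR/commands/get-verification-key.sh" "$@"`. The enclosing `case "$1" in` starts before the hunk.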
@@ -1,11 +1,26 @@ # Release notes +## Pelion Edge provisioner v2.3.0 + +### Features +- Allows gateways to setup Journald's Forward Secure Sealing (FSS) feature. When creating gateway identity using `get-one-identity` provide `-k` command line flag to also generate FSS sealing key which is used by `journald` to perform periodic cryptographic operation on the log data. The output of that operation also generates a verfication key which is then exported and saved in the pep API server database. To know more about the Journald FSS feature, refer [this article](https://lwn.net/Articles/512895/). +- Added `GET /v3/verification-key` REST API to read FSS verification key of a dispatched gateway. +- Added `get-verification-key` command to pep command-line interface (CLI). +- By default, the FSS_INTERVAL is set to 10 seconds. To change it add `-e ` to `get-one-identity` command. + +### Out of scope +- Gateway provisioning in developer mode. +- Injection of identity certificates and configuration information over IP only. +- You must use FCU to sign your device certificates (setting `device-key-generation-mode` parameter to `externally_supplied` in fcu.yml is not supported). +- You must provision gateways in first to claim mode only (setting `first-to-claim` parameter to `false` in fcu.yml is not supported). +- You must provide the PEP_SERVER_URL env variable manually as part of the CLI commands. Auto-discovery of the IP address of the machine running the pep API server is not supported. + ## Pelion Edge provisioner v2.2.0 ### Additions - Added `GET /enrollment-ids` REST API to export enrollment identites of the dispatched gateways. - Added `list-enrollment-ids` command to pep command-line interface (CLI). -- Addded URL encoding to REST API parameters, which can contain reserve characters. +- Added URL encoding to REST API parameters, which can contain reserve characters. 
### Bug fix If Factory Configurator Utility (FCU) fails to provision the gateway, the identity is not saved in the database or marked as deployed, which allows the user to re-request the identity with the same serial number. diff --git a/Jenkinsfile b/Jenkinsfile index b8383fd..4539d60 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -1,5 +1,5 @@ #!/usr/bin/env groovy @Library('edge-ci') _ -// Function is implemented in https://github.com/armPelionEdge/edge-ci/blob/master/vars/pelionEdgeProvisioner.groovy +// Function is implemented in https://github.com/PelionIoT/edge-ci/blob/master/vars/pelionEdgeProvisioner.groovy pelionEdgeProvisioner() \ No newline at end of file diff --git a/README.md b/README.md index e070735..cfad144 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,10 @@ # Pelion Edge provisioning (pep) tool -The Pelion Edge provisioning (pep) tool lets you automate the gateway provisioning flow. For more information, please see the [documentation](https://www.pelion.com/docs/device-management-edge/2.0/provisioning/index.html). +The Pelion Edge provisioning (pep) tool lets you automate the gateway provisioning flow. For more information, please see the [documentation](https://developer.pelion.com/docs/device-management-edge/2.1/provisioning/index.html). ## Issues -We use [GitHub issues](https://github.com/armPelionEdge/pelion-edge-provisioner/issues) to track requests and bugs. +We use [GitHub issues](https://github.com/PelionIoT/pelion-edge-provisioner/issues) to track requests and bugs. ## License diff --git a/cli/bash/VERSION b/cli/bash/VERSION index e3a4f19..cc6612c 100644 --- a/cli/bash/VERSION +++ b/cli/bash/VERSION @@ -1 +1 @@ -2.2.0 \ No newline at end of file +2.3.0 \ No newline at end of file diff --git a/package.json b/package.json index 4fa6175..b9dd2fa 100644 --- a/package.json +++ b/package.json 
@@ -1,19 +1,19 @@ { "name": "pelion-edge-provisioner", - "version": "2.2.0", + "version": "2.3.0", "description": "It provisions the gateway for Pelion Edge solution to successfully and securely communicate with cloud", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "repository": { "type": "git", - "url": "git+https://github.com/armPelionEdge/pelion-edge-provisioner.git" + "url": "git+https://github.com/PelionIoT/pelion-edge-provisioner.git" }, "bugs": { - "url": "https://github.com/armPelionEdge/pelion-edge-provisioner/issues" + "url": "https://github.com/PelionIoT/pelion-edge-provisioner/issues" }, "license": "SEE LICENSE IN LICENSE", - "homepage": "https://github.com/armPelionEdge/pelion-edge-provisioner#readme", + "homepage": "https://github.com/PelionIoT/pelion-edge-provisioner#readme", "dependencies": { "body-parser": "^1.18.2", "colors": "^1.1.2",