Add a new external provisioning mode that uses a hosting environment …

…endpoint for retrieving device specific information. (#1144) * Add a new external provisioning mode that uses a hosting environment endpoint for retrieving device specific information. * Use a sentinel while activating primary key in external mode. * Minor changes * Remove temporary change * Reverting changes made to other files with older version of rustfmt. * Fix spelling * Clippy fix * Set the hosting endpoint environment var before the crypto lib is initialized. * Pass hsm_lock param. * Allow cyclomatic complexity warning in method. * Incorporate review comments. * Rename to external provisioning from hosting. * Changing spec * Incorporating review comments. * Update external prov interface * Prov changes * New changes * With generics * draft * draft * Compiling * Working changes * Clippy fixes * Update tests * Add more tests * Fix other tests * Clippy fix * Incorporate review comments. * Incorporating review comments again.
Azure · Jun 4, 2019 · 539efad · 539efad
1 parent 1609e47
commit 539efad
Show file tree

Hide file tree

Showing 40 changed files with 1,831 additions and 63 deletions.
diff --git a/.gitignore b/.gitignore
@@ -313,6 +313,9 @@ stylecop.json
 # JetBrains Rider files
 .idea/
 
+# IntelliJ idea files
+*.iml
+
 # linux dev files
 *.swp
 *.swo

diff --git a/edgelet/Cargo.lock b/edgelet/Cargo.lock
diff --git a/edgelet/Cargo.toml b/edgelet/Cargo.toml
@@ -7,12 +7,14 @@ members = [
     "edgelet-docker",
     "edgelet-hsm",
     "edgelet-http",
+    "edgelet-http-external-provisioning",
     "edgelet-http-mgmt",
     "edgelet-http-workload",
     "edgelet-iothub",
     "edgelet-kube",
     "edgelet-test-utils",
     "edgelet-utils",
+    "external-provisioning",
     "kube-client",
     "hsm-rs",
     "hsm-sys",

diff --git a/edgelet/api/externalProvisioningVersion_2019_04_10.yaml b/edgelet/api/externalProvisioningVersion_2019_04_10.yaml
@@ -0,0 +1,100 @@
+swagger: '2.0'
+schemes:
+  - http
+info:
+  title: IoT Edge External Provisioning Environment API
+  version: '2019-04-10'
+tags:
+  - name: ExternalProvisioning
+    x-displayName: ExternalProvisioning
+    description: |
+
+paths:
+  '/device/provisioninginformation':
+    get:
+      tags:
+        - ExternalProvisioning
+      summary: Gets the IoT hub provisioning information of the device.
+      produces:
+        - application/json
+      description: |
+        This returns the IoT hub provisioning information of the device.
+      operationId: GetDeviceProvisioningInformation
+      parameters:
+        - $ref: '#/parameters/api-version'
+      responses:
+        '200':
+          description: Ok
+          schema:
+            $ref: '#/definitions/DeviceProvisioningInfo'
+        default:
+          description: Error
+          schema:
+            $ref: '#/definitions/ErrorResponse'
+
+definitions:
+  DeviceProvisioningInfo:
+    type: object
+    properties:
+      hubName:
+        type: string
+        description: The host name of the IoT hub.
+        example: mytesthub.azure-devices.net
+      deviceId:
+        type: string
+        description: The ID of the device in IoT hub.
+        example: device01
+      credentials:
+        $ref: '#/definitions/Credentials'
+    required:
+      - hubName
+      - deviceId
+      - credentials
+  Credentials:
+    type: object
+    properties:
+      authType:
+        type: string
+        description: Indicates the type of authentication credential used.
+        enum:
+          - symmetric-key
+          - x509
+      source:
+        type: string
+        description: Indicates the source of the authentication credential.
+        enum:
+          - payload
+          - hsm
+      key:
+        type: string
+        format: byte
+        description: The symmetric key used for authentication. Specified only if the 'authType' is 'symmetric-key' and the 'source' is 'payload'.
+      identityCert:
+        type: string
+        format: byte
+        description: The identity certificate. Should be a PEM formatted byte array if the 'authType' is 'x509' and the 'source' is 'payload' or should be a reference to the certificate if the 'authType' is 'x509' and the 'source' is 'hsm'.
+      identityPrivateKey:
+        type: string
+        format: byte
+        description: The identity private key. Should be a PEM formatted byte array if the 'authType' is 'x509' and the 'source' is 'payload' or should be a reference to the private key if the 'authType' is 'x509' and the 'source' is 'hsm'.
+
+    required:
+      - authType
+      - source
+
+  ErrorResponse:
+    type: object
+    properties:
+      message:
+        type: string
+    required:
+      - message
+
+parameters:
+  api-version:
+    name: api-version
+    in: query
+    description: The version of the API.
+    required: true
+    type: string
+    default: '2019-04-10'
diff --git a/edgelet/contrib/config/linux/config.yaml b/edgelet/contrib/config/linux/config.yaml
@@ -16,15 +16,18 @@
 # Configures the identity provisioning mode of the daemon.
 #
 # Supported modes:
-#     manual - using an iothub connection string
-#     dps    - using dps for provisioning
+#     manual   - using an iothub connection string
+#     dps      - using dps for provisioning
+#     external - the device has been provisioned externally. Uses an external provisioning endpoint to get device specific information.
 #
 # DPS Settings
 #     scope_id - Required. Value of a specific DPS instance's ID scope
 #     registration_id - Required. Registration ID of a specific device in DPS
 #     symmetric_key - Optional. This entry should only be specified when
 #                     provisioning devices configured for symmetric key
 #                     attestation
+# External Settings
+#     endpoint - Required. Value of the endpoint used to retrieve device specific information such as its IoT hub connection information.
 ###############################################################################
 
 # Manual provisioning configuration
@@ -62,6 +65,11 @@ provisioning:
 #     identity_cert: "<REQUIRED PATH TO DEVICE IDENTITY CERTIFICATE HERE>"
 #     identity_pk: "<REQUIRED PATH TO DEVICE IDENTITY PRIVATE KEY HERE>"
 
+# External provisioning configuration
+# provisioning:
+#   source: "external"
+#   endpoint: "http://localhost:9999"
+
 ###############################################################################
 # Certificate settings
 ###############################################################################

diff --git a/edgelet/contrib/config/linux/debian/config.yaml b/edgelet/contrib/config/linux/debian/config.yaml
@@ -16,15 +16,18 @@
 # Configures the identity provisioning mode of the daemon.
 #
 # Supported modes:
-#     manual - using an iothub connection string
-#     dps    - using dps for provisioning
+#     manual   - using an iothub connection string
+#     dps      - using dps for provisioning
+#     external - the device has been provisioned externally. Uses an external provisioning endpoint to get device specific information.
 #
 # DPS Settings
 #     scope_id - Required. Value of a specific DPS instance's ID scope
 #     registration_id - Required. Registration ID of a specific device in DPS
 #     symmetric_key - Optional. This entry should only be specified when
 #                     provisioning devices configured for symmetric key
 #                     attestation
+# External Settings
+#     endpoint - Required. Value of the endpoint used to retrieve device specific information such as its IoT hub connection information.
 ###############################################################################
 
 # Manual provisioning configuration
@@ -62,6 +65,11 @@ provisioning:
 #     identity_cert: "<REQUIRED PATH TO DEVICE IDENTITY CERTIFICATE HERE>"
 #     identity_pk: "<REQUIRED PATH TO DEVICE IDENTITY PRIVATE KEY HERE>"
 
+# External provisioning configuration
+# provisioning:
+#   source: "external"
+#   endpoint: "http://localhost:9999"
+
 ###############################################################################
 # Certificate settings
 ###############################################################################

diff --git a/edgelet/contrib/config/windows/config.yaml b/edgelet/contrib/config/windows/config.yaml
@@ -16,15 +16,18 @@
 # Configures the identity provisioning mode of the daemon.
 #
 # Supported modes:
-#     manual - using an iothub connection string
-#     dps    - using dps for provisioning
+#     manual   - using an iothub connection string
+#     dps      - using dps for provisioning
+#     external - the device has been provisioned externally. Uses an external provisioning endpoint to get device specific information.
 #
 # DPS Settings
 #     scope_id - Required. Value of a specific DPS instance's ID scope
 #     registration_id - Required. Registration ID of a specific device in DPS
 #     symmetric_key - Optional. This entry should only be specified when
 #                     provisioning devices configured for symmetric key
 #                     attestation
+# External Settings
+#     endpoint - Required. Value of the endpoint used to retrieve device specific information such as its IoT hub connection information.
 ###############################################################################
 
 # Manual provisioning configuration
@@ -62,6 +65,11 @@ provisioning:
 #     identity_cert: "<REQUIRED PATH TO DEVICE IDENTITY CERTIFICATE HERE>"
 #     identity_pk: "<REQUIRED PATH TO DEVICE IDENTITY PRIVATE KEY HERE>"
 
+# External provisioning configuration
+# provisioning:
+#   source: "external"
+#   endpoint: "http://localhost:9999"
+
 ###############################################################################
 # Certificate settings
 ###############################################################################

diff --git a/edgelet/edgelet-config/src/lib.rs b/edgelet/edgelet-config/src/lib.rs
@@ -258,12 +258,30 @@ impl Dps {
     }
 }
 
+#[derive(Debug, Deserialize, Serialize)]
+#[serde(rename_all = "lowercase")]
+pub struct External {
+    #[serde(with = "url_serde")]
+    endpoint: Url,
+}
+
+impl External {
+    pub fn new(endpoint: Url) -> Self {
+        External { endpoint }
+    }
+
+    pub fn endpoint(&self) -> &Url {
+        &self.endpoint
+    }
+}
+
 #[derive(Debug, Deserialize, Serialize)]
 #[serde(tag = "source")]
 #[serde(rename_all = "lowercase")]
 pub enum Provisioning {
     Manual(Manual),
     Dps(Dps),
+    External(External),
 }
 
 #[derive(Debug, Deserialize, Serialize)]
@@ -553,6 +571,8 @@ mod tests {
     static BAD_SETTINGS_DPS_X5091: &str = "test/linux/bad_settings.dps.x509.1.yaml";
     #[cfg(unix)]
     static BAD_SETTINGS_DPS_X5092: &str = "test/linux/bad_settings.dps.x509.2.yaml";
+    #[cfg(unix)]
+    static GOOD_SETTINGS_EXTERNAL: &str = "test/linux/sample_settings.external.yaml";
 
     #[cfg(windows)]
     static GOOD_SETTINGS: &str = "test/windows/sample_settings.yaml";
@@ -588,6 +608,8 @@ mod tests {
     static BAD_SETTINGS_DPS_X5091: &str = "test/windows/bad_settings.dps.x509.1.yaml";
     #[cfg(windows)]
     static BAD_SETTINGS_DPS_X5092: &str = "test/windows/bad_settings.dps.x509.2.yaml";
+    #[cfg(windows)]
+    static GOOD_SETTINGS_EXTERNAL: &str = "test/windows/sample_settings.external.yaml";
 
     fn unwrap_manual_provisioning(p: &Provisioning) -> String {
         match p {
@@ -786,6 +808,20 @@ mod tests {
         };
     }
 
+    #[test]
+    fn external_prov_get_settings() {
+        let settings = Settings::<DockerConfig>::new(Some(Path::new(GOOD_SETTINGS_EXTERNAL)));
+        println!("{:?}", settings);
+        assert!(settings.is_ok());
+        let s = settings.unwrap();
+        match s.provisioning() {
+            Provisioning::External(ref external) => {
+                assert_eq!(external.endpoint().as_str(), "http://localhost:9999/");
+            }
+            _ => unreachable!(),
+        };
+    }
+
     #[test]
     fn diff_with_same_cached_returns_false() {
         let tmp_dir = TempDir::new("blah").unwrap();

diff --git a/edgelet/edgelet-config/test/linux/sample_settings.external.yaml b/edgelet/edgelet-config/test/linux/sample_settings.external.yaml
@@ -0,0 +1,32 @@
+
+# Configures the provisioning mode
+provisioning:
+  source: 'external'
+  endpoint: 'http://localhost:9999'
+
+agent:
+  name: "edgeAgent"
+  type: "docker"
+  env:
+    abc: "value1"
+    acd: "value2"
+  config:
+    image: "microsoft/azureiotedge-agent:1.0"
+    auth: {}
+hostname: "localhost"
+
+# Sets the connection uris for clients
+connect:
+  workload_uri: "http://localhost:8081"
+  management_uri: "http://localhost:8080"
+
+# Sets the uris to listen on
+# These can be different than the connect uris.
+# For instance, when using the fd:// scheme for systemd
+listen:
+  workload_uri: "http://0.0.0.0:8081"
+  management_uri: "http://0.0.0.0:8080"
+homedir: "/tmp"
+moby_runtime:
+  uri: "http://localhost:2375"
+  network: "azure-iot-edge"