Multiple JITP CA per product #871

Closed
jeanparpaillon opened this issue Dec 8, 2022 · 4 comments

@jeanparpaillon

Hi all,
If I understand correctly (https://github.com/nerves-hub/nerves_hub_web/blob/main/apps/nerves_hub_web_core/priv/repo/migrations/20210511162245_add_jitp_to_ca_certificates.exs#L12), only one CA per product can be JITP-enabled.

I would like to be able to have multiple CAs per product, with JITP enabled.

@fhunleth
Contributor

fhunleth commented Dec 8, 2022

The relation is the other way. @jjcarstens can comment on that line. However, it should be many CAs to one product.

A CA can only JITP for one product, though. You can't have one CA JITP'ing for multiple products since NH wouldn't know which product to assign to the device when it first authenticates.

@jeanparpaillon
Author

I understand a CA can only JITP for one product.
I may be wrong, but on line 12, `create unique_index(:jitp, [:product_id])` enforces a single JITP-enabled CA per product.
From https://github.com/nerves-hub/nerves_hub_web/blob/main/apps/nerves_hub_web_core/lib/nerves_hub_web_core/products/product.ex#L22, we have in `Product`: `has_one :jitp`

@jjcarstens can you explain this limitation?

@jjcarstens
Collaborator

Right now there is a hard limitation of one JITP CA per product because of that unique index (as @jeanparpaillon said). But we should probably remove that unique index so that many CAs can JITP one product (as @fhunleth said). The way CAs are structured already enforces that a CA can only JITP for one product.

FWIW, we had discussed this need for our internal instance, but then moved away from using JITP entirely and hadn't circled back to it. I believe we can simply just remove the linked index for `:product_id` on JITP records.

@fhunleth
Contributor

fhunleth commented Dec 8, 2022

Got it. I forgot the discussion and just assumed that it was working for us internally at one time. The restriction doesn't make sense, and if it's as simple as removing the linked index for :product_id, then I'm definitely for it.
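
The following is an added illustration, not part of the thread and not NervesHub code. It uses an in-memory SQLite database to show what the unique index on `jitp.product_id` blocks, and that without it each CA still resolves to exactly one product. The two-table schema, the index name, the helper names and the CA serials are simplified assumptions; only the uniqueness on `product_id` comes from the thread.

```python
import sqlite3

# Assumed, simplified schema: each CA points at one JITP row, and each JITP
# row names one product. Only the index on jitp.product_id is from the thread.
SCHEMA = """
CREATE TABLE jitp (id INTEGER PRIMARY KEY, product_id INTEGER NOT NULL);
CREATE TABLE ca_certificates (
    serial  TEXT PRIMARY KEY,
    jitp_id INTEGER UNIQUE REFERENCES jitp(id)
);
"""
# Index name is constructed for this example.
UNIQUE_INDEX = "CREATE UNIQUE INDEX jitp_product_id_index ON jitp (product_id)"


def enable_jitp(db, ca_serial, product_id):
    """Register a CA with JITP for product_id; False if the database rejects it."""
    try:
        with db:  # one transaction: both inserts roll back on failure
            cur = db.execute("INSERT INTO jitp (product_id) VALUES (?)", (product_id,))
            db.execute("INSERT INTO ca_certificates VALUES (?, ?)",
                       (ca_serial, cur.lastrowid))
        return True
    except sqlite3.IntegrityError:
        return False


def products_for_ca(db, ca_serial):
    """Products a first-time device signed by this CA could be assigned to."""
    rows = db.execute(
        "SELECT j.product_id FROM ca_certificates c "
        "JOIN jitp j ON j.id = c.jitp_id WHERE c.serial = ?", (ca_serial,)
    ).fetchall()
    return [r[0] for r in rows]


def run(with_unique_index):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    if with_unique_index:
        db.execute(UNIQUE_INDEX)
    # Constructed sample data: two CAs both enabling JITP for product 1.
    accepted = [enable_jitp(db, "CA-A", 1), enable_jitp(db, "CA-B", 1)]
    return accepted, products_for_ca(db, "CA-A"), products_for_ca(db, "CA-B")


if __name__ == "__main__":
    print("with unique index:   ", run(True))
    print("without unique index:", run(False))
```

With the index in place the second CA is rejected. Without it both CAs are accepted, and a lookup by CA still returns a single product, which is the property JITP needs to assign a device on first authentication.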

jeanparpaillon pushed a commit to OffgridElectric/nerves_hub_web that referenced this issue Dec 20, 2022
Actual relation between jitp and product is has_one. There is no valid
reason for limiting JITP enabled certificate to one per product.

This commit:
* updates Ecto schema
* adds migration to remove unique_index on jitp.product_id

Fixes nerves-hub#871
jeanparpaillon pushed a commit to OffgridElectric/nerves_hub_web that referenced this issue Dec 21, 2022
Actual relation between jitp and product is has_one. There is no valid
reason for limiting JITP enabled certificate to one per product.

This commit:
* updates Ecto schema
* adds migration to remove unique_index on jitp.product_id

Fixes nerves-hub#871
oestrich pushed a commit that referenced this issue Mar 22, 2023
Actual relation between jitp and product is has_one. There is no valid
reason for limiting JITP enabled certificate to one per product.

This commit:
* updates Ecto schema
* adds migration to remove unique_index on jitp.product_id

Fixes #871