From bfa9205d02db0a5d3cbdbd14f4c42e1a37c340ad Mon Sep 17 00:00:00 2001
From: Erik Jaegervall
Date: Wed, 3 Apr 2024 12:48:21 +0200
Subject: [PATCH] Removing default tokens/certs and change submodule reference
---
.gitmodules | 9 ++--
docs/cli.md | 45 +++++--------------
kuksa-client/kuksa/val/v1/README.md | 2 +-
kuksa-client/kuksa/val/v1/types.proto | 2 +-
kuksa-client/kuksa/val/v1/val.proto | 2 +-
kuksa-client/kuksa_client/__main__.py | 23 ++-------
.../kuksa_client/cli_backend/__init__.py | 19 +++-----
kuksa-client/kuksa_client/cli_backend/grpc.py | 9 ++--
kuksa-client/setup.cfg | 2 -
submodules/kuksa-common | 1 -
submodules/kuksa-databroker | 1 +
submodules/kuksa.val | 1 -
12 files changed, 35 insertions(+), 81 deletions(-)
delete mode 160000 submodules/kuksa-common
create mode 160000 submodules/kuksa-databroker
delete mode 160000 submodules/kuksa.val
diff --git a/.gitmodules b/.gitmodules
index e6afa8a..ade3e35 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,6 +1,3 @@
-[submodule "submodules/kuksa.val"]
- path = submodules/kuksa.val
- url = https://github.com/eclipse/kuksa.val
-[submodule "submodules/kuksa-common"]
- path = submodules/kuksa-common
- url = https://github.com/eclipse-kuksa/kuksa-common
+[submodule "submodules/kuksa-databroker"]
+ path = submodules/kuksa-databroker
+ url = https://github.com/eclipse-kuksa/kuksa-databroker
diff --git a/docs/cli.md b/docs/cli.md
index 68c1d86..c1f6c8a 100644
--- a/docs/cli.md
+++ b/docs/cli.md
@@ -50,26 +50,14 @@ kuksa-client ws://127.0.0.1:8090 ## TLS with databroker -KUKSA Client uses TLS to connect to databroker when the schema part of the server URI is `grpcs`, i.e. a valid command to connect to a TLS enabled local databroker is +KUKSA Client uses TLS to connect to Databroker when the schema part of the server URI is `grpcs`. +The KUKSA Python SDK does not include any default certificates or keys. +The root certificate used to authenticate the Databroker must be specified with `--cacertificate `. +If you want to use KUKSA example Root CA you need to provide it from [kuksa-common](https://github.com/eclipse-kuksa/kuksa-common/tree/main/tls). -``` -kuksa-client grpcs://localhost:55555 -``` - -By default the KUKSA example Root CA and Client keys are used, but client keys have no effect currently as mutual authentication is not supported by KUKSA Databroker or KUKSA Server. - - -This call with all parameters specified give same effect: - -``` -kuksa-client --certificate ../kuksa_certificates/Client.pem --keyfile ../kuksa_certificates/Client.key --cacertificate ./kuksa_certificates/CA.pem grpcs://localhost:55555 -``` - -There is actually no reason to specify client key and certificate, as mutual authentication is not supported in KUKSA Databroker, -so the command can be simplified like this: ``` -kuksa-client --cacertificate ./kuksa_certificates/CA.pem grpcs://localhost:55555 +kuksa-client --cacertificate ~/kuksa-common/tls/CA.pem grpcs://localhost:55555 ``` The example server protocol list 127.0.0.1 as an alternative name, but the TLS-client currently used does not accept it, 
@@ -77,20 +65,15 @@ instead a valid server name must be given as argument. Currently `Server` and `localhost` are valid names from the example certificates. ``` -kuksa-client --cacertificate ../kuksa_certificates/CA.pem --tls-server-name Server grpcs://127.0.0.1:55555 +kuksa-client --cacertificate ~/kuksa-common/tls/CA.pem --tls-server-name Server grpcs://127.0.0.1:55555 ``` -## TLS with val-server -Val-server also supports TLS. KUKSA Client uses TLS to connect to val-server when the schema part of the server URI is `wss`. A valid command to connect to a local TLS enabled val-server is +## TLS with Websocket +Websocket access also supports TLS. KUKSA Client uses TLS to connect to Weboscket when the schema part of the server URI is `wss`. A valid command to connect to a local TLS enabled VSS Server (KUKSA Databroker, VISSR, ...) supporting Websocket is -``` -kuksa-client wss://localhost:8090 -``` - -This corresponds to this call: ``` -kuksa-client --cacertificate ../kuksa_certificates/CA.pem wss://localhost:8090 +kuksa-client --cacertificate ~/kuksa-common/tls/CA.pem wss://localhost:8090 ``` In some environments the `--tls-server-name` argument must be used to specify alternative server name 
@@ -100,12 +83,8 @@ if connecting to the server by numerical IP address like `wss://127.0.0.1:8090`. If the connected KUKSA Server or KUKSA Databroker require authorization the first step after a connection is made is to authorize. KUKSA Server and KUKSA Databroker use different token formats. -The jwt tokens for testing can either be found in the [kuksa.val repository](https://github.com/eclipse/kuksa.val/tree/master/kuksa_certificates/jwt) -or you can also use following command inside `kuksa-client` to find the via `pip` installed certificate directory. +The KUKSA jwt tokens for testing can be found in the [kuksa-common repository](https://github.com/eclipse/kuksa.val/tree/master/kuksa_certificates/jwt). -```console -Test Client> printTokenDir -``` Select one of the tokens and use the `authorize` command like below: ```console @@ -114,8 +93,7 @@ Test Client> authorize /some/path/kuksa_certificates/jwt/super-admin.json.token ## Authorizing against KUKSA Databroker -If connecting to Databroker the command `printTokenDir` is not much help as it shows the default token directories -for KUKSA Server example tokens. If the KUKSA Databroker use default example tokens then one of the +If the KUKSA Databroker use default example tokens then one of the tokens in [kuksa-common](https://github.com/eclipse-kuksa/kuksa-common/tree/main/jwt) can be used, like in the example below: ```console @@ -141,7 +119,6 @@ getServerAddress Gets the IP Address for the VISS/gRPC Server Info Commands ================================================================================ info Show summary info of the client -printTokenDir Show default token directory version Show version of the client Kuksa Interaction Commands diff --git a/kuksa-client/kuksa/val/v1/README.md b/kuksa-client/kuksa/val/v1/README.md index e3c7451..07f51a3 120000 --- a/kuksa-client/kuksa/val/v1/README.md +++ b/kuksa-client/kuksa/val/v1/README.md 
@@ -1 +1 @@
-../../../../submodules/kuksa.val/proto/kuksa/val/v1/README.md
\ No newline at end of file
+../../../../submodules/kuksa-databroker/proto/kuksa/val/v1/README.md
\ No newline at end of file
diff --git a/kuksa-client/kuksa/val/v1/types.proto b/kuksa-client/kuksa/val/v1/types.proto
index c006b2d..446f09c 120000
--- a/kuksa-client/kuksa/val/v1/types.proto
+++ b/kuksa-client/kuksa/val/v1/types.proto
@@ -1 +1 @@
-../../../../submodules/kuksa.val/proto/kuksa/val/v1/types.proto
\ No newline at end of file
+../../../../submodules/kuksa-databroker/proto/kuksa/val/v1/types.proto
\ No newline at end of file
diff --git a/kuksa-client/kuksa/val/v1/val.proto b/kuksa-client/kuksa/val/v1/val.proto
index a5c8ed0..3b80543 120000
--- a/kuksa-client/kuksa/val/v1/val.proto
+++ b/kuksa-client/kuksa/val/v1/val.proto
@@ -1 +1 @@
-../../../../submodules/kuksa.val/proto/kuksa/val/v1/val.proto
\ No newline at end of file
+../../../../submodules/kuksa-databroker/proto/kuksa/val/v1/val.proto
\ No newline at end of file
diff --git a/kuksa-client/kuksa_client/__main__.py b/kuksa-client/kuksa_client/__main__.py
index fcac43d..2f76afe 100755
--- a/kuksa-client/kuksa_client/__main__.py
+++ b/kuksa-client/kuksa_client/__main__.py
@@ -39,7 +39,6 @@ from cmd2.utils import basic_complete
 from urllib.parse import urlparse
-from kuksa_client import kuksa_server_certificates
 from kuksa_client import KuksaClientThread
 from kuksa_client import _metadata
@@ -351,7 +350,6 @@ def __init__(
 with (pathlib.Path(scriptDir) / "logo").open("r", encoding="utf-8") as f:
 logo = f.read()
 print(logo.replace("%ver%", str(_metadata.__version__)))
-print("Default tokens directory: " + self.getDefaultTokenDir())
 print()
 self.connect()
@@ -595,7 +593,10 @@ def connect(self):
 config["port"] = srv.port
 if srv.scheme in ["grpcs", "wss"]:
-config["insecure"] = False
+if self.cacertificate is None:
+print("TLS cannot be used as no CA Certificate specifed!")
+else:
+config["insecure"] = False
 if srv.hostname is None:
 print("No hostname or IP given")
@@ -646,15 +647,6 @@ def do_connect(self, args):
 self.server = args.server
 self.connect()
-def getDefaultTokenDir(self):
-try:
-return os.path.join(kuksa_server_certificates.__certificate_dir__, "jwt")
-except AttributeError:
-guessTokenDir = os.path.join(scriptDir, "kuksa_server_certificates/jwt")
-if os.path.isdir(guessTokenDir):
-return guessTokenDir
-return "Unknown"
-
 @with_category(INFO_COMMANDS)
 def do_info(self, _args):
 """Show summary info of the client"""
@@ -662,25 +654,18 @@ def do_info(self, _args):
 print("Uri: " + _metadata.__uri__)
 print("Author: " + _metadata.__author__)
 print("Copyright: " + _metadata.__copyright__)
-print("Default tokens directory: " + self.getDefaultTokenDir())
 @with_category(INFO_COMMANDS)
 def do_version(self, _args):
 """Show version of the client"""
 print(_metadata.__version__)
-@with_category(INFO_COMMANDS)
-def do_printTokenDir(self, _args):
-"""Show default token directory"""
-print(self.getDefaultTokenDir())
 # pylint: enable=too-many-public-methods
 # pylint: enable=too-many-instance-attributes
 # Main Function
-
 def main():
 parser = argparse.ArgumentParser()
 parser.add_argument(
diff --git a/kuksa-client/kuksa_client/cli_backend/__init__.py b/kuksa-client/kuksa_client/cli_backend/__init__.py
index 2cfe51e..4d1936a 100644
--- a/kuksa-client/kuksa_client/cli_backend/__init__.py
+++ b/kuksa-client/kuksa_client/cli_backend/__init__.py
@@ -16,9 +16,6 @@
 # SPDX-License-Identifier: Apache-2.0
 ########################################################################
-import pathlib
-from kuksa_client import kuksa_server_certificates
 class Backend:
 def __init__(self, config):
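Review bot: The new branch in connect() silently downgrades a `grpcs://` or `wss://` URI to a plaintext connection when no CA certificate is configured: it only prints a message and falls through with `config["insecure"]` left unset, and the cli_backend/__init__.py hunk (Backend.__init__) then forces `self.insecure = True` for the same case, so a user who explicitly asked for TLS ends up connecting with neither encryption nor server authentication. A secure scheme without a trust anchor should fail closed rather than degrade: after `print("TLS cannot be used as no CA certificate specified!")` add `return` here, and in Backend.__init__ leave `insecure` as the caller configured it (or raise) instead of overriding it. The message text also has a typo ("specifed"). connect()'s body begins and continues outside the hunk, so whether later code already aborts on this path cannot be seen here.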
@@ -28,16 +25,14 @@ def __init__(self, config):
 self.insecure = config.getboolean('insecure', False)
 except AttributeError:
 self.insecure = config.get('insecure', False)
-self.default_cert_path = pathlib.Path(kuksa_server_certificates.__path__[0])
-self.cacertificate = config.get(
-'cacertificate', str(self.default_cert_path / 'CA.pem'))
-self.certificate = config.get('certificate', str(
-self.default_cert_path / 'Client.pem'))
-self.keyfile = config.get('keyfile', str(
-self.default_cert_path / 'Client.key'))
+self.cacertificate = config.get('cacertificate', None)
+# If no CA Certificate is given we will use an insecure connection, requested or not
+if self.cacertificate is None:
+self.insecure = True
+self.certificate = config.get('certificate', None)
+self.keyfile = config.get('keyfile', None)
 self.tls_server_name = config.get('tls_server_name', "")
-self.token_or_tokenfile = config.get('token_or_tokenfile', str(
-self.default_cert_path / 'jwt/all-read-write.json.token'))
+self.token_or_tokenfile = config.get('token_or_tokenfile', None)
 @staticmethod
 def from_config(config):
diff --git a/kuksa-client/kuksa_client/cli_backend/grpc.py b/kuksa-client/kuksa_client/cli_backend/grpc.py
index bd1d8c4..92efcc9 100644
--- a/kuksa-client/kuksa_client/cli_backend/grpc.py
+++ b/kuksa-client/kuksa_client/cli_backend/grpc.py
@@ -57,9 +57,12 @@ def default(self, obj):
 class Backend(cli_backend.Backend):
 def __init__(self, config):
 super().__init__(config)
-self.cacertificate = pathlib.Path(self.cacertificate)
-self.keyfile = pathlib.Path(self.keyfile)
-self.certificate = pathlib.Path(self.certificate)
+if self.cacertificate is not None:
+self.cacertificate = pathlib.Path(self.cacertificate)
+if self.keyfile is not None:
+self.keyfile = pathlib.Path(self.keyfile)
+if self.certificate is not None:
+self.certificate = pathlib.Path(self.certificate)
 if self.token_or_tokenfile is not None:
 if os.path.isfile(self.token_or_tokenfile):
 self.token_or_tokenfile = pathlib.Path(self.token_or_tokenfile)
diff --git a/kuksa-client/setup.cfg b/kuksa-client/setup.cfg
index d0d18e2..c90a109 100644
--- a/kuksa-client/setup.cfg
+++ b/kuksa-client/setup.cfg
@@ -44,8 +44,6 @@ test =
 kuksa_client =
 logging.ini
 logo
-kuksa_server_certificates/*
-kuksa_server_certificates/jwt/*
 [options.packages.find]
 where = .
diff --git a/submodules/kuksa-common b/submodules/kuksa-common
deleted file mode 160000
index 495d627..0000000
--- a/submodules/kuksa-common
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 495d627225dc09d8171afd13970da152ce8a2cf8
diff --git a/submodules/kuksa-databroker b/submodules/kuksa-databroker
new file mode 160000
index 0000000..7b2d798
--- /dev/null
+++ b/submodules/kuksa-databroker
@@ -0,0 +1 @@
+Subproject commit 7b2d798b54f90da02eff6d8ae27972d840c08df5
diff --git a/submodules/kuksa.val b/submodules/kuksa.val
deleted file mode 160000
index df6dcb0..0000000
--- a/submodules/kuksa.val
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit df6dcb0fafd651d5e9bec037194c352a822cd3f9
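Review bot: The guarded `pathlib.Path` conversions of cacertificate, keyfile and certificate in the grpc Backend.__init__ never check that the named files exist, so a mistyped `--cacertificate` path presumably surfaces only later as a channel or credential error instead of a clear message at configuration time; the token handling right below already does an `os.path.isfile` check, so the CA file deserves the same treatment, e.g. `if self.cacertificate is not None and not self.cacertificate.is_file(): raise FileNotFoundError(self.cacertificate)`. The three identical `if x is not None: x = pathlib.Path(x)` stanzas could also collapse into one small helper so the None handling lives in a single place. How the channel is built from these attributes is outside the hunk.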