MF-1676 - Make Bootstrap fetch Certs data on demand #1669
Conversation
|
@mainflux/maintainers |
cmd/certs/main.go
Outdated
| defESURL = "localhost:6379" | ||
| defESPass = "" | ||
| defESDB = "0" |
There was a problem hiding this comment.
Looks like these are not used.
There was a problem hiding this comment.
Still Work in Progress for this variables, ES is used to get notification of deleted things
certs/bootstrap/certs.go
Outdated
| return c.token, nil | ||
| } | ||
|
|
||
| func (c *bootstrapClient) UpdateCerts(ctx context.Context, thingID, clientCert, clientKey, caCert string) error { |
There was a problem hiding this comment.
Why don't we use c.sdk.UpdateBootstrapCerts here?
There was a problem hiding this comment.
Okay I will try to use c.sdk.UpdateBootstrapCerts
There was a problem hiding this comment.
@dborovcanin, we can't use c.sdk.UpdateBootstrapCerts , since SDK simply reply with status , and we need more detailed about the response body
https://github.com/mainflux/mainflux/blob/d73a5d53fec0313a51ca933321ea75de7ad0c90e/pkg/sdk/go/bootstrap.go#L180
There was a problem hiding this comment.
@dborovcanin, we can't use c.sdk.UpdateBootstrapCerts , since SDK simply reply with status , and we need more detailed about the response body
Is this only because SDK does not return return error based on the reponse, but on status code? In that case, we should update SDK to return more specifc error.
There was a problem hiding this comment.
yes it use sdk now
certs/certs.go
Outdated
| ListExpiredCerts(ctx context.Context, timeBefore time.Duration, limit, offset uint64) (Page, error) | ||
|
|
||
| // AutoRetrieveByThingID retrieves list of certificate for a given thing ID without owner ID , used for AutoRenew process | ||
| AutoRetrieveByThingID(ctx context.Context, thingID string) (Cert, error) |
There was a problem hiding this comment.
No need for the Auto prefix, it sounds misleading (I know we don't take owner ID into account, but that's fine because we do not have another repo method that does).
There was a problem hiding this comment.
The repo method RetrieveByThing do the same but with owner ID
RetrieveByThing(ctx context.Context, ownerID, thingID string, offset, limit uint64) (Page, error)So to identify the function with name I kept like that way. I can't able to think for another name at that time , Could you suggest a better name or prefix ?
There was a problem hiding this comment.
You can make it a single method (RetrieveByThingID) and make it use userID only if present (i.e. ignore if empty, the same way search and filtering by some criteria usually work). On the service level, you decide how to handle authorization.
There was a problem hiding this comment.
the AutoRetrieveByThingID functions are no more need , the function are removed
the AutoRemoveByThingID function name changed to ThingCertsRevokeHandler
certs/postgres/certs.go
Outdated
| @@ -102,6 +102,31 @@ func (cr certsRepository) Save(ctx context.Context, cert certs.Cert) (string, er | |||
| return cert.Serial, nil | |||
| } | |||
|
|
|||
| func (cr certsRepository) Update(ctx context.Context, cert certs.Cert) error { | |||
| q := `UPDATE certs SET serial = :serial, expire = :expire WHERE thing_id = :thing_id AND owner_id = :owner_id` | |||
There was a problem hiding this comment.
I hope, I fixed the formatting
certs/postgres/certs.go
Outdated
| @@ -170,6 +195,77 @@ func (cr certsRepository) RetrieveBySerial(ctx context.Context, ownerID, serialI | |||
| return c, nil | |||
| } | |||
|
|
|||
| func (cr certsRepository) ListExpiredCerts(ctx context.Context, timeBefore time.Duration, limit, offset uint64) (certs.Page, error) { | |||
| whereClause := fmt.Sprintf("WHERE expire <= now() - interval '%s'", timeBefore) | |||
There was a problem hiding this comment.
Are you sure using Database server time is better than using service time? It's possible that those two are not the same and this can be a source of the sneaky errors.
There was a problem hiding this comment.
Okay I agree with your point, I will change the approch
There was a problem hiding this comment.
This one doesn't seem addressed.
There was a problem hiding this comment.
Done, expire calculate from service time
certs/service.go
Outdated
| // Renew the exipred certificate from certs repo | ||
| RenewCerts(ctx context.Context, bsUpdateRenewCert bool) error | ||
|
|
||
| // Automattically trigger RenewCert function for given renew interval time |
There was a problem hiding this comment.
Fix typo Automatically and add a comment for the next method.
There was a problem hiding this comment.
No more this function is needed in code. It was removed
Signed-off-by: dusanb94 <[email protected]> Signed-off-by: dusanb94 <[email protected]> Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
arvindh123
force-pushed
the
certs-auto-renew
branch
from
965534c to
a60bab3
Compare
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
certs/api/logging.go
Outdated
| @@ -90,3 +90,42 @@ func (lm *loggingMiddleware) RevokeCert(ctx context.Context, token, thingID stri | |||
|
|
|||
| return lm.svc.RevokeCert(ctx, token, thingID) | |||
| } | |||
|
|
|||
| func (lm *loggingMiddleware) RenewCerts(ctx context.Context, bsUpdateRenewCert bool) (err error) { | |||
There was a problem hiding this comment.
Please align the log message with the rest of the service: Method <method name> <other useful info> took <duration> to complete <errors if any>.
There was a problem hiding this comment.
The method returns only error
The error contains all the details,
certs/bootstrap/certs.go
Outdated
| // ErrUnexpectedBSResponse indicates unexpected response from Bootstrap service. | ||
| ErrUnexpectedBSResponse = errors.New("unexpected Bootstrap service response") | ||
|
|
||
| ErrUnableToAccess = errors.New("unable to access bootstrap service") |
There was a problem hiding this comment.
Add comments for exported errors.
There was a problem hiding this comment.
Please don't forget to address this one.
certs/bootstrap/certs.go
Outdated
| return c.token, nil | ||
| } | ||
|
|
||
| func (c *bootstrapClient) UpdateCerts(ctx context.Context, thingID, clientCert, clientKey, caCert string) error { |
certs/bootstrap/certs.go
Outdated
| } | ||
| return errors.New(string(b)) | ||
| } | ||
| func request(ctx context.Context, method, url string, data []byte, header map[string]string) (*http.Response, error) { |
There was a problem hiding this comment.
Add an empty line between methods.
certs/certs.go
Outdated
| // // AutoRetrieveByThingID retrieves list of certificate for a given thing ID without owner ID , used for AutoRenew process | ||
| // AutoRetrieveByThingID(ctx context.Context, thingID string) (Cert, error) | ||
|
|
||
| // // AutoRemoveByThingID removes certificate from DB for a given thing ID without owner ID , used for AutoRenew process | ||
| // AutoRemoveByThingID(ctx context.Context, thingID string) error |
There was a problem hiding this comment.
Remove commented code.
There was a problem hiding this comment.
The functions no more needed removed
certs/postgres/certs.go
Outdated
| @@ -170,6 +195,77 @@ func (cr certsRepository) RetrieveBySerial(ctx context.Context, ownerID, serialI | |||
| return c, nil | |||
| } | |||
|
|
|||
| func (cr certsRepository) ListExpiredCerts(ctx context.Context, timeBefore time.Duration, limit, offset uint64) (certs.Page, error) { | |||
| whereClause := fmt.Sprintf("WHERE expire <= now() - interval '%s'", timeBefore) | |||
There was a problem hiding this comment.
This one doesn't seem addressed.
certs/postgres/certs.go
Outdated
| // func (cr certsRepository) AutoRetrieveByThingID(ctx context.Context, thingID string) (certs.Cert, error) { | ||
| // q := `SELECT thing_id, owner_id, serial, expire FROM certs WHERE thing_id = $1` | ||
| // var dbcrt dbCert | ||
| // var c certs.Cert | ||
| // if err := cr.db.QueryRowxContext(ctx, q, thingID).StructScan(&dbcrt); err != nil { | ||
| // pqErr, ok := err.(*pq.Error) | ||
| // if err == sql.ErrNoRows || ok && errInvalid == pqErr.Code.Name() { | ||
| // return c, errors.Wrap(errors.ErrNotFound, err) | ||
| // } | ||
|
|
||
| // return c, errors.Wrap(errors.ErrViewEntity, err) | ||
| // } | ||
| // c = toCert(dbcrt) | ||
| // return c, nil | ||
| // } | ||
|
|
||
| // func (cr certsRepository) AutoRemoveByThingID(ctx context.Context, thingID string) error { | ||
| // if _, err := cr.AutoRetrieveByThingID(ctx, thingID); err != nil { | ||
| // return errors.Wrap(errors.ErrRemoveEntity, err) | ||
| // } | ||
| // q := `DELETE FROM certs WHERE thing_id = :thingID` | ||
| // var c certs.Cert | ||
| // c.ThingID = thingID | ||
| // dbcrt := toDBCert(c) | ||
| // if _, err := cr.db.NamedExecContext(ctx, q, dbcrt); err != nil { | ||
| // return errors.Wrap(errors.ErrRemoveEntity, err) | ||
| // } | ||
| // return nil | ||
| // } | ||
|
|
There was a problem hiding this comment.
Remove commented code.
certs/redis/consumer/event.go
Outdated
| type updateChannelEvent struct { | ||
| id string | ||
| name string | ||
| metadata map[string]interface{} | ||
| } |
certs/service.go
Outdated
| ErrFailedCertRevocation = errors.New("failed to revoke certificate") | ||
| ErrFailedCertRevocation = errors.New("failed to revoke certificate in PKI") | ||
|
|
||
| errThingNotInBS = errors.New("Thing not found in bootstrap service") |
There was a problem hiding this comment.
Comment exported errors.
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
dborovcanin
changed the title
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
arvindh123
changed the title
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
dborovcanin
changed the title
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
Signed-off-by: Arvindh <[email protected]>
What does this do?
Renew the expired cert, If the cert is not available in bootstrap and thing service, then it will remove all the certs.
Which issue(s) does this PR fix/relate to?
Resolves #1677 and partially #1678.
List any changes that modify/break current functionality
Have you included tests for your changes?
Did you document any new/modified functionality?
Notes