Removing default tokens/certs and change submodule reference
erikbosch committed Apr 30, 2024
1 parent e9c29e2 commit e3880a0
Showing 12 changed files with 35 additions and 81 deletions.
9 changes: 3 additions & 6 deletions .gitmodules
@@ -1,6 +1,3 @@
[submodule "submodules/kuksa.val"]
path = submodules/kuksa.val
url = https://github.com/eclipse/kuksa.val
[submodule "submodules/kuksa-common"]
path = submodules/kuksa-common
url = https://github.com/eclipse-kuksa/kuksa-common
[submodule "submodules/kuksa-databroker"]
path = submodules/kuksa-databroker
url = https://github.com/eclipse-kuksa/kuksa-databroker
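Review bot: this hunk drops the kuksa-common and kuksa.val submodules while the rewritten docs/cli.md in the same commit sends users to kuksa-common for CA.pem and the JWT test tokens, so any script, test or CI job that still resolves a `submodules/kuksa-common/...` or `submodules/kuksa.val/kuksa_certificates/...` path will now break; grep the repository for those paths before merging, and say in the commit message why kuksa-databroker is added in their place, since "change submodule reference" does not cover two removals and one addition.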
45 changes: 11 additions & 34 deletions docs/cli.md
Expand Up @@ -50,47 +50,30 @@ kuksa-client ws://127.0.0.1:8090

## TLS with databroker

KUKSA Client uses TLS to connect to databroker when the schema part of the server URI is `grpcs`, i.e. a valid command to connect to a TLS enabled local databroker is
KUKSA Client uses TLS to connect to Databroker when the schema part of the server URI is `grpcs`.
The KUKSA Python SDK does not include any default certificates or keys.
The root certificate used to authenticate the Databroker must be specified with `--cacertificate <path>`.
If you want to use KUKSA example Root CA you need to provide it from [kuksa-common](https://github.com/eclipse-kuksa/kuksa-common/tree/main/tls).

```
kuksa-client grpcs://localhost:55555
```

By default the KUKSA example Root CA and Client keys are used, but client keys have no effect currently as mutual authentication is not supported by KUKSA Databroker or KUKSA Server.


This call with all parameters specified give same effect:

```
kuksa-client --certificate ../kuksa_certificates/Client.pem --keyfile ../kuksa_certificates/Client.key --cacertificate ./kuksa_certificates/CA.pem grpcs://localhost:55555
```

There is actually no reason to specify client key and certificate, as mutual authentication is not supported in KUKSA Databroker,
so the command can be simplified like this:

```
kuksa-client --cacertificate ./kuksa_certificates/CA.pem grpcs://localhost:55555
kuksa-client --cacertificate ~/kuksa-common/tls/CA.pem grpcs://localhost:55555
```

The example server protocol list 127.0.0.1 as an alternative name, but the TLS-client currently used does not accept it,
instead a valid server name must be given as argument.
Currently `Server` and `localhost` are valid names from the example certificates.

```
kuksa-client --cacertificate ../kuksa_certificates/CA.pem --tls-server-name Server grpcs://127.0.0.1:55555
kuksa-client --cacertificate ~/kuksa-common/tls/CA.pem --tls-server-name Server grpcs://127.0.0.1:55555
```

## TLS with val-server
Val-server also supports TLS. KUKSA Client uses TLS to connect to val-server when the schema part of the server URI is `wss`. A valid command to connect to a local TLS enabled val-server is
## TLS with Websocket
Websocket access also supports TLS. KUKSA Client uses TLS to connect to Weboscket when the schema part of the server URI is `wss`. A valid command to connect to a local TLS enabled VSS Server (KUKSA Databroker, VISSR, ...) supporting Websocket is

```
kuksa-client wss://localhost:8090
```

This corresponds to this call:

```
kuksa-client --cacertificate ../kuksa_certificates/CA.pem wss://localhost:8090
kuksa-client --cacertificate ~/kuksa-common/tls/CA.pem wss://localhost:8090
```

In some environments the `--tls-server-name` argument must be used to specify alternative server name
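Review bot: the bare examples `kuksa-client grpcs://localhost:55555` and `kuksa-client wss://localhost:8090` kept in this hunk are no longer valid as written, because the client changes in this commit treat a missing `--cacertificate` as a request for an insecure connection; the sentence "This corresponds to this call:" in front of `kuksa-client --cacertificate ~/kuksa-common/tls/CA.pem wss://localhost:8090` is therefore now wrong. Either drop the bare forms or state that they connect without TLS. Also fix `Weboscket` to `Websocket` and "schema part of the server URI" to "scheme" in the added lines, and it would be worth one sentence saying that the kuksa-common CA is an example CA for test setups and must not be trusted anywhere else.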
Expand All @@ -100,12 +83,8 @@ if connecting to the server by numerical IP address like `wss://127.0.0.1:8090`.

If the connected KUKSA Server or KUKSA Databroker require authorization the first step after a connection is made is to authorize. KUKSA Server and KUKSA Databroker use different token formats.

The jwt tokens for testing can either be found in the [kuksa.val repository](https://github.com/eclipse/kuksa.val/tree/master/kuksa_certificates/jwt)
or you can also use following command inside `kuksa-client` to find the via `pip` installed certificate directory.
The KUKSA jwt tokens for testing can be found in the [kuksa-common repository](https://github.com/eclipse/kuksa.val/tree/master/kuksa_certificates/jwt).

```console
Test Client> printTokenDir
```
Select one of the tokens and use the `authorize` command like below:

```console
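Review bot: the link added in this hunk is inconsistent with itself: the text says "kuksa-common repository" but the URL is https://github.com/eclipse/kuksa.val/tree/master/kuksa_certificates/jwt, the old kuksa.val location this commit is moving away from. Point it at the kuksa-common jwt directory already used further down in this file, https://github.com/eclipse-kuksa/kuksa-common/tree/main/jwt.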
Expand All @@ -114,8 +93,7 @@ Test Client> authorize /some/path/kuksa_certificates/jwt/super-admin.json.token

## Authorizing against KUKSA Databroker

If connecting to Databroker the command `printTokenDir` is not much help as it shows the default token directories
for KUKSA Server example tokens. If the KUKSA Databroker use default example tokens then one of the
If the KUKSA Databroker use default example tokens then one of the
tokens in [kuksa-common](https://github.com/eclipse-kuksa/kuksa-common/tree/main/jwt) can be used, like in the example below:

```console
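Review bot: grammar in the added line, "If the KUKSA Databroker use default example tokens" should read "uses"; more importantly this is the place to say that the tokens in kuksa-common are published example credentials for testing only, and that a Databroker configured to accept them must not be reachable beyond a development setup.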
Expand All @@ -141,7 +119,6 @@ getServerAddress Gets the IP Address for the VISS/gRPC Server
Info Commands
================================================================================
info Show summary info of the client
printTokenDir Show default token directory
version Show version of the client

Kuksa Interaction Commands
2 changes: 1 addition & 1 deletion kuksa-client/kuksa/val/v1/README.md
2 changes: 1 addition & 1 deletion kuksa-client/kuksa/val/v1/types.proto
2 changes: 1 addition & 1 deletion kuksa-client/kuksa/val/v1/val.proto
23 changes: 4 additions & 19 deletions kuksa-client/kuksa_client/__main__.py
Expand Up @@ -39,7 +39,6 @@
from cmd2.utils import basic_complete
from urllib.parse import urlparse

from kuksa_client import kuksa_server_certificates
from kuksa_client import KuksaClientThread
from kuksa_client import _metadata

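Review bot: with the kuksa_server_certificates import gone here and getDefaultTokenDir removed further down in this file, check whether `os` is still referenced anywhere else in __main__.py; the removed helper was the user of os.path.join and os.path.isdir, so an unused-import warning from pylint is likely.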
Expand Down Expand Up @@ -351,7 +350,6 @@ def __init__(
with (pathlib.Path(scriptDir) / "logo").open("r", encoding="utf-8") as f:
logo = f.read()
print(logo.replace("%ver%", str(_metadata.__version__)))
print("Default tokens directory: " + self.getDefaultTokenDir())

print()
self.connect()
Expand Down Expand Up @@ -595,7 +593,10 @@ def connect(self):
config["port"] = srv.port

if srv.scheme in ["grpcs", "wss"]:
config["insecure"] = False
if self.cacertificate is None:
print("TLS cannot be used as no CA Certificate specifed!")
else:
config["insecure"] = False

if srv.hostname is None:
print("No hostname or IP given")
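Review bot: the new branch fails open. When the scheme is grpcs or wss and no CA certificate was given it prints "TLS cannot be used as no CA Certificate specifed!" and then falls through to the rest of connect() with config["insecure"] untouched, and the backend change in cli_backend/__init__.py in this same commit forces insecure=True in exactly that case, so a user who explicitly asked for grpcs:// or wss:// ends up on a plaintext connection with nothing but a console message. Return (or raise) after the message instead of continuing, and fix the typo `specifed`.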
Expand Down Expand Up @@ -646,41 +647,25 @@ def do_connect(self, args):
self.server = args.server
self.connect()

def getDefaultTokenDir(self):
try:
return os.path.join(kuksa_server_certificates.__certificate_dir__, "jwt")
except AttributeError:
guessTokenDir = os.path.join(scriptDir, "kuksa_server_certificates/jwt")
if os.path.isdir(guessTokenDir):
return guessTokenDir
return "Unknown"

@with_category(INFO_COMMANDS)
def do_info(self, _args):
"""Show summary info of the client"""
print("kuksa-client version " + _metadata.__version__)
print("Uri: " + _metadata.__uri__)
print("Author: " + _metadata.__author__)
print("Copyright: " + _metadata.__copyright__)
print("Default tokens directory: " + self.getDefaultTokenDir())

@with_category(INFO_COMMANDS)
def do_version(self, _args):
"""Show version of the client"""
print(_metadata.__version__)

@with_category(INFO_COMMANDS)
def do_printTokenDir(self, _args):
"""Show default token directory"""
print(self.getDefaultTokenDir())


# pylint: enable=too-many-public-methods
# pylint: enable=too-many-instance-attributes

# Main Function


def main():
parser = argparse.ArgumentParser()
parser.add_argument(
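Review bot: do_info now reports nothing about the connection's security configuration although the packaged defaults that used to make it implicit are gone; consider printing the configured CA certificate path (or that the connection is insecure) and whether a token is loaded, since those are the first things a user will need to check after this change.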
19 changes: 7 additions & 12 deletions kuksa-client/kuksa_client/cli_backend/__init__.py
Expand Up @@ -16,9 +16,6 @@
# SPDX-License-Identifier: Apache-2.0
########################################################################

import pathlib
from kuksa_client import kuksa_server_certificates


class Backend:
def __init__(self, config):
Expand All @@ -28,16 +25,14 @@ def __init__(self, config):
self.insecure = config.getboolean('insecure', False)
except AttributeError:
self.insecure = config.get('insecure', False)
self.default_cert_path = pathlib.Path(kuksa_server_certificates.__path__[0])
self.cacertificate = config.get(
'cacertificate', str(self.default_cert_path / 'CA.pem'))
self.certificate = config.get('certificate', str(
self.default_cert_path / 'Client.pem'))
self.keyfile = config.get('keyfile', str(
self.default_cert_path / 'Client.key'))
self.cacertificate = config.get('cacertificate', None)
# If no CA Certificate is given we will use an insecure connection, requested or not
if self.cacertificate is None:
self.insecure = True
self.certificate = config.get('certificate', None)
self.keyfile = config.get('keyfile', None)
self.tls_server_name = config.get('tls_server_name', "")
self.token_or_tokenfile = config.get('token_or_tokenfile', str(
self.default_cert_path / 'jwt/all-read-write.json.token'))
self.token_or_tokenfile = config.get('token_or_tokenfile', None)

@staticmethod
def from_config(config):
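Review bot: `if self.cacertificate is None: self.insecure = True` silently overrides an explicit insecure=False, which the comment above it admits ("requested or not"). TLS requested without a CA certificate is a configuration error and should raise (a ValueError with a clear message) rather than downgrade to plaintext; the same applies to `certificate` and `keyfile`, which should be validated as both set or both unset. Since `token_or_tokenfile` now defaults to None, also confirm every backend tolerates None before it calls authorize.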
9 changes: 6 additions & 3 deletions kuksa-client/kuksa_client/cli_backend/grpc.py
Expand Up @@ -57,9 +57,12 @@ def default(self, obj):
class Backend(cli_backend.Backend):
def __init__(self, config):
super().__init__(config)
self.cacertificate = pathlib.Path(self.cacertificate)
self.keyfile = pathlib.Path(self.keyfile)
self.certificate = pathlib.Path(self.certificate)
if self.cacertificate is not None:
self.cacertificate = pathlib.Path(self.cacertificate)
if self.keyfile is not None:
self.keyfile = pathlib.Path(self.keyfile)
if self.certificate is not None:
self.certificate = pathlib.Path(self.certificate)
if self.token_or_tokenfile is not None:
if os.path.isfile(self.token_or_tokenfile):
self.token_or_tokenfile = pathlib.Path(self.token_or_tokenfile)
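Review bot: the None guards only protect the Path conversions; a path that is set but does not exist still passes here and surfaces as a gRPC channel error at connect time. Check the converted paths with is_file() in this constructor and report which file is missing, and add a comment that the cacertificate guard is reachable only because the base class already forces insecure=True when it is None.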
2 changes: 0 additions & 2 deletions kuksa-client/setup.cfg
Expand Up @@ -44,8 +44,6 @@ test =
kuksa_client =
logging.ini
logo
kuksa_server_certificates/*
kuksa_server_certificates/jwt/*

[options.packages.find]
where = .
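Review bot: the package_data entries are removed, but the commit's file list (12 files) contains no deletion of kuksa-client/kuksa_client/kuksa_server_certificates itself. If that path was a symlink into the removed kuksa.val submodule it is now dangling; if it was a real directory, the example CA, client key and tokens still sit in the source tree even though they are no longer packaged. Delete it, or confirm it is gone, so the tree matches the intent of the commit.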
1 change: 0 additions & 1 deletion submodules/kuksa-common
Submodule kuksa-common deleted from 495d62
1 change: 1 addition & 0 deletions submodules/kuksa-databroker
Submodule kuksa-databroker added at 7b2d79
1 change: 0 additions & 1 deletion submodules/kuksa.val
Submodule kuksa.val deleted from df6dcb
