Network connectivity: Add key management for EAP secured networks #2254
Conversation
The nmcli module is now fully typed
Codecov Report
@@ Coverage Diff @@
## edge #2254 +/- ##
==========================================
+ Coverage 29.67% 30.54% +0.86%
==========================================
Files 497 500 +3
Lines 7962 8253 +291
==========================================
+ Hits 2363 2521 +158
- Misses 5599 5732 +133
Continue to review full report at Codecov.
|
sfoster1
force-pushed
the
api_add-wifi-key-management
branch
from
1f448b1 to
55467b4
Compare
| hidden=hidden) | ||
| status = 201 if ok else 401 | ||
| try: | ||
| checked_sec = sec_translation[security] |
There was a problem hiding this comment.
I think this will overwrite the ssid missing error, which I think is the more pressing error. Also, to nitpick try/except blocks make me (irrationally?) nervous (thank you Scala). Maybe we could do something like this instead?
# ...
security = body.get('security_type')
# ...
if ssid is None:
# ...
elif security not in sec_translation:
# ...
#...There was a problem hiding this comment.
I'd prefer to avoid doing further work here if only because the next PR is going to be about eap configuration and will include a lot of overhauls of this endpoint - I can fold it in there.
| """ Add a key file (for later use in EAP config) to the system. | ||
|
|
||
| ``` | ||
| POST /wifi/keys with {'key': <file>} -> 201 Created |
There was a problem hiding this comment.
Docs nitpick: this kind of makes it seem like the request body should be JSON when it should actually be multipart form data
There was a problem hiding this comment.
Sure, how would you like me to specify it?
| return web.json_response({'message': "Must upload key file"}, | ||
| status=400) | ||
| data = await request.post() | ||
| if 'key' not in data: |
There was a problem hiding this comment.
Would data.get('key') + if keyfile is None: be preferable here?
| key_hash = hasher.hexdigest() | ||
| if key_hash in os.listdir(keys_dir): | ||
| return web.json_response( | ||
| {'message': 'Key file already present'}, status=409) |
There was a problem hiding this comment.
I wonder if it might be more helpful to respond with a 200 OK? The user wanted to upload a key, and that key is on the system. Regardless of if we change the status here, could we put the uri, id, and name in the response body?
| POST /wifi/keys with {'key': <file>} -> 201 Created | ||
| { | ||
| uri: '/wifi/keys/some-hex-digest', | ||
| hash: 'some-hex-digest', |
There was a problem hiding this comment.
hash changed to id in actual response
| """ Remove a key. | ||
|
|
||
| ``` | ||
| DELETE /wifi/keys/hex-digest |
There was a problem hiding this comment.
DELETE /wifi/keys/:id might make it a little easier to understand that the last part of the URL is a parameter
sfoster1
force-pushed
the
api_add-wifi-key-management
branch
3 times, most recently
from
02427b9 to
f51b91d
Compare
/wifi/keys allows GET to list and POST to add a new keyfile (of arbitrary type and size). These are hashed and stored in /data/user_storage/opentrons_data/network_keys in individual folders by sha256 hash of the contents. This hash is used as a URI for later deletion of the keys, or specification in /wifi/configure eapol options that require key files. Closes #2253
sfoster1
force-pushed
the
api_add-wifi-key-management
branch
from
f51b91d to
7e479de
Compare
| If a file with the same hash (regardless of filename) has already been | ||
| uploaded, returns | ||
| ``` | ||
| 200 OK |
| @@ -166,6 +166,9 @@ def init(loop=None): | |||
| '/wifi/configure', wifi.configure) | |||
| server.app.router.add_get( | |||
| '/wifi/status', wifi.status) | |||
| server.app.router.add_post('/wifi/keys', wifi.add_key) | |||
There was a problem hiding this comment.
Note to self about app state: the paths and responses of the /wifi/keys endpoints are completely correct (in my mind), but to date the app hasn't really had to deal with ID'd resources. This functionality (along with module firmware update by serial number) will mean we need to make a very considered refactor of the app's state w.r.t. API resources
mcous
added
api
Some EAP secured networks (in fact most kinds) either require or allow the use of key files for various tasks, such as client identity authentication through private keys or server identity authentication through x.509 certificates. In some cases, these keys can be large; so, rather than just adding them into the
/wifi/configurerequest, here are some new endpoints to manage wifi keys.They will be stored on disk in the new subdirectory
/data/user_storage/opentrons_data/network_keys, available inopentrons.util.environment.settingsasWIFI_KEYS_DIR. To allow upload of identically named keys, the key files will be stored in directories named by a hash of the key file itself. Identically-hashed keys are not allowed.The shape of the endpoints is:
If the key already exists:
In addition, add proper types to nmcli and wifi endpoints.
Closes #2253