Add upload certificate command to adam #927
Conversation
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
from
bca0d6d to
7af8df6
Compare
|
It looks like the last part of the puzzle before moving to tests is to have some function, that will re-sign all config objects derived from the signing certificate here, at least modify ControllerCertHash and ContextId, of CipherContexts correct? |
|
@giggsoff wouldn't it be enough just to change Eden's path to signing certificate to the new certificate, so it only affects the newly issued expectation objects? Also just fyi - rn I'm not planning to change the signing key, just the certificate. |
|
Well, I am not sure will EVE-OS work fine with old certificate in CipherContexts and new certificate in Adam (attestation). I think we need some action to re-calculate old CipherContexts as we will potentially have a test with deploying of some app and check how it works after modification of certificate. I see, but ControllerCertHash in CipherContext is about cert, not key. |
|
@giggsoff I tried the following:
I kept the old signing cert and key here. Tbh I don't fully understand yet how the Expectation structures and package is used. My understanding now is that they are used to build the config that is sent to Adam to be later relayed to EVE. But that would mean that in this case we are signing the structures with the old key, while we sign the message (envelope) with the new key. This likely doesn't make the difference since the key stays the same in my scenario - only the certificate changes. Please tell me if I'm missing something. |
|
@giggsoff I went on a roller-coaster ride through the code and found out that we don't use the signing certificate to generate the symmetric key for the encryption, we only use the signing key I'm not yet sure where EVE gets cipher context from (does it come with every message or independently of the messages), but I will check. I will also do the tests that you suggested 👍 But also I just thought maybe it's a good idea not to re-sign the old configs after changing the signing certificate - if EVE cannot deal with that this might just show a flaw in our design, since we the cloud might change the certificates frequently to ensure forward secrecy and we cannot expect it to re-sign all configs since the beginning of time. What do you think? |
@europaul but that means if I have any previous certificate I can use it to sign configuration and send it, is it not? So potentially if I get any old certificate I can use it to change configuration, which sounds not secure. Or am I missing something? |
@uncleDecart you'll need the controllers (old) private key to sign the configuration, the certificate is meant to be public and available to everybody - it's just our choice if we choose to remember the old certificates in EVE or not. |
|
@giggsoff you were right, I re-did the same test with applications with userdata and reboot like you suggested - after reboot EVE cannot decipher the userdata from the first application, because it is missing the old certificate that is required in the old cipherContext. The reason is that EVE only stores the latest signing certificate from the controller in persistent storage. |
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
from
7af8df6 to
1de4ce9
Compare
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
2 times, most recently
from
266987f to
371b3d7
Compare
| test eden.app.test -test.v -timewait 20m RUNNING eclient1 | ||
|
|
||
| # generate new controller certificate | ||
| eden utils gen-ctrl-cert -o /home/paul/.eden/certs/signing-new.pem |
There was a problem hiding this comment.
You seem to have absolute paths here referring to your home folder. Use eden.root variable instead to store it somewhere under ./dist directory.
There was a problem hiding this comment.
This is embarrassing 🤦
I wanted to put the certificate next to the the old signing cert, which is in $HOME/.eden/certs, so I created a new config variable eden.cert-dir for it now.
There was a problem hiding this comment.
I think it would be better to put the certificate under eden.tests. This is a temporary directory used by running tests.
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
from
371b3d7 to
8fb7358
Compare
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
from
8fb7358 to
17cb2b3
Compare
|
@europaul LGTM but lets wait for the adam side to be merged: lf-edge/adam#120 |
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
2 times, most recently
from
c457e6c to
fc2f5dc
Compare
@milan-zededa on my system the test takes around 4 mins to complete |
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
from
fc2f5dc to
f0b9831
Compare
|
Adam used to get it's certificates and keys through envs. To unify the UX I switched this mechanism to getting paths to files with certificates and keys through the CLI parameters only. This way it doesn't require a POST API anymore. This PR needs lf-edge/adam#123 to work. Tell me how you like this solution! P.S.: I will fix the commits later once we agree on the code. |
To be clear, those path-based CLI flags already existed in Adam, correct? You are just taking advantage of them? And Adam already reads those files with each request, rather than cache them in memory, so there is no need to tell Adam to reload the files, correct?
Does it? I think lf-edge/adam#123 just gets rid of something that was confusing there. But this should not be blocked by it (unless I misunderstood)?
Like! |
yes, the flags are already part of Adam, so no changes in Adam are required. The referenced commit is more of a clean-up.
yes, that is the case for the signing certificate which is relevant for this test |
There was a problem hiding this comment.
LGTM, you can add the test into the "smoke" test suite: https://github.com/lf-edge/eden/blob/master/tests/workflow/smoke.tests.txt
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
2 times, most recently
from
79fa91d to
abb1ae6
Compare
|
added the test to the smoke test suite. ready to merge! |
|
once lf-edge/adam#120 is merged and we pull latest adam we can merge this |
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
from
abb1ae6 to
cf7cc33
Compare
|
@giggsoff @uncleDecart thanks for the great comments!
lf-edge/adam#120 was superseded by lf-edge/adam#123, so I'm gonna close it. However the current PR doesn't require any changes in Adam and can be merged independently |
|
Some yetus complains, and some eden tests failing. Are those failures because of this, because of the other changes, or transient? |
I'd say they fail, because Eden workflows still run with an older EVE version. This PR is here to fix it And the yetus complains are in accordance to what we discussed above. |
|
@europaul can you rebase to master so that we can rerun tests? |
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
from
cf7cc33 to
1d0232b
Compare
To unify the UX and make sure that the certs and keys can be changed during the runtime of Adam while preserving them through Adam's restart we move from setting certs and keys through envs to cli args. Signed-off-by: Paul Gaiduk <[email protected]>
A new CLI option is added: on `eden adam change-signing-cert` the provided certificate is used to overwrite the current signing certificate file and re-encrypt the encrypted objects in config. Signed-off-by: Paul Gaiduk <[email protected]>
Signed-off-by: Paul Gaiduk <[email protected]>
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
2 times, most recently
from
9440875 to
c476acc
Compare
|
There's a failure on rebooting device on ZFS filesystem. Problem is persistent and also occurred before, need to investigate zfs failure before merging this |
The test does the following: 1. deploy first app with userdata to EVE 2. create new signing certificate for controller 3. update controller's certificate and resign old config 4. deploy second app with userdata 5. reboot EVE 6. deploy third app with userdata 7. make sure all apps are running correclty Signed-off-by: Paul Gaiduk <[email protected]>
europaul
force-pushed
the
add-ctrl-sign-cert-test
branch
from
c476acc to
6290f1b
Compare
I removed the test for the app being in HALTED state after the reboot, because it's is sometimes skipped and the app goes from HALTING to INITIAL. This fixed the tests. We still check for the app to be RUNNING after the reboot. @uncleDecart this PR is ready to be merged |
A new CLI option is added: on eden adam upload-cert the provided certificate is uploaded to /admin/certs via an HTTP POST
NOTE: the new EDEN test needs to be run with an EVE version that includes this fix and with the Adam version that includes this change.
Closes #896