thin-edge/thin-edge.io

Cumulocity IoT urls fail to download when using custom domain name

Closed this issue · 2 comments

Describe the bug

When using a custom Cumulocity IoT domain (an enterprise tenant feature), installing software packages with binaries uploaded to Cumulocity IoT via the UI fails with a 401 error, as the tedge-agent only checks the c8y.http value to see if the local c8y proxy service should be used or not.

    Jun 27 15:22:26 b9cdad7c25fe tedge-agent[1017]: 2024-06-27T15:22:26.603900183Z  INFO tedge_agent::tedge_operation_converter::actor: Processing software_update operation executing step
    Jun 27 15:22:27 b9cdad7c25fe tedge-agent[1017]: 2024-06-27T15:22:27.568984292Z ERROR plugin_sm::plugin: Download error: DownloadError {
    Jun 27 15:22:27 b9cdad7c25fe tedge-agent[1017]:     reason: "HTTP status client error (401 Unauthorized) for url (https://t123456.cumulocity.com/inventory/binaries/12520)",
    Jun 27 15:22:27 b9cdad7c25fe tedge-agent[1017]:     url: "https://t123456.cumulocity.com/inventory/binaries/12520",
    Jun 27 15:22:27 b9cdad7c25fe tedge-agent[1017]:     source_err: "",
    Jun 27 15:22:27 b9cdad7c25fe tedge-agent[1017]: }
    Jun 27 15:22:27 b9cdad7c25fe sudo[2397]:    tedge : PWD=/tmp ; USER=root ; COMMAND=/etc/tedge/sm-plugins/apt finalize

This is caused because binaries uploaded to Cumulocity IoT use the underlying tenant URL, and not the custom domain, to store a reference to themselves, and this URL is sent to thin-edge.io via the Software Update operation.

To Reproduce

This requires an enterprise tenant and a custom domain.

  1. Configure thin-edge.io with different c8y.http and c8y.mqtt urls

         tedge config set c8y.http dashboard.customer.com:443
         tedge config set c8y.mqtt t123456.cumulocity.com:8883

  2. Upload a binary to the Software repository (any binary will do)

  3. Install the software via the Cumulocity IoT Software tab

Inspect the tedge-agent logs to see if the file was successfully downloaded or not.

Expected behavior

The c8y.mqtt domain name should also be used to determine whether a URL received by any operation is a "c8y" URL or not (in addition to the current c8y.http check).

Screenshots

Environment (please complete the following information):

| Property | Value |
| --- | --- |
| OS [incl. version] | Debian GNU/Linux 12 (bookworm) |
| Hardware [incl. revision] | unknown |
| System-Architecture | Linux b9cdad7c25fe 6.8.0-31-generic #31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 02:32:42 UTC 2024 aarch64 GNU/Linux |
| thin-edge.io version | tedge 1.1.1 |

Additional context

Workaround

You can use go-c8y-cli to translate the "internal" binary urls to the custom domain urls using the following one-liner:

    c8y inventory find --query "type eq c8y_SoftwareBinary and c8y_Software.url eq 'https://${C8Y_TENANT}*'" --includeAll \
    | c8y inventory update --template "{
        c8y_Software: input.value.c8y_Software + {
            url: 'https://$C8Y_DOMAIN' + _.GetURLPath(input.value.c8y_Software.url)
        }
    }"

Related ticket #2804

QA tested the bug and it is not reproducible.
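
The host check requested under "Expected behavior", sketched as an added example (not thin-edge.io source code): a URL is treated as a "c8y" URL only when its host exactly equals the host of c8y.http or c8y.mqtt, so look-alike hosts never receive the tenant credentials. The function names are hypothetical, config values are assumed to be `host[:port]` without IPv6 literals, and the `example.net` URLs are constructed.

```rust
// Added example, not thin-edge.io code. Function names are hypothetical.

/// Host part of a `host[:port]` config value such as "t123456.cumulocity.com:8883".
/// Assumption: no IPv6 literals in the configuration.
fn config_host(value: &str) -> String {
    value.rsplit_once(':').map_or(value, |(h, _)| h).to_ascii_lowercase()
}

/// Host of an absolute https URL, or None if it is not https or has no host.
fn url_host(url: &str) -> Option<String> {
    let rest = url.strip_prefix("https://")?;
    // The authority ends at the first '/', '?' or '#'.
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    // Drop userinfo ("user@host") so it cannot masquerade as the host.
    let host_port = authority.rsplit_once('@').map_or(authority, |(_, h)| h);
    let host = host_port.split(':').next()?;
    if host.is_empty() {
        None
    } else {
        Some(host.to_ascii_lowercase())
    }
}

/// True when `url` points at the tenant, either by its custom domain (c8y.http)
/// or by its underlying tenant domain (c8y.mqtt). Exact host match only:
/// prefix or substring matching would also accept look-alike hosts.
fn is_c8y_url(url: &str, c8y_http: &str, c8y_mqtt: &str) -> bool {
    match url_host(url) {
        Some(host) => host == config_host(c8y_http) || host == config_host(c8y_mqtt),
        None => false, // fail closed: unknown URLs get no tenant credentials
    }
}

fn main() {
    // Config values from the reproduction steps in the issue.
    let (http, mqtt) = ("dashboard.customer.com:443", "t123456.cumulocity.com:8883");
    for url in [
        "https://t123456.cumulocity.com/inventory/binaries/12520", // URL from the log
        "https://dashboard.customer.com/inventory/binaries/12520",
        "https://t123456.cumulocity.com.example.net/inventory/binaries/12520", // constructed
        "https://t123456.cumulocity.com@example.net/inventory/binaries/12520", // constructed
    ] {
        println!("{} -> {}", url, is_c8y_url(url, http, mqtt));
    }
}
```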