Talaria jwt token clarification
thopewell opened this issue · 1 comments
Not an issue, but a request for help!
It's not clear to me how to force Talaria to only accept registrations using jwt tokens (assuming I have understood correctly how xmidt works!).
I have set up xmidt using the docker-compose example and was expecting this config
```yaml
jwtValidators:
  -
    keys:
      Factory:
        uri: "http://themis:6500/keys/{keyId}"
      purpose: 0
      updateInterval: 604800000000000
```
to force the use of tokens to register to Talaria.
However, if I rebuild the docker-simulator and modify "token-server" to something that doesn't exist and rebuild, or simply shutdown themis, it seems I can still register to Talaria.
Here are my rdk simulator logs using themis:6501 as the token server:
```
# docker run --rm --network=e5ac3216e7d1 -e CMAC=998877665544 xmidt/rdkb-simulator
[1588029390][PARODUS][Info]: RAND_MAX is 2147483647 (0x7fffffff)
[1588029390][PARODUS][Info]: ********** Starting component: Parodus **********
[1588029390][PARODUS][Info]: Setting default values to parodusCfg
[1588029390][PARODUS][Info]: cfg->webpa_protocol is PARODUS-2.0-1.1.3-37-g1d85742
[1588029390][PARODUS][Info]: Default cloud_status is offline
[1588029390][PARODUS][Info]: Parsing parodus command line arguments..
[1588029390][PARODUS][Info]: hw-model is aker-testing
[1588029390][PARODUS][Info]: cert_path is /etc/ssl/certs/ca-certificates.crt
[1588029390][PARODUS][Info]: client_cert_path is /etc/ssl/certs/ca-certificates.crt
[1588029390][PARODUS][Info]: hw_serial_number is mock-rdkb-simulator
[1588029390][PARODUS][Info]: hw_manufacturer is Example
[1588029390][PARODUS][Info]: hw_mac is 998877665544
[1588029390][PARODUS][Info]: hw_last_reboot_reason is unknown
[1588029390][PARODUS][Info]: fw_name is mock-rdkb-firmware
[1588029390][PARODUS][Info]: boot_time is 1588029390
[1588029390][PARODUS][Info]: partner_id is comcast
[1588029390][PARODUS][Info]: parodus local_url is tcp://127.0.0.1:16014
[1588029390][PARODUS][Info]: webpa_ping_timeout is 60
[1588029390][PARODUS][Info]: token_server_url is http://themis:6501/issue
[1588029390][PARODUS][Info]: webpa_backoff_max is 2
[1588029390][PARODUS][Info]: webpa_interface_used is eth0
[1588029390][PARODUS][Info]: webpa_url is http://petasos:6400
[1588029390][PARODUS][Info]: Force IPv4
[1588029390][PARODUS][Info]: Received reboot_reason as:unknown
[1588029390][PARODUS][Info]: Received reconnect_reason as:webpa_process_starts
[1588029390][PARODUS][Info]: User-Agent: PARODUS-2.0-1.1.3-37-g1d85742 (mock-rdkb-firmware; aker-testing/Example;)
[1588029390][PARODUS][Info]: X-WebPA-Convey Header: [316]{"hw-model":"aker-testing","hw-serial-number":"mock-rdkb-simulator","hw-manufacturer":"Example","fw-name":"mock-rdkb-firmware","boot-time":1588029390,"webpa-protocol":"PARODUS-2.0-1.1.3-37-g1d85742","webpa-interface-used":"eth0","hw-last-reboot-reason":"unknown","webpa-last-reconnect-reason":"webpa_process_starts"}
[1588029390][PARODUS][Info]: Device_id mac:998877665544
[1588029390][PARODUS][Info]: full url: http://petasos:6400
[1588029390][PARODUS][Info]: server address copied from url
[1588029390][PARODUS][Info]: server petasos, port 6400, http_match 1
[1588029390][PARODUS][Info]: default server_Address petasos
[1588029390][PARODUS][Info]: default port 6400
[1588029390][PARODUS][Info]: uuid_header formed X-Midt-Uuid: 19d59317-02c3-4014-a870-de67c3ac1620
[1588029390][PARODUS][Info]: curl Ip resolve option set as default mode
[1588029390][PARODUS][Info]: themis curl response 0 http_code 200
[1588029390][PARODUS][Info]: curl response Time: 0.0 seconds
[1588029390][PARODUS][Info]: cURL success
[1588029390][PARODUS][Info]: cfg->webpa_auth_token created successfully
[1588029390][PARODUS][Info]: nopoll_conn.c:331 IPv4 address of petasos is 172.25.0.6
[1588029390][PARODUS][Info]: nopoll_conn.c:377 Create socket with non blocking-mode
[1588029390][PARODUS][Info]: nopoll_conn.c:264 Result of wait after connect EINPROGRESS = 0
[1588029390][PARODUS][Error]: nopoll_conn.c:3067 websocket server denied connection with: 307 Temporary Redirect
[1588029390][PARODUS][Error]: nopoll_conn.c:2914 Received uncomplete listener handshake reply (0 0 0)
[1588029390][PARODUS][Info]: nopoll_conn.c:5229 nopoll_conn_wait_for_status_until_connection_ready() response: message: Redirect:http://talaria-0:6200/api/v2/device
[1588029390][PARODUS][Info]: Received temporary redirection response message Redirect:http://talaria-0:6200/api/v2/device
[1588029390][PARODUS][Info]: full url: http://talaria-0:6200/api/v2/device
[1588029390][PARODUS][Info]: server address copied from url
[1588029390][PARODUS][Info]: server talaria-0, port 6200, http_match 1
[1588029390][PARODUS][Info]: nopoll_ctx.c:338 Unregistered connection id 2
[1588029390][PARODUS][Info]: cloud_status set as offline after connection close
[1588029390][PARODUS][Info]: nopoll_conn.c:331 IPv4 address of talaria-0 is 172.25.0.8
[1588029390][PARODUS][Info]: nopoll_conn.c:377 Create socket with non blocking-mode
[1588029390][PARODUS][Info]: nopoll_conn.c:264 Result of wait after connect EINPROGRESS = 0
[1588029390][PARODUS][Info]: nopoll_conn.c:5246 *****End nopoll_conn_wait_for_status_until_connection_ready ****
[1588029390][PARODUS][Info]: Connected to server
[1588029390][PARODUS][Info]: cloud_status set as online after successful connection
[1588029390][PARODUS][Info]: connect_time-diff-boot_time=0
[1588029390][PARODUS][Info]: libseshat disabled, Hence proceeding without registration
[1588029390][PARODUS][Info]: nanomsg server gone into the listening mode...
[1588029390][PARODUS][Info]: No clients are registered, waiting ..
[1588029391][PARODUS][Info]: Upstream message received from nanomsg client
[1588029391][PARODUS][Info]:
Nanomsg client Registration for Upstream
[1588029391][PARODUS][Info]: Adding first client to list
[1588029391][PARODUS][Info]: client service aker is added to list with url: tcp://127.0.0.1:16015
[1588029391][PARODUS][Info]: sending auth status to reg client
[1588029391][PARODUS][Info]: Client aker Registered successfully. Sending Acknowledgement...
[1588029391][PARODUS][Info]: Sending ack:new_node->sock 1 service:aker
```
And as expected, I can see the device in the devices api:
```
# curl -s -H "Authorization: Basic dXNlcjpwYXNz" http://localhost:6200/api/v2/devices |jq
{
  "devices": [
    {
      "id": "mac:998877665544",
      "pending": 0,
      "statistics": {
        "bytesSent": 0,
        "messagesSent": 0,
        "bytesReceived": 0,
        "messagesReceived": 0,
        "duplications": 0,
        "connectedAt": "2020-04-27T23:16:30.937257801Z",
        "upTime": "16.626220638s"
      }
    }
  ]
}
```
And here is my rdk simulator, having run "docker stop themis-image-id":
```
# docker run --rm --network=e5ac3216e7d1 -e CMAC=998877665544 xmidt/rdkb-simulator
[1588029729][PARODUS][Info]: RAND_MAX is 2147483647 (0x7fffffff)
[1588029729][PARODUS][Info]: ********** Starting component: Parodus **********
[1588029729][PARODUS][Info]: Setting default values to parodusCfg
[1588029729][PARODUS][Info]: cfg->webpa_protocol is PARODUS-2.0-1.1.3-37-g1d85742
[1588029729][PARODUS][Info]: Default cloud_status is offline
[1588029729][PARODUS][Info]: Parsing parodus command line arguments..
[1588029729][PARODUS][Info]: hw-model is aker-testing
[1588029729][PARODUS][Info]: cert_path is /etc/ssl/certs/ca-certificates.crt
[1588029729][PARODUS][Info]: client_cert_path is /etc/ssl/certs/ca-certificates.crt
[1588029729][PARODUS][Info]: hw_serial_number is mock-rdkb-simulator
[1588029729][PARODUS][Info]: hw_manufacturer is Example
[1588029729][PARODUS][Info]: hw_mac is 998877665544
[1588029729][PARODUS][Info]: hw_last_reboot_reason is unknown
[1588029729][PARODUS][Info]: fw_name is mock-rdkb-firmware
[1588029729][PARODUS][Info]: boot_time is 1588029729
[1588029729][PARODUS][Info]: partner_id is comcast
[1588029729][PARODUS][Info]: parodus local_url is tcp://127.0.0.1:16014
[1588029729][PARODUS][Info]: webpa_ping_timeout is 60
[1588029729][PARODUS][Info]: token_server_url is http://themis:6501/issue
[1588029729][PARODUS][Info]: webpa_backoff_max is 2
[1588029729][PARODUS][Info]: webpa_interface_used is eth0
[1588029729][PARODUS][Info]: webpa_url is http://petasos:6400
[1588029729][PARODUS][Info]: Force IPv4
[1588029729][PARODUS][Info]: Received reboot_reason as:unknown
[1588029729][PARODUS][Info]: Received reconnect_reason as:webpa_process_starts
[1588029729][PARODUS][Info]: User-Agent: PARODUS-2.0-1.1.3-37-g1d85742 (mock-rdkb-firmware; aker-testing/Example;)
[1588029729][PARODUS][Info]: X-WebPA-Convey Header: [316]{"hw-model":"aker-testing","hw-serial-number":"mock-rdkb-simulator","hw-manufacturer":"Example","fw-name":"mock-rdkb-firmware","boot-time":1588029729,"webpa-protocol":"PARODUS-2.0-1.1.3-37-g1d85742","webpa-interface-used":"eth0","hw-last-reboot-reason":"unknown","webpa-last-reconnect-reason":"webpa_process_starts"}
[1588029729][PARODUS][Info]: Device_id mac:998877665544
[1588029729][PARODUS][Info]: full url: http://petasos:6400
[1588029729][PARODUS][Info]: server address copied from url
[1588029729][PARODUS][Info]: server petasos, port 6400, http_match 1
[1588029729][PARODUS][Info]: default server_Address petasos
[1588029729][PARODUS][Info]: default port 6400
[1588029729][PARODUS][Info]: uuid_header formed X-Midt-Uuid: a0c60c1c-77e3-4961-93c2-d4c657b677f2
[1588029729][PARODUS][Info]: curl Ip resolve option set as default mode
[1588029735][PARODUS][Info]: themis curl response 6 http_code 0
[1588029735][PARODUS][Info]: curl response Time: 4.9 seconds
[1588029735][PARODUS][Error]: curl_easy_perform() failed: Couldn't resolve host name
[1588029735][PARODUS][Error]: Failed to create new token
[1588029735][PARODUS][Error]: Curl execution is failed, retry attempt: 1
[1588029735][PARODUS][Info]: uuid_header formed X-Midt-Uuid: afc5acd7-badb-40dd-bd64-08f012b936da
[1588029735][PARODUS][Info]: curl Ip resolve option set as V4 mode
[1588029740][PARODUS][Info]: themis curl response 6 http_code 0
[1588029740][PARODUS][Info]: curl response Time: 4.9 seconds
[1588029740][PARODUS][Error]: curl_easy_perform() failed: Couldn't resolve host name
[1588029740][PARODUS][Error]: Failed to create new token
[1588029740][PARODUS][Error]: Curl execution is failed, retry attempt: 2
[1588029740][PARODUS][Info]: uuid_header formed X-Midt-Uuid: d86b7998-cbc3-436a-a38a-4535c1700ba0
[1588029740][PARODUS][Info]: curl Ip resolve option set as V6 mode
[1588029745][PARODUS][Info]: themis curl response 6 http_code 0
[1588029745][PARODUS][Info]: curl response Time: 4.9 seconds
[1588029745][PARODUS][Error]: curl_easy_perform() failed: Couldn't resolve host name
[1588029745][PARODUS][Error]: Failed to create new token
[1588029745][PARODUS][Error]: Curl execution is failed, retry attempt: 3
[1588029745][PARODUS][Error]: Curl retry is reached to max 3 attempts, proceeding without token
[1588029745][PARODUS][Info]: nopoll_conn.c:331 IPv4 address of petasos is 172.25.0.6
[1588029745][PARODUS][Info]: nopoll_conn.c:377 Create socket with non blocking-mode
[1588029745][PARODUS][Info]: nopoll_conn.c:264 Result of wait after connect EINPROGRESS = 0
[1588029745][PARODUS][Error]: nopoll_conn.c:3067 websocket server denied connection with: 307 Temporary Redirect
[1588029745][PARODUS][Error]: nopoll_conn.c:2914 Received uncomplete listener handshake reply (0 0 0)
[1588029745][PARODUS][Info]: nopoll_conn.c:5229 nopoll_conn_wait_for_status_until_connection_ready() response: message: Redirect:http://talaria-0:6200/api/v2/device
[1588029745][PARODUS][Info]: Received temporary redirection response message Redirect:http://talaria-0:6200/api/v2/device
[1588029745][PARODUS][Info]: full url: http://talaria-0:6200/api/v2/device
[1588029745][PARODUS][Info]: server address copied from url
[1588029745][PARODUS][Info]: server talaria-0, port 6200, http_match 1
[1588029745][PARODUS][Info]: nopoll_ctx.c:338 Unregistered connection id 2
[1588029745][PARODUS][Info]: cloud_status set as offline after connection close
[1588029745][PARODUS][Info]: uuid_header formed X-Midt-Uuid: 71747b8a-5ae5-4928-8aea-48e867dcbb53
```
I can still see the device when I curl Talaria devices api.
I'm expecting somewhere in Talaria configuration to be able to block clients that "proceed without token"?
```
[1588029745][PARODUS][Error]: Curl retry is reached to max 3 attempts, proceeding without token
```
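The enforcement the question asks about, shown as an added illustration that is not code from Talaria, Parodus or the xmidt project: a registration gate that fails closed when a client arrives with no Authorization header (the "proceeding without token" case in the log above), resolves the verification key by the token's `kid` the way the `keys.Factory` URI `http://themis:6500/keys/{keyId}` suggests, and rejects tokens with a bad signature or a passed `exp`. HS256 with a constructed shared secret, the key id `dev-key-1`, the `mac` claim and the in-memory key store are assumptions made so that it runs offline; a real deployment would fetch public keys from the token server instead.

```python
"""Fail-closed bearer-token gate for a device-registration handshake.

Added illustration only; not Talaria's or Parodus's code. The in-memory KEY_STORE
stands in for the /keys/{keyId} lookup that the talaria jwtValidators config points at,
and HS256 with a constructed secret is an assumption so the example runs offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed key store keyed by JWT "kid"; hypothetical values, not from the page.
KEY_STORE = {
    "dev-key-1": b"constructed-shared-secret-for-the-example",
}

ALLOWED_ALGS = {"HS256"}  # never honour an alg the token names if it is not on this list


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def mint_token(kid: str, claims: dict) -> str:
    """Issue an HS256 JWT; stands in for the token server's /issue endpoint."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(KEY_STORE[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def authorize(headers: dict, now: Optional[float] = None) -> Tuple[int, str]:
    """Decide a registration handshake from its HTTP headers.

    Returns (status, reason). The only path to acceptance (200 here) is a JWT whose
    signature verifies under a known kid and whose exp has not passed; every other
    case, including a missing header, is refused rather than admitted.
    """
    now = time.time() if now is None else now
    auth = headers.get("Authorization") or headers.get("authorization")
    if not auth:
        return 401, "missing Authorization header"
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, "expected Bearer token"
    parts = token.split(".")
    if len(parts) != 3:
        return 401, "malformed JWT"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return 401, "undecodable JWT"
    if header.get("alg") not in ALLOWED_ALGS:
        return 401, "unsupported alg"
    key = KEY_STORE.get(header.get("kid"))
    if key is None:
        return 401, "unknown kid"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return 401, "bad signature"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return 401, "token expired or missing exp"
    return 200, f"device {claims.get('mac', '?')} accepted"


if __name__ == "__main__":
    good = mint_token("dev-key-1", {"mac": "998877665544", "exp": time.time() + 300})
    print(authorize({"Authorization": "Bearer " + good}))   # accepted
    print(authorize({}))                                    # refused: no token
    print(authorize({"Authorization": "Basic dXNlcjpwYXNz"}))  # refused: wrong scheme
```

The design point is the order of the checks: the absence of a token is decided first and terminally, so a client that gave up on the token server cannot fall through to the same code path as a client that presented a valid token.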
@TomJoons responded to this on our forum: https://discussion.xmidt.io/t/questions-around-themis-talaira-jwt/52/2 Thanks! 👍