Merge #111 with modifications.

It contains a couple of fixes and simplifications:

* Rebased on v3 refactor
* CA certificate is embedded (like with the other Azure libraries)
* Connection string can be used and is parsed by LoRa Gateway Bridge
* Couple of minor fixes / changes

Thanks @asanchezdelc for the initial work on this.

Closes #111.

Author: brocaar

cmd/lora-gateway-bridge/cmd/configfile.go

@@ -262,6 +262,26 @@ marshaler="{{ .Integration.Marshaler }}"
     jwt_key_file="{{ .Integration.MQTT.Auth.GCPCloudIoTCore.JWTKeyFile }}"
 
 
+    # Azure IoT Hub
+    #
+    # This setting will preset uplink and downlink topics that will only
+    # work with Azure IoT Hub service.
+    [integation.mqtt.auth.azure_iot_hub]
+
+    # Device connection string.
+    #
+    # This connection string can be retrieved from the Azure IoT Hub device
+    # details.
+    device_connection_string="{{ .Integration.MQTT.Auth.AzureIoTHub.DeviceConnectionString }}"
+
+    # Token expiration.
+    #
+    # LoRa Gateway Bridge will generate a SAS token with the given expiration.
+    # After the token has expired, it will generate a new one and trigger a
+    # re-connect.
+    sas_token_expiration="{{ .Integration.MQTT.Auth.AzureIoTHub.SASTokenExpiration }}"
+
+
 # Metrics configuration.
 [metrics]
 

cmd/lora-gateway-bridge/cmd/root.go

@@ -60,6 +60,8 @@ func init() {
 	viper.SetDefault("integration.mqtt.auth.gcp_cloud_iot_core.server", "ssl://mqtt.googleapis.com:8883")
 	viper.SetDefault("integration.mqtt.auth.gcp_cloud_iot_core.jwt_expiration", time.Hour*24)
 
+	viper.SetDefault("integration.mqtt.auth.azure_iot_hub.sas_token_expiration", 24*time.Hour)
+
 	rootCmd.AddCommand(versionCmd)
 	rootCmd.AddCommand(configCmd)
 }

docs/content/install/config.md

@@ -101,12 +101,15 @@ type="semtech_udp"
   # the time would otherwise be unset.
   fake_rx_time=false
 
-    # # Managed packet-forwarder configuration.
-    # #
-    # # By configuring one or multiple managed packet-forwarder sections, the
-    # # LoRa Gateway Bridge updates the configuration when the backend receives
-    # # a configuration change, after which it will restart the packet-forwarder.
-    # [[packet_forwarder.configuration]]
+    # Managed packet-forwarder configuration.
+    #
+    # By configuring one or multiple managed packet-forwarder sections, the
+    # LoRa Gateway Bridge updates the configuration when the backend receives
+    # a configuration change, after which it will restart the packet-forwarder.
+    #
+    # Example (this configuration can be repeated):
+    #
+    # [[backend.semtech_udp.configuration]]
     # # Gateway ID.
     # #
     # # The LoRa Gateway Bridge will only apply the configuration updates for this
@@ -135,6 +138,7 @@ type="semtech_udp"
     # # permissions to execute this command.
     # restart_command="/etc/init.d/lora-packet-forwarder restart"
 
+
   # Basic Station backend.
   [backend.basic_station]
 
@@ -304,6 +308,26 @@ marshaler="protobuf"
     jwt_key_file=""
 
 
+    # Azure IoT Hub
+    #
+    # This setting will preset uplink and downlink topics that will only
+    # work with Azure IoT Hub service.
+    [integation.mqtt.auth.azure_iot_hub]
+
+    # Device connection string.
+    #
+    # This connection string can be retrieved from the Azure IoT Hub device
+    # details.
+    device_connection_string=""
+
+    # Token expiration.
+    #
+    # LoRa Gateway Bridge will generate a SAS token with the given expiration.
+    # After the token has expired, it will generate a new one and trigger a
+    # re-connect.
+    sas_token_expiration="24h0m0s"
+
+
 # Metrics configuration.
 [metrics]
 

docs/content/integrate/azure-iot-hub.md

@@ -0,0 +1,48 @@
+---
+title: Azure IoT Hub
+menu:
+  main:
+    parent: integrate
+    weight: 3
+description: Setting up the LoRa Gateway Bridge using the Azure IoT Hub MQTT protocol.
+---
+
+# Azure IoT Hub
+
+The Azure [IoT Hub](https://azure.microsoft.com/en-us/services/iot-hub/)
+authentication thype must be used when connecting with the
+[IoT Hub MQTT interface](https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-mqtt-support).
+
+## Limitations
+
+* Please note that this authentication type is only available for the `json` or
+  `protobuf` marshaler.
+* As you need to setup the device ID (in this case the device is the gateway)
+  when provisioning the device (LoRa gateway) in Cloud IoT Core,
+  this does not allow to connect multiple LoRa gateways to a single LoRa Gateway
+  Bridge instance.
+
+## Conventions
+
+### Device ID naming
+
+The IoT Hub Device ID must match the Gateway ID (e.g. `0102030405060708`).
+
+### MQTT topics
+
+When the Azure IoT Hub authentication type has been configured, LoRa Gateway
+Bridge will use MQTT topics which are expected by Azure IoT Hub and will
+ignore the MQTT topic configuration from the `lora-gateway-bridge.toml`
+configuration file.
+
+#### Uplink topics
+
+* `devices/[GATEWAY_ID]/messages/events/up`: uplink frame
+* `devices/[GATEWAY_ID]/messages/events/stats`: gateway statistics
+* `devices/[GATEWAY_ID]/messages/events/ack`: downlink frame acknowledgements (scheduling)
+
+#### Downlink topics
+
+* `devices/[GATEWAY_ID]/messages/devicebound/down`: scheduling downlink frame transmission
+* `devices/[GATEWAY_ID]/messages/devicebound/config`: gateway configuration
+

docs/content/integrate/gcp-cloud-iot-core.md

@@ -4,6 +4,7 @@ menu:
     main:
         parent: integrate
         weight: 3
+description: Setting up the LoRa Gateway Bridge using the GCP Cloud IoT Core MQTT Bridge.
 ---
 
 # Google Cloud Platform Cloud IoT Core

docs/content/integrate/generic-mqtt.md

@@ -4,6 +4,7 @@ menu:
     main:
         parent: integrate
         weight: 2
+description: Setting up the LoRa Gateway Bridge using a generic MQTT broker.
 ---
 
 # Generic MQTT authentication

internal/config/config.go

@@ -73,6 +73,14 @@ type Config struct {
 					JWTExpiration time.Duration `mapstructure:"jwt_expiration"`
 					JWTKeyFile    string        `mapstructure:"jwt_key_file"`
 				} `mapstructure:"gcp_cloud_iot_core"`
+
+				AzureIoTHub struct {
+					DeviceConnectionString string        `mapstructure:"device_connection_string"`
+					DeviceID               string        `mapstructure:"-"`
+					Hostname               string        `mapstructure:"-"`
+					DeviceKey              string        `mapstructure:"-"`
+					SASTokenExpiration     time.Duration `mapstructure:"sas_token_expiration"`
+				} `mapstructure:"azure_iot_hub"`
 			} `mapstructure:"auth"`
 		} `mapstructure:"mqtt"`
 	} `mapstructure:"integration"`

internal/integration/mqtt/auth/azure_iot_hub.go

@@ -0,0 +1,171 @@
+package auth
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/base64"
+	"fmt"
+	"net/url"
+	"strings"
+	"time"
+
+	mqtt "github.com/eclipse/paho.mqtt.golang"
+	"github.com/pkg/errors"
+
+	"github.com/brocaar/lora-gateway-bridge/internal/config"
+)
+
+// See:
+// https://docs.microsoft.com/en-us/azure/iot-hub/iot-hub-mqtt-support#tlsssl-configuration
+// https://github.com/Azure/azure-iot-sdk-c/blob/master/certs/certs.c
+const digiCertBaltimoreRootCA = `
+-----BEGIN CERTIFICATE-----
+MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
+VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
+DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
+ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
+VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
+mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
+IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
+mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
+XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
+dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
+jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
+BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
+9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
+jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
+Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
+ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
+R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
+-----END CERTIFICATE-----
+`
+
+// AzureIoTHubAuthentication implements the Azure IoT Hub authentication.
+type AzureIoTHubAuthentication struct {
+	clientID           string
+	username           string
+	deviceKey          []byte
+	hostname           string
+	sasTokenExpiration time.Duration
+
+	tlsConfig *tls.Config
+}
+
+// NewAzureIoTHubAuthentication creates an AzureIoTHubAuthentication.
+func NewAzureIoTHubAuthentication(c config.Config) (Authentication, error) {
+	conf := c.Integration.MQTT.Auth.AzureIoTHub
+
+	certpool := x509.NewCertPool()
+	if !certpool.AppendCertsFromPEM([]byte(digiCertBaltimoreRootCA)) {
+		return nil, errors.New("append ca cert from pem error")
+	}
+
+	if conf.DeviceConnectionString != "" {
+		kvMap, err := parseConnectionString(conf.DeviceConnectionString)
+		if err != nil {
+			return nil, errors.Wrap(err, "parse connection string error")
+		}
+
+		for k, v := range kvMap {
+			switch k {
+			case "HostName":
+				conf.Hostname = v
+			case "DeviceId":
+				conf.DeviceID = v
+			case "SharedAccessKey":
+				conf.DeviceKey = v
+			}
+		}
+	}
+
+	username := fmt.Sprintf("%s/%s",
+		conf.Hostname,
+		conf.DeviceID,
+	)
+
+	deviceKeyB, err := base64.StdEncoding.DecodeString(conf.DeviceKey)
+	if err != nil {
+		return nil, errors.Wrap(err, "decode device key error")
+	}
+
+	return &AzureIoTHubAuthentication{
+		clientID:  conf.DeviceID,
+		username:  username,
+		deviceKey: deviceKeyB,
+		hostname:  conf.Hostname,
+		tlsConfig: &tls.Config{
+			RootCAs: certpool,
+		},
+	}, nil
+}
+
+// Init applies the initial configuration.
+func (a *AzureIoTHubAuthentication) Init(opts *mqtt.ClientOptions) error {
+	broker := fmt.Sprintf("ssl://%s:8883", a.hostname)
+	opts.AddBroker(broker)
+	opts.SetClientID(a.clientID)
+	opts.SetUsername(a.username)
+
+	return nil
+}
+
+// Update updates the authentication options.
+func (a *AzureIoTHubAuthentication) Update(opts *mqtt.ClientOptions) error {
+	resourceURI := fmt.Sprintf("%s/devices/%s",
+		a.hostname,
+		a.clientID,
+	)
+	token, err := createSASToken(resourceURI, a.deviceKey, a.sasTokenExpiration)
+	if err != nil {
+		return errors.Wrap(err, "create SAS token error")
+	}
+
+	opts.SetPassword(token)
+
+	return nil
+}
+
+// ReconnectAfter returns a time.Duration after which the MQTT client must re-connect.
+// Note: return 0 to disable the periodical re-connect feature.
+func (a *AzureIoTHubAuthentication) ReconnectAfter() time.Duration {
+	return a.sasTokenExpiration
+}
+
+func createSASToken(uri string, deviceKey []byte, expiration time.Duration) (string, error) {
+	encoded := url.QueryEscape(uri)
+	exp := time.Now().Add(expiration).Unix()
+
+	signature := fmt.Sprintf("%s\n%d", encoded, exp)
+
+	mac := hmac.New(sha256.New, deviceKey)
+	mac.Write([]byte(signature))
+	hash := url.QueryEscape(base64.StdEncoding.EncodeToString(mac.Sum(nil)))
+
+	// IoT Hub SAS Token only needs `sr`, `sig` and `se` unlike other Azure services
+	token := fmt.Sprintf("SharedAccessSignature sr=%s&sig=%s&se=%d",
+		encoded,
+		hash,
+		exp,
+	)
+
+	return token, nil
+}
+
+func parseConnectionString(str string) (map[string]string, error) {
+	out := make(map[string]string)
+	pairs := strings.Split(str, ";")
+	for _, pair := range pairs {
+		kv := strings.SplitN(pair, "=", 2)
+		if len(kv) != 2 {
+			return nil, fmt.Errorf("expected two items in: %+v", kv)
+		}
+
+		out[kv[0]] = kv[1]
+	}
+
+	return out, nil
+}

internal/integration/mqtt/auth/azure_iot_hub_test.go

@@ -0,0 +1,46 @@
+package auth
+
+import (
+	"errors"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestParseConnectionString(t *testing.T) {
+	tests := []struct {
+		Name             string
+		ConnectionString string
+		ExpectedKV       map[string]string
+		ExpectedError    error
+	}{
+		{
+			Name:             "valid string",
+			ConnectionString: "HostName=gateways-eu868.azure-devices.net;DeviceId=00800000a00016b6;SharedAccessKey=WWVQv+auegGaG2mm2/0FIS24xqkmZW/z5cYBO898+8I=",
+			ExpectedKV: map[string]string{
+				"HostName":        "gateways-eu868.azure-devices.net",
+				"DeviceId":        "00800000a00016b6",
+				"SharedAccessKey": "WWVQv+auegGaG2mm2/0FIS24xqkmZW/z5cYBO898+8I=",
+			},
+		},
+		{
+			Name:             "invalid string",
+			ConnectionString: "HostName;gateways-eu868.azure-devices.net;DeviceId=00800000a00016b6;SharedAccessKey=WWVQv+auegGaG2mm2/0FIS24xqkmZW/z5cYBO898+8I=",
+			ExpectedError:    errors.New("expected two items in: [HostName]"),
+		},
+	}
+
+	for _, tst := range tests {
+		t.Run(tst.Name, func(t *testing.T) {
+			assert := require.New(t)
+
+			kv, err := parseConnectionString(tst.ConnectionString)
+			assert.Equal(tst.ExpectedError, err)
+			if err != nil {
+				return
+			}
+
+			assert.EqualValues(tst.ExpectedKV, kv)
+		})
+	}
+}