feat: adds support for E2E TLS connection between AMT and RPS#

Author: rsdmike

src/DataProcessor.ts

@@ -79,6 +79,10 @@ export class DataProcessor {
           await this.handleConnectionReset(clientMsg, clientId)
           break
         }
+        case ClientMethods.PORT_SWITCH_ACK: {
+          await this.handlePortSwitchAck(clientMsg, clientId)
+          break
+        }
         default: {
           const uuid = clientMsg.payload.uuid ? clientMsg.payload.uuid : devices[clientId].ClientData.payload.uuid
           throw new RPSError(`Device ${uuid} Not a supported method received from AMT device`)
@@ -253,6 +257,15 @@ export class DataProcessor {
     }
   }
 
+  async handlePortSwitchAck(clientMsg: ClientMsg, clientId: string): Promise<void> {
+    const clientObj = devices[clientId]
+    this.logger.info(`PORT_SWITCH_ACK received from rpc-go for device ${clientObj?.uuid}`)
+
+    if (clientObj?.pendingPromise != null && clientObj.resolve != null) {
+      clientObj.resolve('port_switch_ack')
+    }
+  }
+
   async handleConnectionReset(clientMsg: ClientMsg, clientId: string): Promise<void> {
     const clientObj = devices[clientId]
     this.logger.warn(`CONNECTION RESET from rpc-go`)

src/Validator.ts

@@ -80,6 +80,11 @@ export class Validator implements IValidator {
         this.logger.info(`Device ${payload.uuid} has TLS enforced - enabling TLS tunnel mode`)
       }
     }
+    // Extract TLS tunnel activation flag from payload
+    if (msg.payload.tlsTunnel === true) {
+      clientObj.tlsTunnelActivation = true
+      this.logger.info(`Device ${payload.uuid} requested TLS tunnel activation`)
+    }
     // Check for client requested action and profile activation
     const profile: AMTConfiguration | null = await this.configurator.profileManager.getAmtProfile(
       payload.profile,

src/interfaces/ISecretManagerService.ts

@@ -9,6 +9,8 @@ export interface DeviceCredentials {
   AMT_PASSWORD: string | null
   MPS_PASSWORD?: string // only required for CIRA
   MEBX_PASSWORD?: string | null
+  TLS_ROOT_CERTIFICATE?: string
+  TLS_ISSUED_CERTIFICATE?: string
   version?: string
 }
 

src/models/RCS.Config.ts

@@ -126,6 +126,7 @@ export interface ClientObject {
   resolve: (value: unknown) => void
   reject: (value: unknown) => void
   tlsEnforced?: boolean
+  tlsTunnelActivation?: boolean
   tlsTunnelManager?: TLSTunnelManager
   tlsTunnelNeedsReset?: boolean
   tlsTunnelSessionId?: string // Current TLS session ID for filtering stale data
@@ -200,6 +201,9 @@ export interface TLSConfigFlow {
   commitLocalTLS?: boolean
   getTimeSynch?: boolean
   setTimeSynch?: boolean
+  rootCertPEM?: string
+  rootCertKey?: any
+  issuedCertPEM?: string
 }
 
 export interface mpsServer {
@@ -240,6 +244,7 @@ export interface Payload {
   client: string
   profile?: any
   tlsEnforced?: boolean
+  tlsTunnel?: boolean
 }
 
 export interface ConnectionObject {
@@ -271,7 +276,9 @@ export enum ClientMethods {
   HEARTBEAT = 'heartbeat_response',
   MAINTENANCE = 'maintenance',
   TLS_DATA = 'tls_data',
-  CONNECTION_RESET = 'connection_reset'
+  CONNECTION_RESET = 'connection_reset',
+  PORT_SWITCH = 'port_switch',
+  PORT_SWITCH_ACK = 'port_switch_ack'
 }
 
 export interface apiResponse {

src/stateMachines/activation.test.ts

@@ -133,6 +133,7 @@ describe('Activation State Machine', () => {
       canActivate: true,
       shbcCCMComplete: false,
       shbcACMComplete: false,
+      tlsTunnelCCMComplete: false,
       message: '',
       clientId,
       xmlMessage: '',
@@ -259,7 +260,11 @@ describe('Activation State Machine', () => {
         tls: fromPromise(async ({ input }) => await Promise.resolve({ clientId })),
         cira: fromPromise(async ({ input }) => await Promise.resolve({ clientId })),
         setMEBxPassword: fromPromise(async ({ input }) => await Promise.resolve({ clientId })),
-        initializeTLSTunnel: fromPromise(async () => await Promise.resolve(true))
+        initializeTLSTunnel: fromPromise(async () => await Promise.resolve(true)),
+        saveTlsTunnelCerts: fromPromise(async () => await Promise.resolve(true)),
+        signalPortSwitch: fromPromise(async () => await Promise.resolve(true)),
+        initializeTlsTunnelConnection: fromPromise(async () => await Promise.resolve(true)),
+        tlsTunnelProvisioning: fromPromise(async () => await Promise.resolve({ clientId }))
       },
       actions: {
         'Read General Settings': () => {},
@@ -2097,4 +2102,120 @@ describe('Activation State Machine', () => {
       expect(devices[clientId].tlsTunnelManager).toBeUndefined()
     })
   })
+
+  describe('TLS Tunnel Activation', () => {
+    describe('saveTlsTunnelCerts', () => {
+      it('should save certs to vault for ACM', async () => {
+        const clientObj = devices[clientId]
+        clientObj.uuid = 'test-uuid'
+        clientObj.amtPassword = 'testAMTpw'
+        clientObj.mebxPassword = 'testMEBXpw'
+        clientObj.action = ClientAction.ADMINCTLMODE
+        clientObj.tls = { rootCertPEM: 'rootCert', issuedCertPEM: 'issuedCert' } as any
+
+        const insertSpy = spyOn(activation.configurator.secretsManager, 'writeSecretWithObject').mockImplementation(
+          async () => true
+        )
+        const result = await activation.saveTlsTunnelCerts({ input: context } as any)
+        expect(result).toBe(true)
+        expect(insertSpy).toHaveBeenCalledWith('devices/test-uuid', {
+          AMT_PASSWORD: 'testAMTpw',
+          MEBX_PASSWORD: 'testMEBXpw',
+          TLS_ROOT_CERTIFICATE: 'rootCert',
+          TLS_ISSUED_CERTIFICATE: 'issuedCert'
+        })
+      })
+
+      it('should save certs to vault for CCM (mebxPassword null)', async () => {
+        const clientObj = devices[clientId]
+        clientObj.uuid = 'test-uuid'
+        clientObj.amtPassword = 'testAMTpw'
+        clientObj.mebxPassword = null
+        clientObj.action = ClientAction.CLIENTCTLMODE as any
+        clientObj.tls = { rootCertPEM: 'rootCert', issuedCertPEM: 'issuedCert' } as any
+
+        const insertSpy = spyOn(activation.configurator.secretsManager, 'writeSecretWithObject').mockImplementation(
+          async () => true
+        )
+        const result = await activation.saveTlsTunnelCerts({ input: context } as any)
+        expect(result).toBe(true)
+        expect(insertSpy).toHaveBeenCalledWith('devices/test-uuid', {
+          AMT_PASSWORD: 'testAMTpw',
+          MEBX_PASSWORD: null,
+          TLS_ROOT_CERTIFICATE: 'rootCert',
+          TLS_ISSUED_CERTIFICATE: 'issuedCert'
+        })
+      })
+
+      it('should throw when amtPassword is null', async () => {
+        const clientObj = devices[clientId]
+        clientObj.uuid = 'test-uuid'
+        clientObj.amtPassword = null
+        clientObj.mebxPassword = 'testMEBXpw'
+        clientObj.action = ClientAction.ADMINCTLMODE
+
+        await expect(activation.saveTlsTunnelCerts({ input: context } as any)).rejects.toThrow(
+          'Missing prerequisites for saving TLS tunnel certs'
+        )
+      })
+
+      it('should throw when mebxPassword is null for ACM', async () => {
+        const clientObj = devices[clientId]
+        clientObj.uuid = 'test-uuid'
+        clientObj.amtPassword = 'testAMTpw'
+        clientObj.mebxPassword = null
+        clientObj.action = ClientAction.ADMINCTLMODE
+
+        await expect(activation.saveTlsTunnelCerts({ input: context } as any)).rejects.toThrow(
+          'Missing prerequisites for saving TLS tunnel certs'
+        )
+      })
+    })
+
+    describe('signalPortSwitch', () => {
+      it('should send port_switch message and resolve on ACK', async () => {
+        const clientObj = devices[clientId]
+        clientObj.uuid = 'test-uuid'
+        clientObj.tls = { rootCertPEM: 'rootCert' } as any
+        responseMessageSpy.mockRestore()
+        sendSpy.mockRestore()
+        sendSpy = spyOn(devices[clientId].ClientSocket, 'send').mockReturnValue()
+
+        const promise = activation.signalPortSwitch({ input: context } as any)
+
+        // Simulate PORT_SWITCH_ACK by resolving the pending promise
+        await new Promise((r) => setTimeout(r, 10))
+        clientObj.resolve('port_switch_ack')
+
+        const result = await promise
+        expect(result).toBe(true)
+        expect(sendSpy).toHaveBeenCalled()
+      })
+
+      it('should reject on ACK timeout', async () => {
+        jest.useFakeTimers()
+        const clientObj = devices[clientId]
+        clientObj.uuid = 'test-uuid'
+        clientObj.tls = { rootCertPEM: 'rootCert' } as any
+        Environment.Config.delay_tls_timer = 1
+
+        const promise = activation.signalPortSwitch({ input: context } as any)
+        jest.advanceTimersByTime(61 * 1000 + 1)
+
+        await expect(promise).rejects.toThrow('PORT_SWITCH_ACK timeout')
+        jest.useRealTimers()
+      })
+    })
+
+    describe('initializeTlsTunnelConnection', () => {
+      it('should set tlsEnforced on the client object', () => {
+        // initializeTlsTunnelConnection creates a TLSTunnelManager and sets tlsEnforced = true on success.
+        // We verify that the state machine correctly routes failures via onError by checking the state definition.
+        const states = activation.machine.config.states as any
+        expect(states.INIT_TLS_TUNNEL_CONNECTION).toBeDefined()
+        expect(states.INIT_TLS_TUNNEL_CONNECTION.invoke.onError.target).toBe('FAILED')
+        expect(states.INIT_TLS_TUNNEL_CONNECTION.invoke.src).toBe('initializeTlsTunnelConnection')
+      })
+    })
+  })
 })