fix(sharing): share OOB devices only using fingerprint

Otherwise IMEI could be guessed.

Author: coderbyheart

.github/workflows/test-and-release.yaml

@@ -205,6 +205,7 @@ jobs:
         run: |
           ./cli.sh configure-nrfcloud-account apiEndpoint ${{ env.HTTP_API_MOCK_API_URL }}api.nrfcloud.com/
           ./cli.sh configure-nrfcloud-account apiKey apiKey_Nordic
+          ./cli.sh configure-hello apiEndpoint ${{ env.HTTP_API_MOCK_API_URL }}hello-api/
 
       - name: Deploy solution stack
         env:

cdk/resources/ShareAPI.ts

@@ -8,6 +8,7 @@ import { Construct } from 'constructs'
 import type { PublicDevices } from './PublicDevices.js'
 import { LambdaLogGroup } from '@bifravst/aws-cdk-lambda-helpers/cdk'
 import type { BackendLambdas } from '../BackendLambdas.js'
+import { Permissions } from '@hello.nrfcloud.com/nrfcloud-api-helpers/cdk'
 
 export class ShareAPI extends Construct {
 	public readonly shareFn: Lambda.IFunction
@@ -47,6 +48,7 @@ export class ShareAPI extends Construct {
 				FROM_EMAIL: `notification@${domain}`,
 				NODE_NO_WARNINGS: '1',
 				IS_TEST: this.node.getContext('isTest') === true ? '1' : '0',
+				STACK_NAME: Stack.of(this).stackName,
 			},
 			...new LambdaLogGroup(this, 'shareFnLogs'),
 			initialPolicy: [
@@ -63,6 +65,7 @@ export class ShareAPI extends Construct {
 						},
 					},
 				}),
+				Permissions(Stack.of(this)),
 			],
 		})
 		publicDevices.publicDevicesTable.grantWriteData(this.shareFn)

cli/cli.ts

@@ -16,6 +16,7 @@ import { env } from '../aws/env.js'
 import { configureNrfCloudAccount } from './commands/configure-nrfcloud-account.js'
 import { logsCommand } from './commands/logs.js'
 import { CloudWatchLogsClient } from '@aws-sdk/client-cloudwatch-logs'
+import { configureHello } from './commands/configure-hello.js'
 
 const ssm = new SSMClient({})
 const db = new DynamoDBClient({})
@@ -49,6 +50,7 @@ const CLI = async ({ isCI }: { isCI: boolean }) => {
 		buildContainersCommand({
 			ecr,
 		}),
+		configureHello({ ssm }),
 		configureNrfCloudAccount({ ssm }),
 		logsCommand({
 			stackName: STACK_NAME,

cli/commands/configure-hello.ts

@@ -0,0 +1,64 @@
+import { SSMClient } from '@aws-sdk/client-ssm'
+import chalk from 'chalk'
+import { STACK_NAME } from '../../cdk/stacks/stackConfig.js'
+import type { CommandDefinition } from './CommandDefinition.js'
+import {
+	deleteSettings,
+	putSetting,
+	type Settings,
+} from '../../settings/hello.js'
+
+export const configureHello = ({
+	ssm,
+}: {
+	ssm: SSMClient
+}): CommandDefinition => ({
+	command: 'configure-hello <property> [value]',
+	options: [
+		{
+			flags: '-d, --deleteBeforeUpdate',
+			description: `Useful when depending on the parameter having version 1, e.g. for use in CloudFormation`,
+		},
+		{
+			flags: '-X, --deleteParameter',
+			description: 'Deletes the parameter.',
+		},
+	],
+	action: async (
+		property: keyof Settings,
+		value: string | undefined,
+		{ deleteBeforeUpdate, deleteParameter },
+	) => {
+		if (deleteParameter !== undefined) {
+			// Delete
+			const { name } = await deleteSettings({
+				ssm,
+				stackName: STACK_NAME,
+			})(property)
+			console.log()
+			console.log(
+				chalk.green('Deleted the parameters from'),
+				chalk.blueBright(name),
+			)
+			return
+		}
+
+		if (value === undefined || value.length === 0) {
+			throw new Error(`Must provide value!`)
+		}
+
+		const { name } = await putSetting({
+			ssm,
+			stackName: STACK_NAME,
+		})(property as keyof Settings, new URL(value), deleteBeforeUpdate)
+
+		console.log()
+		console.log(
+			chalk.green('Updated the configuration'),
+			chalk.blueBright(name),
+			chalk.green('to'),
+			chalk.yellow(value),
+		)
+	},
+	help: 'Configure the system.',
+})

cli/commands/configure-nrfcloud-account.ts

@@ -46,7 +46,7 @@ export const configureNrfCloudAccount = ({
 		}
 
 		if (value === undefined || value.length === 0) {
-			throw new Error(`Must provide value either as argument or via stdin!`)
+			throw new Error(`Must provide value!`)
 		}
 
 		const { name } = await putSetting({

feature-runner/run-features.ts

@@ -6,14 +6,13 @@ import path from 'node:path'
 import type { StackOutputs as BackendStackOutputs } from '../cdk/stacks/BackendStack.js'
 import { STACK_NAME } from '../cdk/stacks/stackConfig.js'
 import { steps as storageSteps } from '@hello.nrfcloud.com/bdd-markdown-steps/storage'
-import {
-	steps as randomSteps,
-	email,
-	IMEI,
-} from '@hello.nrfcloud.com/bdd-markdown-steps/random'
+import { steps as randomSteps } from '@hello.nrfcloud.com/bdd-markdown-steps/random'
 import { steps as deviceSteps } from './steps/device.js'
 import { steps as RESTSteps } from '@hello.nrfcloud.com/bdd-markdown-steps/REST'
 import { IoTDataPlaneClient } from '@aws-sdk/client-iot-data-plane'
+import { fromEnv } from '@nordicsemiconductor/from-env'
+import { mock as httpApiMock } from '@bifravst/http-api-mock/mock'
+import { DynamoDBClient } from '@aws-sdk/client-dynamodb'
 import { slashless } from '@hello.nrfcloud.com/nrfcloud-api-helpers/api'
 
 /**
@@ -24,11 +23,18 @@ import { slashless } from '@hello.nrfcloud.com/nrfcloud-api-helpers/api'
  */
 
 const iotData = new IoTDataPlaneClient({})
+const db = new DynamoDBClient({})
 
 const backendConfig = await stackOutput(
 	new CloudFormationClient({}),
 )<BackendStackOutputs>(STACK_NAME)
 
+const { mockApiEndpoint, responsesTableName } = fromEnv({
+	mockApiEndpoint: 'HTTP_API_MOCK_API_URL',
+	responsesTableName: 'HTTP_API_MOCK_RESPONSES_TABLE_NAME',
+	requestsTableName: 'HTTP_API_MOCK_REQUESTS_TABLE_NAME',
+})(process.env)
+
 const print = (arg: unknown) =>
 	typeof arg === 'object' ? JSON.stringify(arg) : arg
 const start = Date.now()
@@ -74,23 +80,25 @@ const runner = await runFolder({
 
 const cleaners: (() => Promise<void>)[] = []
 
+const helloAPIBasePath = 'hello-api'
 runner
 	.addStepRunners(...storageSteps)
-	.addStepRunners(
-		...randomSteps({
-			email,
-			'device ID': () => `oob-${IMEI()}`,
-		}),
-	)
+	.addStepRunners(...randomSteps())
 	.addStepRunners(...RESTSteps)
 	.addStepRunners(
 		...deviceSteps({
 			iotData,
+			httpApiMock: httpApiMock({
+				db,
+				responsesTable: responsesTableName,
+			}),
+			helloAPIBasePath,
 		}),
 	)
 
 const res = await runner.run({
 	API: slashless(new URL(backendConfig.APIURL)),
+	helloAPI: new URL(`${mockApiEndpoint}${helloAPIBasePath}`),
 })
 
 await Promise.all(cleaners.map(async (fn) => fn()))

feature-runner/steps/device.ts

@@ -9,6 +9,63 @@ import {
 	type StepRunner,
 } from '@nordicsemiconductor/bdd-markdown'
 import { Type } from '@sinclair/typebox'
+import { fingerprintGenerator } from '@hello.nrfcloud.com/proto/fingerprint'
+import { IMEI } from '@hello.nrfcloud.com/bdd-markdown-steps/random'
+import type { HttpAPIMock } from '@bifravst/http-api-mock/mock'
+
+const getCurrentWeekNumber = (): number => {
+	const now = new Date()
+	const firstOfJanuary = new Date(now.getFullYear(), 0, 1)
+	return Math.ceil(
+		((now.getTime() - firstOfJanuary.getTime()) / 86400000 +
+			firstOfJanuary.getDay() +
+			1) /
+			7,
+	)
+}
+
+const oobDeviceWithFingerprint = (
+	httpApiMock: HttpAPIMock,
+	helloAPIBasePath: string,
+) =>
+	regExpMatchedStep(
+		{
+			regExp:
+				/^I have the fingerprint for my device in `(?<storageName>[^`]+)`$/,
+			schema: Type.Object({
+				storageName: Type.String({ minLength: 1 }),
+			}),
+		},
+		async ({ match: { storageName }, log: { progress }, context }) => {
+			const now = new Date()
+			const fingerprint = fingerprintGenerator(
+				parseInt(
+					`${(now.getFullYear() - 2000).toString()}${getCurrentWeekNumber()}`,
+					10,
+				),
+			)()
+			progress(`Fingerprint: ${fingerprint}`)
+			context[storageName] = fingerprint
+			const deviceId = `oob-${IMEI()}`
+			progress(`DeviceID: ${deviceId}`)
+
+			await httpApiMock.response(
+				`GET ${helloAPIBasePath}/device?fingerprint=${fingerprint}`,
+				{
+					status: 200,
+					headers: new Headers({
+						'content-type': 'application/json; charset=utf-8',
+					}),
+					body: JSON.stringify({
+						'@context':
+							'https://github.com/hello-nrfcloud/proto/deviceIdentity',
+						id: deviceId,
+						model: 'PCA20035+solar',
+					}),
+				},
+			)
+		},
+	)
 
 const publishDeviceMessage = (iotData: IoTDataPlaneClient) =>
 	regExpMatchedStep(
@@ -40,6 +97,13 @@ const publishDeviceMessage = (iotData: IoTDataPlaneClient) =>
 
 export const steps = ({
 	iotData,
+	httpApiMock,
+	helloAPIBasePath,
 }: {
 	iotData: IoTDataPlaneClient
-}): Array<StepRunner<Record<string, any>>> => [publishDeviceMessage(iotData)]
+	httpApiMock: HttpAPIMock
+	helloAPIBasePath: string
+}): Array<StepRunner<Record<string, any>>> => [
+	publishDeviceMessage(iotData),
+	oobDeviceWithFingerprint(httpApiMock, helloAPIBasePath),
+]

features/OOBMapShare.feature.md

@@ -1,5 +1,6 @@
 ---
 exampleContext:
+  fingerprint: 92b.y7i24q
   deviceId: oob-352656108602296
   publicDeviceId: outfling-swanherd-attaghan
   API: "https://iiet67bnlmbtuhiblik4wcy4ni0oujot.execute-api.eu-west-1.amazonaws.com/2024-04-12"
@@ -16,26 +17,25 @@ exampleContext:
 > This works for the Thingy:91 X because they have credentials that already tie
 > them to the nRF Cloud account that is used by `hello.nrfcloud.com/map`. The
 > only thing the user needs to do is to consent to the sharing.
+>
+> Note: Users need to know the fingerprint of the device in order to prevent
+> them sharing devices they don't have access to by guessing the IMEI.
 
 ## Background
 
-> The `deviceId` and `model` is provided in a link from the device page on
-> `hello.nrfcloud.com`.
-
-Given I have a random device ID in `deviceId`
+Given I have the fingerprint for my device in `fingerprint`
 
 And I have a random email in `email`
 
 ## Share the device
 
-> Using the device ID I can share the device
+> Using the device fingerprint I can share the device
 
 When I `POST` to `${API}/share` with
 
 ```json
 {
-  "deviceId": "${deviceId}",
-  "model": "PCA20035+solar",
+  "fingerprint": "${fingerprint}",
   "email": "${email}"
 }
 ```
@@ -45,6 +45,8 @@ Then I should receive a
 
 And I store `id` of the last response into `publicDeviceId`
 
+And I store `deviceId` of the last response into `deviceId`
+
 ## Confirm the email
 
 When I `POST` to `${API}/share/confirm` with