Merge branch 'main' into feature/enforce-credo-code-quality

Author: taras-tyshko

.cspell.json

@@ -130,6 +130,7 @@
     "sockname",
     "spex",
     "ssljson",
+    "statename",
     "statsd",
     "strftime",
     "stylesheet",

lib/nerves_hub/application.ex

@@ -15,13 +15,7 @@ defmodule NervesHub.Application do
     end
 
     setup_open_telemetry()
-
-    _ =
-      :logger.add_handler(:my_sentry_handler, Sentry.LoggerHandler, %{
-        config: %{metadata: [:file, :line]}
-      })
-
-    NervesHub.Logger.attach()
+    setup_logging()
 
     children =
       [{Finch, name: Swoosh.Finch}] ++
@@ -50,6 +44,18 @@ defmodule NervesHub.Application do
     Supervisor.start_link(children, opts)
   end
 
+  defp setup_logging() do
+    :ok =
+      :logger.add_handler(:sentry_handler, Sentry.LoggerHandler, %{
+        config: %{metadata: [:file, :line]}
+      })
+
+    :ok =
+      :logger.add_primary_filter(:filter_ssl_handshake, {&NervesHub.Logger.ssl_log_filter/2, []})
+
+    NervesHub.Logger.attach()
+  end
+
   defp setup_open_telemetry() do
     if System.get_env("ECTO_IPV6") do
       :ok = :httpc.set_option(:ipfamily, :inet6fb4)

lib/nerves_hub/logger.ex

@@ -35,7 +35,8 @@ defmodule NervesHub.Logger do
       [:nerves_hub, :devices, :update, :successful],
       [:nerves_hub, :managed_deployments, :set_deployment_group, :none_found],
       [:nerves_hub, :managed_deployments, :set_deployment_group, :one_found],
-      [:nerves_hub, :managed_deployments, :set_deployment_group, :multiple_found]
+      [:nerves_hub, :managed_deployments, :set_deployment_group, :multiple_found],
+      [:nerves_hub, :ssl, :fail]
     ]
 
     Enum.each(events, fn event ->
@@ -165,6 +166,40 @@ defmodule NervesHub.Logger do
     )
   end
 
+  def log_event([:nerves_hub, :ssl, :fail], _, metadata, _) do
+    Logger.info("SSL certificate verification failed",
+      event: "nerves_hub.ssl.fail",
+      reason: metadata[:reason],
+      cert_serial: metadata[:cert_serial],
+      cert_subject: metadata[:cert_subject]
+    )
+  end
+
+  @doc """
+  The Erlang SSL application will log issues or failures related to verification of certificates.
+
+  This filter is designed to ignore SSL handshake errors that occur during the `:certify` state that are not helpful or hard to understand.
+
+  eg. TLS :server: In state :certify at ssl_handshake.erl:2201 generated SERVER ALERT: Fatal - Handshake Failure - :unknown_ca
+  """
+  def ssl_log_filter(log_event, _opts) do
+    case log_event do
+      %{
+        msg:
+          {:report,
+           %{
+             alert: {:alert, _, _, %{file: ~c"ssl_handshake.erl"}, _, _},
+             role: :server,
+             statename: :certify
+           }}
+      } ->
+        :stop
+
+      _ ->
+        :ignore
+    end
+  end
+
   # Helper functions
 
   defp ignore_list() do

lib/nerves_hub/ssl.ex

@@ -85,24 +85,16 @@ defmodule NervesHub.SSL do
         {:valid, state}
 
       {:error, {:bad_cert, reason}} ->
-        :telemetry.execute([:nerves_hub, :ssl, :fail], %{count: 1})
-
-        {:fail, reason}
+        verify_failed(reason, otp_cert)
 
       {:error, _} ->
-        :telemetry.execute([:nerves_hub, :ssl, :fail], %{count: 1})
-
-        {:fail, :registration_failed}
+        verify_failed(:registration_failed, otp_cert)
 
       reason when is_atom(reason) ->
-        :telemetry.execute([:nerves_hub, :ssl, :fail], %{count: 1})
-
-        {:fail, reason}
+        verify_failed(reason, otp_cert)
 
       _ ->
-        :telemetry.execute([:nerves_hub, :ssl, :fail], %{count: 1})
-
-        {:fail, :unknown_server_error}
+        verify_failed(:unknown_server_error, otp_cert)
     end
   end
 
@@ -283,4 +275,17 @@ defmodule NervesHub.SSL do
       ski: Certificate.get_ski(otp_cert)
     }
   end
+
+  defp verify_failed(reason, otp_cert) do
+    cert_serial = Certificate.get_serial_number(otp_cert)
+    cert_subject = Certificate.get_common_name(otp_cert)
+
+    :telemetry.execute([:nerves_hub, :ssl, :fail], %{count: 1}, %{
+      reason: reason,
+      cert_serial: cert_serial,
+      cert_subject: cert_subject
+    })
+
+    {:fail, reason}
+  end
 end

lib/nerves_hub_web/channels/device_events_stream_channel.ex

@@ -48,7 +48,7 @@ defmodule NervesHubWeb.DeviceEventsStreamChannel do
         false
 
       org_user ->
-        Authorization.authorized?(:"device:console", org_user)
+        Authorization.authorized?(:"device:view", org_user)
     end
   end
 end

lib/nerves_hub_web/channels/device_socket.ex

@@ -114,6 +114,17 @@ defmodule NervesHubWeb.DeviceSocket do
 
         {:error, :invalid_auth}
     end
+  rescue
+    e in ArgumentError ->
+      headers = Map.new(x_headers)
+
+      :telemetry.execute([:nerves_hub, :devices, :invalid_auth], %{count: 1}, %{
+        auth: :shared_secrets,
+        reason: e,
+        product_key: Map.get(headers, "x-nh-key", "*empty*")
+      })
+
+      {:error, :invalid_auth}
   end
 
   def connect(_params, _socket, _connect_info) do

lib/nerves_hub_web/helpers/authorization.ex

@@ -30,6 +30,7 @@ defmodule NervesHubWeb.Helpers.Authorization do
 
   def authorized?(:"device:create", %OrgUser{role: role}), do: role_check(:manage, role)
   def authorized?(:"device:update", %OrgUser{role: role}), do: role_check(:manage, role)
+  def authorized?(:"device:view", %OrgUser{role: role}), do: role_check(:view, role)
 
   def authorized?(:"device:set-deployment-group", %OrgUser{role: role}),
     do: role_check(:manage, role)