Merge pull request #80 from thin-edge/feat-support-basic-auth

feat: add support Cumulocity basic auth

Author: reubenmiller

Dockerfile

@@ -59,6 +59,8 @@ RUN wget -O - https://thin-edge.io/install-services.sh | sh -s -- s6_overlay \
 # TODO: Can thin-edge.io set permissions during installation?
 RUN usermod -u "$USERID" tedge \
     && groupmod -g "$GROUPID" tedge \
+    # create empty folder so basic auth credentials can be mounted to it
+    && mkdir -p /etc/tedge/credentials \
     && chown -R tedge:tedge /etc/tedge \
     && chown -R tedge:tedge /var/tedge \
     && echo "tedge  ALL = (ALL) NOPASSWD:SETENV: /usr/bin/tedge, /etc/tedge/sm-plugins/[a-zA-Z0-9]*, /bin/sync, /sbin/init, /usr/bin/tedgectl, /bin/kill, /usr/bin/tedge-container, /usr/bin/docker, /usr/bin/podman, /usr/bin/podman-remote, /usr/bin/podman-compose" >/etc/sudoers.d/tedge \
@@ -90,6 +92,8 @@ COPY files/tedge/log_upload.toml /etc/tedge/operations/
 COPY files/tedge/log_upload_container.toml /etc/tedge/operations/
 # Script to fix the permissions / ownership which is called on container startup
 COPY files/tedge/fix-permissions.sh /usr/bin/
+# Helper script to set the Cumulocity Basic Auth more easily
+COPY files/tedge/set-c8y-basic-auth.sh /usr/bin/
 
 
 ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2

README.md

@@ -33,6 +33,8 @@ The following are required in order to deploy the container
 
 [Option 2b (Cumulocity Certificate Authority Preview): Container network (Recommended)](./docs/CONTAINER_OPTION2_with_ca.md)
 
+[Option 2c (Basic Auth): Container network (Recommended)](./docs/CONTAINER_OPTION2_with_basic_auth.md)
+
 
 ### Settings
 

cont-init.d/50_configure.sh

@@ -86,6 +86,55 @@ load_from_file() {
     echo "Loading device certificates from file (no-op)"
 }
 
+get_auth_mode() {
+    value=$(tedge config get c8y.auth_method ||:)
+    output=certificate
+    case "$value" in
+        auto)
+            if [ -f "$(tedge config get c8y.credentials_path)" ]; then
+                output=basic
+            fi
+            ;;
+        basic)
+            output=basic
+            ;;
+        certificate)
+            output=certificate
+            ;;
+    esac
+    echo "$output"
+}
+
+load_c8y_basic_auth_from_env() {
+    if [ -z "$C8Y_DEVICE_USER" ] && [ -z "$C8Y_DEVICE_PASSWORD" ]; then
+        return 1
+    fi
+
+    echo "Loading device basic auth credentials from environment variables" >&2
+    set-c8y-basic-auth.sh "$C8Y_DEVICE_USER" "$C8Y_DEVICE_PASSWORD"
+}
+
+load_c8y_basic_auth_from_secrets() {
+    if [ ! -f /run/secrets/credentials ]; then
+        return 1
+    fi
+
+    echo "Loading device basic auth credentials from docker secrets" >&2
+    CREDENTIALS_PATH=$(tedge config get c8y.credentials_path)
+    cat /run/secrets/credentials > "$CREDENTIALS_PATH"
+    chmod 600 "$CREDENTIALS_PATH"
+}
+
+load_c8y_basic_auth_from_file() {
+    CREDENTIALS_PATH=$(tedge config get c8y.credentials_path)
+    if [ ! -f "$CREDENTIALS_PATH" ]; then
+        return 1
+    fi
+
+    # Don't actually do anything, but confirm the presence of device credentials
+    echo "Loading device basic auth credentials from file (no-op)"
+}
+
 create_tedge_config_symlink() {
     # Store the tedge.toml under the data dir, and
     # use a symlink from /etc/tedge/tedge.toml to point to the data dir.
@@ -138,19 +187,24 @@ fi
 AGENT_STATE=$(tedge config get agent.state.path)
 mkdir -p "$AGENT_STATE"
 
-#
-# Try loading the device certificates from several locations, taking the first successful function
+# Try loading device and basic auth from multiple locations taking the first successful function
 # Don't fail as users are allowed to start up a container without a device certificate (e.g. when only running the tedge-agent)
-#
 load_from_env || load_from_secrets || load_from_file ||:
 
+load_c8y_basic_auth_from_env || load_c8y_basic_auth_from_secrets || load_c8y_basic_auth_from_file ||:
 
 # Support variable set by go-c8y-cli
 if [ -n "$C8Y_DOMAIN" ] && [ -z "${TEDGE_C8Y_URL:-}" ]; then
     echo "Setting c8y.url from C8Y_DOMAIN env variable. $C8Y_DOMAIN" >&2
     tedge config set c8y.url "$C8Y_DOMAIN"
 fi
 
+# set device.id for basic auth case which requires it, though when
+# using a device certificate, the device.id will take precedence
+if [ -n "$DEVICE_ID" ]; then
+    tedge config set device.id "$DEVICE_ID"
+fi
+
 random_sleep() {
     VALUE=$(awk "BEGIN { srand(); print int(rand()*32768 % $MAX_RANDOM_WAIT) }")
     echo "Sleeping ${VALUE}s" >&2
@@ -190,6 +244,9 @@ https://${TARGET_URL}/apps/devicemanagement/index.html#/deviceregistration?exter
 EOT
 }
 
+# Resolve which auth mode is being used
+AUTH_METHOD=$(get_auth_mode)
+
 #
 # Connect the mappers (if they are configured and not already connected)
 #
@@ -199,26 +256,30 @@ for MAPPER in $MAPPERS; do
 
         case "$MAPPER" in
             c8y)
-                if [ "$CA" = "c8y" ]; then
-                    # Register device using the Cumulocity certificate-authority feature
-                    PUBLIC_CERT=$(tedge config get device.cert_path 2>/dev/null ||:)
-                    if [ ! -f "$PUBLIC_CERT" ]; then
-                        if [ -z "$DEVICE_ONE_TIME_PASSWORD" ]; then
-                            DEVICE_ONE_TIME_PASSWORD=$(get_random_code)
-                            SHOW_REGISTRATION_BANNER=1
-                        fi
-
-                        if [ "$SHOW_REGISTRATION_BANNER" = 1 ]; then
-                            show_registration_banner
-                        fi
-
-                        # Download certificate
-                        echo "Downloading certificate. device-id=$DEVICE_ID" >&2
-                        if ! tedge cert download c8y --device-id "$DEVICE_ID" --one-time-password "$DEVICE_ONE_TIME_PASSWORD" --retry-every 5s --max-timeout 300s; then
-                            echo "WARNING: Failed to download certificate" >&2
+                case "$AUTH_METHOD" in
+                    certificate)
+                        if [ "$CA" = "c8y" ]; then
+                            # Register device using the Cumulocity certificate-authority feature
+                            PUBLIC_CERT=$(tedge config get device.cert_path 2>/dev/null ||:)
+                            if [ ! -f "$PUBLIC_CERT" ]; then
+                                if [ -z "$DEVICE_ONE_TIME_PASSWORD" ]; then
+                                    DEVICE_ONE_TIME_PASSWORD=$(get_random_code)
+                                    SHOW_REGISTRATION_BANNER=1
+                                fi
+
+                                if [ "$SHOW_REGISTRATION_BANNER" = 1 ]; then
+                                    show_registration_banner
+                                fi
+
+                                # Download certificate
+                                echo "Downloading certificate. device-id=$DEVICE_ID" >&2
+                                if ! tedge cert download c8y --device-id "$DEVICE_ID" --one-time-password "$DEVICE_ONE_TIME_PASSWORD" --retry-every 5s --max-timeout 300s; then
+                                    echo "WARNING: Failed to download certificate" >&2
+                                fi
+                            fi
                         fi
-                    fi
-                fi
+                    ;;
+                esac
                 ;;
         esac
 

docs/CONTAINER_OPTION2_with_basic_auth.md

@@ -0,0 +1,185 @@
+## Option 2: Container network and using Cumulocity Basic Auth
+
+**When to use it?**
+
+* Familiar with containers
+* Basic understanding of container networking
+* You can't use certificate based auth for reason
+
+## Getting Started
+
+
+### Option 1: Using docker run
+
+1. Pull the latest image
+
+    ```sh
+    docker pull ghcr.io/thin-edge/tedge-container-bundle
+    ```
+
+1. Create Cumulocity basic auth credentials for your new device. For convenience, you can use go-c8y-cli to do this
+
+    ```sh
+    c8y deviceregistration register-basic --id tedge_abcdef
+    ```
+
+1. Set some environment variable based on the Cumulocity instance you wish to connect to, and the device id
+
+    ```sh
+    export TEDGE_C8Y_URL="example-demo.eu-latest.cumulocity.com"
+    export DEVICE_ID="tedge_abcdef"
+    export C8Y_DEVICE_USER="t12345/device_${DEVICE_ID}"
+    export C8Y_DEVICE_PASSWORD="<<code_max_32_chars>>"
+    ```
+
+    **Note** The username must be in the form of `{tenant}/device_{name}`.
+
+1. Create a docker volume which will be used to store the device credentials, and a volume for the tedge and mosquitto data
+
+    ```sh
+    docker network create tedge
+    docker volume create device-creds
+    docker volume create tedge
+    ```
+
+3. Create a new device credentials
+
+    ```sh
+    docker run --rm -it \
+        -v "device-creds:/etc/tedge/credentials" \
+        -e "TEDGE_C8Y_CREDENTIALS_PATH=/etc/tedge/credentials/credentials.toml" \
+        ghcr.io/thin-edge/tedge-container-bundle:latest \
+        /usr/bin/set-c8y-basic-auth.sh "$C8Y_DEVICE_USER" "$C8Y_DEVICE_PASSWORD"
+    ```
+
+    Alternatively, you can set the Cumulocity device username and password using environment variables, however be aware that they could then be read by anyone with access to the container engine.
+
+    ```sh
+    -e "C8Y_DEVICE_USER=$C8Y_DEVICE_USER" \
+    -e "C8Y_DEVICE_PASSWORD=$C8Y_DEVICE_PASSWORD" \
+    ```
+
+1. Start the container
+
+    ```sh
+    docker run -d \
+        --name tedge \
+        --restart always \
+        --add-host host.docker.internal:host-gateway \
+        --network tedge \
+        -p "127.0.0.1:1883:1883" \
+        -p "127.0.0.1:8000:8000" \
+        -p "127.0.0.1:8001:8001" \
+        -v device-creds:/etc/tedge/credentials \
+        -v tedge:/data/tedge \
+        -v /var/run/docker.sock:/var/run/docker.sock:rw \
+        -e TEDGE_C8Y_OPERATIONS_AUTO_LOG_UPLOAD=always \
+        -e "DEVICE_ID=${DEVICE_ID}" \
+        -e "TEDGE_C8Y_URL=${TEDGE_C8Y_URL}" \
+        -e "TEDGE_C8Y_AUTH_METHOD=auto" \
+        -e "TEDGE_C8Y_CREDENTIALS_PATH=/etc/tedge/credentials/credentials.toml" \
+        ghcr.io/thin-edge/tedge-container-bundle:latest
+    ```
+
+    With this option, you can change the host port mapping in case it conflicts with any other services running on the host, e.g. other services which are already using the ports that thin-edge.io wants to use.
+
+    ```sh
+    docker run -d \
+        --name tedge \
+        --restart always \
+        --add-host host.docker.internal:host-gateway \
+        --network tedge \
+        -p "127.0.0.1:1884:1883" \
+        -p "127.0.0.1:9000:8000" \
+        -p "127.0.0.1:9001:8001" \
+        -v device-creds:/etc/tedge/credentials \
+        -v tedge:/data/tedge \
+        -v /var/run/docker.sock:/var/run/docker.sock:rw \
+        -e TEDGE_C8Y_OPERATIONS_AUTO_LOG_UPLOAD=always \
+        -e "DEVICE_ID=${DEVICE_ID}" \
+        -e "TEDGE_C8Y_URL=${TEDGE_C8Y_URL}" \
+        -e "TEDGE_C8Y_AUTH_METHOD=auto" \
+        -e "TEDGE_C8Y_CREDENTIALS_PATH=/etc/tedge/credentials/credentials.toml" \
+        ghcr.io/thin-edge/tedge-container-bundle:latest
+    ```
+
+
+### Option 2: Using docker compose
+
+Note: This docker compose example uses environment variable to set the basic auth. Ideally you would not set the credentials this ways as it makes them readable to anyone whom has access to the container engine.
+
+1. In a shell, create a new folder and change directory into it. The name of the folder will be your docker compose project name
+
+1. Create a `.env` file with the following contents
+
+    ```sh
+    TEDGE_C8Y_URL="example-demo.eu-latest.cumulocity.com"
+    export DEVICE_ID="tedge_abcdef"
+    export C8Y_DEVICE_USER="t12345/device_${DEVICE_ID}"
+    export C8Y_DEVICE_PASSWORD="<<code_max_32_chars>>"
+
+    # any other custom thin-edge.io configuration that you want
+    TEDGE_C8Y_OPERATIONS_AUTO_LOG_UPLOAD=always
+    ```
+
+1. Create a `docker-compose.yaml` file with the following contents
+
+    ```yaml
+    services:
+      tedge:
+        image: ghcr.io/thin-edge/tedge-container-bundle
+        restart: always
+        environment:
+          - TEDGE_C8Y_AUTH_METHOD=auto
+          - TEDGE_C8Y_CREDENTIALS_PATH=/etc/tedge/credentials/credentials.toml
+        env_file:
+          - .env
+        ports:
+         - 127.0.0.1:1883:1883
+         - 127.0.0.1:8000:8000
+         - 127.0.0.1:8001:8001
+        # When using docker, add access to the host
+        # if you want to be able to ssh into the host from the container
+        extra_hosts:
+          - host.docker.internal:host-gateway
+        tmpfs:
+          - /tmp
+        volumes:
+          - device-creds:/etc/tedge/credentials
+          - tedge:/data/tedge
+          # Enable docker from docker
+          - /var/run/docker.sock:/var/run/docker.sock:rw
+
+    volumes:
+      device-creds:
+      tedge:
+    ```
+
+1. Start the container using docker compose
+
+    ```sh
+    docker compose up -d
+    ```
+
+## Using the tedge-container-bundle
+
+### Subscribing to the MQTT broker
+
+Assuming the container network is called `tedge`, then you can subscribe to the MQTT broker using the following command:
+
+```sh
+docker run --rm -it \
+    --network tedge \
+    -e TEDGE_MQTT_CLIENT_HOST=tedge \
+    ghcr.io/thin-edge/tedge-container-bundle \
+    tedge mqtt sub '#'
+```
+
+Or you can access the MQTT broker directly from the host using the port mappings:
+
+```sh
+mosquitto_sub -h 127.0.0.1 -p 1883 -t '#'
+
+# or if you used another port
+mosquitto_sub -h 127.0.0.1 -p 1884 -t '#'
+```

files/tedge/set-c8y-basic-auth.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+set -e
+if [ $# -lt 2 ]; then
+    echo "ERROR: Expected 2 arguments." >&2
+    echo "USAGE: $0 <C8Y_DEVICE_USER> <C8Y_DEVICE_PASSWORD>" >&2
+    exit 1
+fi
+CREDENTIALS_PATH=$(tedge config get c8y.credentials_path)
+printf '[c8y]\nusername = "%s"\npassword = "%s"\n' "$1" "$2" > "$CREDENTIALS_PATH"
+chmod 600 "$CREDENTIALS_PATH"