
feat: Secure MQTT Bus Credentials #4142

Merged

Conversation

joshua-silverio
Contributor

If your build fails due to your commit message not passing the build checks, please review the guidelines here: https://github.com/edgexfoundry/edgex-go/blob/main/.github/Contributing.md

PR Checklist

Please check if your PR fulfills the following requirements:

  • I am not introducing a breaking change (if you are, flag in conventional commit message with BREAKING CHANGE: describing the break)
  • I am not introducing a new dependency (add notes below if you are)
  • I have added unit tests for the new feature or bug fix (if not, why?)
  • I have fully tested (add details below) the new feature or bug fix (if not, why?)
  • I have opened a PR for the related docs change (if not, why?)

Testing Instructions

  1. Use compose-builder on https://github.com/joshua-silverio/edgex-compose/tree/secure-mqtt-bus to
  2. make gen dev mqtt-bus
  3. docker-compose up to view logs of mqtt broker or device/app service
    (should see mqtt broker connection w/ authmode:usernamepassword secretname: mqtt-bus)

New Dependency Instructions (If applicable)

@joshua-silverio joshua-silverio added enhancement New feature or request security-services 2-medium priority denoting issues with cross-cutting project impact labels Sep 1, 2022
@jim-wang-intel jim-wang-intel added this to QA/Code Review in Security WG Sep 1, 2022
@jim-wang-intel jim-wang-intel linked an issue Sep 1, 2022 that may be closed by this pull request
CLOSES: edgexfoundry#3934

Signed-off-by: Jim Wang (Intel) <yutsung.jim.wang@intel.com>
Signed-off-by: intel <joshua.silverio@intel.com>
@bnevis-i
Collaborator

bnevis-i commented Sep 1, 2022

Unit test failed (run make test)


[2022-09-01T18:29:25.963Z] ?   	github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/messagebus/container	[no test files]
[2022-09-01T18:29:25.963Z] --- FAIL: TestHandler_SetupPasswordFile (0.00s)
[2022-09-01T18:29:25.963Z]     --- FAIL: TestHandler_SetupPasswordFile/SetupPasswordFile_ok (0.00s)
[2022-09-01T18:29:25.963Z]         handlers_test.go:277: Handler.GetCredentials() = false, want true
[2022-09-01T18:29:25.963Z] FAIL
[2022-09-01T18:29:25.963Z] coverage: 88.2% of statements

@joshua-silverio
Contributor Author

Changed unit test since mosquitto_password binary was available on dev system but not build server...currently being rebuilt
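The failure above is the classic "works on my machine" case: the handler's test passes wherever mosquitto_passwd is installed and fails on a build server that lacks it. As an added illustration (not the PR's own code), here is a hypothetical handler that invokes mosquitto_passwd through an injectable runner, so the unit test can substitute a fake and never depend on the binary; Handler, PasswdRunner, SetupPasswordFile and the argument layout are assumptions, not the project's API.

```go
package main

import (
	"fmt"
	"os/exec"
)

// PasswdRunner abstracts the external mosquitto_passwd invocation so the
// handler can be unit-tested with a fake on machines that lack the binary.
type PasswdRunner func(name string, args ...string) ([]byte, error)

// ExecPasswdRunner is the production runner: it really executes the tool.
func ExecPasswdRunner(name string, args ...string) ([]byte, error) {
	return exec.Command(name, args...).CombinedOutput()
}

// Handler is a hypothetical stand-in for the bootstrapper's password-file handler.
type Handler struct{ run PasswdRunner }

func NewHandler(run PasswdRunner) *Handler { return &Handler{run: run} }

// SetupPasswordFile creates passwordFile with a single user entry by running
// "mosquitto_passwd -c -b <file> <user> <password>" through the injected runner.
// (-b passes the password as an argument, so it is visible in the process list
// while the one-shot command runs.) Empty inputs are rejected before anything runs.
func (h *Handler) SetupPasswordFile(passwordFile, user, password string) error {
	if passwordFile == "" || user == "" || password == "" {
		return fmt.Errorf("password file, username and password must all be set")
	}
	out, err := h.run("mosquitto_passwd", "-c", "-b", passwordFile, user, password)
	if err != nil {
		return fmt.Errorf("mosquitto_passwd failed: %w: %s", err, out)
	}
	return nil
}

// PasswdAvailable reports whether the real binary is on PATH; an integration
// test that needs the real tool can skip itself when this is false.
func PasswdAvailable() bool {
	_, err := exec.LookPath("mosquitto_passwd")
	return err == nil
}

func main() {
	if !PasswdAvailable() {
		fmt.Println("mosquitto_passwd not installed; use a fake PasswdRunner in unit tests")
		return
	}
	err := NewHandler(ExecPasswdRunner).SetupPasswordFile("/tmp/mosquitto-passwd", "edgex", "example-password")
	fmt.Println("setup result:", err)
}
```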

internal/security/secretstore/init.go: 4 review threads (outdated, resolved)
bnevis-i
bnevis-i previously approved these changes Sep 2, 2022
Collaborator

@bnevis-i bnevis-i left a comment

All my comments were addressed. I have no further feedback.

Member

@lenny-goodell lenny-goodell left a comment

Looking good!

Just need to make it more flexible for future support of NATS or other MQTT brokers. I don't expect the support for future to be perfect, but close so minimal changes are needed.

Review threads (outdated, resolved):
  • internal/security/bootstrapper/messagebus_factory.go
  • internal/security/bootstrapper/mosquitto/README.md
  • internal/security/bootstrapper/mosquitto/config/config.go
  • internal/security/secretstore/init.go (2)
@@ -53,11 +53,13 @@
const (
addKnownSecretsEnv = "ADD_KNOWN_SECRETS"
redisSecretName = "redisdb"
messagebusSecretName = "message-bus"
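Review bot: the CodeQL "Hard-coded credentials" alert on messagebusSecretName = "message-bus" is a false positive: like redisSecretName = "redisdb", the constant is the secret-store name under which the generated credentials are stored (it is assigned to secretName in the switch below), not a credential value. Dismiss the alert as a false positive, or rename the constants so the intent is obvious to the scanner, rather than changing the logic.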

Check failure (Code scanning / CodeQL): Hard-coded credentials. Hard-coded [secret](1).
switch messageBusType {
case redisSecureMessageBusType:
creds = redisCredentials
secretName = redisSecretName

Check failure (Code scanning / CodeQL): Hard-coded credentials. Hard-coded [secret](1).
internal/security/secretstore/init.go: CodeQL alert fixed
Member

@lenny-goodell lenny-goodell left a comment

Just a few minor log message tweaks.

internal/security/secretstore/init.go: 4 review threads (outdated, resolved)
lenny-goodell
lenny-goodell previously approved these changes Sep 7, 2022
Member

@lenny-goodell lenny-goodell left a comment

LGTM, Great Job!

secretName = redisSecretName
case mqttSecureMessageBusType:
creds = msgBusCredentials
secretName = messagebusSecretName
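Review bot: this part of the switch only covers redisSecureMessageBusType and mqttSecureMessageBusType; make sure there is a default branch that returns an error for any other messageBusType, so the bootstrapper does not carry on with empty creds and secretName.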

Check failure (Code scanning / CodeQL): Hard-coded credentials. Hard-coded [secret](1).
@sonarcloud

sonarcloud bot commented Sep 7, 2022

Kudos, SonarCloud Quality Gate passed!

  • Bugs: 0 (A)
  • Vulnerabilities: 0 (A)
  • Security Hotspots: 0 (A)
  • Code Smells: 1 (A)
  • Coverage: no coverage information
  • Duplication: 0.0%

Member

@lenny-goodell lenny-goodell left a comment

LGTM

@joshua-silverio joshua-silverio merged commit 21503d9 into edgexfoundry:main Sep 8, 2022
Security WG automation moved this from QA/Code Review to Done Sep 8, 2022
@joshua-silverio joshua-silverio deleted the mqtt-bus-cred-store branch September 8, 2022 16:00
Linked issue that may be closed by this pull request: Generate security credential for Mosquitto broker