Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Secure MQTT Bus Credentials #4142

Merged
merged 17 commits into from
Sep 8, 2022
Merged

feat: Secure MQTT Bus Credentials #4142

merged 17 commits into from
Sep 8, 2022

Conversation

joshua-silverio
Copy link
Contributor

If your build fails due to your commit message not passing the build checks, please review the guidelines here: https://github.com/edgexfoundry/edgex-go/blob/main/.github/Contributing.md

PR Checklist

Please check if your PR fulfills the following requirements:

  • I am not introducing a breaking change (if you are, flag in conventional commit message with BREAKING CHANGE: describing the break)
  • I am not introducing a new dependency (add notes below if you are)
  • I have added unit tests for the new feature or bug fix (if not, why?)
  • I have fully tested (add details below) this the new feature or bug fix (if not, why?)
  • I have opened a PR for the related docs change (if not, why?)

Testing Instructions

  1. Use compose-builder on https://github.com/joshua-silverio/edgex-compose/tree/secure-mqtt-bus to
  2. "make gen dev mqtt-bus
  3. docker-compose up to view logs of mqtt broker or device/app service
    (should see mqtt broker connection w/ authmode:usernamepassword secretname: mqtt-bus"

New Dependency Instructions (If applicable)

@joshua-silverio joshua-silverio added enhancement New feature or request security-services 2-medium priority denoting issues with cross-cutting project impact labels Sep 1, 2022
@jim-wang-intel jim-wang-intel added this to QA/Code Review in Security WG Sep 1, 2022
@jim-wang-intel jim-wang-intel linked an issue Sep 1, 2022 that may be closed by this pull request
Generate security credential for Mosquitto broker #3934
Closed
@jim-wang-intel @joshua-silverio
feat: Add implementation for securing mqtt bus with username password
b3312ac 
CLOSES: edgexfoundry#3934

Signed-off-by: Jim Wang (Intel) <yutsung.jim.wang@intel.com>
Signed-off-by: intel <joshua.silverio@intel.com>
@bnevis-i
Copy link
Collaborator

bnevis-i commented Sep 1, 2022

Unit test failed (run make test)


[2022-09-01T18:29:25.963Z] ?   	github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/messagebus/container	[no test files]
[2022-09-01T18:29:25.963Z] --- FAIL: TestHandler_SetupPasswordFile (0.00s)
[2022-09-01T18:29:25.963Z]     --- FAIL: TestHandler_SetupPasswordFile/SetupPasswordFile_ok (0.00s)
[2022-09-01T18:29:25.963Z]         handlers_test.go:277: Handler.GetCredentials() = false, want true
[2022-09-01T18:29:25.963Z] FAIL
[2022-09-01T18:29:25.963Z] coverage: 88.2% of statements

@joshua-silverio
Copy link
Contributor Author

Unit test failed (run make test)


[2022-09-01T18:29:25.963Z] ?   	github.com/edgexfoundry/edgex-go/internal/security/bootstrapper/messagebus/container	[no test files]
[2022-09-01T18:29:25.963Z] --- FAIL: TestHandler_SetupPasswordFile (0.00s)
[2022-09-01T18:29:25.963Z]     --- FAIL: TestHandler_SetupPasswordFile/SetupPasswordFile_ok (0.00s)
[2022-09-01T18:29:25.963Z]         handlers_test.go:277: Handler.GetCredentials() = false, want true
[2022-09-01T18:29:25.963Z] FAIL
[2022-09-01T18:29:25.963Z] coverage: 88.2% of statements

Changed unit test since mosquitto_password binary was available on dev system but not build server...currently being rebuilt

@joshua-silverio
fix: Remove Custom Policy addressing comment feedback
0448d23 
Signed-off-by: intel <joshua.silverio@intel.com>
@joshua-silverio
fix: Refactor get credentials using pointer obj addressing comment fe…
8c3620d 
…edback

Signed-off-by: intel <joshua.silverio@intel.com>
lenny-goodell
lenny-goodell requested changes Sep 1, 2022
View reviewed changes
cmd/security-bootstrapper/entrypoint-scripts/messagebus_wait_install.sh Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/messagebus_wait_install.sh Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/messagebus_wait_install.sh Show resolved Hide resolved
cmd/security-bootstrapper/entrypoint-scripts/messagebus_wait_install.sh Outdated Show resolved Hide resolved
cmd/security-bootstrapper/res-bootstrap-messagebus/configuration.toml Outdated Show resolved Hide resolved
internal/security/bootstrapper/messagebus/handlers/handlers.go Outdated Show resolved Hide resolved
internal/security/secretstore/init.go Outdated Show resolved Hide resolved
internal/security/secretstore/init.go Outdated Show resolved Hide resolved
internal/security/secretstore/init.go Outdated Show resolved Hide resolved
internal/security/secretstore/init.go Outdated Show resolved Hide resolved
@joshua-silverio
fix: Use Local MessageQueueInfo struct for bootstrapper to address co…
2204304 
…mment feedback

Signed-off-by: intel <joshua.silverio@intel.com>
@joshua-silverio
fix: Make message bus configure more generic addressing comment feedback
4e62cb0 
Signed-off-by: intel <joshua.silverio@intel.com>
@joshua-silverio
fix: check if type is mqtt before setting up secrets
b43f507 
Signed-off-by: intel <joshua.silverio@intel.com>
@joshua-silverio
docs: Add README for how to add a new broker type
f1438ce 
Signed-off-by: intel <joshua.silverio@intel.com>
@joshua-silverio
fix: Remove msg queue type code
5d60433 
Signed-off-by: intel <joshua.silverio@intel.com>
bnevis-i
bnevis-i previously approved these changes Sep 2, 2022
View reviewed changes
Copy link
Collaborator

@bnevis-i bnevis-i left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All my comments were addressed. I have no further feedback.

lenny-goodell
lenny-goodell requested changes Sep 6, 2022
View reviewed changes
Copy link
Member

@lenny-goodell lenny-goodell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good!

Just need to make it more flexible for future support of NATS or other MQTT brokers. I don't expect the support for future to be perfect, but close so minimal changes are needed.

cmd/security-bootstrapper/res-bootstrap-messagebus/configuration.toml Outdated Show resolved Hide resolved
internal/security/bootstrapper/messagebus_factory.go Show resolved Hide resolved
internal/security/bootstrapper/messagebus_factory.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/mosquitto/README.md Outdated Show resolved Hide resolved
internal/security/bootstrapper/mosquitto/config/config.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/mosquitto/handlers/handlers_test.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/mosquitto/handlers/handlers_test.go Outdated Show resolved Hide resolved
internal/security/bootstrapper/mosquitto/handlers/handlers_test.go Outdated Show resolved Hide resolved
internal/security/secretstore/init.go Outdated Show resolved Hide resolved
internal/security/secretstore/init.go Outdated Show resolved Hide resolved
@joshua-silverio
fix: refactor messagequeueinfo to securemessagebusinfo addressing com…
4488a23 
…ment feedback

Signed-off-by: intel <joshua.silverio@intel.com>
@joshua-silverio
fix: Refactor ConfigureMessageBus to ConfigureSecureMessageBus addres…
dd6fb8f 
…sing feedback

Signed-off-by: intel <joshua.silverio@intel.com>
@joshua-silverio
docs: move readme to bootstrapper from mosquitto folder
c250bfd 
Signed-off-by: intel <joshua.silverio@intel.com>
@joshua-silverio
fix: Refactor configure.go to use const for Mosquitto broker
98b5421 
Signed-off-by: intel <joshua.silverio@intel.com>
@joshua-silverio
fix: refactor mosquitto handlers.go to be more mosquitto specific
df7707b 
Signed-off-by: intel <joshua.silverio@intel.com>
@joshua-silverio
fix: Removed args from tt in mosquitto handler_test.go adressing feed…
1563001 
…back

Signed-off-by: intel <joshua.silverio@intel.com>
@joshua-silverio
fix: refactor secretstore setup to be more generic addressing feedback
1739131 
Signed-off-by: intel <joshua.silverio@intel.com>
github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 7, 2022
View reviewed changes
internal/security/secretstore/init.go
@@ -53,11 +53,13 @@
const (
addKnownSecretsEnv = "ADD_KNOWN_SECRETS"
redisSecretName = "redisdb"
messagebusSecretName = "message-bus"

Check failure

Code scanning / CodeQL

Hard-coded credentials

Hard-coded [secret](1).
internal/security/secretstore/init.go
switch messageBusType {
case redisSecureMessageBusType:
creds = redisCredentials
secretName = redisSecretName

Check failure

Code scanning / CodeQL

Hard-coded credentials

Hard-coded [secret](1).
internal/security/secretstore/init.go Fixed Show fixed Hide fixed
lenny-goodell
lenny-goodell requested changes Sep 7, 2022
View reviewed changes
Copy link
Member

@lenny-goodell lenny-goodell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few minor log messages tweaks.

internal/security/secretstore/init.go Outdated Show resolved Hide resolved
internal/security/secretstore/init.go Outdated Show resolved Hide resolved
internal/security/secretstore/init.go Outdated Show resolved Hide resolved
internal/security/secretstore/init.go Outdated Show resolved Hide resolved
@joshua-silverio
fix: minor log message changes addressing feedback
ad8244c 
Signed-off-by: intel <joshua.silverio@intel.com>
lenny-goodell
lenny-goodell previously approved these changes Sep 7, 2022
View reviewed changes
Copy link
Member

@lenny-goodell lenny-goodell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, Great Job!

github-advanced-security[bot]
github-advanced-security bot found potential problems Sep 7, 2022
View reviewed changes
internal/security/secretstore/init.go
secretName = redisSecretName
case mqttSecureMessageBusType:
creds = msgBusCredentials
secretName = messagebusSecretName

Check failure

Code scanning / CodeQL

Hard-coded credentials

Hard-coded [secret](1).
@joshua-silverio
fix: refactor messagebus install script to be more generic
25887df 
Signed-off-by: intel <joshua.silverio@intel.com>
@sonarcloud
Copy link

sonarcloud bot commented Sep 7, 2022

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 1 Code Smell

No Coverage information No Coverage information
0.0% 0.0% Duplication

lenny-goodell
lenny-goodell approved these changes Sep 7, 2022
View reviewed changes
Copy link
Member

@lenny-goodell lenny-goodell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@joshua-silverio joshua-silverio merged commit 21503d9 into edgexfoundry:main Sep 8, 2022
Security WG automation moved this from QA/Code Review to Done Sep 8, 2022
@joshua-silverio joshua-silverio deleted the mqtt-bus-cred-store branch September 8, 2022 16:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jim-wang-intel jim-wang-intel jim-wang-intel approved these changes

@lenny-goodell lenny-goodell lenny-goodell approved these changes

@farshidtz farshidtz Awaiting requested review from farshidtz

@cloudxxx8 cloudxxx8 Awaiting requested review from cloudxxx8

@bnevis-i bnevis-i Awaiting requested review from bnevis-i

Assignees

@jim-wang-intel jim-wang-intel

@joshua-silverio joshua-silverio

Labels
2-medium priority denoting issues with cross-cutting project impact enhancement New feature or request security-services
Projects
Security WG
  
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Generate security credential for Mosquitto broker
4 participants
@joshua-silverio @bnevis-i @jim-wang-intel @lenny-goodell