Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introducing protobuf file for the new /uuid endpoint #1284

Merged
merged 1 commit into from
Aug 11, 2020
Merged

Introducing protobuf file for the new /uuid endpoint #1284

merged 1 commit into from
Aug 11, 2020

Conversation

cshari-zededa
Copy link
Contributor

@cshari-zededa cshari-zededa commented Aug 10, 2020
edited
Loading

  • Once attestation feature is enabled in Controller, the /config endpoint
    will fail incoming requests without an integrity token associated with the
    request. As a result, the initial getUuid() method in zedclient will fail,
    since it starts early before attestation, and at that point system will not
    have any integrity token available.

  • Since zedclient uses /config primarily for getting UUID of the device and other
    fields such as Manufacturer, Model etc, having a separate endpoint for that
    makes sense, and this PR adds protobuf fields for the same.

Signed-off-by: Hariharasubramanian C S cshari@zededa.com

eriknordmark
eriknordmark reviewed Aug 10, 2020
View reviewed changes
api/APIv2.md Outdated Show resolved Hide resolved
eriknordmark
eriknordmark reviewed Aug 10, 2020
View reviewed changes
Copy link
Contributor

@eriknordmark eriknordmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we also remove the ConfigRequest using a URL without the UUID? That is in the APIv4.md file

@eriknordmark
Copy link
Contributor

@kalyan-nidumolu are these protobuf errors you expect to see?
uuid/uuid.proto:8:1:Expected "uuidpb" for option "go_package" but was "github.com/lf-edge/eve/api/go/uuid".
uuid/uuid.proto:9:1:Expected "com.org.lfedge.eve.uuid" for option "java_package" but was "org.lfedge.eve.uuid".
uuid/uuid.proto:11:1:Expected "UuidProto" for option "java_outer_classname" but was "EveUuid".

I don't know if prototool would have the same complaints on our existing proto files in which case we can ignore them.

@cshari-zededa
Introducing protobuf file for the new /uuid endpoint
8a4d2c2 
- Once attestation feature is enabled in Controller, the /config endpoint
  will fail incoming requests without an integrity token associated with the
  request. As a result, the initial getUuid() method in zedclient will fail,
  since it starts early before attestation, and at that point system will not
  have any integrity token to use.

- Since zedclient uses /config primarily for getting UUID of the device and other
  fields such as Manufacturer, Model etc, having a separate endpoint for that
  makes sense, and this PR adds protobuf fields for the same.

Signed-off-by: Hariharasubramanian C S <cshari@zededa.com>
@cshari-zededa
Copy link
Contributor Author

@kalyan-nidumolu are these protobuf errors you expect to see?
uuid/uuid.proto:8:1:Expected "uuidpb" for option "go_package" but was "github.com/lf-edge/eve/api/go/uuid".
uuid/uuid.proto:9:1:Expected "com.org.lfedge.eve.uuid" for option "java_package" but was "org.lfedge.eve.uuid".
uuid/uuid.proto:11:1:Expected "UuidProto" for option "java_outer_classname" but was "EveUuid".

I don't know if prototool would have the same complaints on our existing proto files in which case we can ignore them.

@eriknordmark
When I ran "make yetus" on my local branch, I am getting the same lint errors for the existing files as well. e.g. for attest:

Hariharasubramanians-MacBook-Pro:eve cshari$ cat /private/tmp/yetus-out/diff-patch-prototool.txt | grep attest
attest/attest.proto:10:1:Expected "attestpb" for option "go_package" but was "github.com/lf-edge/eve/api/go/attest".
attest/attest.proto:11:1:Expected "com.org.lfedge.eve.attest" for option "java_package" but was "org.lfedge.eve.attest".
attest/attest.proto:13:1:Expected "AttestProto" for option "java_outer_classname" but was "EveAttest".

Now, either I can fix the lint errors or we can ignore the yetus errors (to keep the naming conventions consistent with existing files), please let me know what you prefer.

eriknordmark
eriknordmark approved these changes Aug 11, 2020
View reviewed changes
Copy link
Contributor

@eriknordmark eriknordmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Let's ignore the yetus/prototool complaints

@eriknordmark eriknordmark merged commit 82c8d66 into lf-edge:master Aug 11, 2020
@rvs
Copy link
Contributor

rvs commented Aug 12, 2020

Hey @cshari-zededa @nordmark @deitch -- one sentence here caught my eye "Once attestation feature is enabled in Controller, the /config endpoint will fail incoming requests without an integrity token associated with the request" -- that's fine from the controller's standpoint (IOW controller forcing this behavior) but I wanted to make sure that we don't accidentally break V1 API compatibility with this change.

We rely heavily on V1 API in Adam still (V2 work is getting delayed there) and making sure it keeps working is a pretty high priority. Please confirm.

On a related note @cshari-zededa those few paragraphs from the description of this PR is what I was suggesting you add to your integrity token PR as part of updating docs/SECURITY.md

@cshari-zededa
Copy link
Contributor Author

Hey @cshari-zededa @nordmark @deitch -- one sentence here caught my eye "Once attestation feature is enabled in Controller, the /config endpoint will fail incoming requests without an integrity token associated with the request" -- that's fine from the controller's standpoint (IOW controller forcing this behavior) but I wanted to make sure that we don't accidentally break V1 API compatibility with this change.

Yes @rvs, V1 compatibility is not disturbed. In fact, we have not started enforcing integrity-token yet in any of the Controller, including ZedControl. These PRs are just setting it up from EVE side. But even when we enforce integrity-token check, we will do it only for V2 /config endpoint.

But this also means that we should add /uuid support in Adam, before we can start replacing /config with /uuid in zedclient.

@rvs rvs mentioned this pull request Aug 13, 2020
Open
@rvs
Copy link
Contributor

rvs commented Aug 13, 2020

Got it! Filed lf-edge/adam#38 @giggsoff @deitch -- can you guys please take a look ASAP?

@cshari-zededa cshari-zededa deleted the integrity_token branch August 13, 2020 04:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eriknordmark eriknordmark eriknordmark approved these changes

@rvs rvs Awaiting requested review from rvs

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@cshari-zededa @eriknordmark @rvs