test with secure device

.vscode/settings.json

@@ -15,6 +15,9 @@
 		"LISTEN_FILE_CERT_KEY_NAME": "http.key",
 		"TEST_COAP_GW_OVERWRITE_LISTEN_FILE_CERT_NAME": "coap.crt",
         "TEST_COAP_GW_OVERWRITE_LISTEN_FILE_KEY_NAME": "coap.key",
+        "TEST_ROOT_CA_CRT": "${workspaceFolder}/.tmp/certs/root_ca.crt",
+        "TEST_ROOT_CA_KEY": "${workspaceFolder}/.tmp/certs/root_ca.key",
+        "TEST_CLOUD_SID": "adebc667-1f2b-41e3-bf5c-6d6eabc68cc6",
         "ACME_DB_DIR": "${workspaceFolder}/.tmp/home/certificate-authority",
         // "GOMAXPROCS": 1,
         // "GOFLAGS":"-race",

Makefile

@@ -1,5 +1,6 @@
 SHELL = /bin/bash
 SIMULATOR_NAME_SUFFIX ?= $(shell hostname)
+CLOUD_SID ?= adebc667-1f2b-41e3-bf5c-6d6eabc68cc6
 
 SUBDIRS := resource-aggregate authorization resource-directory cloud2cloud-connector cloud2cloud-gateway coap-gateway grpc-gateway certificate-authority portal-webapi bundle http-gateway
 .PHONY: $(SUBDIRS) push proto/generate clean build test env mongo nats certificates cloud-build
@@ -26,7 +27,7 @@ certificates: cloud-test
 		-v $(shell pwd)/.tmp/certs:/certs \
 		--user $(shell id -u):$(shell id -g) \
 		cloud-test \
-		/bin/bash -c "cert-tool --cmd.generateRootCA --outCert=/certs/root_ca.crt --outKey=/certs/root_ca.key --cert.subject.cn=RootCA && cert-tool --cmd.generateCertificate --outCert=/certs/http.crt --outKey=/certs/http.key --cert.subject.cn=localhost --cert.san.domain=localhost --signerCert=/certs/root_ca.crt --signerKey=/certs/root_ca.key && cert-tool --cmd.generateIdentityCertificate=adebc667-1f2b-41e3-bf5c-6d6eabc68cc6 --outCert=/certs/coap.crt --outKey=/certs/coap.key --cert.san.domain=localhost --signerCert=/certs/root_ca.crt --signerKey=/certs/root_ca.key"
+		/bin/bash -c "cert-tool --cmd.generateRootCA --outCert=/certs/root_ca.crt --outKey=/certs/root_ca.key --cert.subject.cn=RootCA && cert-tool --cmd.generateCertificate --outCert=/certs/http.crt --outKey=/certs/http.key --cert.subject.cn=localhost --cert.san.domain=localhost --signerCert=/certs/root_ca.crt --signerKey=/certs/root_ca.key && cert-tool --cmd.generateIdentityCertificate=$(CLOUD_SID) --outCert=/certs/coap.crt --outKey=/certs/coap.key --cert.san.domain=localhost --signerCert=/certs/root_ca.crt --signerKey=/certs/root_ca.key"
 	cat $(shell pwd)/.tmp/certs/http.crt > $(shell pwd)/.tmp/certs/mongo.key
 	cat $(shell pwd)/.tmp/certs/http.key >> $(shell pwd)/.tmp/certs/mongo.key
 
@@ -84,6 +85,9 @@ test: env
 		-e LISTEN_FILE_CERT_KEY_NAME=http.key \
 		-e TEST_COAP_GW_OVERWRITE_LISTEN_FILE_CERT_NAME=coap.crt \
 		-e TEST_COAP_GW_OVERWRITE_LISTEN_FILE_KEY_NAME=coap.key \
+		-e TEST_CLOUD_SID=$(CLOUD_SID) \
+		-e TEST_ROOT_CA_CRT=/certs/root_ca.crt \
+        -e TEST_ROOT_CA_KEY=/certs/root_ca.key \
 		-e ACME_DB_DIR=/home/certificate-authority \
 		cloud-test \
 		go test -race -p 1 -v ./... -covermode=atomic -coverprofile=/home/coverage.txt

coap-gateway/service/clientUpdateHandler_test.go

@@ -18,7 +18,7 @@ func Test_clientUpdateHandler(t *testing.T) {
 	shutdown := setUp(t, true)
 	defer shutdown()
 
-	co := testCoapDial(t, testCfg.GW_HOST, true)
+	co := testCoapDial(t, testCfg.GW_UNSECURE_HOST, true)
 	if co == nil {
 		return
 	}

coap-gateway/service/utils_test.go

@@ -235,7 +235,7 @@ func testPrepareDevice(t *testing.T, co *tcp.ClientConn) {
 	}
 }
 
-func testCoapDial(t *testing.T, host string, withTLS ...bool) *tcp.ClientConn {
+func testCoapDial(t *testing.T, host string, withoutTLS ...bool) *tcp.ClientConn {
 	var config certManager.OcfConfig
 	err := envconfig.Process("LISTEN", &config)
 	assert.NoError(t, err)
@@ -275,7 +275,7 @@ func testCoapDial(t *testing.T, host string, withTLS ...bool) *tcp.ClientConn {
 		return nil
 	}
 
-	if len(withTLS) == 0 {
+	if len(withoutTLS) > 0 {
 		tlsConfig = nil
 	}
 	conn, err := tcp.Dial(host, tcp.WithTLS(tlsConfig), tcp.WithHandlerFunc(func(w *tcp.ResponseWriter, r *pool.Message) {

coap-gateway/test/test.go

@@ -11,18 +11,20 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func MakeConfig(t *testing.T, withTLS ...bool) refImpl.Config {
+func MakeConfig(t *testing.T, withoutTLS ...bool) refImpl.Config {
 	var gwCfg refImpl.Config
 	err := envconfig.Process("", &gwCfg)
 	require.NoError(t, err)
-	if len(withTLS) > 0 {
-		gwCfg.ListenWithoutTLS = false
-	} else {
+	if len(withoutTLS) > 0 {
 		gwCfg.ListenWithoutTLS = true
+		gwCfg.Service.Addr = testCfg.GW_UNSECURE_HOST
+	} else {
+		gwCfg.ListenWithoutTLS = false
+		gwCfg.Service.Addr = testCfg.GW_HOST
 	}
 	gwCfg.Service.AuthServerAddr = testCfg.AUTH_HOST
 	gwCfg.Service.ResourceAggregateAddr = testCfg.RESOURCE_AGGREGATE_HOST
-	gwCfg.Service.Addr = testCfg.GW_HOST
+
 	gwCfg.Service.ResourceDirectoryAddr = testCfg.RESOURCE_DIRECTORY_HOST
 	gwCfg.Service.FQDN = "coap-gateway-" + t.Name()
 	gwCfg.Service.OAuth.ClientID = testCfg.OAUTH_MANAGER_CLIENT_ID
@@ -34,8 +36,8 @@ func MakeConfig(t *testing.T, withTLS ...bool) refImpl.Config {
 	return gwCfg
 }
 
-func SetUp(t *testing.T, withTLS ...bool) (TearDown func()) {
-	return New(t, MakeConfig(t, withTLS...))
+func SetUp(t *testing.T, withoutTLS ...bool) (TearDown func()) {
+	return New(t, MakeConfig(t, withoutTLS...))
 }
 
 // New creates test coap-gateway.

device-simulator/Dockerfile

@@ -4,7 +4,7 @@ RUN apk add --no-cache curl git build-base gcc linux-headers patch
 RUN git clone --recursive https://github.com/iotivity/iotivity-lite.git
 COPY ./patches/devsim.diff /devsim.diff
 RUN (cd /iotivity-lite && patch -p1 < /devsim.diff)
-RUN make -C /iotivity-lite/port/linux CLOUD=1 SECURE=0 DEBUG=1 MNT=1 cloud_server
+RUN make -C /iotivity-lite/port/linux CLOUD=1 SECURE=1 DEBUG=1 MNT=1 cloud_server
 
 FROM alpine:3.12 AS service
 COPY --from=build /iotivity-lite/port/linux/cloud_server /usr/local/bin/cloud_server

device-simulator/patches/devsim.diff

@@ -1,25 +1,3 @@
-diff --git a/api/cloud/oc_cloud_resource.c b/api/cloud/oc_cloud_resource.c
-index c6b36d7..09b14c5 100644
---- a/api/cloud/oc_cloud_resource.c
-+++ b/api/cloud/oc_cloud_resource.c
-@@ -144,7 +144,7 @@ post_cloud(oc_request_t *request, oc_interface_mask_t interface,
-   }
-   OC_DBG("POST request received");
-   (void)interface;
--
-+/*
-   switch (ctx->store.cps) {
-   case OC_CPS_UNINITIALIZED:
-   case OC_CPS_READYTOREGISTER:
-@@ -155,7 +155,7 @@ post_cloud(oc_request_t *request, oc_interface_mask_t interface,
-     return;
-   }
-   }
--
-+*/
-   char *cps;
-   size_t cps_len = 0;
-   if (oc_rep_get_string(request->request_payload, "cps", &cps, &cps_len)) {
 diff --git a/apps/cloud_server.c b/apps/cloud_server.c
 index 6edd644..ceaff87 100644
 --- a/apps/cloud_server.c

go.sum

@@ -116,6 +116,7 @@ github.com/go-ocf/go-coap/v2 v2.0.2 h1:aPpKuu9uWBkNdozed5hpeAl5AlPAGpNfSY/NQdJlO
 github.com/go-ocf/go-coap/v2 v2.0.2/go.mod h1:X9wVKcaOSx7wBxKcvrWgMQq1R2DNeA7NBLW2osIb8TM=
 github.com/go-ocf/go-coap/v2 v2.0.4-0.20200727123524-5a1063fa65b2 h1:8Ib/QICE+KkwobmufbzeKpamvolRj+tgyF+6irYsZ+4=
 github.com/go-ocf/go-coap/v2 v2.0.4-0.20200727123524-5a1063fa65b2/go.mod h1:X9wVKcaOSx7wBxKcvrWgMQq1R2DNeA7NBLW2osIb8TM=
+github.com/go-ocf/go-coap/v2 v2.0.4-0.20200728125043-f38b86f047a7 h1:AKdudU3gkKJ+eoESnMWcdyH43liYFXmwva8EMlbmOqc=
 github.com/go-ocf/go-coap/v2 v2.0.4-0.20200728125043-f38b86f047a7/go.mod h1:X9wVKcaOSx7wBxKcvrWgMQq1R2DNeA7NBLW2osIb8TM=
 github.com/go-ocf/grpc-gateway v0.0.0-20191029150757-8ed2b7d67a67/go.mod h1:GuVJZHmSz7KGATOk0tqLPkgBJq2H12hZnG74CTJXOtI=
 github.com/go-ocf/grpc-gateway v0.0.0-20191128115804-9c2e8f77af08/go.mod h1:XBVeqnt2JEx0Z6SLEdjnjQ53jEpbAvcx+/CAC43eAb4=
@@ -147,6 +148,7 @@ github.com/go-ocf/kit v0.0.0-20200415134408-e0585e8eea21/go.mod h1:tnazqyziD6lz3
 github.com/go-ocf/kit v0.0.0-20200527091251-aa44b115a690/go.mod h1:VQ/L9+wU9EEddE6X0VIWtodORpT8WCapogWoR3jWhbM=
 github.com/go-ocf/kit v0.0.0-20200702075537-01631a881369 h1:jxNPzNd20ibh2T2fRIem/7CJp8tsw2xI/jrSU3dQhdQ=
 github.com/go-ocf/kit v0.0.0-20200702075537-01631a881369/go.mod h1:VQ/L9+wU9EEddE6X0VIWtodORpT8WCapogWoR3jWhbM=
+github.com/go-ocf/kit v0.0.0-20200728130040-4aebdb6982bc h1:VfEKBNg9m0rHO88jv/fOCXW1MN+Z4imfGZhYF0G8484=
 github.com/go-ocf/kit v0.0.0-20200728130040-4aebdb6982bc/go.mod h1:TIsoMT/iB7t9P6ahkcOnsmvS83SIJsv9qXRfz/yLf6M=
 github.com/go-ocf/resource-aggregate v0.0.0-20190610073816-ff5194c51d2a/go.mod h1:5G1FgzxCnQhETxlFMh2DYtGJrl82AK3MvHXW4MYpO08=
 github.com/go-ocf/resource-aggregate v0.0.0-20191001194720-f5aade86d89a/go.mod h1:5G1FgzxCnQhETxlFMh2DYtGJrl82AK3MvHXW4MYpO08=

grpc-gateway/client/observeDevices_test.go

@@ -61,7 +61,7 @@ func TestObserveDevices(t *testing.T) {
 	res = <-h.res
 	require.Equal(t, client.DevicesObservationEvent{
 		DeviceIDs: []string{deviceID},
-		Event:     client.DevicesObservationEvent_OFFLINE,
+		Event:     client.DevicesObservationEvent_UNREGISTERED,
 	}, res)
 }
 

http-gateway/service/observeDevices.go

@@ -64,8 +64,7 @@ func ToDevicesObservationEvent(e client.DevicesObservationEvent_type) string {
 }
 
 func (d *deviceObservation) Handle(ctx context.Context, event client.DevicesObservationEvent) error {
-	if event.Event == client.DevicesObservationEvent_REGISTERED ||
-		event.Event == client.DevicesObservationEvent_UNREGISTERED {
+	if len(event.DeviceIDs) == 0 {
 		return nil
 	}
 	evt := DeviceEvent{

http-gateway/service/observeDevices_test.go

@@ -37,7 +37,6 @@ func TestObserveDevices(t *testing.T) {
 }
 
 func testObserveDevices(ctx context.Context, t *testing.T, deviceID string) {
-
 	//first event
 	conn, err := grpc.Dial(testCfg.GRPC_HOST, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
 		RootCAs: cloudTest.GetRootCertificatePool(t),
@@ -51,21 +50,21 @@ func testObserveDevices(ctx context.Context, t *testing.T, deviceID string) {
 	defer closeWebSocketConnection(t, wsConn)
 	expEvt := service.DeviceEvent{
 		DeviceIDs: []string{deviceID},
-		Status:    service.ToDevicesObservationEvent(client.DevicesObservationEvent_ONLINE),
+		Status:    service.ToDevicesObservationEvent(client.DevicesObservationEvent_REGISTERED),
 	}
 	testDeviceEvent(t, wsConn, expEvt)
 
 	expEvt = service.DeviceEvent{
-		DeviceIDs: nil,
-		Status:    service.ToDevicesObservationEvent(client.DevicesObservationEvent_OFFLINE),
+		DeviceIDs: []string{deviceID},
+		Status:    service.ToDevicesObservationEvent(client.DevicesObservationEvent_ONLINE),
 	}
 	testDeviceEvent(t, wsConn, expEvt)
 
 	//Second event
 	shutdownDevSim()
 	expEvt = service.DeviceEvent{
 		DeviceIDs: []string{deviceID},
-		Status:    service.ToDevicesObservationEvent(client.DevicesObservationEvent_OFFLINE),
+		Status:    service.ToDevicesObservationEvent(client.DevicesObservationEvent_UNREGISTERED),
 	}
 	testDeviceEvent(t, wsConn, expEvt)
 }
@@ -74,6 +73,7 @@ func testDeviceEvent(t *testing.T, conn *websocket.Conn, expect service.DeviceEv
 	_, message, err := conn.ReadMessage()
 	require.NoError(t, err)
 	evt := service.DeviceEvent{}
+	fmt.Printf("testDeviceEvent %v\n", string(message))
 	err = json.Decode(message, &evt)
 	require.NoError(t, err)
 	require.Equal(t, expect, evt)

test/config/config.go

@@ -10,6 +10,7 @@ import (
 const AUTH_HOST = "localhost:20000"
 const AUTH_HTTP_HOST = "localhost:20001"
 const GW_HOST = "localhost:20002"
+const GW_UNSECURE_HOST = "localhost:20008"
 const RESOURCE_AGGREGATE_HOST = "localhost:20003"
 const RESOURCE_DIRECTORY_HOST = "localhost:20004"
 const GRPC_HOST = "localhost:20005"

test/sdkclient.go

@@ -0,0 +1,156 @@
+package test
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"os"
+
+	"github.com/go-ocf/sdk/local"
+)
+
+type testSetupSecureClient struct {
+	ca      []*x509.Certificate
+	mfgCA   []*x509.Certificate
+	mfgCert tls.Certificate
+}
+
+func (c *testSetupSecureClient) GetManufacturerCertificate() (tls.Certificate, error) {
+	if c.mfgCert.PrivateKey == nil {
+		return c.mfgCert, fmt.Errorf("not set")
+	}
+	return c.mfgCert, nil
+}
+
+func (c *testSetupSecureClient) GetManufacturerCertificateAuthorities() ([]*x509.Certificate, error) {
+	if len(c.mfgCA) == 0 {
+		return nil, fmt.Errorf("not set")
+	}
+	return c.mfgCA, nil
+}
+
+func (c *testSetupSecureClient) GetRootCertificateAuthorities() ([]*x509.Certificate, error) {
+	if len(c.ca) == 0 {
+		return nil, fmt.Errorf("not set")
+	}
+	return c.ca, nil
+}
+
+func NewSDKClient() (*local.Client, error) {
+	mfgTrustedCABlock, _ := pem.Decode(MfgTrustedCA)
+	if mfgTrustedCABlock == nil {
+		return nil, fmt.Errorf("mfgTrustedCABlock is empty")
+	}
+	mfgCA, err := x509.ParseCertificates(mfgTrustedCABlock.Bytes)
+	if err != nil {
+		return nil, err
+	}
+
+	identityIntermediateCA, err := ioutil.ReadFile(os.Getenv("TEST_ROOT_CA_CRT"))
+	if err != nil {
+		return nil, err
+	}
+
+	identityIntermediateCAKey, err := ioutil.ReadFile(os.Getenv("TEST_ROOT_CA_KEY"))
+	if err != nil {
+		return nil, err
+	}
+
+	identityTrustedCA, err := ioutil.ReadFile(os.Getenv("TEST_ROOT_CA_CRT"))
+	if err != nil {
+		return nil, err
+	}
+
+	identityIntermediateCABlock, _ := pem.Decode(identityIntermediateCA)
+	if identityIntermediateCABlock == nil {
+		return nil, fmt.Errorf("identityIntermediateCABlock is empty")
+	}
+	identityIntermediateCAKeyBlock, _ := pem.Decode(identityIntermediateCAKey)
+	if identityIntermediateCAKeyBlock == nil {
+		return nil, fmt.Errorf("identityIntermediateCAKeyBlock is empty")
+	}
+
+	identityTrustedCABlock, _ := pem.Decode(identityTrustedCA)
+	if identityTrustedCABlock == nil {
+		return nil, fmt.Errorf("identityTrustedCABlock is empty")
+	}
+	identityTrustedCACert, err := x509.ParseCertificates(identityTrustedCABlock.Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("cannot parse cert: %w", err)
+	}
+	mfgCert, err := tls.X509KeyPair(MfgCert, MfgKey)
+	if err != nil {
+		return nil, fmt.Errorf("cannot X509KeyPair: %w", err)
+	}
+	cfg := local.Config{
+		DisablePeerTCPSignalMessageCSMs: true,
+		DeviceOwnershipSDK: &local.DeviceOwnershipSDKConfig{
+			ID:      CertIdentity,
+			Cert:    identityIntermediateCA,
+			CertKey: identityIntermediateCAKey,
+		},
+	}
+
+	client, err := local.NewClientFromConfig(&cfg, &testSetupSecureClient{
+		mfgCA:   mfgCA,
+		mfgCert: mfgCert,
+		ca:      append(identityTrustedCACert),
+	}, func(err error) { fmt.Print(err) },
+	)
+	if err != nil {
+		return nil, err
+	}
+	err = client.Initialization(context.Background())
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+var (
+	CertIdentity = "00000000-0000-0000-0000-000000000001"
+
+	MfgCert = []byte(`-----BEGIN CERTIFICATE-----
+MIIB9zCCAZygAwIBAgIRAOwIWPAt19w7DswoszkVIEIwCgYIKoZIzj0EAwIwEzER
+MA8GA1UEChMIVGVzdCBPUkcwHhcNMTkwNTAyMjAwNjQ4WhcNMjkwMzEwMjAwNjQ4
+WjBHMREwDwYDVQQKEwhUZXN0IE9SRzEyMDAGA1UEAxMpdXVpZDpiNWEyYTQyZS1i
+Mjg1LTQyZjEtYTM2Yi0wMzRjOGZjOGVmZDUwWTATBgcqhkjOPQIBBggqhkjOPQMB
+BwNCAAQS4eiM0HNPROaiAknAOW08mpCKDQmpMUkywdcNKoJv1qnEedBhWne7Z0jq
+zSYQbyqyIVGujnI3K7C63NRbQOXQo4GcMIGZMA4GA1UdDwEB/wQEAwIDiDAzBgNV
+HSUELDAqBggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMBBgorBgEEAYLefAEG
+MAwGA1UdEwEB/wQCMAAwRAYDVR0RBD0wO4IJbG9jYWxob3N0hwQAAAAAhwR/AAAB
+hxAAAAAAAAAAAAAAAAAAAAAAhxAAAAAAAAAAAAAAAAAAAAABMAoGCCqGSM49BAMC
+A0kAMEYCIQDuhl6zj6gl2YZbBzh7Th0uu5izdISuU/ESG+vHrEp7xwIhANCA7tSt
+aBlce+W76mTIhwMFXQfyF3awWIGjOcfTV8pU
+-----END CERTIFICATE-----
+`)
+
+	MfgKey = []byte(`-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMPeADszZajrkEy4YvACwcbR0pSdlKG+m8ALJ6lj/ykdoAoGCCqGSM49
+AwEHoUQDQgAEEuHojNBzT0TmogJJwDltPJqQig0JqTFJMsHXDSqCb9apxHnQYVp3
+u2dI6s0mEG8qsiFRro5yNyuwutzUW0Dl0A==
+-----END EC PRIVATE KEY-----
+`)
+
+	MfgTrustedCA = []byte(`-----BEGIN CERTIFICATE-----
+MIIBaTCCAQ+gAwIBAgIQR33gIB75I7Vi/QnMnmiWvzAKBggqhkjOPQQDAjATMREw
+DwYDVQQKEwhUZXN0IE9SRzAeFw0xOTA1MDIyMDA1MTVaFw0yOTAzMTAyMDA1MTVa
+MBMxETAPBgNVBAoTCFRlc3QgT1JHMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+xbwMaS8jcuibSYJkCmuVHfeV3xfYVyUq8Iroz7YlXaTayspW3K4hVdwIsy/5U+3U
+vM/vdK5wn2+NrWy45vFAJqNFMEMwDgYDVR0PAQH/BAQDAgEGMBMGA1UdJQQMMAoG
+CCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0RBAQwAoIAMAoGCCqGSM49
+BAMCA0gAMEUCIBWkxuHKgLSp6OXDJoztPP7/P5VBZiwLbfjTCVRxBvwWAiEAnzNu
+6gKPwtKmY0pBxwCo3NNmzNpA6KrEOXE56PkiQYQ=
+-----END CERTIFICATE-----
+`)
+	MfgTrustedCAKey = []byte(`-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICzfC16AqtSv3wt+qIbrgM8dTqBhHANJhZS5xCpH6P2roAoGCCqGSM49
+AwEHoUQDQgAExbwMaS8jcuibSYJkCmuVHfeV3xfYVyUq8Iroz7YlXaTayspW3K4h
+VdwIsy/5U+3UvM/vdK5wn2+NrWy45vFAJg==
+-----END EC PRIVATE KEY-----
+`)
+)