Remove extra logging.

Signed-off-by: Adam Capparelli <adam.capparelli@alumni.utoronto.ca>

.github/workflows/ci.yml

@@ -21,7 +21,7 @@ defaults:
 
 jobs:
   docker:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     env:
       DOCKER_REGISTRY_URL: tip-tip-wlan-cloud-ucentral.jfrog.io
       DOCKER_REGISTRY_USERNAME: ucentral

.github/workflows/release.yml

@@ -11,7 +11,7 @@ defaults:
 
 jobs:
   helm-package:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     env:
       HELM_REPO_URL: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
       HELM_REPO_USERNAME: ucentral

CMakeLists.txt

@@ -1,5 +1,5 @@
 cmake_minimum_required(VERSION 3.13)
-project(owgw VERSION 4.1.0)
+project(owgw VERSION 3.2.1)
 
 set(CMAKE_CXX_STANDARD 20)
 set(CMAKE_CXX_STANDARD_REQUIRED True)

PROTOCOL.md

@@ -880,32 +880,6 @@ The device should answer:
 }
 ```
 
-#### Controller wants the device to perform re-enrollment
-Controller sends this command to trigger re-enrollment, i.e. update of operational certificate. Extreme care must be taken.
-```json
-{    "jsonrpc" : "2.0" , 
-     "method" : "reenroll" , 
-     "params" : {
-        "serial" : <serial number>,
-        "when" : Optional - <UTC time when to apply this config, 0 mean immediate, this is a suggestion>
-     },
-     "id" : <some number>
-}
-```
-
-The device should answer:
-```json
-{     "jsonrpc" : "2.0" , 
-      "result" : {
-          "serial" : <serial number> ,
-          "status" : {
-            "error" : <0 or the value of $? from the shell running the command, 255 signifies a timeout>,
-            "txt" : <text describing the error or success>
-      },
-  "id" : <same number as request>
-}
-```
-
 #### Controller wants the device to switch to another controller
 Controller sends this when the device should change the controller it connects to without looking up a new redirector.
 

openapi/owgw.yaml

@@ -1576,15 +1576,6 @@ components:
           format: base64
           description: This is a base64 encoded string of the certificate bundle (the current bundle .tar.gz file from the PKI portal)
 
-    ReenrollRequest:
-      type: object
-      properties:
-        serialNumber:
-          type: string
-        when:
-          type: integer
-          format: int64
-
     PowerCycleRequest:
       type: object
       properties:
@@ -3065,32 +3056,6 @@ paths:
         404:
           $ref: '#/components/responses/NotFound'
 
-  /device/{serialNumber}/reenroll:
-    post:
-      tags:
-        - Commands
-      summary: Reenroll operational certificate for the device.
-      operationId: reenrollCertificate
-      parameters:
-        - in: path
-          name: serialNumber
-          schema:
-            type: string
-          required: true
-      requestBody:
-        description: Reenroll operational certificate for the device
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/ReenrollRequest'
-      responses:
-        200:
-          $ref: '#/components/responses/Success'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'
-
   /device/{serialNumber}/powercycle:
     post:
       tags:

src/AP_WS_Connection.cpp

@@ -213,7 +213,6 @@ namespace OpenWifi {
 			}
 
 			State_.certificateExpiryDate = PeerCert.expiresOn().timestamp().epochTime();
-			State_.certificateIssuerName = PeerCert.issuerName();
 
 			poco_trace(Logger_,
 					   fmt::format("TLS-CONNECTION({}): Session={} CN={} Completed. (t={})", CId_,
@@ -562,14 +561,14 @@ namespace OpenWifi {
 	void AP_WS_Connection::OnSocketShutdown(
 		[[maybe_unused]] const Poco::AutoPtr<Poco::Net::ShutdownNotification> &pNf) {
 		poco_trace(Logger_, fmt::format("SOCKET-SHUTDOWN({}): Closing.", CId_));
-//		std::lock_guard	G(ConnectionMutex_);
+		std::lock_guard	G(ConnectionMutex_);
 		return EndConnection();
 	}
 
 	void AP_WS_Connection::OnSocketError(
 		[[maybe_unused]] const Poco::AutoPtr<Poco::Net::ErrorNotification> &pNf) {
 		poco_trace(Logger_, fmt::format("SOCKET-ERROR({}): Closing.", CId_));
-//		std::lock_guard	G(ConnectionMutex_);
+		std::lock_guard	G(ConnectionMutex_);
 		return EndConnection();
 	}
 
@@ -656,6 +655,7 @@ namespace OpenWifi {
 						fmt::format("FRAME({}): Frame received (length={}, flags={}). Msg={}",
 									CId_, IncomingSize, flags, IncomingFrame.begin()));
 
+					
 					Poco::JSON::Parser parser;
 					auto ParsedMessage = parser.parse(IncomingFrame.begin());
 					auto IncomingJSON = ParsedMessage.extract<Poco::JSON::Object::Ptr>();

src/AP_WS_Server.cpp

@@ -57,8 +57,9 @@ namespace OpenWifi {
 			if (request.find("Upgrade") != request.end() &&
 				Poco::icompare(request["Upgrade"], "websocket") == 0) {
 				Utils::SetThreadName("ws:conn-init");
-				session_id_++;
-				return new AP_WS_RequestHandler(Logger_, session_id_);
+				//session_id_++;
+				auto new_session_id =  session_id_.fetch_add(1, std::memory_order_seq_cst) + 1;
+				return new AP_WS_RequestHandler(Logger_, new_session_id);
 			} else {
 				return nullptr;
 			}
@@ -71,18 +72,14 @@ namespace OpenWifi {
 	bool AP_WS_Server::ValidateCertificate(const std::string &ConnectionId,
 										   const Poco::Crypto::X509Certificate &Certificate) {
 		if (IsCertOk()) {
-			// validate certificate agains trusted chain
-			for (const auto &cert : ClientCasCerts_) {
-				if (Certificate.issuedBy(cert)) {
-					return true;
-				}
-			}
+			if (!Certificate.issuedBy(*IssuerCert_)) {
 				poco_warning(
 					Logger(),
-					fmt::format(
-						"CERTIFICATE({}): issuer mismatch. Certificate not issued by any trusted CA",
-						ConnectionId)
-					);
+					fmt::format("CERTIFICATE({}): issuer mismatch. Local='{}' Incoming='{}'",
+								ConnectionId, IssuerCert_->issuerName(), Certificate.issuerName()));
+				return false;
+			}
+			return true;
 		}
 		return false;
 	}
@@ -137,13 +134,6 @@ namespace OpenWifi {
 			Context->addChainCertificate(Issuing);
 			Context->addCertificateAuthority(Issuing);
 
-			// add certificates from clientcas to trust chain
-			ClientCasCerts_ = Poco::Net::X509Certificate::readPEM(Svr.ClientCas());
-			for (const auto &cert : ClientCasCerts_) {
-				Context->addChainCertificate(cert);
-				Context->addCertificateAuthority(cert);
-			}
-
 			Poco::Crypto::RSAKey Key("", Svr.KeyFile(), Svr.KeyFilePassword());
 			Context->usePrivateKey(Key);
 
@@ -525,11 +515,28 @@ namespace OpenWifi {
 			Connection = SessionHint->second;
 			Sessions_[sessionHash].erase(SessionHint);
 		}
-
+		std::atomic_bool duplicate_session = false;
+		{
 			auto deviceHash = MACHash::Hash(SerialNumber);
 			std::lock_guard DeviceLock(SerialNumbersMutex_[deviceHash]);
+			auto DeviceHint = SerialNumbers_[deviceHash].find(SerialNumber);
+            if (DeviceHint == SerialNumbers_[deviceHash].end()) {
+                // No duplicate connection go ahead and add new connection
 		        SerialNumbers_[deviceHash][SerialNumber] = Connection;
             }
+            else {
+                // Mark a duplicate session
+                duplicate_session = true;
+				poco_information(Logger(), fmt::format("[session ID: {}] Found a duplicate connection for device serial: {}", session_id, Utils::IntToSerialNumber(SerialNumber)));
+            }
+		}
+		if (duplicate_session.load()){
+            // This is only called if we have a duplicate session
+            // We remove the new incoming session that we just added a few lines above, forcing the destructor for this new session while not impacting the pointers to the old session.
+            std::lock_guard SessionLock(SessionMutex_[sessionHash]);
+			Sessions_[sessionHash].erase(session_id);
+        }
+	}
 
 	bool AP_WS_Server::EndSession(uint64_t session_id, uint64_t SerialNumber) {
 		{

src/AP_WS_Server.h

@@ -223,7 +223,6 @@ namespace OpenWifi {
 		mutable std::array<std::mutex,MACHashMax>		SerialNumbersMutex_;
 
 		std::unique_ptr<Poco::Crypto::X509Certificate> IssuerCert_;
-		std::vector<Poco::Crypto::X509Certificate> ClientCasCerts_;
 		std::list<std::unique_ptr<Poco::Net::HTTPServer>> WebServers_;
 		Poco::ThreadPool DeviceConnectionPool_{"ws:dev-pool", 4, 256};
 		Poco::Net::SocketReactor Reactor_;

src/RESTAPI/RESTAPI_device_commandHandler.cpp

@@ -170,7 +170,6 @@ namespace OpenWifi {
 		{APCommands::Commands::powercycle, false, true, &RESTAPI_device_commandHandler::PowerCycle, 60000ms},
 		{APCommands::Commands::fixedconfig, false, true, &RESTAPI_device_commandHandler::FixedConfig, 120000ms},
 		{APCommands::Commands::cablediagnostics, false, true, &RESTAPI_device_commandHandler::CableDiagnostics, 120000ms},
-		{APCommands::Commands::reenroll, false, true, &RESTAPI_device_commandHandler::ReEnroll, 120000ms},
 
 	};
 
@@ -1652,45 +1651,4 @@ namespace OpenWifi {
 										   *ParsedBody_, *Request, *Response, timeout, nullptr, this,
 										   Logger_);
 	}
-
-	void RESTAPI_device_commandHandler::ReEnroll(
-		const std::string &CMD_UUID, uint64_t CMD_RPC,
-		[[maybe_unused]] std::chrono::milliseconds timeout,
-		[[maybe_unused]] const GWObjects::DeviceRestrictions &Restrictions) {
-
-		if(UserInfo_.userinfo.userRole != SecurityObjects::ROOT &&
-			UserInfo_.userinfo.userRole != SecurityObjects::ADMIN) {
-			CallCanceled("REENROLL", CMD_UUID, CMD_RPC, RESTAPI::Errors::ACCESS_DENIED);
-			return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
-		}
-
-		poco_debug(Logger_, fmt::format("REENROLL({},{}): TID={} user={} serial={}", CMD_UUID,
-										CMD_RPC, TransactionId_, Requester(), SerialNumber_));
-
-		if(IsDeviceSimulated(SerialNumber_)) {
-			CallCanceled("REENROLL", CMD_UUID, CMD_RPC, RESTAPI::Errors::SimulatedDeviceNotSupported);
-			return BadRequest(RESTAPI::Errors::SimulatedDeviceNotSupported);
-		}
-
-		GWObjects::ReEnroll PR;
-		if(!PR.from_json(ParsedBody_)) {
-			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
-		}
-
-		GWObjects::CommandDetails Cmd;
-		Cmd.SerialNumber = SerialNumber_;
-		Cmd.SubmittedBy = Requester();
-		Cmd.UUID = CMD_UUID;
-		Cmd.Command = uCentralProtocol::REENROLL;
-		std::ostringstream os;
-		ParsedBody_->stringify(os);
-		Cmd.Details = os.str();
-		Cmd.RunAt = PR.when;
-		Cmd.ErrorCode = 0;
-		Cmd.WaitingForFile = 0;
-
-		return RESTAPI_RPC::WaitForCommand(CMD_RPC, APCommands::Commands::reenroll, false, Cmd,
-										   *ParsedBody_, *Request, *Response, timeout, nullptr, this,
-										   Logger_);
-	}
 } // namespace OpenWifi

src/RESTAPI/RESTAPI_device_commandHandler.h

@@ -74,8 +74,6 @@ namespace OpenWifi {
 					  const GWObjects::DeviceRestrictions &R);
 		void CableDiagnostics(const std::string &UUID, uint64_t RPC, std::chrono::milliseconds timeout,
 					  const GWObjects::DeviceRestrictions &R);
-		void ReEnroll(const std::string &UUID, uint64_t RPC, std::chrono::milliseconds timeout,
-					  const GWObjects::DeviceRestrictions &R);
 
 		static auto PathName() {
 			return std::list<std::string>{"/api/v1/device/{serialNumber}/{command}"};

src/RESTObjects/RESTAPI_GWobjects.cpp

@@ -297,7 +297,6 @@ namespace OpenWifi::GWObjects {
 		field_to_json(Obj, "connectionCompletionTime", connectionCompletionTime);
 		field_to_json(Obj, "totalConnectionTime", Utils::Now() - started);
 		field_to_json(Obj, "certificateExpiryDate", certificateExpiryDate);
-		field_to_json(Obj, "certificateIssuerName", certificateIssuerName);
 		field_to_json(Obj, "connectReason", connectReason);
 		field_to_json(Obj, "uptime", uptime);
         field_to_json(Obj, "compatible", Compatible);
@@ -359,7 +358,6 @@ namespace OpenWifi::GWObjects {
             field_from_json(Obj, "connectionCompletionTime", connectionCompletionTime);
             field_from_json(Obj, "totalConnectionTime", totalConnectionTime);
             field_from_json(Obj, "certificateExpiryDate", certificateExpiryDate);
-			field_from_json(Obj, "certificateIssuerName", certificateIssuerName);
             field_from_json(Obj, "connectReason", connectReason);
             field_from_json(Obj, "uptime", uptime);
             field_from_json(Obj, "hasRADIUSSessions", hasRADIUSSessions );
@@ -821,14 +819,4 @@ namespace OpenWifi::GWObjects {
 		}
 		return false;
 	}
-
-	bool ReEnroll::from_json(const Poco::JSON::Object::Ptr &Obj) {
-		try {
-			field_from_json(Obj, "serial", serialNumber);
-			field_from_json(Obj, "when", when);
-			return true;
-		} catch (const Poco::Exception &E) {
-		}
-		return false;
-	}
 } // namespace OpenWifi::GWObjects

src/RESTObjects/RESTAPI_GWobjects.h

@@ -42,7 +42,6 @@ namespace OpenWifi::GWObjects {
 		uint64_t sessionId = 0;
 		double connectionCompletionTime = 0.0;
 		std::uint64_t certificateExpiryDate = 0;
-		std::string certificateIssuerName;
 		std::uint64_t hasRADIUSSessions = 0;
 		bool hasGPS = false;
 		std::uint64_t sanity=0;
@@ -546,12 +545,6 @@ namespace OpenWifi::GWObjects {
 		std::uint64_t 	when;
 		std::vector<std::string> ports;
 
-		bool from_json(const Poco::JSON::Object::Ptr &Obj);
-	};
-	struct ReEnroll {
-		std::string 	serialNumber;
-		std::uint64_t 	when;
-
 		bool from_json(const Poco::JSON::Object::Ptr &Obj);
 	};
 } // namespace OpenWifi::GWObjects

src/framework/ConfigurationValidator.cpp

@@ -3952,9 +3952,7 @@ static std::string DefaultAPSchema = R"foo(
                             "inactive-deauth",
                             "key-mismatch",
                             "beacon-report",
-                            "radar-detected",
-                            "ft-finish",
-                            "sta-authorized"
+                            "radar-detected"
                         ]
                     }
                 }
@@ -7922,9 +7920,7 @@ static std::string DefaultSWITCHSchema = R"foo(
                             "inactive-deauth",
                             "key-mismatch",
                             "beacon-report",
-                            "radar-detected",
-                            "ft-finish",
-                            "sta-authorized"
+                            "radar-detected"
                         ]
                     }
                 }

src/framework/SubSystemServer.cpp

@@ -68,16 +68,6 @@ namespace OpenWifi {
 				Context->addCertificateAuthority(Issuing);
 			}
 
-			if (!client_cas_.empty()) {
-				// add certificates specified in clientcas
-				std::vector<Poco::Crypto::X509Certificate> Certs =
-					Poco::Net::X509Certificate::readPEM(client_cas_);
-				for (const auto &cert : Certs) {
-					Context->addChainCertificate(cert);
-					Context->addCertificateAuthority(cert);
-				}
-			}
-
 			Poco::Crypto::RSAKey Key("", key_file_, key_file_password_);
 			Context->usePrivateKey(Key);
 

src/framework/SubSystemServer.h

@@ -45,7 +45,6 @@ namespace OpenWifi {
 		[[nodiscard]] inline auto KeyFile() const { return key_file_; };
 		[[nodiscard]] inline auto CertFile() const { return cert_file_; };
 		[[nodiscard]] inline auto RootCA() const { return root_ca_; };
-		[[nodiscard]] inline auto ClientCas() const { return client_cas_; };
 		[[nodiscard]] inline auto KeyFilePassword() const { return key_file_password_; };
 		[[nodiscard]] inline auto IssuerCertFile() const { return issuer_cert_file_; };
 		[[nodiscard]] inline auto Name() const { return name_; };

src/framework/ow_constants.h

@@ -583,7 +583,6 @@ namespace OpenWifi::RESTAPI::Protocol {
 
 	static const char *FIXEDCONFIG = "fixedconfig";
 	static const char *CABLEDIAGNOSTICS = "cable-diagnostics";
-	static const char *REENROLL = "reenroll";
 } // namespace OpenWifi::RESTAPI::Protocol
 
 namespace OpenWifi::uCentralProtocol {
@@ -699,8 +698,6 @@ namespace OpenWifi::uCentralProtocol {
 
 	static const char *FIXEDCONFIG = "fixedconfig";
 	static const char *CABLEDIAGNOSTICS = "cable-diagnostics";
-	static const char *REENROLL = "reenroll";
-
 
 } // namespace OpenWifi::uCentralProtocol
 
@@ -800,7 +797,6 @@ namespace OpenWifi::APCommands {
 		powercycle,
 		fixedconfig,
 		cablediagnostics,
-		reenroll,
 		unknown
 	};
 
@@ -816,8 +812,7 @@ namespace OpenWifi::APCommands {
 		RESTAPI::Protocol::PING,		 RESTAPI::Protocol::SCRIPT,
 		RESTAPI::Protocol::RRM,		 	 RESTAPI::Protocol::CERTUPDATE,
 		RESTAPI::Protocol::TRANSFER,	 RESTAPI::Protocol::POWERCYCLE,
-		RESTAPI::Protocol::FIXEDCONFIG,  RESTAPI::Protocol::CABLEDIAGNOSTICS,
-		RESTAPI::Protocol::REENROLL
+		RESTAPI::Protocol::FIXEDCONFIG,  RESTAPI::Protocol::CABLEDIAGNOSTICS
 	};
 
 	inline const char *to_string(Commands Cmd) { return uCentralAPCommands[(uint8_t)Cmd]; }

src/rttys/RTTYS_server.cpp

@@ -14,7 +14,6 @@
 #include "nlohmann/json.hpp"
 
 #include "Poco/NObserver.h"
-#include <Poco/Net/Context.h>
 #include "Poco/Net/SocketNotification.h"
 #include "Poco/Net/NetException.h"
 #include "Poco/Net/WebSocketImpl.h"
@@ -72,7 +71,6 @@ namespace OpenWifi {
 				const auto &RootCas =
 					MicroServiceConfigPath("ucentral.websocket.host.0.rootca", "");
 				const auto &Cas = MicroServiceConfigPath("ucentral.websocket.host.0.cas", "");
-				const auto &ClientCasFile = MicroServiceConfigPath("ucentral.websocket.host.0.clientcas", "");
 
 				Poco::Net::Context::Params P;
 
@@ -88,7 +86,6 @@ namespace OpenWifi {
 				Poco::Crypto::X509Certificate Cert(CertFileName);
 				Poco::Crypto::X509Certificate Root(RootCaFileName);
 				Poco::Crypto::X509Certificate Issuing(IssuerFileName);
-                std::vector<Poco::Crypto::X509Certificate> ClientCasCerts;
 				Poco::Crypto::RSAKey Key("", KeyFileName, KeyPassword);
 
 				DeviceSecureContext->useCertificate(Cert);
@@ -96,11 +93,7 @@ namespace OpenWifi {
 				DeviceSecureContext->addCertificateAuthority(Root);
 				DeviceSecureContext->addChainCertificate(Issuing);
 				DeviceSecureContext->addCertificateAuthority(Issuing);
-                ClientCasCerts = Poco::Net::X509Certificate::readPEM(ClientCasFile);
-                for (const auto &cert : ClientCasCerts) {
-                    DeviceSecureContext->addChainCertificate(cert);
-                    DeviceSecureContext->addCertificateAuthority(cert);
-                }
+				DeviceSecureContext->addCertificateAuthority(Root);
 				DeviceSecureContext->enableSessionCache(true);
 				DeviceSecureContext->setSessionCacheSize(0);
 				DeviceSecureContext->setSessionTimeout(120);