feat: Added reneroll command handler.

https://telecominfraproject.atlassian.net/browse/PKI2-132

Signed-off-by: Ivan Chvets <ivan.chvets@kinarasystems.com>

.github/workflows/ci.yml

@@ -21,7 +21,7 @@ defaults:
 
 jobs:
   docker:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     env:
       DOCKER_REGISTRY_URL: tip-tip-wlan-cloud-ucentral.jfrog.io
       DOCKER_REGISTRY_USERNAME: ucentral

.github/workflows/release.yml

@@ -11,7 +11,7 @@ defaults:
 
 jobs:
   helm-package:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     env:
       HELM_REPO_URL: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
       HELM_REPO_USERNAME: ucentral

CMakeLists.txt

@@ -1,5 +1,5 @@
 cmake_minimum_required(VERSION 3.13)
-project(owgw VERSION 3.2.1)
+project(owgw VERSION 4.1.0)
 
 set(CMAKE_CXX_STANDARD 20)
 set(CMAKE_CXX_STANDARD_REQUIRED True)

PROTOCOL.md

@@ -880,6 +880,32 @@ The device should answer:
 }
 ```
 
+#### Controller wants the device to perform re-enrollment
+Controller sends this command to trigger re-enrollment, i.e. update of operational certificate. Extreme care must be taken.
+```json
+{    "jsonrpc" : "2.0" , 
+     "method" : "reenroll" , 
+     "params" : {
+        "serial" : <serial number>,
+        "when" : Optional - <UTC time when to apply this config, 0 mean immediate, this is a suggestion>
+     },
+     "id" : <some number>
+}
+```
+
+The device should answer:
+```json
+{     "jsonrpc" : "2.0" , 
+      "result" : {
+          "serial" : <serial number> ,
+          "status" : {
+            "error" : <0 or the value of $? from the shell running the command, 255 signifies a timeout>,
+            "txt" : <text describing the error or success>
+      },
+  "id" : <same number as request>
+}
+```
+
 #### Controller wants the device to switch to another controller
 Controller sends this when the device should change the controller it connects to without looking up a new redirector.
 

src/AP_WS_Connection.cpp

@@ -213,6 +213,7 @@ namespace OpenWifi {
 			}
 
 			State_.certificateExpiryDate = PeerCert.expiresOn().timestamp().epochTime();
+			State_.certificateIssuerName = PeerCert.issuerName();
 
 			poco_trace(Logger_,
 					   fmt::format("TLS-CONNECTION({}): Session={} CN={} Completed. (t={})", CId_,

src/AP_WS_Server.cpp

@@ -71,14 +71,18 @@ namespace OpenWifi {
 	bool AP_WS_Server::ValidateCertificate(const std::string &ConnectionId,
 										   const Poco::Crypto::X509Certificate &Certificate) {
 		if (IsCertOk()) {
-			if (!Certificate.issuedBy(*IssuerCert_)) {
+			// validate certificate agains trusted chain
-				poco_warning(
+			for (const auto &cert : ClientCasCerts_) {
-					Logger(),
+				if (Certificate.issuedBy(cert)) {
-					fmt::format("CERTIFICATE({}): issuer mismatch. Local='{}' Incoming='{}'",
+					return true;
-								ConnectionId, IssuerCert_->issuerName(), Certificate.issuerName()));
+				}
-				return false;
 			}
-			return true;
+			poco_warning(
+					Logger(),
+					fmt::format(
+						"CERTIFICATE({}): issuer mismatch. Certificate not issued by any trusted CA",
+						ConnectionId)
+					);
 		}
 		return false;
 	}
@@ -133,6 +137,13 @@ namespace OpenWifi {
 			Context->addChainCertificate(Issuing);
 			Context->addCertificateAuthority(Issuing);
 
+			// add certificates from clientcas to trust chain
+			ClientCasCerts_ = Poco::Net::X509Certificate::readPEM(Svr.ClientCas());
+			for (const auto &cert : ClientCasCerts_) {
+				Context->addChainCertificate(cert);
+				Context->addCertificateAuthority(cert);
+			}
+
 			Poco::Crypto::RSAKey Key("", Svr.KeyFile(), Svr.KeyFilePassword());
 			Context->usePrivateKey(Key);
 

src/AP_WS_Server.h

@@ -223,6 +223,7 @@ namespace OpenWifi {
 		mutable std::array<std::mutex,MACHashMax>		SerialNumbersMutex_;
 
 		std::unique_ptr<Poco::Crypto::X509Certificate> IssuerCert_;
+		std::vector<Poco::Crypto::X509Certificate> ClientCasCerts_;
 		std::list<std::unique_ptr<Poco::Net::HTTPServer>> WebServers_;
 		Poco::ThreadPool DeviceConnectionPool_{"ws:dev-pool", 4, 256};
 		Poco::Net::SocketReactor Reactor_;

src/RESTAPI/RESTAPI_device_commandHandler.cpp

@@ -170,6 +170,7 @@ namespace OpenWifi {
 		{APCommands::Commands::powercycle, false, true, &RESTAPI_device_commandHandler::PowerCycle, 60000ms},
 		{APCommands::Commands::fixedconfig, false, true, &RESTAPI_device_commandHandler::FixedConfig, 120000ms},
 		{APCommands::Commands::cablediagnostics, false, true, &RESTAPI_device_commandHandler::CableDiagnostics, 120000ms},
+		{APCommands::Commands::reenroll, false, true, &RESTAPI_device_commandHandler::ReEnroll, 120000ms},
 
 	};
 
@@ -1651,4 +1652,45 @@ namespace OpenWifi {
 										   *ParsedBody_, *Request, *Response, timeout, nullptr, this,
 										   Logger_);
 	}
+
+	void RESTAPI_device_commandHandler::ReEnroll(
+		const std::string &CMD_UUID, uint64_t CMD_RPC,
+		[[maybe_unused]] std::chrono::milliseconds timeout,
+		[[maybe_unused]] const GWObjects::DeviceRestrictions &Restrictions) {
+
+		if(UserInfo_.userinfo.userRole != SecurityObjects::ROOT &&
+			UserInfo_.userinfo.userRole != SecurityObjects::ADMIN) {
+			CallCanceled("REENROLL", CMD_UUID, CMD_RPC, RESTAPI::Errors::ACCESS_DENIED);
+			return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+		}
+
+		poco_debug(Logger_, fmt::format("REENROLL({},{}): TID={} user={} serial={}", CMD_UUID,
+										CMD_RPC, TransactionId_, Requester(), SerialNumber_));
+
+		if(IsDeviceSimulated(SerialNumber_)) {
+			CallCanceled("REENROLL", CMD_UUID, CMD_RPC, RESTAPI::Errors::SimulatedDeviceNotSupported);
+			return BadRequest(RESTAPI::Errors::SimulatedDeviceNotSupported);
+		}
+
+		GWObjects::ReEnroll PR;
+		if(!PR.from_json(ParsedBody_)) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+
+		GWObjects::CommandDetails Cmd;
+		Cmd.SerialNumber = SerialNumber_;
+		Cmd.SubmittedBy = Requester();
+		Cmd.UUID = CMD_UUID;
+		Cmd.Command = uCentralProtocol::REENROLL;
+		std::ostringstream os;
+		ParsedBody_->stringify(os);
+		Cmd.Details = os.str();
+		Cmd.RunAt = PR.when;
+		Cmd.ErrorCode = 0;
+		Cmd.WaitingForFile = 0;
+
+		return RESTAPI_RPC::WaitForCommand(CMD_RPC, APCommands::Commands::reenroll, false, Cmd,
+										   *ParsedBody_, *Request, *Response, timeout, nullptr, this,
+										   Logger_);
+	}
 } // namespace OpenWifi

src/RESTAPI/RESTAPI_device_commandHandler.h

@@ -74,6 +74,8 @@ namespace OpenWifi {
 					  const GWObjects::DeviceRestrictions &R);
 		void CableDiagnostics(const std::string &UUID, uint64_t RPC, std::chrono::milliseconds timeout,
 					  const GWObjects::DeviceRestrictions &R);
+		void ReEnroll(const std::string &UUID, uint64_t RPC, std::chrono::milliseconds timeout,
+					  const GWObjects::DeviceRestrictions &R);
 
 		static auto PathName() {
 			return std::list<std::string>{"/api/v1/device/{serialNumber}/{command}"};

src/RESTObjects/RESTAPI_GWobjects.cpp

@@ -297,6 +297,7 @@ namespace OpenWifi::GWObjects {
 		field_to_json(Obj, "connectionCompletionTime", connectionCompletionTime);
 		field_to_json(Obj, "totalConnectionTime", Utils::Now() - started);
 		field_to_json(Obj, "certificateExpiryDate", certificateExpiryDate);
+		field_to_json(Obj, "certificateIssuerName", certificateIssuerName);
 		field_to_json(Obj, "connectReason", connectReason);
 		field_to_json(Obj, "uptime", uptime);
         field_to_json(Obj, "compatible", Compatible);
@@ -358,6 +359,7 @@ namespace OpenWifi::GWObjects {
             field_from_json(Obj, "connectionCompletionTime", connectionCompletionTime);
             field_from_json(Obj, "totalConnectionTime", totalConnectionTime);
             field_from_json(Obj, "certificateExpiryDate", certificateExpiryDate);
+			field_from_json(Obj, "certificateIssuerName", certificateIssuerName);
             field_from_json(Obj, "connectReason", connectReason);
             field_from_json(Obj, "uptime", uptime);
             field_from_json(Obj, "hasRADIUSSessions", hasRADIUSSessions );
@@ -819,4 +821,14 @@ namespace OpenWifi::GWObjects {
 		}
 		return false;
 	}
+
+	bool ReEnroll::from_json(const Poco::JSON::Object::Ptr &Obj) {
+		try {
+			field_from_json(Obj, "serial", serialNumber);
+			field_from_json(Obj, "when", when);
+			return true;
+		} catch (const Poco::Exception &E) {
+		}
+		return false;
+	}
 } // namespace OpenWifi::GWObjects

src/RESTObjects/RESTAPI_GWobjects.h

@@ -42,6 +42,7 @@ namespace OpenWifi::GWObjects {
 		uint64_t sessionId = 0;
 		double connectionCompletionTime = 0.0;
 		std::uint64_t certificateExpiryDate = 0;
+		std::string certificateIssuerName;
 		std::uint64_t hasRADIUSSessions = 0;
 		bool hasGPS = false;
 		std::uint64_t sanity=0;
@@ -545,6 +546,12 @@ namespace OpenWifi::GWObjects {
 		std::uint64_t 	when;
 		std::vector<std::string> ports;
 
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
+	};
+	struct ReEnroll {
+		std::string 	serialNumber;
+		std::uint64_t 	when;
+
 		bool from_json(const Poco::JSON::Object::Ptr &Obj);
 	};
 } // namespace OpenWifi::GWObjects

src/framework/SubSystemServer.cpp

@@ -68,6 +68,16 @@ namespace OpenWifi {
 				Context->addCertificateAuthority(Issuing);
 			}
 
+			if (!client_cas_.empty()) {
+				// add certificates specified in clientcas
+				std::vector<Poco::Crypto::X509Certificate> Certs =
+					Poco::Net::X509Certificate::readPEM(client_cas_);
+				for (const auto &cert : Certs) {
+					Context->addChainCertificate(cert);
+					Context->addCertificateAuthority(cert);
+				}
+			}
+
 			Poco::Crypto::RSAKey Key("", key_file_, key_file_password_);
 			Context->usePrivateKey(Key);
 

src/framework/SubSystemServer.h

@@ -45,6 +45,7 @@ namespace OpenWifi {
 		[[nodiscard]] inline auto KeyFile() const { return key_file_; };
 		[[nodiscard]] inline auto CertFile() const { return cert_file_; };
 		[[nodiscard]] inline auto RootCA() const { return root_ca_; };
+		[[nodiscard]] inline auto ClientCas() const { return client_cas_; };
 		[[nodiscard]] inline auto KeyFilePassword() const { return key_file_password_; };
 		[[nodiscard]] inline auto IssuerCertFile() const { return issuer_cert_file_; };
 		[[nodiscard]] inline auto Name() const { return name_; };

src/framework/ow_constants.h

@@ -583,6 +583,7 @@ namespace OpenWifi::RESTAPI::Protocol {
 
 	static const char *FIXEDCONFIG = "fixedconfig";
 	static const char *CABLEDIAGNOSTICS = "cable-diagnostics";
+	static const char *REENROLL = "re-enroll";
 } // namespace OpenWifi::RESTAPI::Protocol
 
 namespace OpenWifi::uCentralProtocol {
@@ -698,6 +699,8 @@ namespace OpenWifi::uCentralProtocol {
 
 	static const char *FIXEDCONFIG = "fixedconfig";
 	static const char *CABLEDIAGNOSTICS = "cable-diagnostics";
+	static const char *REENROLL = "re-enroll";
+
 
 } // namespace OpenWifi::uCentralProtocol
 
@@ -797,6 +800,7 @@ namespace OpenWifi::APCommands {
 		powercycle,
 		fixedconfig,
 		cablediagnostics,
+		reenroll,
 		unknown
 	};
 
@@ -812,7 +816,8 @@ namespace OpenWifi::APCommands {
 		RESTAPI::Protocol::PING,		 RESTAPI::Protocol::SCRIPT,
 		RESTAPI::Protocol::RRM,		 	 RESTAPI::Protocol::CERTUPDATE,
 		RESTAPI::Protocol::TRANSFER,	 RESTAPI::Protocol::POWERCYCLE,
-		RESTAPI::Protocol::FIXEDCONFIG,  RESTAPI::Protocol::CABLEDIAGNOSTICS
+		RESTAPI::Protocol::FIXEDCONFIG,  RESTAPI::Protocol::CABLEDIAGNOSTICS,
+		RESTAPI::Protocol::REENROLL
 	};
 
 	inline const char *to_string(Commands Cmd) { return uCentralAPCommands[(uint8_t)Cmd]; }