Merge pull request #3479 from Ruadhri17/basic-auth-fix-cert-warn

fix: skip chown for cert and key when using Basic Auth

Author: Ruadhri17

crates/common/tedge_config/src/tedge_toml/models/auth_method.rs

@@ -34,7 +34,7 @@ impl FromStr for AuthMethod {
     }
 }
 
-#[derive(PartialEq, Eq)]
+#[derive(PartialEq, Eq, Debug, Clone, Copy, Display)]
 pub enum AuthType {
     Certificate,
     Basic,

crates/core/tedge/src/bridge/aws.rs

@@ -6,6 +6,7 @@ use std::time::Duration;
 use tedge_api::mqtt_topics::Channel;
 use tedge_api::mqtt_topics::EntityTopicId;
 use tedge_api::mqtt_topics::MqttSchema;
+use tedge_config::models::auth_method::AuthType;
 use tedge_config::models::HostPort;
 use tedge_config::models::TopicPrefix;
 use tedge_config::models::MQTT_TLS_PORT;
@@ -108,7 +109,7 @@ impl From<BridgeConfigAwsParams> for BridgeConfig {
             // to create the "Thing", so the first connection attempt can fail, but retrying
             // will give it a higher chance of success
             connection_check_attempts: 5,
-            auth_method: None,
+            auth_type: AuthType::Certificate,
             mosquitto_version: None,
             keepalive_interval,
             use_cryptoki: false,
@@ -166,7 +167,7 @@ fn test_bridge_config_from_aws_params() -> anyhow::Result<()> {
         bridge_attempt_unsubscribe: false,
         bridge_location: BridgeLocation::Mosquitto,
         connection_check_attempts: 5,
-        auth_method: None,
+        auth_type: AuthType::Certificate,
         mosquitto_version: None,
         keepalive_interval: Duration::from_secs(60),
         use_cryptoki: false,
@@ -229,7 +230,7 @@ fn test_bridge_config_aws_custom_topic_prefix() -> anyhow::Result<()> {
         bridge_attempt_unsubscribe: false,
         bridge_location: BridgeLocation::Mosquitto,
         connection_check_attempts: 5,
-        auth_method: None,
+        auth_type: AuthType::Certificate,
         mosquitto_version: None,
         keepalive_interval: Duration::from_secs(60),
         use_cryptoki: false,

crates/core/tedge/src/bridge/azure.rs

@@ -6,6 +6,7 @@ use std::time::Duration;
 use tedge_api::mqtt_topics::Channel;
 use tedge_api::mqtt_topics::EntityTopicId;
 use tedge_api::mqtt_topics::MqttSchema;
+use tedge_config::models::auth_method::AuthType;
 use tedge_config::models::HostPort;
 use tedge_config::models::TopicPrefix;
 use tedge_config::models::MQTT_TLS_PORT;
@@ -104,7 +105,7 @@ impl From<BridgeConfigAzureParams> for BridgeConfig {
             ],
             bridge_location,
             connection_check_attempts: 1,
-            auth_method: None,
+            auth_type: AuthType::Certificate,
             mosquitto_version: None,
             keepalive_interval,
             use_cryptoki: false,
@@ -166,7 +167,7 @@ fn test_bridge_config_from_azure_params() -> anyhow::Result<()> {
         bridge_attempt_unsubscribe: false,
         bridge_location: BridgeLocation::Mosquitto,
         connection_check_attempts: 1,
-        auth_method: None,
+        auth_type: AuthType::Certificate,
         mosquitto_version: None,
         keepalive_interval: Duration::from_secs(60),
         use_cryptoki: false,
@@ -232,7 +233,7 @@ fn test_azure_bridge_config_with_custom_prefix() -> anyhow::Result<()> {
         bridge_attempt_unsubscribe: false,
         bridge_location: BridgeLocation::Mosquitto,
         connection_check_attempts: 1,
-        auth_method: None,
+        auth_type: AuthType::Certificate,
         mosquitto_version: None,
         keepalive_interval: Duration::from_secs(60),
         use_cryptoki: false,

crates/core/tedge/src/bridge/c8y.rs

@@ -7,7 +7,7 @@ use std::time::Duration;
 use tedge_api::mqtt_topics::Channel;
 use tedge_api::mqtt_topics::EntityTopicId;
 use tedge_api::mqtt_topics::MqttSchema;
-use tedge_config::models::auth_method::AuthMethod;
+use tedge_config::models::auth_method::AuthType;
 use tedge_config::models::AutoFlag;
 use tedge_config::models::HostPort;
 use tedge_config::models::TemplatesSet;
@@ -89,8 +89,13 @@ impl From<BridgeConfigC8yParams> for BridgeConfig {
             format!(r#"error in 1 {topic_prefix}/ """#),
         ];
 
-        let use_basic_auth = remote_username.is_some() && remote_password.is_some();
-        if !use_basic_auth {
+        let auth_type = if remote_username.is_some() {
+            AuthType::Basic
+        } else {
+            AuthType::Certificate
+        };
+
+        if auth_type == AuthType::Certificate {
             topics.extend(vec![
                 // c8y JWT token retrieval
                 format!(r#"s/uat out 0 {topic_prefix}/ """#),
@@ -148,12 +153,6 @@ impl From<BridgeConfigC8yParams> for BridgeConfig {
             AutoFlag::Auto => is_mosquitto_version_above_2(),
         };
 
-        let auth_method = if remote_username.is_some() {
-            AuthMethod::Basic
-        } else {
-            AuthMethod::Certificate
-        };
-
         let service_name = format!("mosquitto-{topic_prefix}-bridge");
         let health = mqtt_schema.topic_for(
             &EntityTopicId::default_main_service(&service_name).unwrap(),
@@ -193,7 +192,7 @@ impl From<BridgeConfigC8yParams> for BridgeConfig {
             topics,
             bridge_location,
             connection_check_attempts: 1,
-            auth_method: Some(auth_method),
+            auth_type,
             mosquitto_version,
             keepalive_interval,
             use_cryptoki,
@@ -326,7 +325,7 @@ mod tests {
             bridge_attempt_unsubscribe: false,
             bridge_location: BridgeLocation::Mosquitto,
             connection_check_attempts: 1,
-            auth_method: Some(AuthMethod::Certificate),
+            auth_type: AuthType::Certificate,
             mosquitto_version: None,
             keepalive_interval: Duration::from_secs(60),
             use_cryptoki: false,
@@ -432,7 +431,7 @@ mod tests {
             bridge_attempt_unsubscribe: false,
             bridge_location: BridgeLocation::Mosquitto,
             connection_check_attempts: 1,
-            auth_method: Some(AuthMethod::Basic),
+            auth_type: AuthType::Basic,
             mosquitto_version: None,
             keepalive_interval: Duration::from_secs(60),
             use_cryptoki: false,

crates/core/tedge/src/bridge/config.rs

@@ -2,7 +2,7 @@ use camino::Utf8PathBuf;
 use core::fmt;
 use std::borrow::Cow;
 use std::time::Duration;
-use tedge_config::models::auth_method::AuthMethod;
+use tedge_config::models::auth_method::AuthType;
 use tedge_config::models::HostPort;
 use tedge_config::models::MQTT_TLS_PORT;
 use tedge_config::TEdgeConfigLocation;
@@ -39,7 +39,7 @@ pub struct BridgeConfig {
     pub bridge_attempt_unsubscribe: bool,
     pub topics: Vec<String>,
     pub connection_check_attempts: i32,
-    pub auth_method: Option<AuthMethod>,
+    pub auth_type: AuthType,
     pub mosquitto_version: Option<String>,
     pub keepalive_interval: Duration,
     pub use_cryptoki: bool,
@@ -84,8 +84,8 @@ impl BridgeConfig {
         if let Some(name) = &self.remote_username {
             writeln_async!(writer, "remote_username {}", name)?;
         }
-        let use_basic_auth = self.remote_username.is_some() && self.remote_password.is_some();
-        if use_basic_auth {
+
+        if self.auth_type == AuthType::Basic {
             if let Some(password) = &self.remote_password {
                 writeln_async!(writer, "remote_password {}", password)?;
             }
@@ -190,7 +190,7 @@ mod test {
             bridge_attempt_unsubscribe: false,
             bridge_location: BridgeLocation::Mosquitto,
             connection_check_attempts: 1,
-            auth_method: None,
+            auth_type: AuthType::Certificate,
             mosquitto_version: None,
             keepalive_interval: Duration::from_secs(60),
             use_cryptoki: false,
@@ -263,7 +263,7 @@ keepalive_interval 60
             bridge_attempt_unsubscribe: false,
             bridge_location: BridgeLocation::Mosquitto,
             connection_check_attempts: 1,
-            auth_method: None,
+            auth_type: AuthType::Certificate,
             mosquitto_version: None,
             keepalive_interval: Duration::from_secs(60),
             use_cryptoki: false,
@@ -338,7 +338,7 @@ keepalive_interval 60
             bridge_attempt_unsubscribe: false,
             bridge_location: BridgeLocation::Mosquitto,
             connection_check_attempts: 1,
-            auth_method: None,
+            auth_type: AuthType::Certificate,
             mosquitto_version: None,
             keepalive_interval: Duration::from_secs(60),
             use_cryptoki: false,
@@ -413,7 +413,7 @@ keepalive_interval 60
             bridge_attempt_unsubscribe: false,
             bridge_location: BridgeLocation::Mosquitto,
             connection_check_attempts: 1,
-            auth_method: None,
+            auth_type: AuthType::Basic,
             mosquitto_version: None,
             keepalive_interval: Duration::from_secs(60),
             use_cryptoki: false,

crates/core/tedge/src/cli/connect/command.rs

@@ -1022,6 +1022,11 @@ async fn new_bridge(
 }
 
 pub async fn chown_certificate_and_key(bridge_config: &BridgeConfig) {
+    // Skip chown when using Basic Auth
+    if bridge_config.auth_type == AuthType::Basic {
+        return;
+    }
+
     let (user, group) = match bridge_config.bridge_location {
         BridgeLocation::BuiltIn => ("tedge", "tedge"),
         BridgeLocation::Mosquitto => (crate::BROKER_USER, crate::BROKER_GROUP),

crates/core/tedge/src/cli/log.rs

@@ -9,7 +9,6 @@ use std::time::Instant;
 use crate::system_services::SystemServiceError;
 use crate::system_services::SystemServiceManager;
 use camino::Utf8Path;
-use tedge_config::models::auth_method::AuthMethod;
 use tedge_config::models::auth_method::AuthType;
 use tedge_config::tedge_toml::MultiError;
 use yansi::Paint as _;
@@ -251,7 +250,7 @@ pub struct ConfigLogger<'a> {
     cloud_host: String,
     cert_path: &'a Utf8Path,
     bridge_location: BridgeLocation,
-    auth_method: Option<AuthMethod>,
+    auth_type: AuthType,
     service_manager: &'a dyn SystemServiceManager,
     mosquitto_version: Option<&'a str>,
     cloud: &'a MaybeBorrowedCloud<'a>,
@@ -275,7 +274,7 @@ impl<'a> ConfigLogger<'a> {
                 cloud_host: config.address.to_string(),
                 cert_path: &config.bridge_certfile,
                 bridge_location: config.bridge_location,
-                auth_method: config.auth_method,
+                auth_type: config.auth_type,
                 credentials_path,
                 service_manager,
                 mosquitto_version: config.mosquitto_version.as_deref(),
@@ -309,18 +308,11 @@ impl fmt::Display for ConfigLogger<'_> {
             self.log_single_entry(f, "cloud profile", &"<none>")?;
         }
         self.log_single_entry(f, "cloud host", &self.cloud_host)?;
-        let mut auth_type = AuthType::Certificate;
-        if let Some(auth_method) = self.auth_method {
-            self.log_single_entry(f, "auth method", &auth_method)?;
-            if let Some(path) = self.credentials_path {
-                auth_type = auth_method.to_type(path);
-                if AuthType::Basic == auth_type {
-                    self.log_single_entry(f, "credentials path", &path)?
-                }
-            }
-        }
-        if AuthType::Certificate == auth_type {
+        self.log_single_entry(f, "auth type", &self.auth_type)?;
+        if self.auth_type == AuthType::Certificate {
             self.log_single_entry(f, "certificate file", &self.cert_path)?;
+        } else if let Some(path) = self.credentials_path {
+            self.log_single_entry(f, "credentials path", &path)?
         }
         self.log_single_entry(f, "bridge", &self.bridge_location)?;
         self.log_single_entry(f, "service manager", &self.service_manager.name())?;