1054972315

Committed 30 Oct 2023 02:22PM UTC coverage: 80.208%. Remained the same

Build # 1054972315

Build Type

push

gitlab-ci

Committed by

lluiscampos

Commit Message

chore: Add info log line on successful authentication

On regular operation, `mender-auth` will log errors until accepted by
the server and then it will just keep silent. This log should not be
very noisy and will give the user a confirmation that the device is
has been accepted.

Signed-off-by: Lluis Campos <lluis.campos@northern.tech>

Run Details

1 of 1 new or added line in 1 file covered. (100.0%)

6873 of 8569 relevant lines covered (80.21%)

9387.87 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

73.18

/api/auth/auth.cpp

// Copyright 2023 Northern.tech AS
//
//    Licensed under the Apache License, Version 2.0 (the "License");
//    you may not use this file except in compliance with the License.
//    You may obtain a copy of the License at
//
//        http://www.apache.org/licenses/LICENSE-2.0
//
//    Unless required by applicable law or agreed to in writing, software
//    distributed under the License is distributed on an "AS IS" BASIS,
//    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//    See the License for the specific language governing permissions and
//    limitations under the License.

#include <api/auth.hpp>

#include <mutex>
#include <string>
#include <vector>

#include <common/common.hpp>
#include <common/crypto.hpp>
#include <common/json.hpp>
#include <common/error.hpp>
#include <common/log.hpp>
#include <common/path.hpp>
#include <common/expected.hpp>
#include <common/identity_parser.hpp>
#include <common/optional.hpp>

namespace mender {
namespace api {
namespace auth {


using namespace std;
namespace error = mender::common::error;
namespace common = mender::common;
namespace conf = mender::common::conf;


namespace identity_parser = mender::common::identity_parser;
namespace key_value_parser = mender::common::key_value_parser;
namespace path = mender::common::path;
namespace mlog = mender::common::log;
namespace expected = mender::common::expected;
namespace io = mender::common::io;
namespace json = mender::common::json;
namespace crypto = mender::common::crypto;


const string request_uri = "/api/devices/v1/authentication/auth_requests";

const AuthClientErrorCategoryClass AuthClientErrorCategory;

const char *AuthClientErrorCategoryClass::name() const noexcept {
        return "AuthClientErrorCategory";
}

string AuthClientErrorCategoryClass::message(int code) const {
        switch (code) {
        case NoError:
                return "Success";
        case SetupError:
                return "Error during setup";
        case RequestError:
                return "HTTP client request error";
        case ResponseError:
                return "HTTP client response error";
        case APIError:
                return "API error";
        case UnauthorizedError:
                return "Unauthorized error";
        case AuthenticationError:
                return "Authentication error";
        default:
                return "Unknown";
        }
}

error::Error MakeError(AuthClientErrorCode code, const string &msg) {
        return error::Error(error_condition(code, AuthClientErrorCategory), msg);
}

namespace http {

error::Error MakeHTTPResponseError(
        const AuthClientErrorCode code,
        const mender::http::ResponsePtr resp,
        const string &response_body,
        const string &msg) {
        return error::Error(
                error_condition(code, AuthClientErrorCategory),
                "Authentication error(" + resp->GetStatusMessage() + "): " + msg + "(" + response_body
                        + ")");
}

static void TryAuthenticate(
        vector<string>::const_iterator server_it,
        vector<string>::const_iterator end,
        mender::http::Client &client,
        const string request_body,
        const string signature,
        APIResponseHandler api_handler);

error::Error FetchJWTToken(
        mender::http::Client &client,
        const vector<string> &servers,
        const string &private_key_path,
        const string &device_identity_script_path,
        APIResponseHandler api_handler,
        const string &tenant_token) {
        key_value_parser::ExpectedKeyValuesMap expected_identity_data =
                identity_parser::GetIdentityData(device_identity_script_path);
        if (!expected_identity_data) {
                return expected_identity_data.error();
        }
        expected::ExpectedString expected_identity_data_json =
                json::Dump(expected_identity_data.value());
        if (!expected_identity_data_json) {
                mlog::Error("Failed to dump the identity data to JSON");
                return expected_identity_data_json.error();
        }
        auto identity_data_json = expected_identity_data_json.value();
        mlog::Debug("Got identity data: " + identity_data_json);

        // Create the request body
        unordered_map<string, string> request_body_map {
                {"id_data", identity_data_json},
        };

        if (tenant_token.size() > 0) {
                request_body_map.insert({"tenant_token", tenant_token});
        }

        auto expected_public_key = crypto::ExtractPublicKey(private_key_path);
        if (!expected_public_key) {
                return expected_public_key.error();
        }
        request_body_map.insert({"pubkey", expected_public_key.value()});

        auto expected_request_body = json::Dump(request_body_map);
        if (!expected_request_body) {
                return expected_request_body.error();
        }
        auto request_body = expected_request_body.value();

        // Sign the body
        auto expected_signature =
                crypto::SignRawData(private_key_path, common::ByteVectorFromString(request_body));
        if (!expected_signature) {
                return expected_signature.error();
        }
        auto signature = expected_signature.value();

        // TryAuthenticate() calls the handler on any potential further errors, we
        // are done here with no errors.
        TryAuthenticate(servers.cbegin(), servers.cend(), client, request_body, signature, api_handler);
        return error::NoError;
}

static void TryAuthenticate(
        vector<string>::const_iterator server_it,
        vector<string>::const_iterator end,
        mender::http::Client &client,
        const string request_body,
        const string signature,
        APIResponseHandler api_handler) {
        if (server_it == end) {
                auto err = MakeError(AuthenticationError, "No more servers to try for authentication");
                api_handler(expected::unexpected(err));
                return;
        }

        auto whole_url = mender::http::JoinUrl(*server_it, request_uri);
        auto req = make_shared<mender::http::OutgoingRequest>();
        req->SetMethod(mender::http::Method::POST);
        req->SetAddress(whole_url);
        req->SetHeader("Content-Type", "application/json");
        req->SetHeader("Content-Length", to_string(request_body.size()));
        req->SetHeader("Accept", "application/json");
        req->SetHeader("X-MEN-Signature", signature);
        req->SetHeader("Authorization", "API_KEY");

        req->SetBodyGenerator([request_body]() -> io::ExpectedReaderPtr {
                return make_shared<io::StringReader>(request_body);
        });

        auto received_body = make_shared<vector<uint8_t>>();

        auto err = client.AsyncCall(
                req,
                [received_body, server_it, end, &client, request_body, signature, api_handler](
                        mender::http::ExpectedIncomingResponsePtr exp_resp) {
                        if (!exp_resp) {
                                mlog::Info(
                                        "Authentication error trying server '" + *server_it
                                        + "': " + exp_resp.error().String());
                                TryAuthenticate(
                                        std::next(server_it), end, client, request_body, signature, api_handler);
                                return;
                        }
                        auto resp = exp_resp.value();

                        auto body_writer = make_shared<io::ByteWriter>(received_body);
                        body_writer->SetUnlimited(true);
                        resp->SetBodyWriter(body_writer);

                        mlog::Debug("Received response header value:");
                        mlog::Debug("Status code:" + to_string(resp->GetStatusCode()));
                        mlog::Debug("Status message: " + resp->GetStatusMessage());
                },
                [received_body, server_it, end, &client, request_body, signature, api_handler](
                        mender::http::ExpectedIncomingResponsePtr exp_resp) {
                        if (!exp_resp) {
                                mlog::Info(
                                        "Authentication error trying server '" + *server_it
                                        + "': " + exp_resp.error().String());
                                TryAuthenticate(
                                        std::next(server_it), end, client, request_body, signature, api_handler);
                                return;
                        }
                        auto resp = exp_resp.value();

                        string response_body = common::StringFromByteVector(*received_body);

                        error::Error err;
                        switch (resp->GetStatusCode()) {
                        case mender::http::StatusOK:
                                api_handler(AuthData {*server_it, response_body});
                                return;
                        case mender::http::StatusUnauthorized:
                                err = MakeHTTPResponseError(
                                        UnauthorizedError, resp, response_body, "Failed to authorize with the server.");
                                mlog::Info(
                                        "Authentication error trying server '" + *server_it + "': " + err.String());
                                TryAuthenticate(
                                        std::next(server_it), end, client, request_body, signature, api_handler);
                                return;
                        case mender::http::StatusBadRequest:
                        case mender::http::StatusInternalServerError:
                                err = MakeHTTPResponseError(
                                        APIError, resp, response_body, "Failed to authorize with the server.");
                                mlog::Info(
                                        "Authentication error trying server '" + *server_it + "': " + err.String());
                                TryAuthenticate(
                                        std::next(server_it), end, client, request_body, signature, api_handler);
                                return;
                        default:
                                err =
                                        MakeError(ResponseError, "Unexpected error code: " + resp->GetStatusMessage());
                                mlog::Info(
                                        "Authentication error trying server '" + *server_it + "': " + err.String());
                                TryAuthenticate(
                                        std::next(server_it), end, client, request_body, signature, api_handler);
                                return;
                        }
                });
        if (err != error::NoError) {
                api_handler(expected::unexpected(err));
        }
}
} // namespace http

error::Error FetchJWTToken(
        mender::http::Client &client,
        const vector<string> &servers,
        const string &private_key_path,
        const string &device_identity_script_path,
        APIResponseHandler api_handler,
        const string &tenant_token) {
        return http::FetchJWTToken(
                client, servers, private_key_path, device_identity_script_path, api_handler, tenant_token);
}

void Authenticator::ExpireToken() {
        token_ = nullopt;
        server_url_ = nullopt;

        if (!token_fetch_in_progress_) {
                RequestNewToken(nullopt);
        }
}

error::Error Authenticator::StartWatchingTokenSignal() {
        auto err = dbus_client_.RegisterSignalHandler<dbus::ExpectedStringPair>(
                "io.mender.Authentication1",
                "JwtTokenStateChange",
                [this](dbus::ExpectedStringPair ex_auth_dbus_data) {
                        auth_timeout_timer_.Cancel();
                        token_fetch_in_progress_ = false;
                        ExpectedAuthData ex_auth_data;
                        if (!ex_auth_dbus_data) {
                                mlog::Error(
                                        "Error from the JwtTokenStateChange DBus signal: "
                                        + ex_auth_dbus_data.error().String());
                                ex_auth_data = ExpectedAuthData(expected::unexpected(ex_auth_dbus_data.error()));
                        } else {
                                token_ = ex_auth_dbus_data.value().first;
                                server_url_ = ex_auth_dbus_data.value().second;
                                AuthData auth_data {*server_url_, *token_};
                                ex_auth_data = ExpectedAuthData(std::move(auth_data));
                        }
                        PostPendingActions(ex_auth_data);
                });

        watching_token_signal_ = (err == error::NoError);
        return err;
}

void Authenticator::PostPendingActions(ExpectedAuthData &ex_auth_data) {
        for (auto action : pending_actions_) {
                loop_.Post([action, ex_auth_data]() { action(ex_auth_data); });
        }
        pending_actions_.clear();
}

error::Error Authenticator::RequestNewToken(optional<AuthenticatedAction> opt_action) {
        if (token_fetch_in_progress_) {
                // Just make sure the action (if any) is called once the token is
                // obtained.
                if (opt_action) {
                        pending_actions_.push_back(*opt_action);
                }
                return error::NoError;
        }

        auto err = dbus_client_.CallMethod<expected::ExpectedBool>(
                "io.mender.AuthenticationManager",
                "/io/mender/AuthenticationManager",
                "io.mender.Authentication1",
                "FetchJwtToken",
                [this](expected::ExpectedBool ex_value) {
                        if (!ex_value) {
                                token_fetch_in_progress_ = false;
                                mlog::Error("Failed to request new token fetching: " + ex_value.error().String());
                                ExpectedAuthData ex_auth_data = expected::unexpected(ex_value.error());
                                PostPendingActions(ex_auth_data);
                        } else if (!ex_value.value()) {
                                // mender-auth encountered an error not sent over DBus (should never happen)
                                token_fetch_in_progress_ = false;
                                mlog::Error(
                                        "Failed to request new token fetching (see mender-auth logs for details)");
                                ExpectedAuthData ex_auth_data = expected::unexpected(MakeError(
                                        AuthenticationError, "Failed to request new token fetching from mender-auth"));
                                PostPendingActions(ex_auth_data);
                        }
                });
        if (err != error::NoError) {
                // A sync DBus error.
                mlog::Error("Failed to request new token fetching: " + err.String());
                token_fetch_in_progress_ = false;
                ExpectedAuthData ex_auth_data = expected::unexpected(err);
                PostPendingActions(ex_auth_data);
                if (opt_action) {
                        (*opt_action)(ex_auth_data);
                }
                return err;
        }
        // else everything went OK

        token_fetch_in_progress_ = true;

        // Make sure the action (if any) is called once the token is
        // obtained.
        if (opt_action) {
                pending_actions_.push_back(*opt_action);
        }

        // Make sure we don't wait for the token forever.
        auth_timeout_timer_.AsyncWait(auth_timeout_, [this](error::Error err) {
                if (err.code == make_error_condition(errc::operation_canceled)) {
                        return;
                } else if (err == error::NoError) {
                        mlog::Warning("Timed-out waiting for a new token");
                        token_fetch_in_progress_ = false;
                        ExpectedAuthData ex_auth_data = expected::unexpected(
                                MakeError(AuthenticationError, "Timed-out waiting for a new token"));
                        PostPendingActions(ex_auth_data);
                } else {
                        // should never happen
                        assert(false);
                        mlog::Error("Authentication timer error: " + err.String());

                        // In case it did happen, run the stacked up actions and unset the
                        // in_progress_ flag or things may got stuck.
                        token_fetch_in_progress_ = false;
                        ExpectedAuthData ex_auth_data = expected::unexpected(err);
                        PostPendingActions(ex_auth_data);
                }
        });
        return error::NoError;
}

error::Error Authenticator::WithToken(AuthenticatedAction action) {
        if (!watching_token_signal_) {
                auto err = StartWatchingTokenSignal();
                if (err != error::NoError) {
                        // Should never fail. We rely on the signal heavily so let's fail
                        // hard if it does.
                        action(expected::unexpected(err));
                        return err;
                }
        }

        if (token_ && server_url_) {
                AuthData auth_data {*server_url_, *token_};
                action(ExpectedAuthData(std::move(auth_data)));
                return error::NoError;
        }
        // else => no token

        if (token_fetch_in_progress_) {
                // Already waiting for a new token, just make sure the action is called
                // once it arrives (or once the wait times out).
                pending_actions_.push_back(action);
                return error::NoError;
        }
        // else => should fetch the token, cache it and call all pending actions
        // Try to get token from mender-auth
        auto err = dbus_client_.CallMethod<dbus::ExpectedStringPair>(
                "io.mender.AuthenticationManager",
                "/io/mender/AuthenticationManager",
                "io.mender.Authentication1",
                "GetJwtToken",
                [this, action](dbus::ExpectedStringPair ex_auth_dbus_data) {
                        token_fetch_in_progress_ = false;
                        auth_timeout_timer_.Cancel();
                        if (ex_auth_dbus_data && (ex_auth_dbus_data.value().first != "")
                                && (ex_auth_dbus_data.value().second != "")) {
                                // Got a valid token, let's save it and then call action and any
                                // previously-pending actions (if any) with it.
                                token_ = ex_auth_dbus_data.value().first;
                                server_url_ = ex_auth_dbus_data.value().second;
                                AuthData auth_data {*server_url_, *token_};

                                // Post/schedule pending actions before running the given action
                                // because the action can actually add more actions or even
                                // expire the token, etc. So post actions stacked up before we
                                // got here with the current token and only then give action a
                                // chance to mess with things.
                                ExpectedAuthData ex_auth_data {std::move(auth_data)};
                                PostPendingActions(ex_auth_data);
                                action(ex_auth_data);
                        } else {
                                // No valid token, let's request fetching of a new one
                                RequestNewToken(action);
                        }
                });
        if (err != error::NoError) {
                // No token and failed to try to get one (should never happen).
                ExpectedAuthData ex_auth_data = expected::unexpected(err);
                PostPendingActions(ex_auth_data);
                action(ex_auth_data);
                return err;
        }
        // else record that token is already being fetched (by GetJwtToken()).
        token_fetch_in_progress_ = true;

        return error::NoError;
}

} // namespace auth
} // namespace api
} // namespace mender

1	// Copyright 2023 Northern.tech AS
2	//
3	// Licensed under the Apache License, Version 2.0 (the "License");
4	// you may not use this file except in compliance with the License.
5	// You may obtain a copy of the License at
6	//
7	// http://www.apache.org/licenses/LICENSE-2.0
8	//
9	// Unless required by applicable law or agreed to in writing, software
10	// distributed under the License is distributed on an "AS IS" BASIS,
11	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12	// See the License for the specific language governing permissions and
13	// limitations under the License.
14
15	#include <api/auth.hpp>
16
17	#include <mutex>
18	#include <string>
19	#include <vector>
20
21	#include <common/common.hpp>
22	#include <common/crypto.hpp>
23	#include <common/json.hpp>
24	#include <common/error.hpp>
25	#include <common/log.hpp>
26	#include <common/path.hpp>
27	#include <common/expected.hpp>
28	#include <common/identity_parser.hpp>
29	#include <common/optional.hpp>
30
31	namespace mender {
32	namespace api {
33	namespace auth {
34
35
36	using namespace std;
37	namespace error = mender::common::error;
38	namespace common = mender::common;
39	namespace conf = mender::common::conf;
40
41
42	namespace identity_parser = mender::common::identity_parser;
43	namespace key_value_parser = mender::common::key_value_parser;
44	namespace path = mender::common::path;
45	namespace mlog = mender::common::log;
46	namespace expected = mender::common::expected;
47	namespace io = mender::common::io;
48	namespace json = mender::common::json;
49	namespace crypto = mender::common::crypto;
50
51
52	const string request_uri = "/api/devices/v1/authentication/auth_requests";
53
54	const AuthClientErrorCategoryClass AuthClientErrorCategory;
55
56	const char *AuthClientErrorCategoryClass::name() const noexcept {	×
57	return "AuthClientErrorCategory";	×
58	}
59
60	string AuthClientErrorCategoryClass::message(int code) const {	4✔
61	switch (code) {	4✔
62	case NoError:
63	return "Success";	×
64	case SetupError:
65	return "Error during setup";	×
66	case RequestError:
67	return "HTTP client request error";	×
68	case ResponseError:
69	return "HTTP client response error";	×
70	case APIError:
71	return "API error";	2✔
72	case UnauthorizedError:
73	return "Unauthorized error";	×
74	case AuthenticationError:
75	return "Authentication error";	2✔
76	default:
77	return "Unknown";	×
78	}
79	}
80
81	error::Error MakeError(AuthClientErrorCode code, const string &msg) {	×
82	return error::Error(error_condition(code, AuthClientErrorCategory), msg);	3✔
83	}
84
85	namespace http {
86
87	error::Error MakeHTTPResponseError(	2✔
88	const AuthClientErrorCode code,
89	const mender::http::ResponsePtr resp,
90	const string &response_body,
91	const string &msg) {
92	return error::Error(
93	error_condition(code, AuthClientErrorCategory),	2✔
94	"Authentication error(" + resp->GetStatusMessage() + "): " + msg + "(" + response_body	4✔
95	+ ")");	6✔
96	}
97
98	static void TryAuthenticate(
99	vector<string>::const_iterator server_it,
100	vector<string>::const_iterator end,
101	mender::http::Client &client,
102	const string request_body,
103	const string signature,
104	APIResponseHandler api_handler);
105
106	error::Error FetchJWTToken(	6✔
107	mender::http::Client &client,
108	const vector<string> &servers,
109	const string &private_key_path,
110	const string &device_identity_script_path,
111	APIResponseHandler api_handler,
112	const string &tenant_token) {
113	key_value_parser::ExpectedKeyValuesMap expected_identity_data =
114	identity_parser::GetIdentityData(device_identity_script_path);	6✔
115	if (!expected_identity_data) {	6✔
116	return expected_identity_data.error();	×
117	}
118	expected::ExpectedString expected_identity_data_json =
119	json::Dump(expected_identity_data.value());	18✔
120	if (!expected_identity_data_json) {	6✔
121	mlog::Error("Failed to dump the identity data to JSON");	×
122	return expected_identity_data_json.error();	×
123	}
124	auto identity_data_json = expected_identity_data_json.value();	6✔
125	mlog::Debug("Got identity data: " + identity_data_json);	12✔
126
127	// Create the request body
128	unordered_map<string, string> request_body_map {
129	{"id_data", identity_data_json},
130	};	18✔
131
132	if (tenant_token.size() > 0) {	6✔
133	request_body_map.insert({"tenant_token", tenant_token});	4✔
134	}
135
136	auto expected_public_key = crypto::ExtractPublicKey(private_key_path);	6✔
137	if (!expected_public_key) {	6✔
138	return expected_public_key.error();	×
139	}
140	request_body_map.insert({"pubkey", expected_public_key.value()});	12✔
141
142	auto expected_request_body = json::Dump(request_body_map);	12✔
143	if (!expected_request_body) {	6✔
144	return expected_request_body.error();	×
145	}
146	auto request_body = expected_request_body.value();	6✔
147
148	// Sign the body
149	auto expected_signature =
150	crypto::SignRawData(private_key_path, common::ByteVectorFromString(request_body));	12✔
151	if (!expected_signature) {	6✔
152	return expected_signature.error();	×
153	}
154	auto signature = expected_signature.value();	6✔
155
156	// TryAuthenticate() calls the handler on any potential further errors, we
157	// are done here with no errors.
158	TryAuthenticate(servers.cbegin(), servers.cend(), client, request_body, signature, api_handler);	12✔
159	return error::NoError;	6✔
160	}
161
162	static void TryAuthenticate(	10✔
163	vector<string>::const_iterator server_it,
164	vector<string>::const_iterator end,
165	mender::http::Client &client,
166	const string request_body,
167	const string signature,
168	APIResponseHandler api_handler) {
169	if (server_it == end) {	10✔
170	auto err = MakeError(AuthenticationError, "No more servers to try for authentication");	2✔
171	api_handler(expected::unexpected(err));	2✔
172	return;
173	}
174
175	auto whole_url = mender::http::JoinUrl(*server_it, request_uri);	9✔
176	auto req = make_shared<mender::http::OutgoingRequest>();	9✔
177	req->SetMethod(mender::http::Method::POST);	9✔
178	req->SetAddress(whole_url);	18✔
179	req->SetHeader("Content-Type", "application/json");	18✔
180	req->SetHeader("Content-Length", to_string(request_body.size()));	18✔
181	req->SetHeader("Accept", "application/json");	18✔
182	req->SetHeader("X-MEN-Signature", signature);	18✔
183	req->SetHeader("Authorization", "API_KEY");	18✔
184
185	req->SetBodyGenerator([request_body]() -> io::ExpectedReaderPtr {	45✔
186	return make_shared<io::StringReader>(request_body);	7✔
187	});	18✔
188
189	auto received_body = make_shared<vector<uint8_t>>();	9✔
190
191	auto err = client.AsyncCall(
192	req,
193	[received_body, server_it, end, &client, request_body, signature, api_handler](	9✔
194	mender::http::ExpectedIncomingResponsePtr exp_resp) {	2✔
195	if (!exp_resp) {	9✔
196	mlog::Info(	2✔
197	"Authentication error trying server '" + *server_it	4✔
198	+ "': " + exp_resp.error().String());	6✔
199	TryAuthenticate(	2✔
200	std::next(server_it), end, client, request_body, signature, api_handler);	4✔
201	return;	2✔
202	}
203	auto resp = exp_resp.value();	7✔
204
205	auto body_writer = make_shared<io::ByteWriter>(received_body);	7✔
206	body_writer->SetUnlimited(true);	7✔
207	resp->SetBodyWriter(body_writer);	7✔
208
209	mlog::Debug("Received response header value:");	14✔
210	mlog::Debug("Status code:" + to_string(resp->GetStatusCode()));	14✔
211	mlog::Debug("Status message: " + resp->GetStatusMessage());	14✔
212	},
213	[received_body, server_it, end, &client, request_body, signature, api_handler](	7✔
214	mender::http::ExpectedIncomingResponsePtr exp_resp) {	2✔
215	if (!exp_resp) {	7✔
216	mlog::Info(	×
217	"Authentication error trying server '" + *server_it	×
218	+ "': " + exp_resp.error().String());	×
219	TryAuthenticate(	×
220	std::next(server_it), end, client, request_body, signature, api_handler);	×
221	return;	×
222	}
223	auto resp = exp_resp.value();	7✔
224
225	string response_body = common::StringFromByteVector(*received_body);	7✔
226
227	error::Error err;	7✔
228	switch (resp->GetStatusCode()) {	7✔
229	case mender::http::StatusOK:	5✔
230	api_handler(AuthData {*server_it, response_body});	15✔
231	return;	5✔
232	case mender::http::StatusUnauthorized:
233	err = MakeHTTPResponseError(	×
234	UnauthorizedError, resp, response_body, "Failed to authorize with the server.");	×
235	mlog::Info(	×
236	"Authentication error trying server '" + *server_it + "': " + err.String());	×
237	TryAuthenticate(	×
238	std::next(server_it), end, client, request_body, signature, api_handler);	×
239	return;	×
240	case mender::http::StatusBadRequest:
241	case mender::http::StatusInternalServerError:
242	err = MakeHTTPResponseError(	2✔
243	APIError, resp, response_body, "Failed to authorize with the server.");	6✔
244	mlog::Info(	2✔
245	"Authentication error trying server '" + *server_it + "': " + err.String());	4✔
246	TryAuthenticate(	2✔
247	std::next(server_it), end, client, request_body, signature, api_handler);	4✔
248	return;	2✔
249	default:
250	err =
251	MakeError(ResponseError, "Unexpected error code: " + resp->GetStatusMessage());	×
252	mlog::Info(	×
253	"Authentication error trying server '" + *server_it + "': " + err.String());	×
254	TryAuthenticate(	×
255	std::next(server_it), end, client, request_body, signature, api_handler);	×
256	return;	×
257	}
258	});	36✔
259	if (err != error::NoError) {	9✔
260	api_handler(expected::unexpected(err));	×
261	}
262	}
263	} // namespace http
264
265	error::Error FetchJWTToken(	6✔
266	mender::http::Client &client,
267	const vector<string> &servers,
268	const string &private_key_path,
269	const string &device_identity_script_path,
270	APIResponseHandler api_handler,
271	const string &tenant_token) {
272	return http::FetchJWTToken(
273	client, servers, private_key_path, device_identity_script_path, api_handler, tenant_token);	12✔
274	}
275
276	void Authenticator::ExpireToken() {	27✔
277	token_ = nullopt;
278	server_url_ = nullopt;
279
280	if (!token_fetch_in_progress_) {	27✔
281	RequestNewToken(nullopt);	54✔
282	}
283	}	27✔
284
285	error::Error Authenticator::StartWatchingTokenSignal() {	11✔
286	auto err = dbus_client_.RegisterSignalHandler<dbus::ExpectedStringPair>(
287	"io.mender.Authentication1",
288	"JwtTokenStateChange",
289	[this](dbus::ExpectedStringPair ex_auth_dbus_data) {	4✔
290	auth_timeout_timer_.Cancel();	4✔
291	token_fetch_in_progress_ = false;	4✔
292	ExpectedAuthData ex_auth_data;
293	if (!ex_auth_dbus_data) {	4✔
294	mlog::Error(	×
295	"Error from the JwtTokenStateChange DBus signal: "
296	+ ex_auth_dbus_data.error().String());	×
297	ex_auth_data = ExpectedAuthData(expected::unexpected(ex_auth_dbus_data.error()));	×
298	} else {
299	token_ = ex_auth_dbus_data.value().first;	4✔
300	server_url_ = ex_auth_dbus_data.value().second;	4✔
301	AuthData auth_data {server_url_, token_};	4✔
302	ex_auth_data = ExpectedAuthData(std::move(auth_data));	4✔
303	}
304	PostPendingActions(ex_auth_data);	4✔
305	});	26✔
306
307	watching_token_signal_ = (err == error::NoError);	11✔
308	return err;	11✔
309	}
310
311	void Authenticator::PostPendingActions(ExpectedAuthData &ex_auth_data) {	39✔
312	for (auto action : pending_actions_) {	47✔
313	loop_.Post([action, ex_auth_data]() { action(ex_auth_data); });	40✔
314	}
315	pending_actions_.clear();	39✔
316	}	39✔
317
318	error::Error Authenticator::RequestNewToken(optional<AuthenticatedAction> opt_action) {	29✔
319	if (token_fetch_in_progress_) {	29✔
320	// Just make sure the action (if any) is called once the token is
321	// obtained.
322	if (opt_action) {	×
323	pending_actions_.push_back(*opt_action);	×
324	}
325	return error::NoError;	×
326	}
327
328	auto err = dbus_client_.CallMethod<expected::ExpectedBool>(
329	"io.mender.AuthenticationManager",
330	"/io/mender/AuthenticationManager",
331	"io.mender.Authentication1",
332	"FetchJwtToken",
333	[this](expected::ExpectedBool ex_value) {	6✔
334	if (!ex_value) {	6✔
335	token_fetch_in_progress_ = false;	1✔
336	mlog::Error("Failed to request new token fetching: " + ex_value.error().String());	2✔
337	ExpectedAuthData ex_auth_data = expected::unexpected(ex_value.error());	1✔
338	PostPendingActions(ex_auth_data);	1✔
339	} else if (!ex_value.value()) {	5✔
340	// mender-auth encountered an error not sent over DBus (should never happen)
341	token_fetch_in_progress_ = false;	×
342	mlog::Error(	×
343	"Failed to request new token fetching (see mender-auth logs for details)");	×
344	ExpectedAuthData ex_auth_data = expected::unexpected(MakeError(	×
345	AuthenticationError, "Failed to request new token fetching from mender-auth"));	×
346	PostPendingActions(ex_auth_data);	×
347	}
348	});	64✔
349	if (err != error::NoError) {	29✔
350	// A sync DBus error.
351	mlog::Error("Failed to request new token fetching: " + err.String());	46✔
352	token_fetch_in_progress_ = false;	23✔
353	ExpectedAuthData ex_auth_data = expected::unexpected(err);	23✔
354	PostPendingActions(ex_auth_data);	23✔
355	if (opt_action) {	23✔
356	(*opt_action)(ex_auth_data);	×
357	}
358	return err;	23✔
359	}
360	// else everything went OK
361
362	token_fetch_in_progress_ = true;	6✔
363
364	// Make sure the action (if any) is called once the token is
365	// obtained.
366	if (opt_action) {	6✔
367	pending_actions_.push_back(*opt_action);	2✔
368	}
369
370	// Make sure we don't wait for the token forever.
371	auth_timeout_timer_.AsyncWait(auth_timeout_, [this](error::Error err) {	6✔
372	if (err.code == make_error_condition(errc::operation_canceled)) {	5✔
373	return;
374	} else if (err == error::NoError) {	2✔
375	mlog::Warning("Timed-out waiting for a new token");	4✔
376	token_fetch_in_progress_ = false;	2✔
377	ExpectedAuthData ex_auth_data = expected::unexpected(	2✔
378	MakeError(AuthenticationError, "Timed-out waiting for a new token"));	6✔
379	PostPendingActions(ex_auth_data);	2✔
380	} else {
381	// should never happen
382	assert(false);
383	mlog::Error("Authentication timer error: " + err.String());	×
384
385	// In case it did happen, run the stacked up actions and unset the
386	// in_progress_ flag or things may got stuck.
387	token_fetch_in_progress_ = false;	×
388	ExpectedAuthData ex_auth_data = expected::unexpected(err);	×
389	PostPendingActions(ex_auth_data);	×
390	}
391	});	×
392	return error::NoError;	6✔
393	}
394
395	error::Error Authenticator::WithToken(AuthenticatedAction action) {	20✔
396	if (!watching_token_signal_) {	20✔
397	auto err = StartWatchingTokenSignal();	11✔
398	if (err != error::NoError) {	11✔
399	// Should never fail. We rely on the signal heavily so let's fail
400	// hard if it does.
401	action(expected::unexpected(err));	×
402	return err;	×
403	}
404	}
405
406	if (token_ && server_url_) {	20✔
407	AuthData auth_data {server_url_, token_};	6✔
408	action(ExpectedAuthData(std::move(auth_data)));	3✔
409	return error::NoError;	3✔
410	}
411	// else => no token
412
413	if (token_fetch_in_progress_) {	17✔
414	// Already waiting for a new token, just make sure the action is called
415	// once it arrives (or once the wait times out).
416	pending_actions_.push_back(action);	6✔
417	return error::NoError;	6✔
418	}
419	// else => should fetch the token, cache it and call all pending actions
420	// Try to get token from mender-auth
421	auto err = dbus_client_.CallMethod<dbus::ExpectedStringPair>(
422	"io.mender.AuthenticationManager",
423	"/io/mender/AuthenticationManager",
424	"io.mender.Authentication1",
425	"GetJwtToken",
426	[this, action](dbus::ExpectedStringPair ex_auth_dbus_data) {	31✔
427	token_fetch_in_progress_ = false;	11✔
428	auth_timeout_timer_.Cancel();	11✔
429	if (ex_auth_dbus_data && (ex_auth_dbus_data.value().first != "")	10✔
430	&& (ex_auth_dbus_data.value().second != "")) {	20✔
431	// Got a valid token, let's save it and then call action and any
432	// previously-pending actions (if any) with it.
433	token_ = ex_auth_dbus_data.value().first;	9✔
434	server_url_ = ex_auth_dbus_data.value().second;	9✔
435	AuthData auth_data {server_url_, token_};	18✔
436
437	// Post/schedule pending actions before running the given action
438	// because the action can actually add more actions or even
439	// expire the token, etc. So post actions stacked up before we
440	// got here with the current token and only then give action a
441	// chance to mess with things.
442	ExpectedAuthData ex_auth_data {std::move(auth_data)};
443	PostPendingActions(ex_auth_data);	9✔
444	action(ex_auth_data);	18✔
445	} else {
446	// No valid token, let's request fetching of a new one
447	RequestNewToken(action);	4✔
448	}
449	});	33✔
450	if (err != error::NoError) {	11✔
451	// No token and failed to try to get one (should never happen).
452	ExpectedAuthData ex_auth_data = expected::unexpected(err);	×
453	PostPendingActions(ex_auth_data);	×
454	action(ex_auth_data);	×
455	return err;	×
456	}
457	// else record that token is already being fetched (by GetJwtToken()).
458	token_fetch_in_progress_ = true;	11✔
459
460	return error::NoError;	11✔
461	}
462
463	} // namespace auth
464	} // namespace api
465	} // namespace mender

mendersoftware / mender / 1054972315

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous