From ac8bd295cfb85aa3839b7504c6bf5ff8ace965bf Mon Sep 17 00:00:00 2001 From: lahirumenik <115687865+lahirumenik@users.noreply.github.com> Date: Sat, 13 Jan 2024 15:45:24 +0530 Subject: [PATCH 1/4] thing reg functiom for generated CA --- backend/serverless/Lambda/thingreg.js | 97 +++++++++++++++++++++++++++ backend/serverless/testing/img.py | 0 2 files changed, 97 insertions(+) create mode 100644 backend/serverless/Lambda/thingreg.js create mode 100644 backend/serverless/testing/img.py diff --git a/backend/serverless/Lambda/thingreg.js b/backend/serverless/Lambda/thingreg.js new file mode 100644 index 00000000..ace113db --- /dev/null +++ b/backend/serverless/Lambda/thingreg.js 
@@ -0,0 +1,97 @@ +var AWS = require('aws-sdk'); + +exports.handler = function(event, context, callback) { + + //Replace it with the AWS region the lambda will be running in + var region = "us-east-1"; + + var accountId = event.awsAccountId.toString().trim(); + + var iot = new AWS.Iot({'region': region, apiVersion: '2015-05-28'}); + var certificateId = event.certificateId.toString().trim(); + + //Replace it with your desired topic prefix + var topicName = `foo/bar/${certificateId}`; + + var certificateARN = `arn:aws:iot:${region}:${accountId}:cert/${certificateId}`; + var policyName = `Policy_${certificateId}`; + + //Policy that allows connect, publish, subscribe and receive + var policy = { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "iot:Connect" + ], + "Resource": `arn:aws:iot:${region}:${accountId}:client/${certificateId}` + }, + { + "Effect": "Allow", + "Action": [ + "iot:Publish", + "iot:Receive" + ], + "Resource": `arn:aws:iot:${region}:${accountId}:topic/${topicName}/*` + }, + { + "Effect": "Allow", + "Action": [ + "iot:Subscribe", + ], + "Resource": `arn:aws:iot:${region}:${accountId}:topicfilter/${topicName}/#` + } + ] + }; + + /* + Step 1) Create a policy + */ + iot.createPolicy({ + policyDocument: JSON.stringify(policy), + policyName: policyName + }, (err, data) => { + //Ignore if the policy already exists + if (err && (!err.code || err.code !== 'ResourceAlreadyExistsException')) { + console.log(err); + callback(err, data); + return; + } + console.log(data); + + /* + Step 2) Attach the policy to the certificate + */ + iot.attachPrincipalPolicy({ + policyName: policyName, + principal: certificateARN + }, (err, data) => { + //Ignore if the policy is already attached + if (err && (!err.code || err.code !== 'ResourceAlreadyExistsException')) { + console.log(err); + callback(err, data); + return; + } + console.log(data); + /* + Step 3) Activate the certificate. 
Optionally, you can have your custom Certificate Revocation List (CRL) check + logic here and ACTIVATE the certificate only if it is not in the CRL. Revoke the certificate if it is in the CRL + */ + iot.updateCertificate({ + certificateId: certificateId, + newStatus: 'ACTIVE' + }, (err, data) => { + if (err) { + console.log(err, err.stack); + callback(err, data); + } + else { + console.log(data); + callback(null, "Success, created, attached policy and activated the certificate " + certificateId); + } + }); + }); + }); + +} \ No newline at end of file diff --git a/backend/serverless/testing/img.py b/backend/serverless/testing/img.py new file mode 100644 index 00000000..e69de29b From ca2315c32988938ada755bfd5de7fba250c29771 Mon Sep 17 00:00:00 2001 From: lahirumenik <115687865+lahirumenik@users.noreply.github.com> Date: Sat, 13 Jan 2024 15:48:23 +0530 Subject: [PATCH 2/4] thing reg functiom for generated CA modified according to requirements --- backend/serverless/Lambda/thingreg.js | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/backend/serverless/Lambda/thingreg.js b/backend/serverless/Lambda/thingreg.js index ace113db..459408ef 100644 --- a/backend/serverless/Lambda/thingreg.js +++ b/backend/serverless/Lambda/thingreg.js @@ -3,7 +3,7 @@ var AWS = require('aws-sdk'); exports.handler = function(event, context, callback) { //Replace it with the AWS region the lambda will be running in - var region = "us-east-1"; + var region = "ap-southeast-1"; var accountId = event.awsAccountId.toString().trim(); @@ -11,7 +11,7 @@ exports.handler = function(event, context, callback) { var certificateId = event.certificateId.toString().trim(); //Replace it with your desired topic prefix - var topicName = `foo/bar/${certificateId}`; + var topicName = `${certificateId}`; var certificateARN = `arn:aws:iot:${region}:${accountId}:cert/${certificateId}`; var policyName = `Policy_${certificateId}`; 
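Review bot: The handler activates whatever certificate the registration event names without confirming which CA issued it; the event also carries `caCertificateId` (visible in the patch-4 test fixture), so step 3 should be gated on that value matching the CA this Lambda serves, e.g. `if (event.caCertificateId !== process.env.EXPECTED_CA_CERT_ID) { callback(new Error('unexpected issuing CA')); return; }` (env var name illustrative). The CRL remark in the step-3 comment describes this gap but nothing in the hunk implements any check before `updateCertificate`. Separately, `attachPrincipalPolicy` is the deprecated form of the call; `iot.attachPolicy({ policyName, target: certificateARN })` is the current API.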
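Review bot: The region stays hard-coded (`var region = "ap-southeast-1";`) under a comment telling deployers to edit the source; the Lambda runtime already exposes the deployment region as `process.env.AWS_REGION`, so `var region = process.env.AWS_REGION;` removes the per-deployment edit and keeps the policy and certificate ARNs aligned with where the function actually runs. The same literal is carried unchanged into the rewrite in patch 4.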
@@ -45,14 +45,12 @@ exports.handler = function(event, context, callback) { ] }; - /* - Step 1) Create a policy - */ + //create policy iot.createPolicy({ policyDocument: JSON.stringify(policy), policyName: policyName }, (err, data) => { - //Ignore if the policy already exists + //if the policy exits if (err && (!err.code || err.code !== 'ResourceAlreadyExistsException')) { console.log(err); callback(err, data); @@ -60,9 +58,7 @@ exports.handler = function(event, context, callback) { } console.log(data); - /* - Step 2) Attach the policy to the certificate - */ + //attach the policy to the certificate iot.attachPrincipalPolicy({ policyName: policyName, principal: certificateARN @@ -74,10 +70,7 @@ exports.handler = function(event, context, callback) { return; } console.log(data); - /* - Step 3) Activate the certificate. Optionally, you can have your custom Certificate Revocation List (CRL) check - logic here and ACTIVATE the certificate only if it is not in the CRL. Revoke the certificate if it is in the CRL - */ + //certificate activation iot.updateCertificate({ certificateId: certificateId, newStatus: 'ACTIVE' From dead9361c264833e558f5c6dcf8f34a5e3fc975e Mon Sep 17 00:00:00 2001 From: lahirumenik <115687865+lahirumenik@users.noreply.github.com> Date: Sat, 13 Jan 2024 17:25:10 +0530 Subject: [PATCH 3/4] exports handler error of thing reg debugged --- backend/serverless/Lambda/thingreg.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/serverless/Lambda/thingreg.js b/backend/serverless/Lambda/thingreg.js index 459408ef..4a2abc7a 100644 --- a/backend/serverless/Lambda/thingreg.js +++ b/backend/serverless/Lambda/thingreg.js @@ -1,6 +1,6 @@ var AWS = require('aws-sdk'); -exports.handler = function(event, context, callback) { +exports.handler = async (event, context, callback) => { //Replace it with the AWS region the lambda will be running in var region = "ap-southeast-1"; From a665bf015b224b0401abc2eb742d635432e659cb Mon Sep 17 00:00:00 2001 
From: lahirumenik <115687865+lahirumenik@users.noreply.github.com> Date: Sat, 13 Jan 2024 20:30:44 +0530 Subject: [PATCH 4/4] policy added in thing registration debuged --- backend/serverless/Lambda/thingreg.js | 115 +++++++++-------------- backend/serverless/testing/thingreg.json | 10 ++ 2 files changed, 55 insertions(+), 70 deletions(-) create mode 100644 backend/serverless/testing/thingreg.json diff --git a/backend/serverless/Lambda/thingreg.js b/backend/serverless/Lambda/thingreg.js index 4a2abc7a..9f5508a7 100644 --- a/backend/serverless/Lambda/thingreg.js +++ b/backend/serverless/Lambda/thingreg.js 
@@ -1,90 +1,65 @@ -var AWS = require('aws-sdk'); - -exports.handler = async (event, context, callback) => { - - //Replace it with the AWS region the lambda will be running in - var region = "ap-southeast-1"; - - var accountId = event.awsAccountId.toString().trim(); +const AWS = require('aws-sdk'); - var iot = new AWS.Iot({'region': region, apiVersion: '2015-05-28'}); - var certificateId = event.certificateId.toString().trim(); - - //Replace it with your desired topic prefix - var topicName = `${certificateId}`; +exports.handler = async (event, context, callback) => { + const region = "ap-southeast-1"; + const accountId = event.awsAccountId.toString().trim(); + console.log(event); - var certificateARN = `arn:aws:iot:${region}:${accountId}:cert/${certificateId}`; - var policyName = `Policy_${certificateId}`; - - //Policy that allows connect, publish, subscribe and receive - var policy = { + const iot = new AWS.Iot({ 'region': region, apiVersion: '2015-05-28' }); + const certificateId = event.certificateId.toString().trim(); + const topicName = `${certificateId}`; + const certificateARN = `arn:aws:iot:${region}:${accountId}:cert/${certificateId}`; + const policyName = `Policy_${certificateId}`; + + const policy = { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", - "Action": [ - "iot:Connect" - ], + "Action": ["iot:Connect"], "Resource": `arn:aws:iot:${region}:${accountId}:client/${certificateId}` }, { "Effect": "Allow", - "Action": [ - "iot:Publish", - "iot:Receive" - ], - "Resource": `arn:aws:iot:${region}:${accountId}:topic/${topicName}/*` + "Action": ["iot:Publish", "iot:Receive"], + "Resource": `arn:aws:iot:${region}:${accountId}:topic/*` }, { "Effect": "Allow", - "Action": [ - "iot:Subscribe", - ], + "Action": ["iot:Subscribe"], "Resource": `arn:aws:iot:${region}:${accountId}:topicfilter/${topicName}/#` } ] }; - //create policy - iot.createPolicy({ - policyDocument: JSON.stringify(policy), - policyName: policyName - }, (err, data) => { - //if the 
policy exits - if (err && (!err.code || err.code !== 'ResourceAlreadyExistsException')) { - console.log(err); - callback(err, data); - return; - } - console.log(data); - - //attach the policy to the certificate - iot.attachPrincipalPolicy({ + try { + console.log("Started creating policy"); + const policyResult = await iot.createPolicy({ + policyDocument: JSON.stringify(policy), + policyName: policyName + }).promise(); + + console.log("Policy created:", policyResult); + + console.log("Attaching policy to certificate"); + const attachPolicyResult = await iot.attachPrincipalPolicy({ policyName: policyName, principal: certificateARN - }, (err, data) => { - //Ignore if the policy is already attached - if (err && (!err.code || err.code !== 'ResourceAlreadyExistsException')) { - console.log(err); - callback(err, data); - return; - } - console.log(data); - //certificate activation - iot.updateCertificate({ - certificateId: certificateId, - newStatus: 'ACTIVE' - }, (err, data) => { - if (err) { - console.log(err, err.stack); - callback(err, data); - } - else { - console.log(data); - callback(null, "Success, created, attached policy and activated the certificate " + certificateId); - } - }); - }); - }); - -} \ No newline at end of file + }).promise(); + + console.log("Policy attached to certificate:", attachPolicyResult); + + console.log("Activating certificate"); + const activateCertificateResult = await iot.updateCertificate({ + certificateId: certificateId, + newStatus: 'ACTIVE' + }).promise(); + + console.log("Certificate activated:", activateCertificateResult); + + callback(null, "Success, created, attached policy, and activated the certificate " + certificateId); + } catch (err) { + console.error("Error:", err); + callback(err); + } +}; diff --git a/backend/serverless/testing/thingreg.json b/backend/serverless/testing/thingreg.json new file mode 100644 index 00000000..89a699b4 --- /dev/null +++ b/backend/serverless/testing/thingreg.json 
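Review bot: The Publish/Receive statement's resource is widened from `topic/${topicName}/*` to `arn:aws:iot:${region}:${accountId}:topic/*`, so every auto-registered device receives a policy allowing it to publish to and receive on any topic in the account, while Subscribe is still confined to `topicfilter/${topicName}/#`; the per-device scoping should be restored. The rewrite also drops the `ResourceAlreadyExistsException` tolerance the callback version had: if the registration event is redelivered after a failed attach or activation, `createPolicy` now throws and the certificate stays PENDING_ACTIVATION. With an `async` handler, returning the success string and rethrowing the error is the idiomatic form and the `callback` parameter becomes redundant, though keeping it is not wrong. `console.log(event)` also writes the full event, including `sourceIp`, to the function's logs on every invocation.
```javascript
  // … unchanged: region, accountId, iot client, certificateId, topicName, ARNs …
      // Publish/Receive scoped back to this device's own topic tree, matching the Subscribe statement
      "Resource": `arn:aws:iot:${region}:${accountId}:topic/${topicName}/*`
  // … unchanged: rest of policy document …
  try {
    console.log("Started creating policy");
    try {
      await iot.createPolicy({ policyDocument: JSON.stringify(policy), policyName }).promise();
    } catch (err) {
      // A redelivered registration event must not fail on the policy it created last time.
      if (err.code !== 'ResourceAlreadyExistsException') throw err;
    }
    // … unchanged: attachPrincipalPolicy, updateCertificate, logging, callback …
```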
@@ -0,0 +1,10 @@ +{ + "certificateId": "dd65ef7b374ec529e169aeead5f712a6a5d54653447d6eb04325e5a9261f8cf5", + "caCertificateId": "213adfc300a3f9841bd3c5aac09dcacf354171039c8be383ffd5914f600d3f4c", + "timestamp": "1705156374335", + "certificateStatus": "PENDING_ACTIVATION", + "awsAccountId": "782538749135", + "certificateRegistrationTimestamp": "1705146021287", + "sourceIp": "2402:d000:a400:f6c1:2625:20e0:d648:c4cf" + } + \ No newline at end of file
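Review bot: The fixture checks in what looks like a live AWS account ID, two certificate IDs and a client IPv6 address; test input for this handler only needs the field shapes, so obviously fake values (e.g. `"awsAccountId": "123456789012"`, a constructed example) avoid leaving account metadata in repository history. The file also ends with a stray whitespace-only line and no trailing newline, which parsers tolerate but formatters will keep flagging.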