Merge pull request #479 from sarmahaj/serviceinfo_sshkey_per_device

feat(serviceinfo_api_server): implement per device Serviceinfo initial user and sshkey
fdo-rs · May 2, 2023 · d80dbc6 · d80dbc6
2 parents f546f9c + bda730a
commit d80dbc6
Show file tree

Hide file tree

Showing 11 changed files with 420 additions and 83 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -111,6 +111,7 @@ jobs:
       - name: Run tests
         env:
           FDO_PRIVILEGED: true
+          PER_DEVICE_SERVICEINFO: false
         run: cargo test
       - name: Check aio
         run: |

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/HOWTO.md b/HOWTO.md
@@ -22,6 +22,8 @@
 - How to run the clients:
   - Linuxapp client
   - Manufacturing client
+- How to use Features:
+  - How to use the `per-device serviceinfo` feature
 
 ## Pre-requisites
 
@@ -734,3 +736,26 @@ Options:
 
 Please note that in this mode there are some environment variables that are
 still required to be set by the user (`DI_SIGN_KEY_PATH`, `DI_HMAC_KEY_PATH`).
+
+## How to use Features
+
+### How to use the `per-device serviceinfo` feature
+
+  Using this feature the user can choose to apply different serviceinfo settings on different devices.
+  For that the user needs to provide a path to a `per-device serviceinfo` file under the `device_specific_store_driver` field
+  present in the `serviceinfo_api_server.yml` file.
+  If other devices do not have their `per-device serviceinfo` file under `device_specific_store_driver` they will get onboarded
+  with settings from the main file, which is `serviceinfo_api_server.yml`.
+
+  1. Initialize the device as mentioned in [How to generate an Ownership Voucher and Credential for a Device](#how-to-generate-an-ownership-voucher-ov-and-credential-for-a-device-device-initialization).
+
+  2. Dump the `device-credentials`
+  ```bash
+  fdo-owner-tool dump-device-credential /path/to/device-credentials
+  ```
+
+  3. Note the GUID of the device and create a .yml file with same name as the `guid` under directory path `device_specific_store_driver`.
+
+  4. You can refer to [per_device_serviceinfo.yml](https://github.com/fedora-iot/fido-device-onboard-rs/blob/main/examples/config/device_specific_serviceinfo.yml) as an example.
+
+  5. Follow the onboarding procedure and this particular device will get the serviceinfo settings as mentioned in the above file.
diff --git a/examples/config/device_specific_serviceinfo.yml b/examples/config/device_specific_serviceinfo.yml
@@ -0,0 +1,9 @@
+initial_user:
+  username: username_per_device
+  sshkeys:
+  - "testkeyperdevice"
+files: null
+commands: null
+diskencryption_clevis: null
+additional_serviceinfo: null
+after_onboarding_reboot: false
diff --git a/integration-tests/templates/serviceinfo-api-server.yml.j2 b/integration-tests/templates/serviceinfo-api-server.yml.j2
@@ -9,7 +9,7 @@ service_info:
   initial_user:
     username: {{ user }}
     sshkeys:
-    - "testkey"
+    - {{ sshkey }}
   files:
   - path: /etc/hosts
     permissions: 644

diff --git a/integration-tests/tests/common/mod.rs b/integration-tests/tests/common/mod.rs
@@ -778,6 +778,16 @@ impl<'a> TestServerConfigurator<'a> {
             .runner_path(&self.server_number)
             .join(config_file_name);
 
+        let per_device: bool = match env::var("PER_DEVICE_SERVICEINFO") {
+            Ok(val) => val.parse().unwrap_or(false),
+            Err(e) => {
+                eprintln!(
+                    "Error reading environment variable: {} setting to default",
+                    e
+                );
+                false
+            }
+        };
         self.test_context
             .generate_config_file(&output_path, config_file_name, |cfg| {
                 cfg.insert(
@@ -790,10 +800,23 @@ impl<'a> TestServerConfigurator<'a> {
                     "config_dir",
                     &self.test_context.runner_path(&self.server_number),
                 );
-                cfg.insert(
-                    "user",
-                    users::get_current_username().unwrap().to_str().unwrap(),
-                );
+
+                if !per_device {
+                    L.l("per_device_serviceinfo is not set, using default values");
+                    cfg.insert(
+                        "user",
+                        users::get_current_username().unwrap().to_str().unwrap(),
+                    );
+                    cfg.insert("sshkey", "sshkey_default");
+                } else {
+                    L.l("per_device_serviceinfo is set, using device specific values");
+                    cfg.insert(
+                        "user",
+                        users::get_current_username().unwrap().to_str().unwrap(),
+                    );
+                    cfg.insert("sshkey", "sshkey_per_device");
+                }
+
                 // TODO: Insert more defaults
 
                 context_configurator(cfg)