authorPradeepKiruvale <pradeepkumar.kj@softwareag.com>2022-05-05 18:01:35 +0530
committerGitHub <noreply@github.com>2022-05-05 18:01:35 +0530
commit7c8bc1bedc9990e1c493a0678ba0470a959196da (patch)
tree91b1956c525fc1dd7fd76ad7b1887880de57008d /crates/core
parent16ddae45cea0c605aeb4e100cff9a855d12e839c (diff)
Cumulocity mapper fails to process messages when connected to a thick-edge VM (#1103)
* Closes #1082 do not validate self-signed certificates Signed-off-by: Pradeep Kumar K J <pradeepkumar.kj@softwareag.com> * add individual certificate to root_store Signed-off-by: Pradeep Kumar K J <pradeepkumar.kj@softwareag.com> * update document
Diffstat (limited to 'crates/core')
-rw-r--r--crates/core/c8y_api/src/http_proxy.rs16
-rw-r--r--crates/core/tedge/src/cli/certificate/error.rs7
-rw-r--r--crates/core/tedge/src/cli/certificate/upload.rs13
-rw-r--r--crates/core/tedge/src/cli/connect/bridge_config.rs1
-rw-r--r--crates/core/tedge/src/cli/connect/c8y_direct_connection.rs34
5 files changed, 54 insertions, 17 deletions
diff --git a/crates/core/c8y_api/src/http_proxy.rs b/crates/core/c8y_api/src/http_proxy.rs
index ac0423da..098ce82f 100644
--- a/crates/core/c8y_api/src/http_proxy.rs
+++ b/crates/core/c8y_api/src/http_proxy.rs
@@ -10,8 +10,8 @@ use mqtt_channel::{Connection, PubChannel, StreamExt, Topic, TopicFilter};
use reqwest::Url;
use std::{collections::HashMap, path::Path, time::Duration};
use tedge_config::{
- C8yUrlSetting, ConfigSettingAccessor, ConfigSettingAccessorStringExt, DeviceIdSetting,
- MqttBindAddressSetting, MqttPortSetting, TEdgeConfig,
+ C8yRootCertPathSetting, C8yUrlSetting, ConfigSettingAccessor, ConfigSettingAccessorStringExt,
+ DeviceIdSetting, MqttBindAddressSetting, MqttPortSetting, TEdgeConfig,
};
use time::OffsetDateTime;
@@ -211,7 +211,17 @@ impl JwtAuthHttpProxy {
) -> Result<JwtAuthHttpProxy, SMCumulocityMapperError> {
let c8y_host = tedge_config.query_string(C8yUrlSetting)?;
let device_id = tedge_config.query_string(DeviceIdSetting)?;
- let http_con = reqwest::ClientBuilder::new().build()?;
+ let root_cert = tedge_config.query(C8yRootCertPathSetting)?;
+
+ let client_builder = reqwest::Client::builder();
+ let http_con = match std::fs::metadata(&root_cert)?.is_file() {
+ true => {
+ let cert = std::fs::read(root_cert)?;
+ let cert_pem = reqwest::Certificate::from_pem(&cert)?;
+ client_builder.add_root_certificate(cert_pem).build()?
+ }
+ false => client_builder.build()?,
+ };
let mqtt_port = tedge_config.query(MqttPortSetting)?.into();
let mqtt_host = tedge_config.query(MqttBindAddressSetting)?.to_string();
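Review bot: In the `false` arm of the new `match`, a `c8y.root.cert.path` that points at a directory builds the client with no extra roots at all, so a custom CA dropped into that directory is honoured by the mosquitto bridge (`bridge_capath` in bridge_config.rs) and by `load_root_certs` in c8y_direct_connection.rs, but not by this HTTP client, and the mismatch only shows up as a TLS failure at request time. I would iterate the directory here the way `load_root_certs` does, calling `add_root_certificate` once per file, and keep the plain `build()` only for the case where the path is neither file nor directory. `reqwest::Certificate::from_pem` is documented to take one certificate, so a bundle file may be rejected or partly loaded — worth checking against the reqwest version pinned in Cargo.toml. A comment stating the intent would also help the next reader, e.g. `// Trust the configured CA in addition to the system roots; validation is never disabled here.` The enclosing constructor starts before the hunk and continues after it.
```rust
let client_builder = reqwest::Client::builder();
let meta = std::fs::metadata(&root_cert)?;
let http_con = if meta.is_dir() {
    // Mirror bridge_capath: every file in the directory is a trusted root.
    let mut builder = client_builder;
    for entry in std::fs::read_dir(&root_cert)? {
        let cert = std::fs::read(entry?.path())?;
        builder = builder.add_root_certificate(reqwest::Certificate::from_pem(&cert)?);
    }
    builder.build()?
} else if meta.is_file() {
    let cert = std::fs::read(&root_cert)?;
    client_builder
        .add_root_certificate(reqwest::Certificate::from_pem(&cert)?)
        .build()?
} else {
    // Neither file nor directory: rely on the system trust store only.
    client_builder.build()?
};
// … unchanged: mqtt_port / mqtt_host setup …
```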
diff --git a/crates/core/tedge/src/cli/certificate/error.rs b/crates/core/tedge/src/cli/certificate/error.rs
index 92950823..8fffc417 100644
--- a/crates/core/tedge/src/cli/certificate/error.rs
+++ b/crates/core/tedge/src/cli/certificate/error.rs
@@ -1,6 +1,7 @@
use reqwest::StatusCode;
use std::error::Error;
use tedge_config::FilePath;
+use tedge_config::{ConfigSettingError, TEdgeConfigError};
use tedge_users::UserSwitchError;
use tedge_utils::paths::PathsError;
@@ -76,6 +77,12 @@ pub enum CertError {
#[error("HTTP Connection Problem: {msg} \nHint: {hint}")]
CertificateValidationFailure { hint: String, msg: String },
+
+ #[error(transparent)]
+ TedgeConfigError(#[from] TEdgeConfigError),
+
+ #[error(transparent)]
+ TedgeConfigSettingError(#[from] ConfigSettingError),
}
impl CertError {
diff --git a/crates/core/tedge/src/cli/certificate/upload.rs b/crates/core/tedge/src/cli/certificate/upload.rs
index 603f6477..0fdb7313 100644
--- a/crates/core/tedge/src/cli/certificate/upload.rs
+++ b/crates/core/tedge/src/cli/certificate/upload.rs
@@ -44,8 +44,17 @@ impl UploadCertCmd {
Err(_) => rpassword::read_password_from_tty(Some("Enter password: "))?,
};
- // Use a builder instead of `Client::new`, `new` could panic, builder adds option to allow invalid certs.
- let client = reqwest::blocking::Client::builder().build()?;
+ let config = get_tedge_config()?;
+ let root_cert = config.query(C8yRootCertPathSetting)?;
+ let client_builder = reqwest::blocking::Client::builder();
+ let client = match std::fs::metadata(&root_cert)?.is_file() {
+ true => {
+ let cert = std::fs::read(root_cert)?;
+ let cert_pem = reqwest::Certificate::from_pem(&cert)?;
+ client_builder.add_root_certificate(cert_pem).build()?
+ }
+ false => client_builder.build()?,
+ };
// To post certificate c8y requires one of the following endpoints:
// https://<tenant_id>.cumulocity.url.io/tenant/tenants/<tenant_id>/trusted-certificates
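Review bot: The builder logic in this hunk is a line-for-line copy of the one added to `JwtAuthHttpProxy::new` in http_proxy.rs, including its gap: a `c8y.root.cert.path` that names a directory (the form `bridge_capath` accepts) lands in the `false` arm and the upload proceeds with only the system roots. I would move the file-or-directory handling into a single helper in c8y_api that both call sites use, so the two HTTP clients and the mosquitto bridge agree on what is trusted. `std::fs::metadata(&root_cert)?` also turns a missing path into a hard failure of `tedge cert upload` rather than a fallback; if the fallback is intended, check existence first, and if not, the `false` arm deserves a comment such as `// Path exists but is not a regular file: rely on the system trust store.` The enclosing `UploadCertCmd` method starts before the hunk and continues after it.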
diff --git a/crates/core/tedge/src/cli/connect/bridge_config.rs b/crates/core/tedge/src/cli/connect/bridge_config.rs
index bb4a7930..f843c7fe 100644
--- a/crates/core/tedge/src/cli/connect/bridge_config.rs
+++ b/crates/core/tedge/src/cli/connect/bridge_config.rs
@@ -39,7 +39,6 @@ impl BridgeConfig {
}
writeln!(writer, "address {}", self.address)?;
- // XXX: This has to go away
if std::fs::metadata(&self.bridge_root_cert_path)?.is_dir() {
writeln!(writer, "bridge_capath {}", self.bridge_root_cert_path)?;
} else {
diff --git a/crates/core/tedge/src/cli/connect/c8y_direct_connection.rs b/crates/core/tedge/src/cli/connect/c8y_direct_connection.rs
index d080eda2..bba72e6a 100644
--- a/crates/core/tedge/src/cli/connect/c8y_direct_connection.rs
+++ b/crates/core/tedge/src/cli/connect/c8y_direct_connection.rs
@@ -9,6 +9,7 @@ use rustls_0_19::ClientConfig;
use std::fs;
use std::io::{Error, ErrorKind};
+use std::path::PathBuf;
use std::{fs::File, io::BufReader};
use tedge_config::FilePath;
@@ -111,22 +112,33 @@ fn publish_device_create_message(
fn load_root_certs(
root_store: &mut rustls_0_19::RootCertStore,
- cert_dir: FilePath,
+ cert_path: FilePath,
) -> Result<(), ConnectError> {
- for file_entry in fs::read_dir(cert_dir)? {
- let file = file_entry?;
- let f = File::open(file.path())?;
- let mut rd = BufReader::new(f);
- let _ = root_store.add_pem_file(&mut rd).map(|_| ()).map_err(|()| {
- Error::new(
- ErrorKind::InvalidData,
- "could not load PEM file".to_string(),
- )
- });
+ if fs::metadata(&cert_path)?.is_dir() {
+ for file_entry in fs::read_dir(cert_path)? {
+ add_root_cert(root_store, file_entry?.path())?;
+ }
+ } else {
+ add_root_cert(root_store, cert_path.into())?;
}
Ok(())
}
+fn add_root_cert(
+ root_store: &mut rustls_0_19::RootCertStore,
+ cert_path: PathBuf,
+) -> Result<(), ConnectError> {
+ let f = File::open(cert_path)?;
+ let mut rd = BufReader::new(f);
+ let _ = root_store.add_pem_file(&mut rd).map(|_| ()).map_err(|()| {
+ Error::new(
+ ErrorKind::InvalidData,
+ "could not load PEM file".to_string(),
+ )
+ });
+ Ok(())
+}
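Review bot: `add_root_cert` drops the result of `add_pem_file`: the `map_err` builds an `InvalidData` error, but `let _ =` discards it and the function returns `Ok(())` regardless, so an unparseable PEM, a file yielding zero certificates, or a stray non-PEM entry in the directory branch all leave the root store short and only surface later as a TLS handshake failure. The removed loop had the same pattern, but now that a single configured file goes through this function a silent skip means an empty root store. I would propagate the error and treat an empty result as one too, since `add_pem_file` returns the `(added, ignored)` counts and `ConnectError` already accepts `io::Error` via the `?` on `File::open`. Whether the directory is expected to contain non-certificate files (which `bridge_capath` would tolerate) is not visible here, so the zero-added check may need to be limited to the single-file path.
```rust
fn add_root_cert(
    root_store: &mut rustls_0_19::RootCertStore,
    cert_path: PathBuf,
) -> Result<(), ConnectError> {
    let f = File::open(&cert_path)?;
    let mut rd = BufReader::new(f);
    // add_pem_file reports (added, ignored); Err(()) means the PEM could not be parsed.
    let (added, _ignored) = root_store.add_pem_file(&mut rd).map_err(|()| {
        Error::new(
            ErrorKind::InvalidData,
            format!("could not load PEM file {}", cert_path.display()),
        )
    })?;
    if added == 0 {
        return Err(Error::new(
            ErrorKind::InvalidData,
            format!("no certificates found in {}", cert_path.display()),
        )
        .into());
    }
    Ok(())
}
```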
+
fn read_pvt_key(
user_manager: UserManager,
key_file: tedge_config::FilePath,