Device Shared Secret Authentication (#1139)

this is based upon 0d44fc2 with the addition of Product Shared Secrets * device token auth strategy requires opt in during runtime * add an `Experimental` badge * improvements to the shared secrets UI * add authorization to the Product Settings LiveView --------- Co-authored-by: Jon Carstens <[email protected]>
nerves-hub · Jan 7, 2024 · b83ea21 · b83ea21
1 parent a2294c7
commit b83ea21
Show file tree

Hide file tree

Showing 32 changed files with 1,012 additions and 33 deletions.
diff --git a/assets/css/_navigation.scss b/assets/css/_navigation.scss
@@ -272,11 +272,16 @@ nav.navbar {
 
   .nav-item {
     margin-right: 2.75rem;
+    padding: 0 1.25rem;
 
     @media (max-width: 1100px) {
       margin-right: 0;
     }
 
+    &:first-child {
+      padding: 0 1.25rem 0 0;
+    }
+
     &:last-child {
       margin-right: 0;
     }
@@ -290,7 +295,7 @@ nav.navbar {
     height: 76px;
     display: flex;
     align-items: center;
-    padding: 0 1.25rem;
+    padding: 0 0 0 0;
 
     @media (max-width: 1100px) {
       height: 60px;

diff --git a/assets/js/app.js b/assets/js/app.js
@@ -64,3 +64,16 @@ window.deploymentPolling = (url) => {
 document.querySelectorAll('.date-time').forEach(d => {
   d.innerHTML = dates.formatDateTime(d.innerHTML)
 })
+
+window.addEventListener('phx:sharedsecret:clipcopy', (event) => {
+  if ("clipboard" in navigator) {
+    const text = event.detail.secret;
+    navigator.clipboard.writeText(text).then(() => {
+      confirm('Content copied to clipboard');
+    }, () => {
+      alert('Failed to copy');
+    });
+  } else {
+    alert("Sorry, your browser does not support clipboard copy.");
+  }
+});
diff --git a/config/dev.exs b/config/dev.exs
@@ -100,6 +100,8 @@ config :nerves_hub, NervesHub.Uploads.File,
 ##
 # Other
 #
+config :nerves_hub, NervesHubWeb.DeviceSocketSharedSecretAuth, enabled: true
+
 config :nerves_hub, NervesHub.SwooshMailer, adapter: Swoosh.Adapters.Local
 
 config :nerves_hub, NervesHub.RateLimit, limit: 10

diff --git a/config/runtime.exs b/config/runtime.exs
@@ -14,8 +14,8 @@ config :nerves_hub,
   deploy_env: System.get_env("DEPLOY_ENV", to_string(config_env())),
   from_email: System.get_env("FROM_EMAIL", "[email protected]")
 
-if log_level = System.get_env("LOG_LEVEL") do
-  config :logger, level: String.to_atom(log_level)
+if level = System.get_env("LOG_LEVEL") do
+  config :logger, level: String.to_atom(level)
 end
 
 dns_cluster_query =
@@ -55,6 +55,9 @@ if config_env() == :prod do
         signing_salt: System.fetch_env!("LIVE_VIEW_SIGNING_SALT")
       ],
       server: true
+
+    config :nerves_hub, NervesHubWeb.DeviceSocketSharedSecretAuth,
+      enabled: System.get_env("DEVICE_SHARED_SECRET_AUTH", "false") == "true"
   end
 
   if nerves_hub_app in ["all", "device"] do

diff --git a/config/test.exs b/config/test.exs
@@ -8,8 +8,8 @@ config :logger, :default_handler, false
 # NervesHub Web
 #
 config :nerves_hub, NervesHubWeb.Endpoint,
-  http: [port: 5000],
-  server: false,
+  http: [port: 4100],
+  server: true,
   secret_key_base: "x7Vj9rmmRke//ctlapsPNGHXCRTnArTPbfsv6qX4PChFT9ARiNR5Ua8zoRilNCmX",
   live_view: [signing_salt: "FnV9rP_c2BL11dvh"]
 
@@ -41,8 +41,7 @@ config :nerves_hub, NervesHubWeb.DeviceEndpoint,
 ##
 # Firmware uploader
 #
-config :nerves_hub,
-  firmware_upload: NervesHub.UploadMock
+config :nerves_hub, firmware_upload: NervesHub.UploadMock
 
 config :nerves_hub, NervesHub.Firmwares.Upload.S3, bucket: "mybucket"
 
@@ -74,6 +73,8 @@ config :nerves_hub, Oban, queues: false, plugins: false
 ##
 # Other
 #
+config :nerves_hub, NervesHubWeb.DeviceSocketSharedSecretAuth, enabled: true
+
 config :nerves_hub, delta_updater: NervesHub.DeltaUpdaterMock
 
 config :nerves_hub, NervesHub.SwooshMailer, adapter: Swoosh.Adapters.Test

diff --git a/lib/nerves_hub/accounts.ex b/lib/nerves_hub/accounts.ex
@@ -15,6 +15,8 @@ defmodule NervesHub.Accounts do
     RemoveAccount
   }
 
+  alias NervesHub.Products.Product
+
   alias NervesHub.Repo
 
   @spec create_org(User.t(), map) ::
@@ -128,12 +130,9 @@ defmodule NervesHub.Accounts do
   end
 
   def get_org_user(org, user) do
-    from(
-      ou in OrgUser,
-      where:
-        ou.org_id == ^org.id and
-          ou.user_id == ^user.id
-    )
+    OrgUser
+    |> where([ou], ou.org_id == ^org.id)
+    |> where([ou], ou.user_id == ^user.id)
     |> OrgUser.with_user()
     |> Repo.exclude_deleted()
     |> Repo.one()
@@ -224,12 +223,16 @@ defmodule NervesHub.Accounts do
     |> Repo.get!(user_id)
   end
 
-  def get_user_with_all_orgs(user_id) do
-    query = from(u in User, where: u.id == ^user_id)
+  def get_user_with_all_orgs_and_products(user_id) do
+    org_query = from(o in Org, where: is_nil(o.deleted_at))
+    product_query = from(p in Product, where: is_nil(p.deleted_at))
 
-    query
+    orgs_preload = {org_query, products: product_query}
+
+    User
+    |> where([u], u.id == ^user_id)
     |> Repo.exclude_deleted()
-    |> User.with_all_orgs()
+    |> preload(orgs: ^orgs_preload)
     |> Repo.one()
     |> case do
       nil -> {:error, :not_found}

diff --git a/lib/nerves_hub/application.ex b/lib/nerves_hub/application.ex
@@ -33,9 +33,11 @@ defmodule NervesHub.Application do
           {Cluster.Supervisor, [topologies]},
           {Task.Supervisor, name: NervesHub.TaskSupervisor},
           {Oban, Application.fetch_env!(:nerves_hub, Oban)},
-          NervesHub.Tracker
+          NervesHub.Tracker,
+          NervesHub.Devices.Supervisor
         ] ++
-        endpoints(Application.get_env(:nerves_hub, :deploy_env))
+        deployments_supervisor(deploy_env()) ++
+        endpoints(deploy_env())
 
     opts = [strategy: :one_for_one, name: NervesHub.Supervisor]
     Supervisor.start_link(children, opts)
@@ -52,9 +54,14 @@ defmodule NervesHub.Application do
     [NervesHub.Metrics]
   end
 
+  defp deployments_supervisor("test"), do: []
+
+  defp deployments_supervisor(_) do
+    [NervesHub.Deployments.Supervisor]
+  end
+
   defp endpoints("test") do
     [
-      NervesHub.Devices.Supervisor,
       NervesHubWeb.DeviceEndpoint,
       NervesHubWeb.Endpoint
     ]
@@ -64,16 +71,12 @@ defmodule NervesHub.Application do
     case Application.get_env(:nerves_hub, :app) do
       "all" ->
         [
-          NervesHub.Deployments.Supervisor,
-          NervesHub.Devices.Supervisor,
           NervesHubWeb.DeviceEndpoint,
           NervesHubWeb.Endpoint
         ] ++ device_socket_drainer()
 
       "device" ->
         [
-          NervesHub.Deployments.Supervisor,
-          NervesHub.Devices.Supervisor,
           NervesHubWeb.DeviceEndpoint
         ] ++ device_socket_drainer()
 

diff --git a/lib/nerves_hub/devices.ex b/lib/nerves_hub/devices.ex
@@ -19,14 +19,31 @@ defmodule NervesHub.Devices do
   alias NervesHub.Firmwares
   alias NervesHub.Firmwares.Firmware
   alias NervesHub.Firmwares.FirmwareMetadata
+  alias NervesHub.Products
   alias NervesHub.Products.Product
+  alias NervesHub.Products.SharedSecretAuth
   alias NervesHub.Repo
   alias NervesHub.TaskSupervisor, as: Tasks
 
   @min_fwup_delta_updatable_version ">=1.10.0"
 
-  def get_device(device_id), do: Repo.get(Device, device_id)
-  def get_device!(device_id), do: Repo.get!(Device, device_id)
+  def get_device!(device_id) do
+    Repo.get!(Device, device_id)
+  end
+
+  def get_device(device_id) when is_integer(device_id) do
+    Repo.get(Device, device_id)
+  end
+
+  def get_active_device(filters) do
+    Device
+    |> Repo.exclude_deleted()
+    |> Repo.get_by(filters)
+    |> case do
+      nil -> {:error, :not_found}
+      device -> {:ok, device}
+    end
+  end
 
   def get_devices_by_org_id(org_id) do
     query =
@@ -154,6 +171,14 @@ defmodule NervesHub.Devices do
     |> Repo.one!()
   end
 
+  def get_device_count_by_product_id(product_id) do
+    Device
+    |> where([d], d.product_id == ^product_id)
+    |> Repo.exclude_deleted()
+    |> select([d], count(d))
+    |> Repo.one!()
+  end
+
   defp device_by_org_query(org_id, device_id) do
     from(
       d in Device,
@@ -221,6 +246,24 @@ defmodule NervesHub.Devices do
     end
   end
 
+  @spec get_or_create_device(SharedSecretAuth.t(), String.t()) ::
+          {:ok, Device.t()} | {:error, :not_found}
+  def get_or_create_device(%SharedSecretAuth{} = auth, identifier) do
+    with {:error, :not_found} <-
+           get_active_device(product_id: auth.product_id, identifier: identifier),
+         {:ok, product} <-
+           Products.get_product(auth.product_id) do
+      create_device(%{
+        org_id: product.org_id,
+        product_id: product.id,
+        identifier: identifier
+      })
+    else
+      result ->
+        result
+    end
+  end
+
   def get_device_by(filters) do
     Repo.get_by(Device, filters)
     |> case do

diff --git a/lib/nerves_hub/products.ex b/lib/nerves_hub/products.ex
@@ -7,7 +7,7 @@ defmodule NervesHub.Products do
 
   alias Ecto.Multi
   alias NervesHub.{Certificate, Repo}
-  alias NervesHub.Products.Product
+  alias NervesHub.Products.{Product, SharedSecretAuth}
   alias NervesHub.Accounts.{User, Org, OrgUser}
 
   alias NimbleCSV.RFC4180, as: CSV
@@ -54,6 +54,16 @@ defmodule NervesHub.Products do
     |> Repo.get!(id)
   end
 
+  def get_product(id) do
+    Product
+    |> Repo.exclude_deleted()
+    |> Repo.get(id)
+    |> case do
+      nil -> {:error, :not_found}
+      product -> {:ok, product}
+    end
+  end
+
   def get_product_by_org_id_and_name(org_id, name) do
     Product
     |> Repo.exclude_deleted()
@@ -130,6 +140,49 @@ defmodule NervesHub.Products do
     Product.changeset(product, %{})
   end
 
+  def get_shared_secret_auth(product_id, auth_id) do
+    SharedSecretAuth
+    |> join(:inner, [ssa], p in assoc(ssa, :product))
+    |> where([ssa], ssa.id == ^auth_id)
+    |> where([_, p], p.id == ^product_id)
+    |> Repo.one()
+    |> case do
+      nil -> {:error, :not_found}
+      auth -> {:ok, auth}
+    end
+  end
+
+  def get_shared_secret_auth(key) do
+    SharedSecretAuth
+    |> join(:inner, [ssa], p in assoc(ssa, :product))
+    |> where([ssa], ssa.key == ^key)
+    |> where([ssa], is_nil(ssa.deactivated_at))
+    |> where([_, p], is_nil(p.deleted_at))
+    |> Repo.one()
+    |> case do
+      nil -> {:error, :not_found}
+      auth -> {:ok, auth}
+    end
+  end
+
+  def load_shared_secret_auth(product) do
+    Repo.preload(product, :shared_secret_auths)
+  end
+
+  def create_shared_secret_auth(product) do
+    product
+    |> SharedSecretAuth.create_changeset()
+    |> Repo.insert()
+  end
+
+  def deactivate_shared_secret_auth(product, shared_secret_id) do
+    {:ok, auth} = get_shared_secret_auth(product.id, shared_secret_id)
+
+    auth
+    |> SharedSecretAuth.deactivate_changeset()
+    |> Repo.update()
+  end
+
   def devices_csv(%Product{} = product) do
     product = Repo.preload(product, [:org, devices: :device_certificates])
     data = Enum.map(product.devices, &device_csv_line(&1, product))

diff --git a/lib/nerves_hub/products/product.ex b/lib/nerves_hub/products/product.ex
@@ -7,6 +7,7 @@ defmodule NervesHub.Products.Product do
   alias NervesHub.Devices.CACertificate
   alias NervesHub.Devices.Device
   alias NervesHub.Firmwares.Firmware
+  alias NervesHub.Products.SharedSecretAuth
   alias NervesHub.Repo
 
   @required_params [:name, :org_id]
@@ -20,6 +21,10 @@ defmodule NervesHub.Products.Product do
     has_many(:jitp, CACertificate.JITP)
     has_many(:archives, Archive)
 
+    has_many(:shared_secret_auths, SharedSecretAuth,
+      preload_order: [desc: :deactivated_at, asc: :id]
+    )
+
     belongs_to(:org, Org, where: [deleted_at: nil])
 
     field(:name, :string)