XMiDT

Questions around Themis/Talaira/JWT

Hello,

I am using the latest (at the time of writing) xmidt-org/xmidt repo and guide for quick deployment using docker-compose.

If I shut down themis, it seems I can still register to Talaria? I was expecting the connection to be refused since no token has been provided?
The most interesting logs from the rdkb-simulator:

[1588367641][PARODUS][Info]: curl response Time: 4.9 seconds
[1588367641][PARODUS][Error]: curl_easy_perform() failed: Couldn't resolve host name
[1588367641][PARODUS][Error]: Failed to create new token
[1588367641][PARODUS][Error]: Curl execution is failed, retry attempt: 3
[1588367641][PARODUS][Error]: Curl retry is reached to max 3 attempts, proceeding without token

And Talaria:

ts=2020-05-01T21:17:41.218352616Z serverName=talaria bindAddress=:6200 listenNetwork=tcp listenAddress=[::]:6200 level=debug msg="accepted connection" remoteAddress=172.28.0.3:45898
ts=2020-05-01T21:17:41.218620186Z caller=manager.go:140 level=debug msg="device connect" url=/api/v2/device
ts=2020-05-01T21:17:41.218734591Z caller=manager.go:178 level=info id=mac:998877665544 convey="unsupported value type"
ts=2020-05-01T21:17:41.218755498Z caller=manager.go:184 level=error id=mac:998877665544 msg="missing security information"
ts=2020-05-01T21:17:41.218858779Z caller=manager.go:193 level=debug id=mac:998877665544 msg="websocket upgrade complete" localAddress=172.28.0.8:6200
ts=2020-05-01T21:17:41.219040541Z caller=handlers.go:223 level=debug msg="Connected device" id=mac:998877665544
ts=2020-05-01T21:17:41.219127899Z caller=manager.go:353 level=debug id=mac:998877665544 msg="writePump starting"
ts=2020-05-01T21:17:41.219429773Z caller=manager.go:275 level=debug id=mac:998877665544 msg="readPump starting"
ts=2020-05-01T21:17:41.220907266Z caller=workerPool.go:86 level=debug msg="HTTP response" status="202 Accepted" url=http://caduceus:6000/api/v3/notify

and I can curl devices api and see the connection:

# curl -H "Authorization: Basic dXNlcjpwYXNz" http://localhost:6200/api/v2/devices
{"devices":[{"id": "mac:998877665544", "pending": 0, "statistics": {"bytesSent": 0, "messagesSent": 0, "bytesReceived": 0, "messagesReceived": 0, "duplications": 0, "connectedAt": "2020-05-01T21:17:41.218717746Z", "upTime": "31.242819587s"}}]}

Is it expected behaviour that devices can connect without a token?

Secondly, if I restart Themis and upgrade Talaria from the default I got simply by running the “deploy.sh”:

# docker images |egrep 'talaria|themis' 
xmidt/themis                                               0.4.0               582565ce0d9b        4 months ago        22.4MB
xmidt/talaria                                              0.1.3               cc2cc5703d13        7 months ago        30.5MB

to the latest 0.5.0 image I see on docker hub:

# TALARIA_VERSION=0.5.0 deploy/docker-compose/deploy.sh

the simulator can no longer connect and I see errors in Talaria log (all configurations as per xmidt-org/xmidt/deploy/docker-compose).

simulator logs:

[1588368628][PARODUS][Info]: themis curl response 0 http_code 200
[1588368628][PARODUS][Info]: curl response Time: 0.0 seconds
[1588368628][PARODUS][Info]: cURL success
[1588368628][PARODUS][Info]: cfg->webpa_auth_token created successfully
[1588368628][PARODUS][Info]: nopoll_conn.c:331 IPv4 address of petasos is 172.29.0.8 
 
[1588368628][PARODUS][Info]: nopoll_conn.c:377 Create socket with non blocking-mode 
[1588368628][PARODUS][Info]: nopoll_conn.c:264 Result of wait after connect EINPROGRESS = 0
 
[1588368628][PARODUS][Error]: nopoll_conn.c:3067 websocket server denied connection with: 307 Temporary Redirect
 
[1588368628][PARODUS][Error]: nopoll_conn.c:2914 Received uncomplete listener handshake reply (0 0 0) 
[1588368628][PARODUS][Info]: nopoll_conn.c:5229 nopoll_conn_wait_for_status_until_connection_ready() response: message: Redirect:http://talaria-0:6200/api/v2/device 
[1588368628][PARODUS][Info]: Received temporary redirection response message Redirect:http://talaria-0:6200/api/v2/device
[1588368628][PARODUS][Info]: full url: http://talaria-0:6200/api/v2/device
[1588368628][PARODUS][Info]: server address copied from url
[1588368628][PARODUS][Info]: server talaria-0, port 6200, http_match 1
[1588368628][PARODUS][Info]: nopoll_ctx.c:338 Unregistered connection id 2 
[1588368628][PARODUS][Info]: cloud_status set as offline after connection close
[1588368628][PARODUS][Info]: nopoll_conn.c:331 IPv4 address of talaria-0 is 172.29.0.6 
 
[1588368628][PARODUS][Info]: nopoll_conn.c:377 Create socket with non blocking-mode 
[1588368628][PARODUS][Info]: nopoll_conn.c:264 Result of wait after connect EINPROGRESS = 0
 
[1588368628][PARODUS][Error]: nopoll_conn.c:3067 websocket server denied connection with: 403 Forbidden
 
[1588368628][PARODUS][Error]: nopoll_conn.c:2914 Received uncomplete listener handshake reply (0 0 0) 
[1588368628][PARODUS][Info]: nopoll_conn.c:5235 nopoll_conn_wait_for_status_until_connection_ready() response: status: 403 
[1588368628][PARODUS][Error]: Received Unauthorized response with status: 403

Talaria logs:

ts=2020-05-01T21:28:41.352973378Z serverName=talaria bindAddress=:6200 listenNetwork=tcp listenAddress=[::]:6200 level=debug msg="accepted connection" remoteAddress=172.29.0.10:59140
ts=2020-05-01T21:28:41.353128293Z requestHeaders="unsupported value type" requestURL=/api/v2/device method=GET ts=2020-05-01T21:28:41.353122038Z caller=constructor.go:129 level=error error="key not supported: [Bearer]" auth="Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImxvY2FsIiwidHlwIjoiSldUIn0.eyJjYXBhYmlsaXRpZXMiOlsieG1pZHQ6aXNzdWVyOnRlc3Q6Lio6YWxsIl0sImV4cCI6MTU4ODM3NTcyMSwiaWF0IjoxNTg4MzY4NTIxLCJpc3MiOiJ0aGVtaXMiLCJqdGkiOiJxMWJySGt0d0s5Y3ptVjJUUFhpdy1BIiwibmJmIjoxNTg4MzY4NTA2LCJwYXJ0bmVyLWlkIjoiY29tY2FzdCIsInRydXN0IjoxMDAwfQ.X6gpaW4N6RyODwGSBLuLfZMNc4UyImQt-fFK3H6O0TXOWYbfJjCL4vA4ERkK-lEYBqsTRVCsw1LpqxSunjLYCUYqJxmQHgMUW3KAHgTbM8LsXbwCSGrBjKWHtx4cJKYruUCk1dS14c3eF8zbT-fLjAFqLHz5RKWmXDyy7LrFJ8kKq-B2kPsjU8QvwbOJB-UD6eq9et8aqNDfr62UkLPZ2rIPpbPyz-prm8lKIk8jEllD7nOVJSqgcDL8_tc5M8rjj3H3h-cYEXglebJB7WQDpbuMR0UmUDZEkdFUAorlli9BcFXuVOzvAoiQOaUCBW7L_4FNAy_hLkRpt3oyrE3B7g"
ts=2020-05-01T21:28:41.359281901Z serverName=talaria bindAddress=:6200 listenNetwork=tcp listenAddress=[::]:6200 level=debug msg="accepted connection" remoteAddress=172.29.0.10:59144
ts=2020-05-01T21:28:41.35971347Z requestHeaders="unsupported value type" requestURL=/api/v2/device method=GET ts=2020-05-01T21:28:41.359697566Z caller=constructor.go:129 level=error error="key not supported: [Bearer]" auth="Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImxvY2FsIiwidHlwIjoiSldUIn0.eyJjYXBhYmlsaXRpZXMiOlsieG1pZHQ6aXNzdWVyOnRlc3Q6Lio6YWxsIl0sImV4cCI6MTU4ODM3NTcyMSwiaWF0IjoxNTg4MzY4NTIxLCJpc3MiOiJ0aGVtaXMiLCJqdGkiOiI1aEtEVTFUeTlETFR6VkZxX0ZnUllBIiwibmJmIjoxNTg4MzY4NTA2LCJwYXJ0bmVyLWlkIjoiY29tY2FzdCIsInRydXN0IjoxMDAwfQ.X7-TV1iYJK830OVXMCvAakeeFzCcO5kWXmvMctoD8bN950c7UzB-b21WolY1yySwmoRybf1b1qMLdsPOevoSFx9D3BGgAR_XDsZEf_0EXWyiIZRQIrA3s7LKRr4W5BQQE6bHLcucP_a9ROLLXp9xiB91SWZ4Q2-50uihQ_CNsI5REG5mj2S61s5TEGNAF-Z-CRJIlxOMxIc2OVVPE54E5mBfnEH2wuNRokFzvtoJvXtadoOPN6rLVRtsO7mXkWhAwff4uAh6-kjCwqsSavV-nzlF7ZFoS35D7XjDpXRm-r-OHyE5vYPivWzfcUd5V_0NekQBlmVOcIRDXXy8DkOG_g"

I’m confused by the differences in the example yaml configurations in xmidt-org/xmidt/deploy/docker-compose/docFiles vs the yaml examples in the individual components (i.e. https://github.com/xmidt-org/talaria/blob/master/talaria.yaml)

Is it possible to have an example configuration in the docker-compose that works with the latest 0.5.0 Talaria?

Many thanks,
Tom


Hey @Tom, thanks for your questions!
As for your first question: that’s expected behavior and the device connects to the cluster as not trusted.

For your second question: those configuration values just lagged behind the latest version. Here’s a PR that we are working on to update the configuration values https://github.com/xmidt-org/xmidt/pull/26/files
The PR might not be final yet but the configs there work in case you want to try it out.

@joe94, thanks a lot for the support.
I tried the latest versions and it makes more sense now. If I change the talaria action from “monitor” to “enforce”, when I curl tr1d1um without a header:

curl -i -H "Authorization: Basic dXNlcjpwYXNz" "http://localhost:6100/api/v2/device/mac:112233445566/config?names=Device.DeviceInfo.X_CISCO_COM_BootloaderVersion"

I get a 403 forbidden and see this in the Talaria log:
{"caller":"deviceAccess.go:175","check":"PartnerID","level":"debug","msg":"WRP is unauthorized to reach device","ts":"2020-05-11T18:43:45.025123811Z"}

@Tom np! That’s because the WRP message created by tr1d1um didn’t have any partnerIDs in it. You’ll have to pass it as a header. That check (when run in enforce mode) ensures that the partnerIDs in the WRP match the partnerID corresponding to the device.
The PR was merged and the readme was updated with the new request:

curl -i -H "Authorization: Basic dXNlcjpwYXNz" "http://localhost:6100/api/v2/device/mac:112233445566/config?names=Device.DeviceInfo.X_CISCO_COM_BootloaderVersion" -H "X-Xmidt-Partner-ID: comcast,nbc,sky"

Ideally, what you should see is:

FYI: for any service configuration value, we try to keep some basic explanations up to date at https://github.com/xmidt-org/[serviceName]/blob/master/[serviceName].yaml (i.e. https://github.com/xmidt-org/talaria/blob/master/talaria.yaml) as a guide.
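An added illustration of the partner-ID check described above, written for this thread and not XMiDT's own code: it parses an `X-Xmidt-Partner-ID` header value into the list a WRP would carry, compares it against the partner ID the device registered with, and only blocks in enforce mode; the device partner ID and header values are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is the outcome of the partner-ID check for one WRP message.
type Decision struct {
	Allowed bool   // true if the WRP may be forwarded to the device
	Reason  string // logged in either mode, as in the deviceAccess.go line
}

// parsePartnerIDs splits an X-Xmidt-Partner-ID value like "comcast,nbc,sky".
func parsePartnerIDs(header string) []string {
	var ids []string
	for _, p := range strings.Split(header, ",") {
		if p = strings.TrimSpace(p); p != "" {
			ids = append(ids, p)
		}
	}
	return ids
}

// checkPartnerID applies the rule from the thread: the partner IDs carried by
// the WRP must include the partner ID the device registered with. A request
// sent without the header fails the check, which is the 403 seen in enforce
// mode; mode is "monitor" (log only) or "enforce" (reject).
func checkPartnerID(mode, devicePartnerID string, wrpPartnerIDs []string) Decision {
	for _, id := range wrpPartnerIDs {
		if id == devicePartnerID {
			return Decision{Allowed: true, Reason: "partner ID matches device"}
		}
	}
	d := Decision{Reason: "WRP is unauthorized to reach device"}
	if len(wrpPartnerIDs) == 0 {
		d.Reason = "WRP carries no partner IDs"
	}
	d.Allowed = mode != "enforce" // monitor mode only records the mismatch
	return d
}

func main() {
	// Constructed sample: the device connected with partner-id "comcast".
	for _, hdr := range []string{"", "comcast,nbc,sky"} {
		d := checkPartnerID("enforce", "comcast", parsePartnerIDs(hdr))
		fmt.Printf("header=%q allowed=%v reason=%q\n", hdr, d.Allowed, d.Reason)
	}
}
```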