How to apply Microservice Level Authentication to the Custom Application Servcie

[pachori91]

Hi,

I have implemented a Custom Application Service by using app function sdk. and that was working fine while runing with non-secured EdgeX Environment.

Now i am trying to run Edegx in secured mod for that i just followed Configure Add On Service Documnetation to configure my Custom Application service. As the result all EdgeX services and Custom Appliation Servcie are started properly and application service doing its job as expected.

But to check if service leve authentication applied to my Custom Applciation Service I JUST executed below curl command
curl "http://localhost:(csutom-application-service-prot)/api/v3/version". Here i was expecting Unauthorized(401) but it was 200.
So do i need to make any code change in my Custom Applicaiton service or something else i am missed while configuration.

Please suggest me step to apply service level authentication for Cutom Application service.

One more issue i am facing while trying to create device profile from the EdgeX UI. I am getting error as below while trying to submit add profile form.

Error - code: 400 , message: request failed, status code: 401, err: Unauthorized

Thanks

[jiekechoo]

@pachori91 , you can't submit two issues in one question, and you need to provide more information about your issues.
According to your error message, it seems there was not running in real SecureMode, here is a guide Working in a Hybrid Environment
you can refer.
I suggest you run all micro service in no-secty mode for develop, docker compose is perfered. And run them in secure mode for full test.

Jieke
YIQISOFT

[pachori91]

Hi @jiekechoo

Thanks for your reply.
I apologies for submitting multiple issue in same question.

Lets discuss for first query only-

After following Configure Add On Service documentation my custom application service is secured behind the NGNIX means-

• while i am calling https://(host):8443/(custom-application-service-key)/api/v3/version without passing JWT token then responding with 401 and responding with status 200 while passing valid JWT token in CURL Command.

But while i was testing microservice level security (New feature in EdgeX Minnesota release) for My Custom application Servcie it was failed as described in previous post where i tried with curl as below-
curl "http://localhost:(custom-application-service-port)/api/v3/version"
Response - 200 , but i was expecting 401 as i haven't passed JWT token in my Curl request.

SO my question is -
do i need to make any other changes (may be in Custom application service code) execpt descibed at Configure Add On Service documentation.

Thanks

[jiekechoo]

Have you enabled EDGEX_SECURITY_SECRET_STORE: "true" in your docker-compose.yml ? or set the Linux environment EDGEX_SECURITY_SECRET_STORE=true before start your application?

[pachori91]

Yes, EDGEX_SECURITY_SECRET_STORE: "true" is provided into docker-compose.yml

Let me explain what i have in docker-compose.yml

The Service i have as below-
custom-app-service:
container_name: edgex-app-gfiware-export
command:
- /custom-app-service
- -cp=consul.http://edgex-core-consul:8500
- --registry
depends_on:
consul:
condition: service_started
core-data:
condition: service_started
security-bootstrapper:
condition: service_started
entrypoint:
- /edgex-init/ready_to_run_wait_install.sh
environment:
EDGEX_SECURITY_SECRET_STORE: "true"
SERVICE_HOST: edgex-custom-app-service
WRITABLE_LOGLEVEL: DEBUG
PROXY_SETUP_HOST: edgex-security-proxy-setup
SECRETSTORE_HOST: edgex-vault
STAGEGATE_BOOTSTRAPPER_HOST: edgex-security-bootstrapper
STAGEGATE_BOOTSTRAPPER_STARTPORT: "54321"
STAGEGATE_DATABASE_HOST: edgex-redis
STAGEGATE_DATABASE_PORT: "6379"
STAGEGATE_DATABASE_READYPORT: "6379"
STAGEGATE_READY_TORUNPORT: "54329"
STAGEGATE_REGISTRY_HOST: edgex-core-consul
STAGEGATE_REGISTRY_PORT: "8500"
STAGEGATE_REGISTRY_READYPORT: "54324"
STAGEGATE_SECRETSTORESETUP_HOST: edgex-security-secretstore-setup
STAGEGATE_SECRETSTORESETUP_TOKENS_READYPORT: "54322"
STAGEGATE_WAITFOR_TIMEOUT: 60s
hostname: edgex-custom-app-service
image: localrepo/custom-app-service:0.0.0-dev
networks:
edgex-network: null
ports:
- mode: ingress
target: 59705
published: "59705"
protocol: tcp
read_only: true
restart: always
security_opt:
- no-new-privileges:true
user: 2002:2001
volumes:
- type: volume
source: edgex-init
target: /edgex-init
read_only: true
volume: {}
- type: bind
source: /tmp/edgex/secrets/custom-app-service
target: /tmp/edgex/secrets/custom-app-service
read_only: true
bind:
selinux: z
create_host_path: true

Further as per Configure Add On Service document below environment variable added in respective services-
Service - Environment variables
consul - EDGEX_ADD_REGISTRY_ACL_ROLES: "custom-app-service"
security-proxy-setup - EDGEX_ADD_PROXY_ROUTE: device-rest.http://edgex-device-rest:59986,custom-app-service.http://edgex-custom-app-service:59705
security-secretstore-setup - EDGEX_ADD_SECRETSTORE_TOKENS: "custom-app-service"
security-secretstore-setup - EDGEX_ADD_KNOWN_SECRETS: redisdb[app-rules-engine],redisdb[device-rest],message-bus[device-rest],redisdb[device-virtual],message-bus[device-virtual],redisdb[custom-app-service],message-bus[custom-app-service]

Note:- "custom-app-service" is the service key of my custom application service.

[jiekechoo]

Please check, is there any files in /tmp/edgex/secrets/custom-app-service dirctory on your host?

[pachori91]

yes it is present and same directory have file named as "secrets-token.json"

content of secret-token.json is a below

{
"auth": {
"accessor": "(random string)",
"client_token": "hvs.(random string)",
"entity_id": "(random string)",
"identity_policies": [
"edgex-service-custom-app-service"
],
"lease_duration": 3600,
"metadata": {
"username": "custom-app-service"
},
"mfa_requirement": null,
"num_uses": 0,
"orphan": true,
"policies": [
"default",
"edgex-service-custom-app-service"
],
"renewable": true,
"token_policies": [
"default"
],
"token_type": "service"
},
"data": null,
"lease_duration": 0,
"lease_id": "",
"renewable": false,
"request_id": "(random string)",
"warnings": null,
"wrap_info": null
}

[bnevis-i]

Here is some info to help you debug:

In app-functions-sdk-go it starts the web server and registers the common endpoints:
https://github.com/edgexfoundry/app-functions-sdk-go/blob/main/internal/webserver/server.go#L53

The version route is registered here:
https://github.com/edgexfoundry/go-mod-bootstrap/blob/main/bootstrap/controller/commonapi.go#L65

The pipeline authentication hook is instantiated here:
https://github.com/edgexfoundry/go-mod-bootstrap/blob/main/bootstrap/controller/commonapi.go#L50

The authentication handler is here:
https://github.com/edgexfoundry/go-mod-bootstrap/blob/main/bootstrap/handlers/auth_middleware.go#L102

Optional disable for it is here:
https://github.com/edgexfoundry/go-mod-bootstrap/blob/main/bootstrap/handlers/auth_middleware.go#L104

If the Auto function detects security is disabled, it just returns a Nil authentication handler here:
https://github.com/edgexfoundry/go-mod-bootstrap/blob/main/bootstrap/handlers/auth_middleware.go#L85

Otherwise, you get a real handler and the actual check for token validity is here:
https://github.com/edgexfoundry/go-mod-bootstrap/blob/main/bootstrap/handlers/auth_middleware.go#L60

If you are running without the EdgeX secret store, it returns the InsecureSecretsProvider, which returns true always
https://github.com/edgexfoundry/go-mod-bootstrap/blob/main/bootstrap/secret/insecure.go#L245

If you are running with the EdgeX secret store, it returns a real secret provider, that checks the JWT with Vault:
https://github.com/edgexfoundry/go-mod-bootstrap/blob/main/bootstrap/secret/secure.go#L477

If you end up at line 245, your service actually isn't running in secure mode. If you end up at line 477, then it is. If you end up at line 477 and you always get true back no matter what is passed for the JWT, there are big problems. (For reference, I hit the /api/v3/version endpoint of app-http-export and it works as expected--HTTP 401)