hono icon indicating copy to clipboard operation
hono copied to clipboard
verified publisher icon eclipse-hono

Device auto-provision and auto-create may use invalid device id

Open harism opened this issue 1 year ago • 2 comments

It seems possible that gateway device auto-provision and certificate based device auto-create may create a device with invalid device id. Invalid in a sense that you cannot access that device id using Device Registry API in any way.

Would it be better to add similar validation for auto-provision and auto-create as Device Registry HTTP calls have to ensure it the created device or gateway has always valid device id which works with Device Registry API calls also?

To test this:

  1. Create an auto-provisioning gateway with http-credentials
  2. Send PUT /telemetry/{tenant_id}/**invalid to http-adapter with previous step gateway credentials
  3. Device with **invalid -device id is created which is inaccessible with Device Registry API

harism avatar Jan 20 '24 18:01 harism

Would it be better to add similar validation for auto-provision and auto-create as Device Registry HTTP calls have to ensure it the created device or gateway has always valid device id which works with Device Registry API calls also?

I guess the check, if it is currently missing, should be added to the component that both the Registry Management API endpoint as well as the (adapter facing) AMQP based service Device Registration endpoint are using.

sophokles73 avatar Jan 25 '24 06:01 sophokles73

Ok, I could make a PR for this change for evaluation for its need. There is configurable validator already in device registry for device and tenant ids but it seems to be in use only for incoming HTTP requests parameters unless I'm mistaken. It should be somewhat straightforward to bring same validator into use for automated device creation paths also.

harism avatar Jan 27 '24 08:01 harism

Sorry for the long delay but now finally I had time to look at this again, and there is one question I'd like to clarify first before starting any actual implementation;

The current deviceId regexp pattern is defined in the property hono.registry.http.deviceIdPattern and now I would need to extend its use and bring a properties object containing it ServiceConfigProperties into use for AMQP or more specifically the EdgeDeviceAutoProvisioner class's use. It depends a bit also on how early the deviceId check is wanted to be made as part of device assertion.

And the question is how would you like to see this property hono.registry.http.deviceIdPattern handled now if its use gets extended above default HTTP device create only?

harism avatar Apr 14 '24 10:04 harism