Unusual behavior when configuring HTTPS from config file

[egekorkan]

Summary: We need strict validation of the security-related configuration in the config file passed to wot-servient CLI. The code expects a very strict config file where empty or wrong fields are not filled by defaults or any error reported, even with log level equal to debug (even for info level, there should be error messages).

Long version: I want to have basic auth on an HTTP Thing that I instantiate via wot-servient CLI and by supplying a config file. I write the following config files and observe the following behavior. Only the relevant parts of the config file are shown:

• Forgetting serverKey or serverCert

"http":{
        "port":8080,
        "serverKey":"/home/eko/git/thingweb.node-wot/examples/security/privatekey.pem"
    }

An HTTP server is started, without giving any information. This happens due to this line.

• Forgetting security

    "http":{
        "port":8080,
        "serverKey":"/home/eko/git/thingweb.node-wot/examples/security/privatekey.pem",
        "serverCert":"/home/eko/git/thingweb.node-wot/examples/security/certificate.pem"
    }

HTTPS server is instantiated but no need to use username password. This is intended but again no information is given.

• No credentials or wrong id

    "http":{
        "port":8080,
        "serverKey":"/home/eko/git/thingweb.node-wot/examples/security/privatekey.pem",
        "serverCert":"/home/eko/git/thingweb.node-wot/examples/security/certificate.pem"
    },
    "credentials": { //this whole block can be removed for the same behavior
        "urn:myThing": { //id in the counter.js is set to urn:uuid:counter
            "username": "node-wot", // username key (not the value) can be changed to another string for the same behavior
            "password": "hello" // password key (not the value) can be changed to another string for the same behavior
        }
    }

This is the most obscure case since:

1. Credentials object must be added
2. The id of thing from the script must be copy pasted. If the script does not have id, which is optional, a random id is generated.
3. username and password keys must be put correctly and not identity and psk. So the programmer must know what keys should be for the given security scheme above.

If all these and also the ones above, are not done perfectly, a Thing is created with an unknown username-password.

[danielpeintner]

Mhh, in general this tends to go into the direction that we try to figure out what the users intends to achieve (e.g., providing serverKey and forgetting serverCert. Shall we ask the user whether he wants to setup TLS?). I think this gets very complicated and tricky.

After starting a servient we could show some easy consumable table that shows which options have been set due to the configuration (and maybe which are default values). Having said that, I am not sure whether logging this information on console helps a lot.

I agree though that the should try to improve the situation (@egekorkan do you want to provide some fixes).

What would be (other) improvements?

[egekorkan]

As you said there could be multiple solutions:

• Asking the user: We can do prompts with the inquirer package. This way, we can also find the id of the things that will be ran and ask credentials per id, if they are not provided. This can be extended in the future to create a config file by asking questions.
• Doing a validation of the config file that does not start the servient if security is basic but there is no credentials provided.

providing serverKey and forgetting serverCert

This might be desired by the user but node-wot simply ignores it. If we want to give the flexibility to use only one of them, then the code for the http-server must change.

In any case, I would like to contribute by defining a JSON Schema for the configuration file.

[VigneshVSV]

Not sure where to inquire for this:

HttpConfig for https client seems to ignore allowSelfSigned:

const { HttpsClientFactory } = require("@node-wot/binding-http");


const servient = new Servient();
servient.addClientFactory(new HttpsClientFactory({ 
        allowSelfSigned : true,
    }));

servient.start().then(async (WoT) => {
    const td = await WoT.requestThingDescription("https://localhost:8083/spectrometer/ocean-optics/USB2000-plus/resources/wot");

I get error:

FetchError: request to https://localhost:8083/spectrometer/ocean-optics/USB2000-plus/resources/wot failed, reason: self-signed certificate at ClientRequest. (H:\New Work\node-clients\serial-utility\node_modules\node-fetch\lib\index.js:1501:11) at ClientRequest.emit (node:events:514:28) at TLSSocket.socketErrorListener (node:_http_client:495:9) at TLSSocket.emit (node:events:514:28) at emitErrorNT (node:internal/streams/destroy:151:8) at emitErrorCloseNT (node:internal/streams/destroy:116:3) at process.processTicksAndRejections (node:internal/process/task_queues:82:21) { type: 'system', errno: 'DEPTH_ZERO_SELF_SIGNED_CERT', code: 'DEPTH_ZERO_SELF_SIGNED_CERT' }

[danielpeintner]

Not sure where to inquire for this:

I created a new issue https://github.com/eclipse-thingweb/node-wot/issues/1268 for it since it doesn't have to do with this issue. I believe. Lets deal with it there...