lf-edge
StatusForbidden in case of no registered device
According to docs we should check onboard certificate for ping endpoint.
Signed-off-by: Petr Fedchenkov [email protected]
Inside ping section you can find: Valid credentials without authorization: 403. Inside authentication section: The ping endpoint may be useful for a Device to check connectivity before registering. Since the device has not yet registered, it MUST use its onboarding certificate to authenticate to the ping endpoint.
So, with this PR I do:
- check device certificate (as inside
checkCertAndRecord), if it is ok, return 200 - check onboarding certificate, if it is not ok, return 401
- return 403 else (on this step we cannot find device certificate, but have onboarding certificate)
Where in that does its that it must return a 403 instead of a 401 for a ping with an onboarding certificate?
The spec says:
- if the controller is down,
pingshould fail to response or return500- this is what it does now, and will continue to do with your change. Good. (actually, this is the purpose ofping, to check that it is alive and I can reach it) - if I have a valid device certificate,
pingshould get a 200 - this is what it does now, and will continue to do with your change. Good. - if I do not have a valid device certificate, then I must use my onboard certificate to validate. It does not say what will happen then.
It doesn't say I should return a 403, instead of a 401. The text of ping says:
Request:
The request MUST use the Device certificate for mTLS authentication.
The request MUST NOT contain any body content.
"MUST use the Device certificate", i.e. anything else (including an onboard certificate) is invalid and should return a 401.
More fundamentally, why do I care? The point of ping is to make sure I can reach the controller and it is alive. Why does the edge device possibly care if it gets a 401 (current) or 403 (proposed)? It gets a 401, it knows the controller is there, go register.
