Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow HTTP security options to be set via device settings #317

Closed
knolleary opened this issue Sep 27, 2024 · 9 comments · Fixed by #320
Closed

Allow HTTP security options to be set via device settings #317

knolleary opened this issue Sep 27, 2024 · 9 comments · Fixed by #320
Assignees
@Steve-Mcl
Labels
customer request requested by customer needs-triage Needs looking at to decide what to do story A user-oriented description of a feature
Milestone
2.10

Comments

@knolleary
Copy link
Member

knolleary commented Sep 27, 2024
edited
Loading

Description

As a: flow creator

I want to: secure http end points served by the device agent

So that: they are secured to the same standard as hosted-instances

We can easily provide the basic auth option as that is hardcoded into the settings file. Provided FF Team auth is trickier as it requires oauth bounce to the platform and all the bits that entails. Need to think about how to achieve that securely when the device is running outside the security boundary of the platform

Acceptance Criteria

  • Able to secure dashboard/http end points served by the device

Requested By
@knolleary knolleary added story A user-oriented description of a feature customer request requested by customer labels Sep 27, 2024
@knolleary knolleary added the needs-triage Needs looking at to decide what to do label Sep 27, 2024
@robmarcer
Copy link
Contributor

As a first iteration, just being able to do this via the settings file would be valuable.

This has just been requested by - https://app-eu1.hubspot.com/contacts/26586079/record/0-2/12971827644

@knolleary
Copy link
Member Author

We don't expose the settings file for the user to edit.

One quick iteration would be to allow those settings to be set via the device.yml file - the only file we let the user edit.

The bigger iteration is providing a more consistent UX in the platform UI for modifying these settings.

@robmarcer
Copy link
Contributor

robmarcer commented Oct 10, 2024
edited
Loading

Using the device.yml would work in this (https://app-eu1.hubspot.com/contacts/26586079/record/0-2/12971827644) customer's case @knolleary

@joepavitt
Copy link
Contributor

Duplication of: FlowFuse/flowfuse#4204

@joepavitt joepavitt moved this to Scheduled in ☁️ Product Planning Oct 11, 2024
@joepavitt joepavitt added this to the 2.10 milestone Oct 11, 2024
@joepavitt joepavitt moved this to Todo in 🛠 Development Oct 11, 2024
@joepavitt joepavitt moved this from Todo to Up Next in 🛠 Development Oct 11, 2024
@Steve-Mcl
Copy link
Contributor

@joepavitt can you clarify the task in this iteration pls?

Nick states:

One quick iteration would be to allow those settings to be set via the device.yml file - the only file we let the user edit.

and

The bigger iteration is providing a more consistent UX in the platform UI for modifying these settings.

@knolleary
Copy link
Member Author

The iterations are as stated:

  • First iteration (this milestone) is allowing the auth settings to be set via the device.yml file. This should be fairly self-contained and unlocks the capability quickly.
  • Second iteration (which we can scope and schedule for a future milestone) will be to have an appropriate settings UI.

@Steve-Mcl
Copy link
Contributor

Using the device.yml would work in this (https://app-eu1.hubspot.com/contacts/26586079/record/0-2/12971827644) customer's case

Rob, that link has no details about the request (it seems to lead only to the customer details). Can you let me know what they asked for?

I ask because from my understanding, this 1st iteration proposed would only permit setting single basic auth user in httpNodeAuth and that would then add basic security to not only the dashboard but also all HTTP Endpoints that the devices flows create via http-in ~ http-response nodes.

@Steve-Mcl
Copy link
Contributor

@knolleary to clarify 1st iteration.

As this will permit user to set httpNodeAuth via device yaml, do you have thoughts on whether should this be raw or curated.

e.g. raw - take what the user enters (requires knowledge of yaml object formatting)

deviceId: xxxxxxxxxxxx
forgeURL: http://xxxxxxxxxxxxxx:3000
token: ffd_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
credentialSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
brokerURL: ws://[::1]:9884
brokerUsername: device:xxxxxxxx:xxxxxxxxxxxx
brokerPassword: ffbd_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
httpNodeAuth:
  user: admin
  pass: $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

e.g. curated - specific props, not nested, forgoes yaml formatting knowledge (i.e. simplified but not an exact translation of Node-RED docs https://nodered.org/docs/user-guide/runtime/securing-node-red)

deviceId: xxxxxxxxxxxx
forgeURL: http://xxxxxxxxxxxxxx:3000
token: ffd_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
credentialSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
brokerURL: ws://[::1]:9884
brokerUsername: device:xxxxxxxx:xxxxxxxxxxxx
brokerPassword: ffbd_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
httpNodeAuth.user: admin
httpNodeAuth.pass: $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Either way, I would recommend we sanity check the values and return a valid/not valid result when parsing the yaml file (as we do currently for missing values when provisioning etc)

@Steve-Mcl Steve-Mcl moved this from Up Next to In Progress in 🛠 Development Oct 21, 2024
@Steve-Mcl Steve-Mcl mentioned this issue Oct 21, 2024
Merged
10 tasks
@Steve-Mcl Steve-Mcl linked a pull request Oct 21, 2024 that will close this issue
Add support for picking up httpNodeAuth from device yaml #320
Merged
10 tasks
@Steve-Mcl Steve-Mcl moved this from In Progress to Review in 🛠 Development Oct 21, 2024
@knolleary
Copy link
Member Author

Option 1 gets my vote. Will check to see what you've put in the PR :)

httpNodeAuth:
  user: admin
  pass: $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

@Steve-Mcl Steve-Mcl mentioned this issue Oct 23, 2024
Closed
@joepavitt joepavitt mentioned this issue Oct 23, 2024
Closed
@github-project-automation github-project-automation bot moved this from Review to Done in 🛠 Development Oct 23, 2024
@github-project-automation github-project-automation bot moved this from Scheduled to Closed / Done in ☁️ Product Planning Oct 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Steve-Mcl Steve-Mcl

Labels
customer request requested by customer needs-triage Needs looking at to decide what to do story A user-oriented description of a feature
Projects
☁️ Product Planning
Status: Closed / Done
🛠 Development
Status: Done
Milestone
2.10
Development

Successfully merging a pull request may close this issue.

Add support for picking up httpNodeAuth from device yaml FlowFuse/device-agent
4 participants
@knolleary @Steve-Mcl @robmarcer @joepavitt