device.id should be derived from device certificates when in use

[reubenmiller]

Is your feature improvement request related to a problem? Please describe.

If the cloud connection uses a certificate, then the device.id used for any cloud communication should be derived from the certificate's Common Name (CN).

Describe the solution you'd like

• When using certificates, the device.id should only be used as a default value when creating a certificate via the tedge cert create command if the --device-id flag is not provided by the user.
• Cloud connections should only use the device.id from the certificate being used for the connection

The change in behaviour is best highlighted in the follow cases:

Case 1: Use explicit device id during cert creation

tedge config set device.id foo
tedge cert create --device-id bar

# => CN=bar

Case 2: Use default device.id

tedge config set device.id foo
tedge cert create

# => CN=foo

Case 3: Use default device.id

tedge cert create --device-id foo
tedge config set device.id bar
tedge connect c8y

# => connect: device.id=foo

Case 4: Use default device.id to create the cert

tedge config set device.id foo
tedge cert create
# CN=foo
tedge config set device.id bar

tedge connect c8y
# => connect: device.id=foo

Describe alternatives you've considered

Additional context

[rina23q]

If we change tedge connect to use always CN besides the case of basic auth, I think we also have to change cloud mappers to use the value from CN, not from the internal API device.id().

I can foresee this change will introduce another inconsistency for the case 3 & 4.

• the internal API device.id() returns bar (= same result as you run tedge config get device.id)
• however, certificate CN is foo.
• tedge connect <cloud> will pass and using foo as the remote_clientid of mosquitto bridge configuration.
• however, tedge-mapper-<cloud> will consume bar as the remote_clientid of build-in bridge configuration and also the main entity external ID for c8y mapper.
  

  thin-edge.io/crates/core/tedge_mapper/src/c8y/mapper.rs

  Line 167 in 2a5a2ec

  let main_device_xid: EntityExternalId = c8y_config.device.id()?.into();

So my proposal is also changing all cloud mappers to those directions:

• stop calling device.id() internal API
• instead, using device CN for the client ID and the main entity external ID unless auth_mode is basic

[didier-wenzek]

I think we also have to change cloud mappers to use the value from CN, not from the internal API device.id().

I would really avoid to do that. This sounds like saying device.id() is not the device id! Somehow this is puzzling everything only to support a legacy case we do not recommend (i.e. smartrest 1 and password authentication)

I do think that:

• If there is a certificate, device.id() must return the CN of that certificate, ignoring any entry in tedge.toml.
• device.id() should only use the id set in tedge.toml when there is no certificate.

And I would even go a step further:

• tedge config get device.id should returns the CN of the certificate when there is one - ignoring the id set in the toml file if any.
• this will be less error prone, the value being returned by tedge config get device.id being the value actually used
• this might be a bit confusing but only on the effect of tedge config set device.id
• this works well for users using only certificates
• this works well for users using only passwords
• this might confuse users mixing passwords and certificates.

So revisiting the use cases:

Case 1: Use explicit device id during cert creation

$ tedge config set device.id foo
$ tedge cert create --device-id bar
$ tedge config get device.id
bar

# => CN=bar && used by tedge connect and the mapper.

Case 2: Use default device.id

$ tedge config set device.id foo
$ tedge cert create
$ tedge config get device.id
foo

# => CN=foo && used by tedge connect and the mapper.

Case 3: Use default device.id

$ tedge cert create --device-id foo
$ tedge config set device.id bar
$ tedge connect c8y

# => connect: device.id=foo
$ tedge config get device.id
foo

Case 4: Use default device.id to create the cert

$ tedge config set device.id foo
$ tedge cert create
# CN=foo
$ tedge config set device.id bar
$ tedge config get device.id
foo

$ tedge connect c8y
# => connect: device.id=foo