inconsistency with c8y.proxy client authentication

[reubenmiller]

Is your feature improvement request related to a problem? Please describe.

As pointed out by @didier-wenzek, there is an inconsistency when it comes to the client authentication configuration between the tedge file transfer service/api endpoint (e.g. localhost:8000) and the Cumulocity local proxy. Currently when tedge-agent is running on a child device, it just uses the http.client.auth.* settings for both the file transfer service and the c8y local proxy...however each of these endpoints can be configured to used different certificates (especially if the c8y local proxy and file transfer service are running on different devices.

Below shows the existing settings which are used both both accessing the file transfer service and the Cumulocity local proxy:

http.client.auth.cert_file  Path to the certificate which is used by the agent when connecting to external services. 
http.client.auth.key_file  Path to the private key which is used by the agent when connecting to external services. 

Describe the solution you'd like

Some further evaluation is required, however one suggestion would be:

• deprecate http.client.auth.* and replace it with two settings:
  • c8y.local_proxy.client.auth.* (though remember there are now cloud profiles, so this will need to be configured for each cloud profile as well)
  • fts.client.auth.* (or tedge.api.client.auth.*?)

Describe alternatives you've considered

Additional context

[didier-wenzek]

The proposal is to introduce a new setting c8y.local_proxy.client.auth.*, but it would be better to be consistent with what we have today i.e a bunch of settings for c8y.proxy.bind.* and c8y.proxy.client.* (which are already cloud-profile specific).

Similarly, there is already a bunch of settings for http.bind.* and http.client.*. I would prefer not to change the setting names along this fix, even if a name like tedge.http.* makes more sense.

[didier-wenzek]

Tedge cli and daemons all use a wrong combination of settings to connect local HTTP servers (c8y proxy, file transfer, entity store):

• checking the server with an incorrect root cert path,
• providing a client certificate that might not be trusted by the c8y proxy (main point of this issue).

This works if all the local certificates are signed by the same CA which certificate is included in /etc/ssl/certs.
And this is what is done in practice (hiding the issue so far) but this is brittle (especially because there are so many settings).

To fix that there are two approaches:

• add missing settings to let clients connect local HTTP services with appropriate certificates
• simplify local certificate settings enforcing all the local certificates signed by the same CA (preferred approach).

Current usage of the certificate settings

• tedge_agent interacts with the c8y HTTP proxy and with the file transfer service
  • Uses {c8y,aws,az}.root_cert_path to check the remote host identity (incorrect)
  • Uses http.client.auth to authenticate itself over HTTPS as a client
  • Uses http.cert_path and http.key_path to authenticate itself over HTTPS as a server (correct)
• plugin_sm downloads software packages from remote urls
  • Uses {c8y,aws,az}.root_cert_path to check the remote host identity (incorrect when through the c8y proxy)
  • Uses http.client.auth to authenticate itself over HTTPS (incorrect when the host is actually remote)
• tedge_mapper interacts with the file transfer service but also of itself (aka c8y HTTP proxy)
  • Uses {c8y,aws,az}.root_cert_path to check the FTS and proxy host identity (incorrect)
  • Uses http.client.auth to authenticate itself as a client to the FTS and proxy
  • Uses c8y.proxy.cert_path and c8y.proxy.key_path to authenticate itself as a server.
• tedge http interacts with the c8y HTTP proxy and with the agent (file transfer service / entity store).
  • Uses {c8y,aws,az}.root_cert_path to check the proxy identity as well as the agent identity (incorrect).
  • Uses http.client.auth to authenticate itself as a client of the proxy and of the agent.
• tedge upload interacts only with the c8y HTTP proxy
  • Uses {c8y,aws,az}.root_cert_path to check the proxy identity.
  • But uses http.client.auth to authenticate itself as a client.
• c8y_firmware_plugin uses the c8y HTTP proxy to download firmware files.
  • Interacts with the file transfer service, but not over HTTP
    (it uses the file system, wrongly assuming the agent is running on the same host).
  • Uses {c8y,aws,az}.root_cert_path to check the proxy identity.
  • Uses http.client.auth to authenticate itself as a client.

Issue

• Using http.client.auth to authenticate a client of the C8Y proxy, is incorrect if c8y.proxy.ca_path and http.ca_path differ.
• Checking the C8Y proxy identity with {c8y,aws,az}.root_cert_path is incorrect when c8y.proxy.ca_path is not included by {c8y,aws,az}.root_cert_path
• Checking the agent HTTP server identity with {c8y,aws,az}.root_cert_path is incorrect when http.ca_path is not included by {c8y,aws,az}.root_cert_path

Discussion

To fix the server identity check, there are several options:

1. Fix the method TEdgeConfigReader::cloud_root_certs() (currently loading the root certificates for c8y, aws and az)
   by adding http.ca_path and c8y.proxy.ca_path to this list.
2. Introduce a new method TEdgeConfigReader::local_root_certs() loading http.ca_path and c8y.proxy.ca_path

To fix the client identity, the current proposal is to introduce a new setting:

• c8y.proxy.client.auth.cert_file used by a client to connect the local Cumulocity HTTP Proxy
• c8y.proxy.client.auth.key_file

But, is this really the way to go? We already have too many certificate-related settings.

A better approach might be to rethink the local certificate configuration, with

• A single tedge.root_cert_path to a directory containing the signing certificate for all the local certificates.
  Indeed, do we need to distinguish signing certificates for http.ca_path, c8y.proxy.ca_path and mqtt.external.ca_path?
  I don't think so.
• A local client certificate for the tedge clients connecting to MQTT, HTTP c8y proxy and HTTP FTS+ES
  (i.e tedge.auth.cert_file and tedge.auth.key_file). Somehow, what we have today with two certificates http.client.auth
  and mqtt.client.auth (in practice configured to the same).