PNAC parsing

Signed-off-by: Milan Lenco <milan@zededa.com>

Author: milan-zededa

pkg/pillar/cmd/zedagent/handleconfig.go

@@ -121,6 +121,9 @@ type getconfigContext struct {
 	pubAppInstanceConfig pubsub.Publication
 	bootOrderUpdateMx    sync.Mutex
 
+	// parsed PNAC configurations
+	pnacs map[string]*types.PNACConfig // key: logical label
+
 	// parsed L2 adapters
 	vlans []L2Adapter
 	bonds []L2Adapter

pkg/pillar/cmd/zedagent/parseconfig.go

@@ -148,18 +148,19 @@ func parseConfig(getconfigCtx *getconfigContext, config *zconfig.EdgeDevConfig,
 		// DeviceIoList has some defaults for Usage and UsagePolicy
 		// used by systemAdapters
 		physioChanged := parseDeviceIoListConfig(getconfigCtx, config)
+		pnacChanged := parsePNACConfig(getconfigCtx, config)
 		// It is important to parse Bonds before VLANs.
 		bondsChanged := parseBonds(getconfigCtx, config)
 		vlansChanged := parseVlans(getconfigCtx, config)
 		// Network objects are used for systemAdapters
 		networksChanged := parseNetworkXObjectConfig(getconfigCtx, config)
 		sourceChanged := getconfigCtx.lastConfigSource != source
 		// system adapter configuration that we publish, depends
-		// on Physio, VLAN, Bond and Networks configuration.
+		// on Physio, PNAC, VLAN, Bond and Networks configuration.
 		// If any of these change, we should re-parse system adapters and
 		// publish updated configuration.
 		forceSystemAdaptersParse := physioChanged || networksChanged || vlansChanged ||
-			bondsChanged || sourceChanged
+			bondsChanged || sourceChanged || pnacChanged
 		parseSystemAdapterConfig(getconfigCtx, config, source, forceSystemAdaptersParse)
 
 		if source != fromBootstrap {
@@ -1239,7 +1240,8 @@ func propagateError(higherLayerPort, lowerLayerPort *types.NetworkPortConfig) {
 	}
 }
 
-func propagatePhyioAttrsToPort(port *types.NetworkPortConfig, phyio *types.PhysicalIOAdapter) {
+func propagatePhyioAttrsToPort(getconfigCtx *getconfigContext,
+	port *types.NetworkPortConfig, phyio *types.PhysicalIOAdapter) {
 	port.Phylabel = phyio.Phylabel
 	port.IfName = phyio.Phyaddr.Ifname
 	port.USBAddr = phyio.Phyaddr.UsbAddr
@@ -1270,6 +1272,9 @@ func propagatePhyioAttrsToPort(port *types.NetworkPortConfig, phyio *types.Physi
 			handleMissingIfname(port, phyio)
 		}
 	}
+	if pnac := getconfigCtx.pnacs[phyio.Logicallabel]; pnac != nil {
+		port.PNAC = *pnac
+	}
 }
 
 func handleMissingIfname(port *types.NetworkPortConfig, phyio *types.PhysicalIOAdapter) {
@@ -1285,9 +1290,10 @@ func handleMissingIfname(port *types.NetworkPortConfig, phyio *types.PhysicalIOA
 
 // Make NetworkPortConfig entry for PhysicalIO which is below an L2 port.
 // The port configuration will contain only labels and the interface name.
-func makeL2PhyioPort(phyio *types.PhysicalIOAdapter) *types.NetworkPortConfig {
+func makeL2PhyioPort(getconfigCtx *getconfigContext,
+	phyio *types.PhysicalIOAdapter) *types.NetworkPortConfig {
 	phyioPort := &types.NetworkPortConfig{Logicallabel: phyio.Logicallabel}
-	propagatePhyioAttrsToPort(phyioPort, phyio)
+	propagatePhyioAttrsToPort(getconfigCtx, phyioPort, phyio)
 	return phyioPort
 }
 
@@ -1296,7 +1302,8 @@ func makeL2PhyioPort(phyio *types.PhysicalIOAdapter) *types.NetworkPortConfig {
 // Recursively adds port entries for all adapter below this one.
 // The port configuration will contain only labels, the interface name
 // and L2 configuration.
-func makeL2Port(l2Adapter *L2Adapter) (ports []*types.NetworkPortConfig) {
+func makeL2Port(getconfigCtx *getconfigContext,
+	l2Adapter *L2Adapter) (ports []*types.NetworkPortConfig) {
 	ports = append(ports, &types.NetworkPortConfig{
 		IfName:       l2Adapter.config.IfName,
 		Phylabel:     l2Adapter.config.Phylabel,
@@ -1306,10 +1313,10 @@ func makeL2Port(l2Adapter *L2Adapter) (ports []*types.NetworkPortConfig) {
 		TestResults: l2Adapter.config.TestResults,
 	})
 	for _, phyio := range l2Adapter.lowerPhysPorts {
-		ports = append(ports, makeL2PhyioPort(phyio))
+		ports = append(ports, makeL2PhyioPort(getconfigCtx, phyio))
 	}
 	for _, lowerL2 := range l2Adapter.lowerL2Ports {
-		ports = append(ports, makeL2Port(lowerL2)...)
+		ports = append(ports, makeL2Port(getconfigCtx, lowerL2)...)
 	}
 	return ports
 }
@@ -1388,7 +1395,7 @@ func parseOneSystemAdapterConfig(getconfigCtx *getconfigContext,
 		phyioFreeUplink = phyio.UsagePolicy.FreeUplink
 		log.Functionf("Found phyio for %s: free %t, oldController: %t",
 			sysAdapter.Name, phyioFreeUplink, oldController)
-		propagatePhyioAttrsToPort(port, phyio)
+		propagatePhyioAttrsToPort(getconfigCtx, port, phyio)
 	} else {
 		// Note that if controller sends VLAN or bond config,
 		// it means that it is new enough to not use FreeUplink anymore.
@@ -1397,10 +1404,10 @@ func parseOneSystemAdapterConfig(getconfigCtx *getconfigContext,
 		propagateError(port, l2Adapter.config)
 		// Add NetworkPortConfig entries for lower-layer adapters.
 		for _, phyio := range l2Adapter.lowerPhysPorts {
-			ports = append(ports, makeL2PhyioPort(phyio))
+			ports = append(ports, makeL2PhyioPort(getconfigCtx, phyio))
 		}
 		for _, lowerL2 := range l2Adapter.lowerL2Ports {
-			ports = append(ports, makeL2Port(lowerL2)...)
+			ports = append(ports, makeL2Port(getconfigCtx, lowerL2)...)
 		}
 	}
 
@@ -1684,6 +1691,58 @@ func parseDeviceIoListConfig(getconfigCtx *getconfigContext,
 	return true
 }
 
+var pnacPrevConfigHash []byte
+
+func parsePNACConfig(getconfigCtx *getconfigContext, config *zconfig.EdgeDevConfig) bool {
+	pnacs := config.GetPnacs()
+	h := sha256.New()
+	for _, pnac := range pnacs {
+		computeConfigElementSha(h, pnac)
+	}
+	configHash := h.Sum(nil)
+	same := bytes.Equal(configHash, pnacPrevConfigHash)
+	if same {
+		return false
+	}
+	pnacPrevConfigHash = configHash
+
+	getconfigCtx.pnacs = make(map[string]*types.PNACConfig)
+	for _, pnac := range config.GetPnacs() {
+		if pnac.GetLogicallabel() == "" {
+			errStr := fmt.Sprintf("PNAC entry missing logical label; "+
+				"ignoring config: %+v", pnac)
+			log.Errorf("parsePNACConfig: %s", errStr)
+			continue
+		}
+
+		// Check that the referenced physical IO exists and is Ethernet NIC.
+		physIO := lookupDeviceIoLogicallabel(getconfigCtx, pnac.GetLogicallabel())
+		if physIO == nil {
+			errStr := fmt.Sprintf(
+				"PNAC logical label %q references a non-existent physical IO; "+
+					"ignoring config", pnac.GetLogicallabel())
+			log.Errorf("parsePNACConfig: %s", errStr)
+			continue
+		}
+
+		physIOType := types.IoType(physIO.Ptype)
+		if physIOType != types.IoNetEth && physIOType != types.IoNetEthPF {
+			errStr := fmt.Sprintf(
+				"PNAC logical label %q references non-Ethernet physical IO (type: %v); "+
+					"ignoring config", pnac.GetLogicallabel(), physIOType)
+			log.Errorf("parsePNACConfig: %s", errStr)
+			continue
+		}
+		getconfigCtx.pnacs[pnac.GetLogicallabel()] = &types.PNACConfig{
+			Enabled:                   true,
+			EAPIdentity:               pnac.GetEapIdentity(),
+			EAPMethod:                 pnac.GetEapMethod(),
+			CertEnrollmentProfileName: pnac.GetCertEnrollmentProfileName(),
+		}
+	}
+	return true
+}
+
 var bondsPrevConfigHash []byte
 
 func parseBonds(getconfigCtx *getconfigContext, config *zconfig.EdgeDevConfig) bool {

pkg/pillar/cmd/zedagent/parseconfig_test.go

@@ -1841,3 +1841,115 @@ func TestParseIpspec_GatewayVersionMismatch(t *testing.T) {
 	g.Expect(err).To(HaveOccurred())
 	g.Expect(err.Error()).To(ContainSubstring("IP version mismatch"))
 }
+
+func TestParsePNAC(t *testing.T) {
+	g := NewGomegaWithT(t)
+	getconfigCtx := initGetConfigCtx(g)
+
+	const networkUUID = "572cd3bc-ade6-42ad-97a0-22cd24fed1a0"
+	config := &zconfig.EdgeDevConfig{
+		Networks: []*zconfig.NetworkConfig{
+			{
+				Id:   networkUUID,
+				Type: zcommon.NetworkType_V4,
+				Ip: &zcommon.Ipspec{
+					Dhcp: zcommon.DHCPType_Client,
+				},
+			},
+		},
+		DeviceIoList: []*zconfig.PhysicalIO{
+			{
+				Ptype:        zcommon.PhyIoType_PhyIoNetEth,
+				Phylabel:     "eth0",
+				Logicallabel: "ethernet0",
+				Assigngrp:    "eth-grp-1",
+				Phyaddrs: map[string]string{
+					"ifname":  "eth0",
+					"pcilong": "0000:04:00.0",
+				},
+				Usage: zcommon.PhyIoMemberUsage_PhyIoUsageMgmtAndApps,
+			},
+			{
+				Ptype:        zcommon.PhyIoType_PhyIoNetEth,
+				Phylabel:     "eth1",
+				Logicallabel: "ethernet1",
+				Assigngrp:    "eth-grp-1",
+				Phyaddrs: map[string]string{
+					"ifname":  "eth1",
+					"pcilong": "0000:05:00.0",
+				},
+				Usage: zcommon.PhyIoMemberUsage_PhyIoUsageMgmtAndApps,
+			},
+		},
+		SystemAdapterList: []*zconfig.SystemAdapter{
+			{
+				Name:           "adapter-ethernet0",
+				Uplink:         true,
+				NetworkUUID:    networkUUID,
+				Alias:          "ethernet0-alias",
+				LowerLayerName: "ethernet0",
+				Cost:           0,
+			},
+			{
+				Name:           "adapter-ethernet1",
+				Uplink:         true,
+				NetworkUUID:    networkUUID,
+				Alias:          "ethernet1-alias",
+				LowerLayerName: "ethernet1",
+				Cost:           10,
+			},
+		},
+		Pnacs: []*zconfig.PNAC{
+			{
+				Logicallabel:              "ethernet0",
+				EapIdentity:               "123456789",
+				EapMethod:                 zconfig.EAPMethod_EAP_METHOD_TLS,
+				CertEnrollmentProfileName: "scep-profile1",
+			},
+		},
+		ScepProfiles: []*zconfig.SCEPProfile{
+			{
+				ProfileName:        "scep-profile1",
+				ScepUrl:            "https://ca.example.com/scep",
+				UseControllerProxy: true,
+				CsrProfile: &zconfig.CSRProfile{
+					CommonName:         "123456789",
+					Organization:       "Test Organization",
+					OrganizationalUnit: "Unit Test",
+					Country:            "US",
+					State:              "TestState",
+					Locality:           "TestCity",
+					SanUri:             []string{"urn:test:device:123456789"},
+					RenewPeriodPercent: 60,
+					KeyType:            zconfig.KeyType_KEY_TYPE_RSA_4096,
+					HashAlgorithm:      zconfig.HashAlgorithm_HASH_ALGORITHM_SHA256,
+				},
+			},
+		},
+	}
+
+	parseDeviceIoListConfig(getconfigCtx, config)
+	// TODO : parse SCEP profiles
+	parsePNACConfig(getconfigCtx, config)
+	parseNetworkXObjectConfig(getconfigCtx, config)
+	parseSystemAdapterConfig(getconfigCtx, config, fromController, true)
+
+	portConfig, err := getconfigCtx.pubDevicePortConfig.Get("zedagent")
+	g.Expect(err).To(BeNil())
+	dpc := portConfig.(types.DevicePortConfig)
+	g.Expect(dpc.Version).To(Equal(types.DPCIsMgmt))
+	g.Expect(dpc.HasError()).To(BeFalse())
+	g.Expect(dpc.Ports).To(HaveLen(2))
+	port0 := dpc.Ports[0]
+	g.Expect(port0.Logicallabel).To(Equal("adapter-ethernet0"))
+	g.Expect(port0.PNAC.Enabled).To(BeTrue())
+	g.Expect(port0.PNAC.CertEnrollmentProfileName).To(Equal("scep-profile1"))
+	g.Expect(port0.PNAC.EAPMethod).To(Equal(zconfig.EAPMethod_EAP_METHOD_TLS))
+	g.Expect(port0.PNAC.EAPIdentity).To(Equal("123456789"))
+	port1 := dpc.Ports[0]
+	g.Expect(port1.Logicallabel).To(Equal("adapter-ethernet1"))
+	g.Expect(port1.PNAC.Enabled).To(BeFalse())
+	g.Expect(port1.PNAC.CertEnrollmentProfileName).To(BeEmpty())
+	g.Expect(port1.PNAC.EAPMethod).To(Equal(zconfig.EAPMethod_EAP_METHOD_UNSPECIFIED))
+	g.Expect(port1.PNAC.EAPIdentity).To(BeEmpty())
+}