Under Strict Confinement - AzIoTIdentity integration (#429)

CMakeLists.txt

@@ -186,16 +186,37 @@ set (
     "${ADUC_EXTENSIONS_FOLDER}/${ADUC_EXTENSIONS_SUBDIR_DOWNLOAD_HANDLERS}"
     CACHE STRING "Path for the download handler extensions")
 
+if (ADUC_BUILD_UNIT_TESTS)
+    set (
+        EIS_DATA_PATH
+        "/tmp/eis_conn_info.txt"
+        CACHE STRING "The file for eis identities.")
+else()
+    set (
+        EIS_DATA_PATH
+        "/var/lib/adu/eis_conn_info.txt"
+        CACHE STRING "The file for eis identities.")
+endif()
+
 if (ADUC_BUILD_SNAP)
     set (
         ADUC_DOWNLOADS_FOLDER
         /var/lib/deviceupdate-agent-downloads
         CACHE STRING "Path to the folder containing downloaded update artifacts.")
+    set (
+        EIS_USER
+        "snap_aziotdu"
+        CACHE STRING "The uid to call eis service.")
+
 else()
     set (
         ADUC_DOWNLOADS_FOLDER
         "${ADUC_DATA_FOLDER}/downloads"
         CACHE STRING "Path to the folder containing downloaded update artifacts.")
+    set (
+        EIS_USER
+        "adu"
+        CACHE STRING "The uid to call eis service.")
 endif()
 
 set (
@@ -343,17 +364,17 @@ if (ADUC_BUILD_SNAP)
 
     set (
         ADUC_FILE_GROUP
-        "snap_aziot_du"
+        "snap_aziotdu"
         CACHE STRING "The group for adu file ownership.")
 
     set (
         DO_FILE_USER
-        "snap_aziot_do"
+        "snap_aziotdo"
         CACHE STRING "The user for do file ownership.")
 
     set (
         DO_FILE_GROUP
-        "snap_aziot_do"
+        "snap_aziotdo"
         CACHE STRING "The group for do file ownership.")
 else ()
     set (

docs/agent-reference/how-to-build-deviceupdate-agent-snap.md

@@ -95,16 +95,16 @@ Specify an agent settings, such as, manufacturer, model, agent.name, agent.conne
 {
   "schemaVersion": "1.1",
   "aduShellTrustedUsers": [
-    "snap_aziot_du",
-    "snap_aziot_do"
+    "snap_aziotdu",
+    "snap_aziotdo"
   ],
   "iotHubProtocol": "mqtt",
   "manufacturer":"<Place your device info manufacturer here>",
   "model": "<Place your device info model here>",
   "agents": [
     {
       "name": "<Place your agent name here>",
-      "runas": "snap_aziot_du",
+      "runas": "snap_aziotdu",
       "connectionSource": {
         "connectionType": "string",
         "connectionData": "HostName=...HIDDEN..."
@@ -136,16 +136,16 @@ For example:
     {
         "schemaVersion": "1.1",
         "aduShellTrustedUsers": [
-            "snap_aziot_du",
-            "snap_aziot_do"
+            "snap_aziotdu",
+            "snap_aziotdo"
         ],
         "iotHubProtocol": "mqtt",
         "manufacturer": "contoso",
         "model": "vacuum-v1",
         "agents": [
             {
             "name": "main",
-            "runas": "snap_aziot_du",
+            "runas": "snap_aziotdu",
             "connectionSource": {
                 "connectionType": "string",
                 "connectionData": "HostName=...HIDDEN..."

scripts/build.sh

@@ -275,7 +275,7 @@ while [[ $1 != "" ]]; do
         shift
         cmake_dir_path=$1
         ;;
-    -u | --ubuntu-core-snap-only)
+    --ubuntu-core-snap-only)
         shift
         build_snap=true
         ;;

snap/hooks/configure

@@ -2,11 +2,11 @@
 
 # adu_user is the user that the ADU Agent daemon will run as.
 # ADU Agent daemon needs to run as 'adu' to be able to perform high-privilege tasks via adu-shell.
-adu_user=snap_aziot_du
+adu_user=snap_aziotdu
 
 # The adu_group is the group that gives partner users like DO user
 # access to ADU resources like download sandbox folder.
-adu_group=snap_aziot_du
+adu_group=snap_aziotdu
 
 # Use getent and cut to get the info for the adu user and parse out the home directory.
 adu_home_dir=$(getent passwd $adu_user | cut -d: -f6)
@@ -35,16 +35,16 @@ sample_du_config=$(
 {
   "schemaVersion": "1.1",
   "aduShellTrustedUsers": [
-    "snap_aziot_du",
-    "snap_aziot_do"
+    "snap_aziotdu",
+    "snap_aziotdo"
   ],
   "iotHubProtocol": "mqtt",
   "manufacturer": "<Place your device info manufacturer here>",
   "model": "<Place your device info model here>",
   "agents": [
     {
       "name": "main",
-      "runas": "snap_aziot_du",
+      "runas": "snap_aziotdu",
       "connectionSource": {
         "connectionType": "string",
         "connectionData": "<Place your Azure IoT device connection string here>"

snap/local/README.md

@@ -55,8 +55,8 @@ Key differences between Device Update Agent and Device Update Agent Snap:
 
 | | Device Upate Agent | Device Update Agent Snap |
 |---|---|---|
-| user id| adu | snap_aziot_du | 
-| group id| adu | snap_aziot_du |
+| user id| adu | snap_aziotdu | 
+| group id| adu | snap_aziotdu |
 
 ### How DU Agent Acquire the IoT Hub Connection Information
 
@@ -71,17 +71,17 @@ idtype = ["module"]
 uid = <SNAP_AZIOT_DU_USER_ID>
 ```
 
-Replace `SNAP_AZIOT_DU_USER_ID` with the actual user id of `snap_aziot_du`
+Replace `SNAP_AZIOT_DU_USER_ID` with the actual user id of `snap_aziotdu`
 
 This specifies the principal information for the DU Agent Module, including its name, ID type, and user ID. It is important to ensure that the file is created with the correct filename and location, and that the specified values are appropriate for your specific use case.
 
 
 #### Connect to Other Snap with Specific User ID
 When connecting snaps with interfaces, the snaps are typically connected with the default user or "system" user. However, it is possible to connect snaps with a specific user ID by using the `--classic` and `--username` options with the snap connect command.
 
-For example, to connect to Azure Identity Service with a specific user ID called "snap_aziot_du", you would use the following command:
-`snap connect --classic --username=snap_aziot_du deviceupdate-agent:AIS-interface azureIdentityService-snap:AIS-interface`  
-This will connect the two snaps using the "snap_aziot_du" user ID, allowing the snaps to communicate with each other as that user.
+For example, to connect to Azure Identity Service with a specific user ID called "snap_aziotdu", you would use the following command:
+`snap connect --classic --username=snap_aziotdu deviceupdate-agent:AIS-interface azureIdentityService-snap:AIS-interface`  
+This will connect the two snaps using the "snap_aziotdu" user ID, allowing the snaps to communicate with each other as that user.
 
 It is important to note that using the `--classic` and `--username` options with the snap connect command can have security implications, as it allows the connected snaps to access each other's data and resources as the specified user. Therefore, it should only be used if necessary and with caution.
 
@@ -419,8 +419,8 @@ Key differences between Device Update Agent and Device Update Agent Snap:
 
 | | Device Upate Agent | Device Update Agent Snap |
 |---|---|---|
-| user id| adu | snap_aziot_du | 
-| group id| adu | snap_aziot_du |
+| user id| adu | snap_aziotdu | 
+| group id| adu | snap_aziotdu |
 | downloads folder | /var/lib/adu/downloads | $SNAP_DATA/data/downloads |
 | configs file | /etc/adu/du-config.json | $SNAP_DATA/configs/du-config.json|
 | logs folder | /var/log/adu | $SNAP_DATA/log 

snap/snapcraft.yaml

@@ -20,6 +20,13 @@ description: |
 grade: devel
 confinement: strict
 
+# Use passthrough for the moment, until the appropriate snapcraft release lands
+# system-usernames:
+#   snap_aziotedge: shared
+passthrough:
+  system-usernames:
+    snap_aziotdu: shared
+
 #####
 #
 # Keywords
@@ -201,8 +208,6 @@ plugs:
     content: aziot-identity-service
     target: $SNAP_DATA
 
-
-
 # Provides resources to be accssed by other snaps.
 slots:
   #
@@ -246,4 +251,4 @@ layout:
     symlink: $SNAP_DATA/shared/config/aziot
 # aziot sockets
   /var/sockets/aziot:
-    symlink: $SNAP_DATA/shared/sockets/aziot
+    symlink: $SNAP_DATA/shared/sockets/aziot

src/utils/eis_utils/CMakeLists.txt

@@ -15,13 +15,16 @@ target_link_libraries (
     PUBLIC aduc::c_utils
     PRIVATE aduc::adu_types
             aduc::logging
+            aduc::permission_utils
             Parson::parson
             aziotsharedutil
             uhttp)
 
 target_compile_definitions (
     ${PROJECT_NAME}
     PRIVATE ADUC_BUILD_SNAP="${ADUC_BUILD_SNAP}"
+            EIS_DATA_PATH="${EIS_DATA_PATH}"
+            EIS_USER="${EIS_USER}"
 )
 
 if (ADUC_BUILD_UNIT_TESTS)
@@ -30,3 +33,7 @@ if (ADUC_BUILD_UNIT_TESTS)
 
     add_subdirectory (tests)
 endif ()
+
+if (ADUC_BUILD_SNAP)
+    target_compile_definitions (${PROJECT_NAME} PRIVATE ADUC_BUILD_SNAP)
+endif ()

src/utils/eis_utils/inc/eis_err.h

@@ -27,6 +27,8 @@ typedef enum tagEISErr
     EISErr_RecvRespOutOfLimitsErr = 7, /**< Service returned a response out of the EIS Utility Limits */
     EISErr_ContentAllocErr = 8, /**< EisComs could not allocate enough memory for the content*/
     EISErr_InvalidJsonRespErr = 9, /**< Service returned invalid JSON */
+    EISErr_RespNamedPipeInitErr = 10, /**< Failure on EIS Named Pipe Initialization */
+    EISErr_RespNamedFileReaderWriteErr = 11, /**< Failure on EIS Named Pipe Read/Write */
 } EISErr;
 
 /**

src/utils/eis_utils/src/eis_err.c

@@ -58,6 +58,10 @@ const char* EISErr_ErrToString(EISErr eisErr)
         return "EISErr_ContentAllocErr";
     case EISErr_InvalidJsonRespErr:
         return "EISErr_InvalidJsonRespErr";
+    case EISErr_RespNamedPipeInitErr:
+        return "EISErr_RespNamedPipeInitErr";
+    case EISErr_RespNamedFileReaderWriteErr:
+        return "EISErr_RespNamedFileReaderWriteErr";
     }
     return "<Unknown>";
 }