eclipse-hono · kaniyan · Nov 22, 2021 · Dec 6, 2021 · Dec 7, 2021 · sophokles73
@@ -39,6 +39,11 @@ public final class CredentialsConstants extends RequestResponseApiConstants {
  * The name of the field that contains the authentication identifier.
  */
  public static final String FIELD_AUTH_ID = "auth-id";
+ /**
+ * The name of the field that contains the generated authentication identifier
+ * by applying the template to the subject DN.
+ */
+ public static final String FIELD_GENERATED_AUTH_ID = "generated-auth-id";
  /**
  * The name of the field that contains the secret(s) of the credentials.
  */

@@ -180,6 +180,15 @@ public final class RegistryManagementConstants extends RequestResponseApiConstan
  * The name of the field that contains the authentication identifier.
  */
  public static final String FIELD_AUTH_ID = "auth-id";
+ /**
+ * The name of the field that contains the generated authentication identifier
+ * by applying the template to the subject DN.
+ */
+ public static final String FIELD_GENERATED_AUTH_ID = "generated-auth-id";
+ /**
+ * The name of the field that contains the issuer DN of the client certificate.
+ */
+ public static final String FIELD_ISSUER_DN = "issuer-dn";
  /**
  * The name of the field that contains the secret(s) of the credentials.
  */

diff --git a/...c/src/main/java/org/eclipse/hono/service/base/jdbc/store/device/TableManagementStore.java b/...c/src/main/java/org/eclipse/hono/service/base/jdbc/store/device/TableManagementStore.java
@@ -39,6 +39,7 @@
 import org.eclipse.hono.service.management.device.Device;
 import org.eclipse.hono.service.management.tenant.Tenant;
 import org.eclipse.hono.tracing.TracingHelper;
+import org.eclipse.hono.util.RegistryManagementConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -162,6 +163,7 @@ public TableManagementStore(final SQLClient client, final Tracer tracer, final S
  "device_id",
  "type",
  "auth_id",
+ "generated_auth_id",
  "data");
 
  this.deleteAllCredentialsStatement = cfg
@@ -692,8 +694,9 @@ public Future<Versioned<Boolean>> setCredentials(
  .expand(map -> {
  map.put("tenant_id", key.getTenantId());
  map.put("device_id", key.getDeviceId());
- map.put("type", c.getString("type"));
- map.put("auth_id", c.getString("auth-id"));
+ map.put("type", c.getString(RegistryManagementConstants.FIELD_TYPE));
+ map.put("auth_id", c.getString(RegistryManagementConstants.FIELD_AUTH_ID));
+ map.put("generated_auth_id", c.getString(RegistryManagementConstants.FIELD_GENERATED_AUTH_ID));
  map.put("data", c.toString());
  })
  .trace(this.tracer, span.context())

diff --git a/...c/main/resources/org/eclipse/hono/service/base/jdbc/store/device/base.postgresql.sql.yaml b/...c/main/resources/org/eclipse/hono/service/base/jdbc/store/device/base.postgresql.sql.yaml
@@ -35,12 +35,14 @@ insertCredentialEntry: |
  device_id,
  type,
  auth_id,
+ generated_auth_id,
  data
  ) VALUES (
  :tenant_id,
  :device_id,
  :type,
  :auth_id,
+ :generated_auth_id,
  :data::jsonb
  )
 

diff --git a/...ase-jdbc/src/main/resources/org/eclipse/hono/service/base/jdbc/store/device/base.sql.yaml b/...ase-jdbc/src/main/resources/org/eclipse/hono/service/base/jdbc/store/device/base.sql.yaml
@@ -102,7 +102,7 @@ findCredentials: |
  WHERE
  tenant_id=:tenant_id
  AND
- auth_id=:auth_id
+ COALESCE(generated_auth_id, auth_id)=:auth_id
  AND
  type=:type
 
@@ -112,12 +112,14 @@ insertCredentialEntry: |
  device_id,
  type,
  auth_id,
+ generated_auth_id,
  data
  ) VALUES (
  :tenant_id,
  :device_id,
  :type,
  :auth_id,
+ :generated_auth_id,
  :data
  )
 

diff --git a/services/base-jdbc/src/main/resources/sql/h2/02-create.devices.sql b/services/base-jdbc/src/main/resources/sql/h2/02-create.devices.sql
@@ -20,8 +20,9 @@ CREATE TABLE IF NOT EXISTS device_credentials
  TENANT_ID VARCHAR(256) NOT NULL,
  DEVICE_ID VARCHAR(256) NOT NULL,
 
- TYPE VARCHAR(64) NOT NULL,
- AUTH_ID VARCHAR(256) NOT NULL,
+ TYPE VARCHAR(64) NOT NULL,
+ AUTH_ID VARCHAR(256) NOT NULL,
+ GENERATED_AUTH_ID VARCHAR(256),
 
  DATA TEXT,
 

diff --git a/services/base-jdbc/src/main/resources/sql/postgresql/02-create.devices.sql b/services/base-jdbc/src/main/resources/sql/postgresql/02-create.devices.sql
@@ -20,8 +20,9 @@ CREATE TABLE IF NOT EXISTS device_credentials
  TENANT_ID VARCHAR(36) NOT NULL,
  DEVICE_ID VARCHAR(256) NOT NULL,
 
- TYPE VARCHAR(64) NOT NULL,
- AUTH_ID VARCHAR(256) NOT NULL,
+ TYPE VARCHAR(64) NOT NULL,
+ AUTH_ID VARCHAR(256) NOT NULL,
+ GENERATED_AUTH_ID VARCHAR(256),
 
  DATA JSONB,
 

@@ -35,6 +35,8 @@
 import org.eclipse.hono.service.management.credentials.CommonCredential;
 import org.eclipse.hono.service.management.credentials.CredentialsManagementService;
 import org.eclipse.hono.service.management.credentials.PasswordCredential;
+import org.eclipse.hono.service.management.credentials.X509CertificateCredential;
+import org.eclipse.hono.service.management.tenant.Tenant;
 import org.eclipse.hono.util.Futures;
 import org.eclipse.hono.util.Lifecycle;
 import org.eclipse.hono.util.Strings;
@@ -177,10 +179,11 @@ public final Future<OperationResult<Void>> updateCredentials(
  Objects.requireNonNull(resourceVersion);
  Objects.requireNonNull(span);
 
- return this.tenantInformationService
-  .getTenant(tenantId, span)
+ final Future<Tenant> tenantFuture = tenantInformationService.getTenant(tenantId, span);
+ return tenantFuture
  .compose(tenant -> tenant.checkCredentialsLimitExceeded(tenantId, credentials))
- .compose(ok -> verifyAndEncodePasswords(credentials))
+ .compose(ok -> applyAuthIdTemplateForX509CertificateCredentials(tenantFuture.result(), credentials))
+ .compose(this::verifyAndEncodePasswords)
  .compose(encodedCredentials -> processUpdateCredentials(
  DeviceKey.from(tenantId, deviceId),
  encodedCredentials,
@@ -279,4 +282,13 @@ protected List<CommonCredential> checkCredentials(final List<CommonCredential> c
  return credentials;
  }
 
+ private static Future<List<CommonCredential>> applyAuthIdTemplateForX509CertificateCredentials(
+ final Tenant tenant,
+ final List<CommonCredential> credentials) {
+ credentials.stream()
+ .filter(X509CertificateCredential.class::isInstance)
+ .map(X509CertificateCredential.class::cast)
+ .forEach(c -> c.applyAuthIdTemplate(tenant));
+ return Future.succeededFuture(credentials);
+ }
 }
diff --git a/.../java/org/eclipse/hono/deviceregistry/service/credentials/AbstractCredentialsService.java b/.../java/org/eclipse/hono/deviceregistry/service/credentials/AbstractCredentialsService.java
@@ -29,6 +29,7 @@
 import org.eclipse.hono.util.CredentialsConstants;
 import org.eclipse.hono.util.CredentialsResult;
 import org.eclipse.hono.util.Lifecycle;
+import org.eclipse.hono.util.RegistryManagementConstants;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -180,6 +181,7 @@ public final Future<CredentialsResult<JsonObject>> get(
  }
  });
  })
+ .map(AbstractCredentialsService::overrideAuthIdWithGeneratedAuthIdIfExists)
  .recover(error -> {
  LOG.debug("error getting credentials [tenant: {}, type: {}, auth-id: {}]", tenantId, type, authId, error);
  TracingHelper.logError(span, error);
@@ -190,8 +192,20 @@ public final Future<CredentialsResult<JsonObject>> get(
  });
  }
 
+ private static CredentialsResult<JsonObject> overrideAuthIdWithGeneratedAuthIdIfExists(
+ final CredentialsResult<JsonObject> credentialsResult) {
+ if (!credentialsResult.isError()) {
+ final JsonObject credential = credentialsResult.getPayload();
+ Optional.ofNullable(credential)
+ .map(c -> c.getString(RegistryManagementConstants.FIELD_TYPE))
+ .filter(RegistryManagementConstants.SECRETS_TYPE_X509_CERT::equals)
+ .map(ok -> credential.getString(RegistryManagementConstants.FIELD_GENERATED_AUTH_ID))
+ .ifPresent(id -> credential.put(RegistryManagementConstants.FIELD_AUTH_ID, id));
+ }
+ return credentialsResult;
+ }
+
  private boolean isAutoProvisioningConfigured() {
  return this.deviceAndGatewayAutoProvisioner != null;
  }
-
 }
@@ -70,7 +70,8 @@ private DeviceRegistryUtils() {
  */
  public static <T> Future<T> mapError(final Throwable error, final String tenantId) {
  if (error instanceof IllegalArgumentException) {
- return Future.failedFuture(new ClientErrorException(tenantId, HttpURLConnection.HTTP_BAD_REQUEST, error.getMessage()));
+ return Future.failedFuture(
+ new ClientErrorException(tenantId, HttpURLConnection.HTTP_BAD_REQUEST, error.getMessage(), error));
  }
  return Future.failedFuture(error);
  }

@@ -42,6 +42,16 @@ public static PskCredential createPSKCredential(final String authId, final Strin
  return new PskCredential(authId, List.of(s));
  }
 
+ /**
+ * Creates a X509 certificate based credential from the given subject DN.
+ *
+ * @param subjectDN The subject DN.
+ * @return The X509 certificate credential.
+ */
+ public static X509CertificateCredential createX509CertificateCredential(final String subjectDN) {
+ return X509CertificateCredential.fromSubjectDn(subjectDN, List.of(new X509CertificateSecret()));
+ }
+
  /**
  * Creates a password type based credential containing a hashed password secret.
  *