Enable iotedged identity certificates endpoint (#497)

The changes here enable modules to request their identity (client) certificates. With this capability, modules built as microservices and their clients can authenticate themselves in a generic manner using standard secure communication protocols built over TLS! Here are the salient properties of the certificate. These certificates are rooted using the Edge device CA. Note: The CA certificate is obtained via the trust bundle API. Each of these certificates will have their identifier stamped in the certificate as SAN URI entry which can be used for identification. The following is the URI format: azureiot://{hub}/devices/{did}/module/{mid} The CN field of the subject will contain the module id and is not configurable. The certificates are short lived for a duration of two hours.
Azure · Nov 2, 2018 · 40f1095 · 40f1095
1 parent e93e707
commit 40f1095
Show file tree

Hide file tree

Showing 22 changed files with 3,620 additions and 2,669 deletions.
diff --git a/edgelet/api/workload.yaml b/edgelet/api/workload.yaml
@@ -121,7 +121,7 @@ paths:
           description: Error
           schema:
             $ref: '#/definitions/ErrorResponse'
-  '/modules/{name}/genid/{genid}/certificate/identity':
+  '/modules/{name}/certificate/identity':
     post:
       tags:
         - Workload
@@ -131,14 +131,15 @@ paths:
         - $ref: '#/parameters/api-version'
         - in: path
           name: name
-          description: The name of the module to get certificate. (urlencoded)
+          description: The name of the module needed to obtain the certificate. (urlencoded)
           required: true
           type: string
-        - in: path
-          name: genid
-          description: The generation identifier for the module as generated by IoT Hub.
+        - in: body
+          name: request
+          description: Parameters for certificate creation.
           required: true
-          type: string
+          schema:
+            $ref: '#/definitions/IdentityCertificateRequest'
       responses:
         '200':
           description: Ok
@@ -296,6 +297,13 @@ definitions:
     required:
       - commonName
       - expiration
+  IdentityCertificateRequest:
+    type: object
+    properties:
+      expiration:
+        type: string
+        format: date-time
+        description: Certificate expiration date-time (ISO 8601)
   CertificateResponse:
     type: object
     properties:

diff --git a/edgelet/edgelet-core/src/lib.rs b/edgelet/edgelet-core/src/lib.rs
@@ -32,6 +32,7 @@ mod identity;
 mod module;
 pub mod pid;
 pub mod watchdog;
+pub mod workload;
 
 pub use authorization::{Authorization, Policy};
 pub use certificate_properties::{CertificateIssuer, CertificateProperties, CertificateType};
@@ -45,6 +46,7 @@ pub use module::{
     LogOptions, LogTail, Module, ModuleRegistry, ModuleRuntime, ModuleRuntimeState, ModuleSpec,
     ModuleStatus, SystemInfo,
 };
+pub use workload::WorkloadConfig;
 
 lazy_static! {
     static ref VERSION: String = option_env!("VERSION")

diff --git a/edgelet/edgelet-core/src/workload.rs b/edgelet/edgelet-core/src/workload.rs
@@ -0,0 +1,11 @@
+// Copyright (c) Microsoft. All rights reserved.
+
+use certificate_properties::CertificateType;
+
+/// Trait to obtain configuration data needed by any implementation of the workload interface
+/// for module identity and certificate management.
+pub trait WorkloadConfig {
+    fn iot_hub_name(&self) -> &str;
+    fn device_id(&self) -> &str;
+    fn get_cert_max_duration(&self, cert_type: CertificateType) -> i64;
+}