From 72cce4340e56396eb428486305502791cf9c3d68 Mon Sep 17 00:00:00 2001 From: louisg1337 Date: Wed, 19 Jun 2024 12:40:29 -0400 Subject: [PATCH 1/4] Created config directory with patch files and script so that MaEVe can work with EVerest --- config/everest/everest-patch.sh | 26 ++++++++ config/everest/maeve-csms-everest-org.patch | 13 ++++ config/everest/maeve-csms-ignore-ocsp.patch | 32 ++++++++++ config/everest/maeve-csms-local-mo-root.patch | 19 ++++++ config/everest/maeve-csms-no-lb.patch | 63 +++++++++++++++++++ config/everest/maeve-csms-no-wss.patch | 29 +++++++++ 6 files changed, 182 insertions(+) create mode 100644 config/everest/everest-patch.sh create mode 100644 config/everest/maeve-csms-everest-org.patch create mode 100644 config/everest/maeve-csms-ignore-ocsp.patch create mode 100644 config/everest/maeve-csms-local-mo-root.patch create mode 100644 config/everest/maeve-csms-no-lb.patch create mode 100644 config/everest/maeve-csms-no-wss.patch diff --git a/config/everest/everest-patch.sh b/config/everest/everest-patch.sh new file mode 100644 index 0000000..8b0a3ea --- /dev/null +++ b/config/everest/everest-patch.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +if [ "$#" -lt 1 ] ; then + echo "Usage: $0 " + echo "Where is: 1, 2, or 3." + exit 1 +fi + +SP=$1 + +echo "Patching the CSMS to disable load balancer" +patch -p1 -i config/everest/maeve-csms-no-lb.patch + +if [[ $SP == 1 ]]; then + echo "Patching the CSMS to disable WSS" + patch -p1 -i config/everest/maeve-csms-no-wss.patch +else + echo "Patching the CSMS to enable EVerest organization" + patch -p1 -i config/everest/maeve-csms-everest-org.patch + + echo "Patching the CSMS to enable local mo root" + patch -p1 -i config/everest/maeve-csms-local-mo-root.patch + + echo "Patching the CSMS to enable local mo root" + patch -p1 -i config/everest/maeve-csms-ignore-ocsp.patch +fi 
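Review bot: The script never checks whether `patch` succeeded, so a hunk that fails to apply (for example when the script is run a second time against an already-patched tree) leaves `.rej` files behind while every later "Patching …" line still prints and the script exits 0, and the operator ends up running a CSMS whose trust settings are not what the log claims. Add `set -euo pipefail` directly after the shebang, or guard each call with `patch -p1 -i … || exit 1`. The usage text prints `Usage: $0 ` with an empty placeholder, which may be angle brackets lost in rendering; if the source really lacks it, name the argument and say what it selects (it appears to be a security profile number). Since the non-1 branch applies a patch that disables OCSP revocation checking, a one-line warning that this configuration is for lab use only would also be worth echoing here.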
diff --git a/config/everest/maeve-csms-everest-org.patch b/config/everest/maeve-csms-everest-org.patch new file mode 100644 index 0000000..999e9ad --- /dev/null +++ b/config/everest/maeve-csms-everest-org.patch @@ -0,0 +1,13 @@ +diff --git a/docker-compose.yml b/docker-compose.yml +index b2d93e6..fa3a1ff 100644 +--- a/docker-compose.yml ++++ b/docker-compose.yml +@@ -47,6 +47,8 @@ services: + - "/certificates/csms.key" + - "--tls-trust-cert" + - "/certificates/trust.pem" ++ - "--org-name" ++ - "EVerest" + - "--mqtt-addr" + - "mqtt://mqtt:1883" + - "--manager-api-addr" diff --git a/config/everest/maeve-csms-ignore-ocsp.patch b/config/everest/maeve-csms-ignore-ocsp.patch new file mode 100644 index 0000000..b904ef0 --- /dev/null +++ b/config/everest/maeve-csms-ignore-ocsp.patch 
@@ -0,0 +1,32 @@ +diff --git a/manager/handlers/ocpp201/authorize.go b/manager/handlers/ocpp201/authorize.go +index 5df2305..0db9f79 100644 +--- a/manager/handlers/ocpp201/authorize.go ++++ b/manager/handlers/ocpp201/authorize.go +@@ -38,7 +38,12 @@ func (a AuthorizeHandler) HandleCall(ctx context.Context, chargeStationId string + if req.Certificate != nil { + _, err = a.CertificateValidationService.ValidatePEMCertificateChain(ctx, []byte(*req.Certificate), req.IdToken.IdToken) + idTokenInfo.Status, certificateStatus = handleCertificateValidationError(err) +- if err != nil { ++ if err.Error() == "failed to perform ocsp check after 1 attempts" { ++ var tempStatus = types.AuthorizeCertificateStatusEnumTypeAccepted ++ certificateStatus = &tempStatus ++ idTokenInfo.Status = types.AuthorizationStatusEnumTypeAccepted ++ span.SetAttributes(attribute.String("authorize.cert_warn", "No OCSP, but ignoring for testing purpose.")) ++ } else if err != nil { + span.SetAttributes(attribute.String("authorize.cert_error", err.Error())) + } + } +@@ -46,7 +46,12 @@ func (a AuthorizeHandler) HandleCall(ctx context.Context, chargeStationId string + if req.Iso15118CertificateHashData != nil { + _, err := a.CertificateValidationService.ValidateHashedCertificateChain(ctx, *req.Iso15118CertificateHashData) + idTokenInfo.Status, certificateStatus = handleCertificateValidationError(err) +- if err != nil { ++ if err.Error() == "failed to perform ocsp check after 1 attempts" { ++ var tempStatus = types.AuthorizeCertificateStatusEnumTypeAccepted ++ certificateStatus = &tempStatus ++ idTokenInfo.Status = types.AuthorizationStatusEnumTypeAccepted ++ span.SetAttributes(attribute.String("authorize.cert_warn", "No OCSP, but ignoring for testing purpose.")) ++ } else if err != nil { + span.SetAttributes(attribute.String("authorize.cert_error", err.Error())) + } + } \ No newline at end of file 
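Review bot: `err.Error()` is evaluated before `err` is tested for nil in both added branches, so every successful certificate validation, the common case, dereferences a nil error interface and panics inside HandleCall; the condition must be `if err != nil && err.Error() == "failed to perform ocsp check after 1 attempts" {` in both hunks. Matching the exact message is also brittle, a change to the retry count or wording upstream silently disables the bypass, so if the validation service exposes a sentinel or typed error for the OCSP step, `errors.Is`/`errors.As` would be the safer check. Beyond the crash, the branch turns a failed revocation check into Accepted for both the PEM and the ISO 15118 hash paths, which is fail-open on revocation; because this ships as a source patch rather than a flag, the patch file and the script applying it should state plainly that it must never reach a non-lab build. The second hunk's new-side start `+46,12` does not account for the lines the first hunk inserts (probably `+51,12`); patch(1) usually tolerates that but a strict applier may not. HandleCall begins and ends outside both hunks.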
diff --git a/config/everest/maeve-csms-local-mo-root.patch b/config/everest/maeve-csms-local-mo-root.patch new file mode 100644 index 0000000..c0b7f87 --- /dev/null +++ b/config/everest/maeve-csms-local-mo-root.patch @@ -0,0 +1,19 @@ +diff --git a/config/manager/config.toml b/config/manager/config.toml +index 3fa49ec..668eda9 100644 +--- a/config/manager/config.toml ++++ b/config/manager/config.toml +@@ -19,12 +19,8 @@ firestore.project_id = "*detect-project-id*" + type = "ocsp" + + [contract_cert_validator.ocsp.root_certs] +-type = "opcp" +-opcp.url = "https://open.plugncharge-test.hubject.com" +-opcp.ttl = "24h" +-opcp.auth.type = "hubject_test_token" +-opcp.auth.hubject_test_token.url = "https://hubject.stoplight.io/api/v1/projects/cHJqOjk0NTg5/nodes/6bb8b3bc79c2e-authorization-token" +-opcp.auth.hubject_test_token.ttl = "6h" ++type = "file" ++file.files = ["/certificates/root-MO-cert.pem"] + + [contract_cert_provider] + type = "opcp" diff --git a/config/everest/maeve-csms-no-lb.patch b/config/everest/maeve-csms-no-lb.patch new file mode 100644 index 0000000..be579fc --- /dev/null +++ b/config/everest/maeve-csms-no-lb.patch 
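Review bot: Swapping the Hubject OPCP root for a local `/certificates/root-MO-cert.pem` while the `contract_cert_validator` above stays `type = "ocsp"` means contract certificates issued under a self-generated MO root will fail their OCSP lookup, which is what forces the series to add the ignore-ocsp code patch; if the validator config offers a mode without OCSP, that would be a safer lever than editing the authorize handler, though I cannot tell from this hunk whether such a mode exists. The trust root is now a bind-mounted file, so a comment above the `[contract_cert_validator.ocsp.root_certs]` table, e.g. `# test-only: MO root replaced by a locally generated cert mounted from config/certificates`, would stop someone promoting this config. Note that `[contract_cert_provider]` below still reads `type = "opcp"`, so certificate provisioning presumably still talks to Hubject.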
@@ -0,0 +1,63 @@ +diff --git a/docker-compose.yml b/docker-compose.yml +index a2d88cd..b2d93e6 100644 +--- a/docker-compose.yml ++++ b/docker-compose.yml +@@ -25,25 +25,6 @@ services: + timeout: 10s + retries: 3 + +- lb: +- image: envoyproxy/envoy:v1.26-latest +- command: ["-c", "/config/envoy.yaml"] +- volumes: +- - type: bind +- source: ./config/envoy +- target: /config +- read_only: true +- depends_on: +- manager: +- condition: service_healthy +- gateway: +- condition: service_healthy +- ports: +- - "80:80" +- - "443:443" +- - "9410:9410" +- - "9411:9411" +- + gateway: + build: + context: gateway +@@ -71,9 +52,10 @@ services: + - "--manager-api-addr" + - "http://manager:9410" + expose: +- - "9310" +- - "9311" + - "9312" ++ ports: ++ - "80:9310" ++ - "443:9311" + volumes: + - type: bind + source: ./config/certificates +@@ -108,9 +90,9 @@ services: + source: ./config/manager + target: /config + read_only: true +- expose: +- - "9410" +- - "9411" ++ ports: ++ - "9410:9410" ++ - "9411:9411" + healthcheck: + test: ["CMD", "/usr/bin/curl", "-s", "--fail", "http://localhost:9410/health"] + interval: 10s +@@ -146,4 +128,4 @@ services: + volumes: + - ./prometheus:/etc/prometheus + command: +- - '--config.file=/etc/prometheus/prometheus.yml' +\ No newline at end of file ++ - '--config.file=/etc/prometheus/prometheus.yml' diff --git a/config/everest/maeve-csms-no-wss.patch b/config/everest/maeve-csms-no-wss.patch new file mode 100644 index 0000000..30e57a7 --- /dev/null +++ b/config/everest/maeve-csms-no-wss.patch 
@@ -0,0 +1,29 @@ +diff --git a/docker-compose.yml b/docker-compose.yml +index b2d93e6..f0e675a 100644 +--- a/docker-compose.yml ++++ b/docker-compose.yml +@@ -37,16 +37,8 @@ services: + - "serve" + - "--ws-addr" + - ":9310" +- - "--wss-addr" +- - ":9311" + - "--status-addr" + - ":9312" +- - "--tls-server-cert" +- - "/certificates/csms.pem" +- - "--tls-server-key" +- - "/certificates/csms.key" +- - "--tls-trust-cert" +- - "/certificates/trust.pem" + - "--mqtt-addr" + - "mqtt://mqtt:1883" + - "--manager-api-addr" +@@ -55,7 +47,6 @@ services: + - "9312" + ports: + - "80:9310" +- - "443:9311" + volumes: + - type: bind + source: ./config/certificates From 5423151e71f329264703b95676ee0b5c656766ae Mon Sep 17 00:00:00 2001 From: louisg1337 Date: Thu, 20 Jun 2024 13:19:33 -0400 Subject: [PATCH 2/4] Added ability for wss to not open if no certs were provided. Also cleaned up the bash script by getting rid of wss and lb patches --- config/everest/everest-patch.sh | 8 +--- config/everest/maeve-csms-no-lb.patch | 63 --------------------------- gateway/cmd/serve.go | 24 ++++++++-- 3 files changed, 21 insertions(+), 74 deletions(-) delete mode 100644 config/everest/maeve-csms-no-lb.patch diff --git a/config/everest/everest-patch.sh b/config/everest/everest-patch.sh index 8b0a3ea..757c184 100644 --- a/config/everest/everest-patch.sh +++ b/config/everest/everest-patch.sh @@ -8,13 +8,7 @@ fi SP=$1 -echo "Patching the CSMS to disable load balancer" -patch -p1 -i config/everest/maeve-csms-no-lb.patch - -if [[ $SP == 1 ]]; then - echo "Patching the CSMS to disable WSS" - patch -p1 -i config/everest/maeve-csms-no-wss.patch -else +if [[ $SP == 2 || $SP == 3 ]]; then echo "Patching the CSMS to enable EVerest organization" patch -p1 -i config/everest/maeve-csms-everest-org.patch diff --git a/config/everest/maeve-csms-no-lb.patch b/config/everest/maeve-csms-no-lb.patch deleted file mode 100644 index be579fc..0000000 --- a/config/everest/maeve-csms-no-lb.patch +++ /dev/null 
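Review bot: With the `SP == 1` branch removed, any value other than 2 or 3 now falls through silently: `everest-patch.sh 7` prints nothing, applies nothing and exits 0, and the earlier argument check only counts arguments. Validate the value up front, e.g. `case "$SP" in 1|2|3) ;; *) echo "SP must be 1, 2 or 3" >&2; exit 1;; esac` right after `SP=$1`. It is also worth echoing in the SP 1 case that no patch is applied, so a user who expects the WSS/TLS changes from the removed patch is not left guessing.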
@@ -1,63 +0,0 @@ -diff --git a/docker-compose.yml b/docker-compose.yml -index a2d88cd..b2d93e6 100644 ---- a/docker-compose.yml -+++ b/docker-compose.yml -@@ -25,25 +25,6 @@ services: - timeout: 10s - retries: 3 - -- lb: -- image: envoyproxy/envoy:v1.26-latest -- command: ["-c", "/config/envoy.yaml"] -- volumes: -- - type: bind -- source: ./config/envoy -- target: /config -- read_only: true -- depends_on: -- manager: -- condition: service_healthy -- gateway: -- condition: service_healthy -- ports: -- - "80:80" -- - "443:443" -- - "9410:9410" -- - "9411:9411" -- - gateway: - build: - context: gateway -@@ -71,9 +52,10 @@ services: - - "--manager-api-addr" - - "http://manager:9410" - expose: -- - "9310" -- - "9311" - - "9312" -+ ports: -+ - "80:9310" -+ - "443:9311" - volumes: - - type: bind - source: ./config/certificates -@@ -108,9 +90,9 @@ services: - source: ./config/manager - target: /config - read_only: true -- expose: -- - "9410" -- - "9411" -+ ports: -+ - "9410:9410" -+ - "9411:9411" - healthcheck: - test: ["CMD", "/usr/bin/curl", "-s", "--fail", "http://localhost:9410/health"] - interval: 10s -@@ -146,4 +128,4 @@ services: - volumes: - - ./prometheus:/etc/prometheus - command: -- - '--config.file=/etc/prometheus/prometheus.yml' -\ No newline at end of file -+ - '--config.file=/etc/prometheus/prometheus.yml' diff --git a/gateway/cmd/serve.go b/gateway/cmd/serve.go index 0abdd1e..790d468 100644 --- a/gateway/cmd/serve.go +++ b/gateway/cmd/serve.go @@ -7,6 +7,10 @@ import ( "crypto/tls" "crypto/x509" "fmt" + "net/url" + "os" + "time" + "github.com/spf13/cobra" "github.com/subnova/slog-exporter/slogtrace" "github.com/thoughtworks/maeve-csms/gateway/registry" @@ -21,9 +25,6 @@ import ( "golang.org/x/exp/slog" "google.golang.org/grpc" "google.golang.org/grpc/credentials/insecure" - "net/url" - "os" - "time" ) var ( 
@@ -149,7 +150,22 @@ var serveCmd = &cobra.Command{ wsServer := server.New("ws", wsAddr, nil, websocketHandler) var wssServer *server.Server - if wssAddr != "" { + certs := []string{tlsServerCert, tlsServerKey} + certs = append(certs, tlsTrustCert...) + certsProvided := false + slog.Info("Checking to see what certs were provided...") + for _, cert := range certs { + _, err := os.ReadFile(cert) + if err == nil { + slog.Info("Found at least one cert:", cert) + certsProvided = true + break + } + } + + if certsProvided { + slog.Warn("no certs were provided, WSS will be closed") + } else if wssAddr != "" { if tlsServerCert == "" { return fmt.Errorf("no tls server cert specified for wss connection") } From 207477350f16e32e14f4334a8c7a77765e5fbdf0 Mon Sep 17 00:00:00 2001 From: louisg1337 Date: Thu, 20 Jun 2024 13:25:46 -0400 Subject: [PATCH 3/4] Fixed small typo --- gateway/cmd/serve.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gateway/cmd/serve.go b/gateway/cmd/serve.go index 790d468..305025b 100644 --- a/gateway/cmd/serve.go +++ b/gateway/cmd/serve.go @@ -163,7 +163,7 @@ var serveCmd = &cobra.Command{ } } - if certsProvided { + if !certsProvided { slog.Warn("no certs were provided, WSS will be closed") } else if wssAddr != "" { if tlsServerCert == "" { From 6de9495aed8bdb2070eca0beb6083f1a2711a191 Mon Sep 17 00:00:00 2001 From: louisg1337 Date: Thu, 20 Jun 2024 14:28:11 -0400 Subject: [PATCH 4/4] Removed extraneous change, deleted wss patch, fixed echo statement --- config/everest/everest-patch.sh | 2 +- config/everest/maeve-csms-no-wss.patch | 29 -------------------------- gateway/cmd/serve.go | 7 +++---- 3 files changed, 4 insertions(+), 34 deletions(-) delete mode 100644 config/everest/maeve-csms-no-wss.patch diff --git a/config/everest/everest-patch.sh b/config/everest/everest-patch.sh index 757c184..b1b0047 100644 --- a/config/everest/everest-patch.sh +++ b/config/everest/everest-patch.sh 
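Review bot: The new certsProvided check makes a missing or mistyped certificate path silently disable the WSS listener while the plaintext ws listener on wsAddr keeps serving; before this change an explicit --wss-addr with unusable TLS material presumably failed at startup when the cert was loaded, so this is a fail-open for any deployment that relies on TLS. The loop also treats any one of cert, key or trust file as sufficient, so a present trust.pem with an absent csms.key still takes the TLS branch, and it reads the private key into memory with `os.ReadFile` only to test existence. I would require both the server cert and key to be stat-able, return an error when exactly one is missing, and fix the slog call, which passes a lone value and is logged as `!BADKEY`: `slog.Info("found TLS material", "path", cert)`. serveCmd's body begins and ends outside this hunk.
```go
var wssServer *server.Server
// Skip WSS only when neither the server cert nor the key exists on disk;
// a half-present pair is a misconfiguration and must not silently fall
// back to the plaintext ws listener.
_, certErr := os.Stat(tlsServerCert)
_, keyErr := os.Stat(tlsServerKey)
if certErr != nil && keyErr != nil {
	slog.Warn("no TLS server cert/key found, WSS will not be started",
		"cert", tlsServerCert, "key", tlsServerKey)
} else if certErr != nil || keyErr != nil {
	return fmt.Errorf("wss: server cert %q or key %q is not readable", tlsServerCert, tlsServerKey)
} else if wssAddr != "" {
	// … unchanged: existing tls cert/key/trust loading and wss server construction …
```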
@@ -15,6 +15,6 @@ if [[ $SP == 2 || $SP == 3 ]]; then echo "Patching the CSMS to enable local mo root" patch -p1 -i config/everest/maeve-csms-local-mo-root.patch - echo "Patching the CSMS to enable local mo root" + echo "Patching the CSMS to ignore OCSP" patch -p1 -i config/everest/maeve-csms-ignore-ocsp.patch fi diff --git a/config/everest/maeve-csms-no-wss.patch b/config/everest/maeve-csms-no-wss.patch deleted file mode 100644 index 30e57a7..0000000 --- a/config/everest/maeve-csms-no-wss.patch +++ /dev/null @@ -1,29 +0,0 @@ -diff --git a/docker-compose.yml b/docker-compose.yml -index b2d93e6..f0e675a 100644 ---- a/docker-compose.yml -+++ b/docker-compose.yml -@@ -37,16 +37,8 @@ services: - - "serve" - - "--ws-addr" - - ":9310" -- - "--wss-addr" -- - ":9311" - - "--status-addr" - - ":9312" -- - "--tls-server-cert" -- - "/certificates/csms.pem" -- - "--tls-server-key" -- - "/certificates/csms.key" -- - "--tls-trust-cert" -- - "/certificates/trust.pem" - - "--mqtt-addr" - - "mqtt://mqtt:1883" - - "--manager-api-addr" -@@ -55,7 +47,6 @@ services: - - "9312" - ports: - - "80:9310" -- - "443:9311" - volumes: - - type: bind - source: ./config/certificates diff --git a/gateway/cmd/serve.go b/gateway/cmd/serve.go index 305025b..fc36be7 100644 --- a/gateway/cmd/serve.go +++ b/gateway/cmd/serve.go @@ -7,10 +7,6 @@ import ( "crypto/tls" "crypto/x509" "fmt" - "net/url" - "os" - "time" - "github.com/spf13/cobra" "github.com/subnova/slog-exporter/slogtrace" "github.com/thoughtworks/maeve-csms/gateway/registry" @@ -25,6 +21,9 @@ import ( "golang.org/x/exp/slog" "google.golang.org/grpc" "google.golang.org/grpc/credentials/insecure" + "net/url" + "os" + "time" ) var (