Lorawan-stack: Does one webhook override other settings?

Created on 6 Jul 2019  ·  5 comments  ·  Source: TheThingsNetwork/lorawan-stack

Thank you for submitting a bug report. Please fill in the template below, otherwise we will not be able to process this bug report.

Summary

Summarize the issue in a few sentences:

I'm trying to create, on the same lorawan-stack instance:

  • 1st application + webhook for the production environment (standard data exchange)
  • 2nd application + webhook for firmware updates of the microcontroller device
  • the same end device belongs to both applications (same name / EUI - different app EUI / keys)

After running the full initialization of one application, it seems to override the access rights of the previous webhook (it reports no access rights - status 403 in the server console)

Steps to Reproduce

How can we reproduce the issue?

Create ap2 for firmware updates and a webhook for it:

ttn-lw-cli end-devices create ap2 dv1 \
  --dev-eui 00217E00000003FF \
  --app-eui 800000000000008C \
  --frequency-plan-id EU_863_870 \
  --root-keys.app-key.key 852BAEC23EAE7964AF27C325F4C23C9A \
  --lorawan-version 1.0.2 \
  --lorawan-phy-version 1.0.2-b
{
  "ids": {
    "device_id": "dv1",
    "application_ids": {
      "application_id": "ap2"
    },
    "dev_eui": "00217E00000003FF",
    "join_eui": "800000000000008C"
  },
  "created_at": "2019-06-26T07:49:08.966Z",
  "updated_at": "2019-06-26T07:49:09.197889667Z",
  "attributes": {
  },
  "network_server_address": "localhost",
  "application_server_address": "localhost",
  "join_server_address": "localhost",
  "lorawan_version": "1.0.2",
  "lorawan_phy_version": "1.0.2-b",
  "frequency_plan_id": "EU_863_870",
  "supports_join": true,
  "root_keys": {
    "app_key": {
      "key": "852BAEC23EAE7964AF27C325F4C23C9A"
    }
  }
}
ttn-lw-cli applications api-keys create \
  --name link \
  --application-id ap2 \
  --right-application-link

  INFO API key ID: LHUIKUKWZ62A2LXUYP4ZFC54423D3A3J36G33JY
  INFO API key value: NNSXS.LHUIKUKWZ62A2LXUYP4ZFC54423D3A3J36G33JY.NGYQQRDUJW36KJC3UP6PZYP2DNUYZTGISDJEXACL2TB5BB5EWQCA
  WARN The API key value will never be shown again
  WARN Make sure to copy it to a safe place
{
  "id": "LHUIKUKWZ62A2LXUYP4ZFC54423D3A3J36G33JY",
  "key": "NNSXS.LHUIKUKWZ62A2LXUYP4ZFC54423D3A3J36G33JY.NGYQQRDUJW36KJC3UP6PZYP2DNUYZTGISDJEXACL2TB5BB5EWQCA",
  "name": "link",
  "rights": [
    "RIGHT_APPLICATION_LINK"
  ]
}
ttn-lw-cli applications link set ap2 --api-key NNSXS.LHUIKUKWZ62A2LXUYP4ZFC54423D3A3J36G33JY.NGYQQRDUJW36KJC3UP6PZYP2DNUYZTGISDJEXACL2TB5BB5EWQCA
{
  "api_key": "NNSXS.LHUIKUKWZ62A2LXUYP4ZFC54423D3A3J36G33JY.NGYQQRDUJW36KJC3UP6PZYP2DNUYZTGISDJEXACL2TB5BB5EWQCA"
}
ttn-lw-cli applications api-keys create --name wh-client --application-id ap2 --right-application-link --right-application-all --right-application-delete --right-application-devices-read --right-application-devices-read-keys --right-application-devices-write --right-application-devices-write-keys --right-application-info --right-application-link --right-application-settings-api-keys --right-application-settings-basic --right-application-settings-collaborators --right-application-traffic-down-write --right-application-traffic-read --right-application-traffic-up-write

  INFO API key ID: CLCIYOYYEDPLJSSWRNMYS5KCDI45HOE6M3WZIDY
  INFO API key value: NNSXS.CLCIYOYYEDPLJSSWRNMYS5KCDI45HOE6M3WZIDY.E6DXAAZ4HSX2V6VL7C3244HGNKBO24SEROTXOZURJHWWOMWZQSPA
  WARN The API key value will never be shown again
  WARN Make sure to copy it to a safe place
{
  "id": "CLCIYOYYEDPLJSSWRNMYS5KCDI45HOE6M3WZIDY",
  "key": "NNSXS.CLCIYOYYEDPLJSSWRNMYS5KCDI45HOE6M3WZIDY.E6DXAAZ4HSX2V6VL7C3244HGNKBO24SEROTXOZURJHWWOMWZQSPA",
  "name": "wh-client",
  "rights": [
    "RIGHT_APPLICATION_DEVICES_WRITE",
    "RIGHT_APPLICATION_DEVICES_READ",
    "RIGHT_APPLICATION_TRAFFIC_DOWN_WRITE",
    "RIGHT_APPLICATION_SETTINGS_BASIC",
    "RIGHT_APPLICATION_DEVICES_WRITE_KEYS",
    "RIGHT_APPLICATION_INFO",
    "RIGHT_APPLICATION_SETTINGS_API_KEYS",
    "RIGHT_APPLICATION_SETTINGS_COLLABORATORS",
    "RIGHT_APPLICATION_TRAFFIC_READ",
    "RIGHT_APPLICATION_TRAFFIC_UP_WRITE",
    "RIGHT_APPLICATION_DELETE",
    "RIGHT_APPLICATION_LINK",
    "RIGHT_APPLICATION_ALL",
    "RIGHT_APPLICATION_DEVICES_READ_KEYS"
  ]
}
ttn-lw-cli applications webhooks set \
  --application-id ap2 \
  --webhook-id fwup \
  --format json \
  --base-url http://192.168.0.8/IoT/ \
  --join-accept.path lorafw.php \
  --uplink-message.path lorafw.php

{
  "ids": {
    "application_ids": {
      "application_id": "ap2"
    },
    "webhook_id": "fwup"
  },
  "created_at": "2019-06-26T07:54:51.099460917Z",
  "updated_at": "2019-06-26T07:54:51.099460917Z",
  "base_url": "http://192.168.0.8/IoT/",
  "format": "json",
  "uplink_message": {
    "path": "lorafw.php"
  },
  "join_accept": {
    "path": "lorafw.php"
  }
}

TEST:

curl http://localhost:1885/api/v3/as/applications/ap2/webhooks/fwup/devices/dv1/down/push -X POST   -H 'Authorization: Bearer NNSXS.CLCIYOYYEDPLJSSWRNMYS5KCDI45HOE6M3WZIDY.E6DXAAZ4HSX2V6VL7C3244HGNKBO24SEROTXOZURJHWWOMWZQSPA'  --data '{"downlinks":[{"frm_payload":"vu8=","f_port":15,"priority":"NORMAL"}]}'

The webhooks work fine now

Create ap3 for the production environment:
* Normal operation *

ttn-lw-cli applications create ap3 --user-id admin
{
  "ids": {
    "application_id": "ap3"
  },
  "created_at": "2019-07-06T09:45:28.540Z",
  "updated_at": "2019-07-06T09:45:28.540Z"
}
ttn-lw-cli end-devices create ap3 dv1 \
  --dev-eui 00217E00000003FF \
  --app-eui 100000000000001C \
  --frequency-plan-id EU_863_870 \
  --root-keys.app-key.key 152BAEC23EAE7964AF27C325F4C23C9A \
  --lorawan-version 1.0.2 \
  --lorawan-phy-version 1.0.2-b
{
  "ids": {
    "device_id": "dv1",
    "application_ids": {
      "application_id": "ap3"
    },
    "dev_eui": "00217E00000003FF",
    "join_eui": "100000000000001C"
  },
  "created_at": "2019-07-06T09:46:16.897Z",
  "updated_at": "2019-07-06T09:46:17.144655816Z",
  "attributes": {
  },
  "network_server_address": "localhost",
  "application_server_address": "localhost",
  "join_server_address": "localhost",
  "lorawan_version": "1.0.2",
  "lorawan_phy_version": "1.0.2-b",
  "frequency_plan_id": "EU_863_870",
  "supports_join": true,
  "root_keys": {
    "app_key": {
      "key": "852BAEC23EAE7964AF27C325F4C23C9A"
    }
  }
}
ttn-lw-cli applications api-keys create \
  --name link \
  --application-id ap3 \
  --right-application-link

  INFO API key ID: 77EPVZXEKOCAD7G6G4UGAKERJGNL3MHNYIWA7YI
  INFO API key value: NNSXS.77EPVZXEKOCAD7G6G4UGAKERJGNL3MHNYIWA7YI.UFJ2Y5ITTD6DKTMIPSH3UOUMVGPAIOGBQGF547KWPCAZ6WZE6VXQ
  WARN The API key value will never be shown again
  WARN Make sure to copy it to a safe place
{
  "id": "77EPVZXEKOCAD7G6G4UGAKERJGNL3MHNYIWA7YI",
  "key": "NNSXS.77EPVZXEKOCAD7G6G4UGAKERJGNL3MHNYIWA7YI.UFJ2Y5ITTD6DKTMIPSH3UOUMVGPAIOGBQGF547KWPCAZ6WZE6VXQ",
  "name": "link",
  "rights": [
    "RIGHT_APPLICATION_LINK"
  ]
}
ttn-lw-cli applications link set ap3 --api-key NNSXS.77EPVZXEKOCAD7G6G4UGAKERJGNL3MHNYIWA7YI.UFJ2Y5ITTD6DKTMIPSH3UOUMVGPAIOGBQGF547KWPCAZ6WZE6VXQ
{
  "api_key": "NNSXS.77EPVZXEKOCAD7G6G4UGAKERJGNL3MHNYIWA7YI.UFJ2Y5ITTD6DKTMIPSH3UOUMVGPAIOGBQGF547KWPCAZ6WZE6VXQ"
}
ttn-lw-cli applications api-keys create --name wh-client --application-id ap3 --right-application-link --right-application-all --right-application-delete --right-application-devices-read --right-application-devices-read-keys --right-application-devices-write --right-application-devices-write-keys --right-application-info --right-application-link --right-application-settings-api-keys --right-application-settings-basic --right-application-settings-collaborators --right-application-traffic-down-write --right-application-traffic-read --right-application-traffic-up-write

  INFO API key ID: JIXW5XX3UITDZASY4L4A3FZ4Z53YF2S63ZASO3Y
  INFO API key value: NNSXS.JIXW5XX3UITDZASY4L4A3FZ4Z53YF2S63ZASO3Y.7TDNWLRAKDETDFJXHVWHYQ3J47CDD7SRQR66FGT7F72BHTZMSYGQ
  WARN The API key value will never be shown again
  WARN Make sure to copy it to a safe place
{
  "id": "JIXW5XX3UITDZASY4L4A3FZ4Z53YF2S63ZASO3Y",
  "key": "NNSXS.JIXW5XX3UITDZASY4L4A3FZ4Z53YF2S63ZASO3Y.7TDNWLRAKDETDFJXHVWHYQ3J47CDD7SRQR66FGT7F72BHTZMSYGQ",
  "name": "wh-client",
  "rights": [
    "RIGHT_APPLICATION_TRAFFIC_READ",
    "RIGHT_APPLICATION_SETTINGS_API_KEYS",
    "RIGHT_APPLICATION_DEVICES_READ",
    "RIGHT_APPLICATION_SETTINGS_BASIC",
    "RIGHT_APPLICATION_DEVICES_READ_KEYS",
    "RIGHT_APPLICATION_TRAFFIC_DOWN_WRITE",
    "RIGHT_APPLICATION_ALL",
    "RIGHT_APPLICATION_INFO",
    "RIGHT_APPLICATION_LINK",
    "RIGHT_APPLICATION_SETTINGS_COLLABORATORS",
    "RIGHT_APPLICATION_TRAFFIC_UP_WRITE",
    "RIGHT_APPLICATION_DEVICES_WRITE_KEYS",
    "RIGHT_APPLICATION_DELETE",
    "RIGHT_APPLICATION_DEVICES_WRITE"
  ]
}
ttn-lw-cli applications webhooks set \
  --application-id ap3 \
  --webhook-id production \
  --format json \
  --base-url http://192.168.0.8/IoT/ \
  --join-accept.path join.php \
  --uplink-message.path up.php

{
  "ids": {
    "application_ids": {
      "application_id": "ap3"
    },
    "webhook_id": "production"
  },
  "created_at": "2019-07-06T09:57:36.729241177Z",
  "updated_at": "2019-07-06T09:57:36.729241177Z",
  "base_url": "http://192.168.0.8/IoT/",
  "format": "json",
  "uplink_message": {
    "path": "up.php"
  },
  "join_accept": {
    "path": "join.php"
  }
}
ttn-lw-cli applications api-keys create --name wh-prod --application-id ap3 --right-application-link --right-application-all --right-application-delete --right-application-devices-read --right-application-devices-read-keys --right-application-devices-write --right-application-devices-write-keys --right-application-info --right-application-link --right-application-settings-api-keys --right-application-settings-basic --right-application-settings-collaborators --right-application-traffic-down-write --right-application-traffic-read --right-application-traffic-up-write

  INFO API key ID: SC626ESUGY3E5RO2NB6NOMCPKT6SDR3MJWTAQZA
  INFO API key value: NNSXS.SC626ESUGY3E5RO2NB6NOMCPKT6SDR3MJWTAQZA.VCUMNMSQQFDNBD7BSKKXEXCCMJH77254DEVTDCUICO45RDAT2TVA
  WARN The API key value will never be shown again
  WARN Make sure to copy it to a safe place
{
  "id": "SC626ESUGY3E5RO2NB6NOMCPKT6SDR3MJWTAQZA",
  "key": "NNSXS.SC626ESUGY3E5RO2NB6NOMCPKT6SDR3MJWTAQZA.VCUMNMSQQFDNBD7BSKKXEXCCMJH77254DEVTDCUICO45RDAT2TVA",
  "name": "wh-prod",
  "rights": [
    "RIGHT_APPLICATION_DELETE",
    "RIGHT_APPLICATION_LINK",
    "RIGHT_APPLICATION_DEVICES_WRITE",
    "RIGHT_APPLICATION_TRAFFIC_READ",
    "RIGHT_APPLICATION_TRAFFIC_UP_WRITE",
    "RIGHT_APPLICATION_SETTINGS_COLLABORATORS",
    "RIGHT_APPLICATION_DEVICES_WRITE_KEYS",
    "RIGHT_APPLICATION_TRAFFIC_DOWN_WRITE",
    "RIGHT_APPLICATION_DEVICES_READ_KEYS",
    "RIGHT_APPLICATION_SETTINGS_API_KEYS",
    "RIGHT_APPLICATION_SETTINGS_BASIC",
    "RIGHT_APPLICATION_DEVICES_READ",
    "RIGHT_APPLICATION_ALL",
    "RIGHT_APPLICATION_INFO"
  ]
}

a) The downlink of the AP2 application's webhook stopped working (downlink - access rights problem)
b) The AP3 application's webhook starts working
c) After modifying the AP1 API key, replacing it in the webhook's PHP file and restarting the network server, AP2 works again and AP3's downlink stops working (downlink - access rights problem)

Handling API

What do you see now?

...

What do you want to see instead?

...

Environment

Not relevant Ubuntu 16 / kerlink / Telit / 1.0.2 Class A
...

How do you propose to implement this?

...

Can you do this yourself and submit a Pull Request?

...

blocking release bug application server

All 5 comments

I can confirm that I managed to reproduce this bug on v3.0.3. My run can be found here. I will investigate and come back with the results.

Thanks @adriansmares.

I migrated my setup from v3.0.3 to the latest master and apparently the bug has been fixed in the meantime.

adriansmares@A98BCD2222F1:~/go/src/go.thethings.network/lorawan-stack$ git checkout master
Previous HEAD position was e8450dac8 all: Bump to version 3.0.3
Switched to branch 'master'
Your branch is up to date with 'ttn/master'.
adriansmares@A98BCD2222F1:~/go/src/go.thethings.network/lorawan-stack$ curl http://localhost:1885/api/v3/as/applications/app1/webhooks/wh1/devices/dev1/down/push   -X POST   -H 'Authorization: Bearer NNSXS.PRF4BDQMASLMRWXTV5HRM4TQUROQAHNTDR7EZTY.JK6XNLQYXQSNCAWZHFOXG6LCBINIEMVSDPR3OIORDVQF5FJCI6YA'   --data '{"downlinks":[{"frm_payload":"vu8=","f_port":15,"priority":"NORMAL"}]}'
adriansmares@A98BCD2222F1:~/go/src/go.thethings.network/lorawan-stack$ curl http://localhost:1885/api/v3/as/applications/app2/webhooks/wh1/devices/dev1/down/push   -X POST   -H 'Authorization: Bearer NNSXS.V3ZM2DMCSFK4YEBB55WA6MMY34YXQ6SARLJS4TQ.OILYCKNO5R25HYYZB6BPOJN5XLKWQZFXOIB77TJ464IDQBQ2YI7A'   --data '{"downlinks":[{"frm_payload":"vu8=","f_port":15,"priority":"NORMAL"}]}'
adriansmares@A98BCD2222F1:~/go/src/go.thethings.network/lorawan-stack$ git checkout v3.0.3
Note: checking out 'v3.0.3'.
...
HEAD is now at e8450dac8 all: Bump to version 3.0.3
adriansmares@A98BCD2222F1:~/go/src/go.thethings.network/lorawan-stack$ curl http://localhost:1885/api/v3/as/applications/app1/webhooks/wh1/devices/dev1/down/push   -X POST   -H 'Authorization: Bearer NNSXS.PRF4BDQMASLMRWXTV5HRM4TQUROQAHNTDR7EZTY.JK6XNLQYXQSNCAWZHFOXG6LCBINIEMVSDPR3OIORDVQF5FJCI6YA'   --data '{"downlinks":[{"frm_payload":"vu8=","f_port":15,"priority":"NORMAL"}]}'
adriansmares@A98BCD2222F1:~/go/src/go.thethings.network/lorawan-stack$ curl http://localhost:1885/api/v3/as/applications/app2/webhooks/wh1/devices/dev1/down/push   -X POST   -H 'Authorization: Bearer NNSXS.V3ZM2DMCSFK4YEBB55WA6MMY34YXQ6SARLJS4TQ.OILYCKNO5R25HYYZB6BPOJN5XLKWQZFXOIB77TJ464IDQBQ2YI7A'   --data '{"downlinks":[{"frm_payload":"vu8=","f_port":15,"priority":"NORMAL"}]}'
error:pkg/auth/rights:no_application_rights (no rights for application `app2`)

However, I looked at which commits fixed this issue, and they are a2e7e4c6b8929dfd52ba62046cc70d4529c4f25e and fe95aafb9959e841e920eaad39eb2e39b6ed24e6

adriansmares@A98BCD2222F1:~/go/src/go.thethings.network/lorawan-stack$ git checkout v3.0.3
...
HEAD is now at e8450dac8 all: Bump to version 3.0.3
adriansmares@A98BCD2222F1:~/go/src/go.thethings.network/lorawan-stack$ git cherry-pick a2e7e4c6b8929dfd52ba62046cc70d4529c4f25e
[detached HEAD d8f1ee6fc] as: Use request context in webhook downlink
 Author: Johan Stokking <[email protected]>
 Date: Mon May 27 14:39:05 2019 +0200
 4 files changed, 27 insertions(+), 4 deletions(-)
adriansmares@A98BCD2222F1:~/go/src/go.thethings.network/lorawan-stack$ git cherry-pick fe95aafb9959e841e920eaad39eb2e39b6ed24e6
[detached HEAD dce35a353] as: Fill Webhook downlink queue request context
 Date: Tue Jul 2 11:44:10 2019 +0200
 1 file changed, 1 insertion(+), 1 deletion(-)
adriansmares@A98BCD2222F1:~/go/src/go.thethings.network/lorawan-stack$ curl http://localhost:1885/api/v3/as/applications/app1/webhooks/wh1/devices/dev1/down/push   -X POST   -H 'Authorization: Bearer NNSXS.PRF4BDQMASLMRWXTV5HRM4TQUROQAHNTDR7EZTY.JK6XNLQYXQSNCAWZHFOXG6LCBINIEMVSDPR3OIORDVQF5FJCI6YA'   --data '{"downlinks":[{"frm_payload":"vu8=","f_port":15,"priority":"NORMAL"}]}'
adriansmares@A98BCD2222F1:~/go/src/go.thethings.network/lorawan-stack$ curl http://localhost:1885/api/v3/as/applications/app2/webhooks/wh1/devices/dev1/down/push   -X POST   -H 'Authorization: Bearer NNSXS.V3ZM2DMCSFK4YEBB55WA6MMY34YXQ6SARLJS4TQ.OILYCKNO5R25HYYZB6BPOJN5XLKWQZFXOIB77TJ464IDQBQ2YI7A'   --data '{"downlinks":[{"frm_payload":"vu8=","f_port":15,"priority":"NORMAL"}]}'

Since we don't have a master docker image, should we have a v3.0.3b release that includes these fixes? @johanstokking @htdvisser

I investigated _why_ the two commits actually fix this issue and found that the real cause is not directly related to them, but rather to the fact that in v3.0.3 the context used for rights checking is shared between requests.

In v3.0.3, the context used by the Webhooks component to check the rights of the request is w.ctx, which, if we follow it back to its creation, is the Component context, then filled using FillContext.
https://github.com/TheThingsNetwork/lorawan-stack/blob/e8450dac84c1d7ec685121957d7e8cd4ef67c013/pkg/applicationserver/applicationserver.go#L163
This looks harmless (or at least it did until today), until you realize that one of the context fillers is a rights cache, _which stays inside the context after first use_.
https://github.com/TheThingsNetwork/lorawan-stack/blob/e8450dac84c1d7ec685121957d7e8cd4ef67c013/pkg/identityserver/entity_access.go#L46-L69
https://github.com/TheThingsNetwork/lorawan-stack/blob/e8450dac84c1d7ec685121957d7e8cd4ef67c013/pkg/identityserver/identityserver.go#L146-L150

What happens is that the first request (for app1, or app2 - it doesn't really matter) sets the cache of the Webhooks context (w.ctx). w.ctx is FillContext-ed at creation and contains the authentication cache - so after the first request is made, the rights are saved inside the context.
https://github.com/TheThingsNetwork/lorawan-stack/blob/e8450dac84c1d7ec685121957d7e8cd4ef67c013/pkg/identityserver/entity_access.go#L64-L68
Follow-up requests are no longer served by the IS database and are instead filled from the cache. But since the API key that made the first request has no rights on the second application, the second request fails. The corollary is that any other requests that are not made by the first API key will fail by default.

TLDR: Probably https://github.com/TheThingsNetwork/lorawan-stack/pull/902/commits/e6ab950fa76bc8cdbe6dc519ec71b9deed2e7231 should be merged into the hotfix release as well.
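
The shared-context rights cache described in the comment above, reduced to a runnable model and shown beside a per-request context. This is an added example, not lorawan-stack code: keyStore, rightsCache, fillContext, requireRights, sharedPush, perRequestPush and the key names are hypothetical stand-ins.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Simplified model; every name here is hypothetical, not lorawan-stack code.
var errNoRights = errors.New("no_application_rights")
// keyStore stands in for the Identity Server database (constructed data): API key -> application.
var keyStore = map[string]string{"key-app1": "app1", "key-app2": "app2"}

// rightsCache remembers the first lookup made through the context carrying it.
type rightsCache struct{ filled bool; app string }
type cacheKey struct{}

// fillContext plays the role of a context filler: it attaches an empty cache.
func fillContext(ctx context.Context) context.Context {
	return context.WithValue(ctx, cacheKey{}, &rightsCache{})
}

// requireRights answers from the cache once it is filled, whoever is asking.
func requireRights(ctx context.Context, apiKey, app string) error {
	c := ctx.Value(cacheKey{}).(*rightsCache)
	if !c.filled {
		c.filled, c.app = true, keyStore[apiKey] // only the first caller hits the store
	}
	if c.app != app {
		return errNoRights
	}
	return nil
}

// sharedPush checks rights on one component-lifetime context, filled once at creation.
func sharedPush() func(context.Context, string, string) error {
	compCtx := fillContext(context.Background())
	return func(_ context.Context, k, a string) error { return requireRights(compCtx, k, a) }
}

// perRequestPush fills each request's own context, so the cache dies with the request.
func perRequestPush() func(context.Context, string, string) error {
	return func(r context.Context, k, a string) error { return requireRights(fillContext(r), k, a) }
}

// replay sends two downlink pushes, each with its own application's key.
func replay(push func(context.Context, string, string) error) [2]error {
	first := push(context.Background(), "key-app1", "app1")
	return [2]error{first, push(context.Background(), "key-app2", "app2")}
}

func main() {
	fmt.Println("shared:", replay(sharedPush()), "per-request:", replay(perRequestPush()))
}
```

With the shared context the second push is rejected even though its key is valid for its application; with a context filled per request both pushes pass.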
