How to implement RPC Security

#1

Hey people,
I’m trying to find a tutorial about this, but I only found the documentation.
The problem is that it does not show how to make the call using the user/password; it only explains how to implement it.
My objective here is to document what I’m able to execute and how I do it, and hopefully I will finish it. Feel free to help, please.

To be able to call RPC, we need to add the lib rpc-common.
This lib allows us to configure authentication and authorisation through 3 system variables:

- ["rpc.acl_file", "s", "<some json file name>", {title: "File with RPC ACL JSON"}]
- ["rpc.auth_domain", "s", "<some string>",{title: "Realm to use for digest authentication"}]
- ["rpc.auth_file", "s", "<some text file name>", {title: "File with user credentials in the htdigest format"}]

rpc.acl_file and rpc.auth_file are files (duh! :stuck_out_tongue_closed_eyes:), so we need to add them to the filesystem, explained here - TODO.
The rpc.acl_file is already explained in the documentation.
The rpc.auth_file format is the htdigest standard format, which is the same as for HTTP Digest authentication, and it can be managed with Apache’s htdigest. This standard is described in RPC, and basically follows the structure:

user1:rpc.auth_domain:MD5(user1:rpc.auth_domain:pass1)
user2:rpc.auth_domain:MD5(user2:rpc.auth_domain:pass2)

To test, we simply call the RPC with user/password authentication on any supported channel: serial (UART), HTTP/Restful, WebSocket, MQTT, Bluetooth.

  • UART: Simply call mos call <RPC name> --rpc-creds=user1:pass1 (thanks to this)
  • HTTP/Restful: TODO
  • WebSocket: TODO
  • MQTT: TODO
  • Bluetooth: TODO

So far I have only called via UART. When I find out about the other channels, I will edit this.
Questions about this:
RPC Security Configuration Failure (rpc.acl_file not saved)
RPC authentication & authorisation
Disable RPC channels at runtime
RPCs: Switching from HTTPS to Secure Web Sockets
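
An added example, not part of the original post and not Mongoose OS code: a small Python helper that writes rpc.auth_file entries in the htdigest layout shown above, checks a password against them, and flags entries whose realm field does not match rpc.auth_domain. The realm, users and passwords are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

def htdigest_line(user, realm, password):
    """Return 'user:realm:MD5(user:realm:password)' with the hash as hex."""
    if ":" in user or ":" in realm:
        raise ValueError("user and realm must not contain ':'")
    # MD5 is what the htdigest format prescribes; it is not a choice made here.
    digest = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{user}:{realm}:{digest}"

def parse_auth_file(text):
    """Parse htdigest text into {(user, realm): hex_digest}; reject bad lines."""
    entries = {}
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or len(parts[2]) != 32:
            raise ValueError(f"line {number}: expected user:realm:<32 hex chars>")
        entries[(parts[0], parts[1])] = parts[2].lower()
    return entries

def check_password(entries, user, realm, password):
    """True if the password matches the stored digest for (user, realm)."""
    stored = entries.get((user, realm))
    if stored is None:
        return False
    candidate = htdigest_line(user, realm, password).rsplit(":", 1)[1]
    return hmac.compare_digest(stored, candidate)

def realm_mismatches(entries, auth_domain):
    """Users whose realm field differs from the configured rpc.auth_domain."""
    return sorted(user for (user, realm) in entries if realm != auth_domain)

# Constructed sample: user2 was created under a different realm by mistake.
AUTH_DOMAIN = "example-realm"
SAMPLE = "\n".join([
    htdigest_line("user1", AUTH_DOMAIN, "pass1"),
    htdigest_line("user2", "other-realm", "pass2"),
])

if __name__ == "__main__":
    entries = parse_auth_file(SAMPLE)
    print(SAMPLE)
    print("user1 ok:", check_password(entries, "user1", AUTH_DOMAIN, "pass1"))
    print("realm mismatches:", realm_mismatches(entries, AUTH_DOMAIN))
```

Because the realm is part of the hashed string, changing rpc.auth_domain after the file was generated means every entry has to be regenerated with the new realm.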