fix: device.id is derived from device certificate if certificate exists

[rina23q]

Proposed changes

• device.id always uses the value from a device certificate. If no certificate exists, it returns a value from the tedge.toml file. Both don't exist, finally it returns an error.

• tedge connect doesn't validate if device certficate's CN matches the value from the tedge.toml file. It just consume the value from device.id.

• tedge cert create creates a cert, which CN is determined by this order. 1) the value given by the --device-id option, 2) the value from tedge config get <corresponding_device_id_key>

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Improvement (general improvements like code refactoring that doesn't explicitly fix a bug or add any new functionality)
• Documentation Update (if none of the other choices apply)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Paste Link to the issue

#3369

Checklist

• I have read the CONTRIBUTING doc
• I have signed the CLA (in all commits with git commit -s)
• I ran cargo fmt as mentioned in CODING_GUIDELINES
• I used cargo clippy as mentioned in CODING_GUIDELINES
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Further comments

[reubenmiller]

tedge cert create always creates a cert with the value given by the --device-id option. It doesn't matter if user configure device.id in the tedge config settings explicitly.

The phrasing sounds a little strange here. The precedence of source of the device.id value just follows the cli convention of: argument => env variable => configuration, where the first value present is used.

[codecov]

Codecov Report

Attention: Patch coverage is 83.33333% with 7 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
.../tedge_config/src/tedge_config_cli/tedge_config.rs	81.81%	4 Missing ⚠️
crates/core/tedge/src/cli/certificate/cli.rs	89.47%	1 Missing and 1 partial ⚠️
crates/core/tedge/src/cli/connect/command.rs	0.00%	1 Missing ⚠️

Additional details and impacted files

📢 Thoughts on this report? Let us know!

[github-actions]

Robot Results

✅ Passed	❌ Failed	⏭️ Skipped	Total	Pass %	⏱️ Duration
570	0	3	570	100	1h32m5.072187s

[rina23q]

tedge cert create always creates a cert with the value given by the --device-id option. It doesn't matter if user configure device.id in the tedge config settings explicitly.

The phrasing sounds a little strange here. The precedence of source of the device.id value just follows the cli convention of: argument => env variable => configuration, where the first value present is used.

Yeah I fixed the phrasing. Prioritizing the argument is what this PR fixed. Note that the order of env variable => configuration is the responsibility of the tedge config settings and should be this order for all configs.

[didier-wenzek]

Okay we have now a more consistent behavior regarding device id / tedge config / tedge connect.

However, it would be good to add 4 independent tests matching exactly the 4 cases described by #3369. The current tests are useful but a bit complicated to follow because very dependent of the whole sequence of check vs tear-down steps.

[didier-wenzek]

I was expecting a cascading behavior here: i.e. if there is no specific device id for a cloud profile, then the general device id is used.

Is this because explicit paths have set for the misc cloud profiles?

I got it: this is because no device id has been set in the config file.

I would be good to have a more consistent cascading behavior.

[rina23q]

I would be good to have a more consistent cascading behavior.

If no specific device.cert_path is set for a cloud profile, the result here will be different.

# Remove specific paths 
$ tedge config unset c8y.device.cert_path
$ tedge config unset c8y.device.cert_path --device foo

# create a new cert for the generic one
$ tedge config cert create --device-id input

# get device ids
$ tedge config get device.id
input
$ tedge config get c8y.device.id
input
$ tedge config get c8y.device.id --profile foo
input

[reubenmiller]

This behaviour also caught me by surprise as setting a cloud profile certificate path changes the device.id value returned, even if the cloud profile certificate does not exist...though after reviewing it, it seems to make sense as the act of creating a different cert path for a cloud profile, will decouple it from the generic/default certificate...so it makes it easier for system users to control the device.id inheritance without forcing them to create the certificate.

[rina23q]

However, it would be good to add 4 independent tests matching exactly the 4 cases described by #3369. The current tests are useful but a bit complicated to follow because very dependent of the whole sequence of check vs tear-down steps.

Added a new suite (tests/RobotFramework/tests/tedge/device_id.robot) to cover all the four cases in ef49eeb

[didier-wenzek]

Approved. Thanks for taking the time to make more consistent how the device id is used across the misc tedge cert / config and connect API.

[didier-wenzek]

This is the cascading behavior I was expecting.

[reubenmiller]

Approved (only 1 minor test case renaming required)

Overall it would benefit from splitting the "Device ID derivation" into individual test cases (and possibly moving it to a new Test Suite so it can use a single "Suite Setup" and reuse the same device for all test cases with suitable cleanup logic between tests)...however this is not a blocker for merging the PR.