Authorization with NMOS testing utility

[akanashin]

Hey! I'm working on NMOS node program, using Erlang. I have used Cowboy/Ranch libraries for HTTP/HTTPS API server.

Now, I'm using testing utility in docker. And I have enabled Authorization and HTTPS.

In my server program I have created and installed self-signed certificate and made changes in docker container to trust CA for this certificate. As result, curl utility from this docker image connects to my server using HTTPS protocol without complaints.

However, NMOS testing utility drops the handshake after receiving server certiicate.

I found this file: test_data/BCP00301/README.md and trying to make sense out of information.

• Does the utility only accepts HTTPS from server using provided certificates? Or they are required for the server to work with utility?
• Do both certificates (RSA, ECDSA) required at the same time?

I have attempted to use provided certificates as server-side certificates and was rejected again. Both chain and not-chain certificates were rejected.

Some details:

• i have set up TLSv1.2 protocol
• NMOS testing utility is running in docker with network=host and in the same address space as my server.
• server accepts whatever certificate/data was received from the client

So, now I'm in need of some help in understanding what is wrong in my environment and how do I configure my API server to work with Authorization.
Thanks

[lo-simon]

Hi @akanashin

Does the utility only accept HTTPS from a server using the provided certificates? Or they are required for the server to work with utility?

No, but you will need to configure the nmso-testing correctly, see explanation below:

Do both certificates (RSA, ECDSA) required at the same time?

For BCP-003-01 Secure Communication, it will test against both RSA and ECDSA certificates. For all other test suites, with the RSA will be good enough.

If you have generated your own certificate using the same domain as nmos-testing, testsuite.nmos.tv. Then only a few fields need to be specified for nmos-testing.

Step 1: Create your own copy of Config.py, name it UserConfig.py, and place it in the same folder as Config.py (I assume you have already done so).

Step 2: update the UserConfig.py with the following fields set:

# Switch on https
CONFIG.ENABLE_HTTPS = True
# If you have set up a DNS server setup, I would recommend enabling unicast
CONFIG.DNS_SD_MODE = 'unicast' 

# Using Authorization (IS-10)
CONFIG.ENABLE_AUTH = True

# If and only if the under test Node is using private_key_jwt, you must specify the JWKS_URI. The nmos-testing's mock Auth server uses the jwks_uri to locate the client
# JSON Web Key Set (JWKS) endpoint for the client JWKS to validate the client JWT (client_assertion) when fetching the bearer token
CONFIG.JWKS_URI = https://example_client/jwks e.g. "https://nmos-api.local:3218/x-authorization/jwks

# If the under test node is an Authorization Code Grant OAuth client, you need to set the redirect_uri. The nmos-testing's mock Auth server redirects the user-agent back to the clientwith the authorization code.
CONFIG.REDIRECT_URI = https://example_client/callback e.g. "https://nmos-api.local:3219/x-authorization/callback

Step 3: More fields are required if you are using your own domain for your certificates. See Config.json for descriptions

CONFIG.DNS_DOMAIN =

CONFIG.AUTH_TOKEN_ISSUER =
CONFIG.AUTH_TOKEN_PRIVKEY =
CONFIG.AUTH_TOKEN_PUBKEY =

# Set a Query API hostname/IP and port for use when operating without DNS-SD
CONFIG.QUERY_API_HOST = 
CONFIG.QUERY_API_PORT = 

CONFIG.CERT_TRUST_ROOT_CA = 
CONFIG.KEY_TRUST_ROOT_CA =
CONFIG.CERTS_MOCKS = 
CONFIG.KEYS_MOCKS = 

[jonathan-r-thorpe]

I would advise getting the TLS (HTTPS) working first before tackling Authorization.

# Using Authorization (IS-10)
CONFIG.ENABLE_AUTH = False

[akanashin]

Thanks! Now I made HTTPS work, thanks for points given!

Btw, there's no Config.json file anywhere I look. Can You point to its location?

Now, You've said "testing utility works with domain testsuite.nmos.tv". I run testing utility in docker with cmd line --network=host. My laptop does not have any domains configured. hostname -A returns "ThinkPad". What domain the utility sees?

[jonathan-r-thorpe]

The config is Config.py, not Config.json and is found in the nmostesting directory.

As Simon says above, the best practice is to create a file called UserConfig.py and set user defined configuration in that file. An example user config can be found in the nmostesting directory called UserConfig.example.py.

You may need to update the hosts file of your laptop to map the names to actual IPs.

[akanashin]

Can I get help with another issue?
Working with tokens and doing request from token's iss (Secondary Auth server in nmos-testing utility) I'm getting TLS error:

ssl_handshake.erl:2182 notice: TLS client: In state certify at ssl_handshake.erl:2182 generated CLIENT ALERT: Fatal - Unknown CA
src/nmos/nmos_http_client.erl:110 error: nmos_http_client(<0.1540.0>,connecting): gun is down with status={shutdown,{tls_alert,{unknown_ca,"TLS client: In state certify at ssl_handshake.erl:2182 generated CLIENT ALERT: Fatal - Unknown CA\n"}}}

This happens although communication with the main Auth server in the utility works perfectly fine.

So the question: does secondary Auth server use different TLS configuration than the main one? I use the same HTTP(s) client with the same configuration for both or them.

Thanks

[jonathan-r-thorpe]

Yes, the secondary Auth server generates a new cert and private key but based on the same CA cert as the primary Auth server which is the one found at test_data/BCP00301/ca/certs/ca.cert.pem

[akanashin]

Thanks