rdkcentral · lstruman · Sep 5, 2024 · Sep 3, 2024 · Sep 3, 2024 · Sep 5, 2024
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,30 @@
+name: CodeQL
+
+on:
+  pull_request:
+  push:
+    branches: [ main ]
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: go   # ✅ ONLY GO
+
+      - run: go build ./...
+
+      - uses: github/codeql-action/analyze@v3
+        with:
+          upload: false  # ← ADD THIS LINE
diff --git a/.gitignore b/.gitignore
@@ -14,8 +14,13 @@
 # Dependency directories (remove the comment below to include it)
 # vendor/
 
-# #####################
+# ignored files
 bin/*
 .vscode/*
 .env
 *.sh
+
+# Ignore OpenSpec generated files and folders
+openspec/
+.github/
+.claude/
diff --git a/Makefile b/Makefile
@@ -30,6 +30,9 @@ BUILDTIME := $(shell date -u +"%F_%T_%Z")
 all: build
 testall: test testsqlite testyuga
 
+testenv:  ## Run all tests sourcing env.sh for TEST_CONFIG_FILE
+	bash -c "source env.sh && go test ./... -cover -count=1"
+
 build:  ## Build a version
 	go build -v -ldflags="-X ${REPO}/common.BinaryBranch=${BRANCH} -X ${REPO}/common.BinaryVersion=${Version} -X ${REPO}/common.BinaryBuildTime=${BUILDTIME}" -o bin/${PROJ}-${GOOS}-${GOARCH} main.go
 

diff --git a/README.md b/README.md
@@ -8,7 +8,7 @@ Webconfig supports 2 types of transport between cloud and devices
 2. mqtt
 
 ## Install go
-This project is written and tested with Go **1.17**.
+This project is written and tested with Go **1.21**.
 
 ## Build the binary
 ```shell
@@ -78,6 +78,98 @@ The actual kafka topic names can be any. Below is just an example. "topics" shou
         }
 ```
 
+#### Kafka TLS/SSL Configuration
+
+Webconfig supports secure TLS/SSL connections to Kafka brokers for both consumers and producers. This is recommended for production environments to ensure data encryption in transit and proper authentication.
+
+**TLS Configuration Options:**
+
+- `tls.enabled` - Enable/disable TLS for Kafka connections (default: false)
+- `tls.cert_file` - Path to client certificate file for mTLS authentication (optional)
+- `tls.key_file` - Path to client private key file for mTLS authentication (optional)
+- `tls.ca_cert_file` - Path to CA certificate file for broker verification (optional)
+- `tls.insecure_skip_verify` - Skip certificate verification (insecure, for testing only, default: false)
+
+**Consumer TLS Configuration Example:**
+
+```shell
+    kafka {
+        enabled = true
+        brokers = "kafka-broker:9093"  # Use secure port
+        topics = "config-version-report"
+        consumer_group = "webconfig"
+
+        tls {
+            enabled = true
+            cert_file = "/etc/webconfig/kafka/client.crt"
+            key_file = "/etc/webconfig/kafka/client.key"
+            ca_cert_file = "/etc/webconfig/kafka/ca.crt"
+            insecure_skip_verify = false
+        }
+
+        # Per-cluster TLS configuration
+        clusters {
+            mesh {
+                enabled = true
+                brokers = "kafka-mesh:9093"
+                topics = "staging-chi-onewifi-from-device"
+
+                tls {
+                    enabled = true
+                    cert_file = "/etc/webconfig/kafka/mesh-client.crt"
+                    key_file = "/etc/webconfig/kafka/mesh-client.key"
+                    ca_cert_file = "/etc/webconfig/kafka/mesh-ca.crt"
+                }
+            }
+        }
+    }
+```
+
+**Producer TLS Configuration Example:**
+
+```shell
+    kafka_producer {
+        enabled = true
+        brokers = "kafka-broker:9093"
+        topic = "webconfig_downstream"
+
+        tls {
+            enabled = true
+            cert_file = "/etc/webconfig/kafka/producer-client.crt"
+            key_file = "/etc/webconfig/kafka/producer-client.key"
+            ca_cert_file = "/etc/webconfig/kafka/ca.crt"
+        }
+    }
+```
+
+**Certificate Requirements:**
+
+1. **Client Certificate (mTLS)**: If `cert_file` and `key_file` are provided, mutual TLS authentication is enabled. The certificate and key must be in PEM format.
+
+2. **CA Certificate**: If `ca_cert_file` is provided, it will be used to verify the Kafka broker's certificate. This is useful when using self-signed certificates or internal CAs.
+
+3. **Certificate Validation**: All certificate files are validated at startup. The application will fail to start with clear error messages if:
+   - Certificate files are missing or unreadable
+   - Certificates are in invalid format
+   - Certificate and key don't match
+
+**TLS Security Best Practices:**
+
+1. **Use TLS in Production**: Always enable TLS for production Kafka connections to encrypt data in transit
+2. **Use mTLS**: Provide client certificates (`cert_file` and `key_file`) for mutual authentication
+3. **Verify Certificates**: Never use `insecure_skip_verify = true` in production - it disables certificate verification and is insecure
+4. **Protect Certificate Files**: Set appropriate file permissions (0600) on certificate and key files
+5. **Use Secure Ports**: Configure Kafka brokers to listen on secure ports (typically 9093 for TLS)
+6. **Certificate Rotation**: Plan for certificate rotation - the service must be restarted to pick up new certificates
+
+**Troubleshooting TLS Issues:**
+
+- Check logs for TLS-related errors during startup
+- Verify certificate file paths are correct and files are readable
+- Ensure Kafka brokers are configured to accept TLS connections
+- Test certificate validity: `openssl x509 -in client.crt -text -noout`
+- Verify certificate and key match: `openssl x509 -noout -modulus -in client.crt | openssl md5` vs `openssl rsa -noout -modulus -in client.key | openssl md5`
+
 ### Configuration for database
 The main database operations are defined as an interface. Any driver that implements the interface should work. We has implemented using sqlite, cassandra and yugabytedb. After the db is properly configured, the dbinit.cql can be used to create the tables for cassandra.
 

diff --git a/common/bitmap.go b/common/bitmap.go
@@ -0,0 +1,173 @@
+/**
+* Copyright 2021 Comcast Cable Communications Management, LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+ */
+package common
+
+// header X-System-Supported-Docs
+type BitMaskTuple struct {
+	GroupBit int
+	CpeBit   int
+}
+
+// The group based bitmaps will be merged into 1 cpe bitmap
+// 1: []BitMaskTuple{ // meta_group_id: defined by RDK
+//
+//	BitMaskTuple{1, 1},  // {"index_of_bit_from_lsb" for a group bitmap, "index_of_bit_from_lsb" for the cpe bitmap
+var (
+	SupportedDocsBitMaskMap = map[int][]BitMaskTuple{
+		1: {
+			{1, 1},
+			{2, 2},
+			{3, 3},
+			{4, 4},
+			{5, 5},
+			{6, 6},
+			{7, 29}, // connectedbuilding
+			{8, 35}, // xmspeedboost
+			{9, 40}, // webui
+		},
+		2: {
+			{1, 7},
+			{2, 8},
+			{3, 9},
+		},
+		3: {
+			{1, 10},
+		},
+		4: {
+			{1, 11},
+		},
+		5: {
+			{1, 12},
+		},
+		6: {
+			{1, 13}, // mesh
+			{2, 31}, // clienttosteeringprofile
+			{3, 36}, // meshsteeringprofiles
+			{4, 37}, // wifistatsconfig
+			{5, 38}, // mwoconfigs
+			{6, 39}, // interference
+			{7, 34}, // wifimotionsettings
+			{8, 41}, // channelplan
+		},
+		7: {
+			{1, 14},
+		},
+		8: {
+			{1, 15},
+			{2, 32},
+			{3, 33},
+		},
+		9: {
+			{1, 16},
+			{2, 17},
+		},
+		10: {
+			{1, 18},
+			{2, 19},
+		},
+		11: {
+			{1, 20},
+			{2, 25},
+		},
+		12: {
+			{1, 21},
+			{2, 23},
+		},
+		13: {
+			{1, 22},
+		},
+		14: {
+			{1, 24},
+		},
+		15: {
+			{1, 26},
+			{2, 27},
+		},
+		16: {
+			{1, 28},
+		},
+		17: {
+			{1, 30},
+		},
+	}
+)
+
+var (
+	SubdocBitIndexMap = map[string]int{
+		"portforwarding":          1,
+		"lan":                     2,
+		"wan":                     3,
+		"macbinding":              4,
+		"hotspot":                 5,
+		"bridge":                  6,
+		"privatessid":             7,
+		"homessid":                8,
+		"radio":                   9,
+		"moca":                    10,
+		"xdns":                    11,
+		"advsecurity":             12,
+		"mesh":                    13,
+		"aker":                    14,
+		"telemetry":               15,
+		"statusreport":            16,
+		"trafficreport":           17,
+		"interfacereport":         18,
+		"radioreport":             19,
+		"telcovoip":               20,
+		"wanmanager":              21,
+		"voiceservice":            22,
+		"wanfailover":             23,
+		"cellularconfig":          24,
+		"telcovoice":              25,
+		"gwfailover":              26,
+		"gwrestore":               27,
+		"prioritizedmacs":         28,
+		"connectedbuilding":       29,
+		"lldqoscontrol":           30,
+		"clienttosteeringprofile": 31,
+		"defaultrfc":              32,
+		"rfc":                     33,
+		"wifimotionsettings":      34,
+		"xmspeedboost":            35,
+		"meshsteeringprofiles":    36,
+		"wifistatsconfig":         37,
+		"mwoconfigs":              38,
+		"interference":            39,
+		"webui":                   40,
+		"channelplan":             41,
+	}
+)
+
+func GetDefaultSupportedSubdocMap() map[string]bool {
+	m := make(map[string]bool)
+	for k := range SubdocBitIndexMap {
+		m[k] = false
+	}
+	return m
+}
+
+func BuildSupportedSubdocMapWithDefaults(supportedSubdocIds []string) map[string]bool {
+	m := make(map[string]bool)
+	for k := range SubdocBitIndexMap {
+		m[k] = false
+	}
+	for _, s := range supportedSubdocIds {
+		m[s] = true
+	}
+	return m
+}
diff --git a/common/bitmap_test.go b/common/bitmap_test.go
@@ -0,0 +1,47 @@
+/**
+* Copyright 2021 Comcast Cable Communications Management, LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+*/
+package common
+
+import (
+	"slices"
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+func TestGetDefaultSupportedSubdocMap(t *testing.T) {
+	m := GetDefaultSupportedSubdocMap()
+	assert.Equal(t, len(m), len(SubdocBitIndexMap))
+}
+
+func TestBuildSupportedSubdocMapWithDefaults(t *testing.T) {
+	supportedSubdocIds := []string{
+		"lan",
+		"wan",
+		"macbinding",
+		"hotspot",
+		"privatessid",
+	}
+	m := BuildSupportedSubdocMapWithDefaults(supportedSubdocIds)
+	assert.Equal(t, len(m), len(SubdocBitIndexMap))
+	for k := range m {
+		if m[k] {
+			assert.Assert(t, slices.Contains(supportedSubdocIds, k))
+		}
+	}
+}