Merge branch 'master' of https://github.com/NTIA/scos-sensor into wai…

…t_until_db_ready

configs/actions/readme.md

@@ -0,0 +1,3 @@
+# Actions
+
+Add yaml configs for actions in this directory to create additional actions.

configs/certs/README.md

@@ -1,3 +1,3 @@
 # Certs
 
-Add SSL certs and JWT public key here.
+Add SSL certs here.

configs/default_calibration.json

@@ -0,0 +1,16 @@
+{
+  "calibration_data":{
+    "datetime": "1970-01-01T00:00:00.000000Z",
+    "gain": 0,
+    "noise_figure": 0.0,
+    "1db_compression_point": null,
+    "enbw": null,
+    "temperature": 26.85
+  },
+  "last_calibration_datetime": "1970-01-01T00:00:00.000000Z",
+  "calibration_parameters": [],
+  "clock_rate_lookup_by_sample_rate": [
+  ],
+  "sensor_uid": "DEFAULT CALIBRATION",
+  "calibration_reference": "noise source output"
+}

docker-compose.yml

@@ -39,14 +39,15 @@ services:
         - DEBUG
         - DOCKER_GIT_CREDENTIALS
     environment:
+      - ADMIN_NAME
       - ADMIN_EMAIL
       - ADMIN_PASSWORD
+      - ADDITIONAL_USER_NAMES
+      - ADDITIONAL_USER_PASSWORD
       - AUTHENTICATION
       - CALLBACK_AUTHENTICATION
       - CALLBACK_SSL_VERIFICATION
       - CALLBACK_TIMEOUT
-      - CLIENT_ID
-      - CLIENT_SECRET
       - DEBUG
       - DOCKER_TAG
       - DOMAINS
@@ -60,15 +61,17 @@ services:
       - MAX_DISK_USAGE
       - MOCK_SIGAN
       - MOCK_SIGAN_RANDOM
-      - OAUTH_TOKEN_URL
       - PATH_TO_CLIENT_CERT
-      - PATH_TO_JWT_PUBLIC_KEY
       - PATH_TO_VERIFY_CERT
       - POSTGRES_PASSWORD
       - SCOS_SENSOR_GIT_TAG
       - SECRET_KEY
+      - SIGAN_MODULE
+      - SIGAN_CLASS
       - SIGAN_POWER_SWITCH
       - SIGAN_POWER_CYCLE_STATES
+      - RUNNING_MIGRATIONS
+      - USB_DEVICE
     expose:
       - '8000'
     volumes:

docker/Dockerfile-api

@@ -6,7 +6,7 @@ RUN apt-get update -q && \
                    apt-get install -qy --no-install-recommends \
                    libusb-1.0-0 libpython3.8 \
                    git smartmontools \
-                   python3-pip python3.8 python3.8-dev && \
+                   python3-pip python3.8 python3.8-dev usbutils && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
 
 ENV PYTHONUNBUFFERED 1
@@ -27,9 +27,6 @@ COPY ./gunicorn /gunicorn
 RUN mkdir -p /entrypoints
 COPY ./entrypoints/api_entrypoint.sh /entrypoints
 
-RUN mkdir -p /scripts
-COPY ./scripts/create_superuser.py /scripts
-
 RUN chmod +x /entrypoints/api_entrypoint.sh
 
 COPY ./configs /configs

docs/openapi.json

@@ -14,7 +14,7 @@
     },
     "host": "testserver",
     "schemes": [
-        "http"
+        "https"
     ],
     "basePath": "/api",
     "consumes": [
@@ -24,14 +24,21 @@
         "application/json"
     ],
     "securityDefinitions": {
+        "cert": {
+            "type": "cert",
+            "description": "Certificate based mutual TLS authentication. AUTHENTICATION must be set to 'CERT'. This is done by the client verifying the server certificate and the server verifying the client certificate. The client certificate Common Name (CN) should contain the username of a user that exists in the database. Client certificate verification is handled by NGINX. For more information, see https://www.rfc-editor.org/rfc/rfc5246."
+        },
         "token": {
             "type": "apiKey",
-            "description": "Tokens are automatically generated for all users. You can view yours by going to your User Details view in the browsable API at `/api/v1/users/me` and looking for the `auth_token` key. New user accounts do not initially have a password and so can not log in to the browsable API. To set a password for a user (for testing purposes), an admin can do that in the Sensor Configuration Portal, but only the account's token should be stored and used for general purpose API access. Example cURL call: `curl -kLsS -H \"Authorization: Token 529c30e6e04b3b546f2e073e879b75fdfa147c15\" https://localhost/api/v1`",
+            "description": "Tokens are automatically generated for all users. You can view yours by going to your User Details view in the browsable API at `/api/v1/users/me` and looking for the `auth_token` key. New user accounts do not initially have a password and so can not log in to the browsable API. To set a password for a user (for testing purposes), an admin can do that in the Sensor Configuration Portal, but only the account's token should be stored and used for general purpose API access. Example cURL call: `curl -kLsS -H \"Authorization: Token 529c30e6e04b3b546f2e073e879b75fdfa147c15\" https://localhost/api/v1`. AUTHENTICATION should be set to 'TOKEN'",
             "name": "Token",
             "in": "header"
         }
     },
     "security": [
+        {
+            "cert": []
+        },
         {
             "token": []
         }
@@ -642,13 +649,13 @@
             },
             "parameters": [
                 {
-                    "name": "format",
+                    "name": "schedule_entry_name",
                     "in": "path",
                     "required": true,
                     "type": "string"
                 },
                 {
-                    "name": "schedule_entry_name",
+                    "name": "format",
                     "in": "path",
                     "required": true,
                     "type": "string"
@@ -752,12 +759,6 @@
                 ]
             },
             "parameters": [
-                {
-                    "name": "format",
-                    "in": "path",
-                    "required": true,
-                    "type": "string"
-                },
                 {
                     "name": "schedule_entry_name",
                     "in": "path",
@@ -770,6 +771,12 @@
                     "description": "The id of the task relative to the result",
                     "required": true,
                     "type": "integer"
+                },
+                {
+                    "name": "format",
+                    "in": "path",
+                    "required": true,
+                    "type": "string"
                 }
             ]
         },
@@ -804,12 +811,6 @@
                 ]
             },
             "parameters": [
-                {
-                    "name": "format",
-                    "in": "path",
-                    "required": true,
-                    "type": "string"
-                },
                 {
                     "name": "schedule_entry_name",
                     "in": "path",
@@ -822,6 +823,12 @@
                     "description": "The id of the task relative to the result",
                     "required": true,
                     "type": "integer"
+                },
+                {
+                    "name": "format",
+                    "in": "path",
+                    "required": true,
+                    "type": "string"
                 }
             ]
         },
@@ -911,13 +918,13 @@
             },
             "parameters": [
                 {
-                    "name": "format",
+                    "name": "schedule_entry_name",
                     "in": "path",
                     "required": true,
                     "type": "string"
                 },
                 {
-                    "name": "schedule_entry_name",
+                    "name": "format",
                     "in": "path",
                     "required": true,
                     "type": "string"
@@ -1570,17 +1577,17 @@
             },
             "parameters": [
                 {
-                    "name": "format",
+                    "name": "id",
                     "in": "path",
+                    "description": "A unique integer value identifying this user.",
                     "required": true,
-                    "type": "string"
+                    "type": "integer"
                 },
                 {
-                    "name": "id",
+                    "name": "format",
                     "in": "path",
-                    "description": "A unique integer value identifying this user.",
                     "required": true,
-                    "type": "integer"
+                    "type": "string"
                 }
             ]
         },

entrypoints/api_entrypoint.sh

@@ -10,17 +10,11 @@ function cleanup_demodb {
 
 trap cleanup_demodb SIGTERM
 trap cleanup_demodb SIGINT
-# This is done to avoid loading actions and connecting to the sigan when migrations are applied and when
-# the super user is created.
-cp sensor/migration_settings.py sensor/settings.py
+RUNNING_MIGRATIONS="True"
+export RUNNING_MIGRATIONS
 echo "Starting Migrations"
 python3.8 manage.py migrate
-
-
-echo "Creating superuser (if managed)"
-python3.8 /scripts/create_superuser.py
-cp sensor/runtime_settings.py sensor/settings.py
-
+RUNNING_MIGRATIONS="False"
 echo "Starting Gunicorn"
 exec gunicorn sensor.wsgi -c ../gunicorn/config.py &
 wait

env.template

@@ -6,76 +6,93 @@
 # Mark all the following variables for export
 set -o allexport
 
-# https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-SECRET_KEY
-# SECURITY WARNING: generate unique key with `manage.py generate_secret_key`
-SECRET_KEY="$(python3 -c 'import secrets; print(secrets.token_urlsafe(64))')"
-ENCRYPT_DATA_FILES=true
-ENCRYPTION_KEY="$(python3 -c 'import secrets; import base64; print(base64.b64encode(secrets.token_bytes(32)).decode("utf-8"))')"
+#Any names here will be added as additional users with the
+#specified additional user password
+ADDITIONAL_USER_NAMES="" # comma separated
+ADDITIONAL_USER_PASSWORD=""
 
-# Get scos-sensor branch name
-SCOS_SENSOR_GIT_TAG="$(git describe --tags)"
+# If admin user email and password set, admin user will be generated.
+ADMIN_EMAIL="[email protected]"
+ADMIN_NAME=admin
+ADMIN_PASSWORD=password
+
+# set to CERT to enable scos-sensor certificate authentication
+AUTHENTICATION=TOKEN
+
+BASE_IMAGE=ghcr.io/ntia/scos-tekrsa/tekrsa_usb:0.2.3
+# Default callback api/results
+# Set to CERT for certificate authentication
+CALLBACK_AUTHENTICATION=TOKEN
+# Set to false to disable SSL cert verification in the callback POST request
+CALLBACK_SSL_VERIFICATION=false
+
+#Set the number of seconds before timeout in postback when a scheduled
+#action completes
+CALLBACK_TIMEOUT=2
 
 # SECURITY WARNING: don't run with debug turned on in production!
 # Use either true or false
 DEBUG=true
 
+DEVICE_MODEL=RSA507A
+
+# Use latest as default for local development
+DOCKER_TAG=latest
+
 # A space-separated list of domain names and IPs
 DOMAINS="localhost $(hostname -d) $(hostname -s).local"
-IPS="$(hostname -I) 127.0.0.1"
+
+ENCRYPT_DATA_FILES=true
+
+ENCRYPTION_KEY="$(python3 -c 'import secrets; import base64; print(base64.b64encode(secrets.token_bytes(32)).decode("utf-8"))')"
+
 FQDN="$(hostname -f)"
 
-# SECURITY WARNING: You should be using certs from a trusted authority.
-#                   If you don't have any, try letsencrypt or a similar service.
-# Provide the absolute path to your ssl certificate and key
-# Paths relative to configs/certs
-REPO_ROOT=$(git rev-parse --show-toplevel)
-SSL_CERT_PATH=sensor01.pem
-SSL_KEY_PATH=sensor01.pem
-SSL_CA_PATH=scos_test_ca.crt
-# Use latest as default for local development
-DOCKER_TAG=latest
 GIT_BRANCH="git:$(git rev-parse --abbrev-ref HEAD)@$(git rev-parse --short HEAD)"
 
-# If admin user email and password set, admin user will be generated.
-ADMIN_EMAIL="[email protected]"
-ADMIN_PASSWORD=password
+IPS="$(hostname -I) 127.0.0.1"
 
 # Session password for Postgres. Username is "postgres".
 # SECURITY WARNING: generate unique key with something like
 #                   `openssl rand -base64 12`
 POSTGRES_PASSWORD="$(python3 -c 'import secrets; import base64; print(base64.b64encode(secrets.token_bytes(32)).decode("utf-8"))')"
 
-# Set to enable monitoring sensors with your sentry.io account
-SENTRY_DSN=
+# set default manager FQDN and IP to this machine
+MANAGER_FQDN="$(hostname -f)"
+MANAGER_IP="$(hostname -I | cut -d' ' -f1)"
+
+# Sensor certificate with private key used as client cert for callback URL
+# Paths relative to configs/certs
+PATH_TO_CLIENT_CERT=sensor01.pem
+# Trusted Certificate Authority certificate to verify callback URL server certificate
+PATH_TO_VERIFY_CERT=scos_test_ca.crt
+
+REPO_ROOT=$(git rev-parse --show-toplevel)
+# Get scos-sensor branch name
+SCOS_SENSOR_GIT_TAG="$(git describe --tags)"
+
+# https://docs.djangoproject.com/en/1.11/ref/settings/#std:setting-SECRET_KEY
+# SECURITY WARNING: generate unique key with `manage.py generate_secret_key`
+SECRET_KEY="$(python3 -c 'import secrets; print(secrets.token_urlsafe(64))')"
+
+SIGAN_CLASS=TekRSASigan
+SIGAN_MODULE=scos_tekrsa.hardware.tekrsa_sigan
+
+# SECURITY WARNING: You should be using certs from a trusted authority.
+#                   If you don't have any, try letsencrypt or a similar service.
+# Provide the absolute path to your ssl certificate and key
+# Paths relative to configs/certs
+SSL_CA_PATH=scos_test_ca.crt
+SSL_CERT_PATH=sensor01.pem
+SSL_KEY_PATH=sensor01.pem
 
+USB_DEVICE=Tektronix
+
+
+# Debug dependant settings
 if $DEBUG; then
     GUNICORN_LOG_LEVEL=debug
     RAY_record_ref_creation_sites=1
 else
     GUNICORN_LOG_LEVEL=info
 fi
-
-# Set to false to disable SSL cert verification in the callback POST request
-CALLBACK_SSL_VERIFICATION=true
-
-# set default manager FQDN and IP to this machine
-MANAGER_FQDN="$(hostname -f)"
-MANAGER_IP="$(hostname -I | cut -d' ' -f1)"
-
-BASE_IMAGE=ghcr.io/ntia/scos-tekrsa/tekrsa_usb:0.2.3
-# Default callback api/results
-# Set to OAUTH if using OAuth Password Flow Authentication, callback url needs to be api/v2/results
-CALLBACK_AUTHENTICATION=TOKEN
-CALLBACK_TIMEOUT=2
-
-CLIENT_ID=sensor01.sms.internal
-CLIENT_SECRET=sensor-secret
-
-# Sensor certificate with private key used as client cert
-PATH_TO_CLIENT_CERT=sensor01.pem
-# Trusted Certificate Authority certificate to verify authserver and callback URL server certificate
-PATH_TO_VERIFY_CERT=scos_test_ca.crt
-# Path relative to configs/certs
-PATH_TO_JWT_PUBLIC_KEY=jwt_pubkey.pem
-# set to JWT to enable JWT authentication
-AUTHENTICATION=TOKEN