lf-edge
diff --git a/‎docs/CONFIG-PROPERTIES.md
+1 b/‎docs/CONFIG-PROPERTIES.md
+1
diff --git a/‎docs/EDGEVIEW-CONTAINER-API.md
+66 b/‎docs/EDGEVIEW-CONTAINER-API.md
+66
diff --git a/‎docs/images/edgeview-authen-enhance-cert.png
-28.2 KB b/‎docs/images/edgeview-authen-enhance-cert.png
-28.2 KB
diff --git a/‎pkg/edgeview/go.mod
+1-1 b/‎pkg/edgeview/go.mod
+1-1
diff --git a/‎pkg/edgeview/go.sum
+2 b/‎pkg/edgeview/go.sum
+2
diff --git a/‎pkg/edgeview/src/basics.go
+29-16 b/‎pkg/edgeview/src/basics.go
+29-16
diff --git a/‎pkg/edgeview/src/copyfile.go
+4-4 b/‎pkg/edgeview/src/copyfile.go
+4-4
@@ -75,6 +75,7 @@
 | msrv.prometheus.metrics.rps | integer | 1 | The maximum number of requests per second (RPS) for the Prometheus metrics endpoint. |
 | msrv.prometheus.metrics.burst | integer | 10 | The maximum burst size for the Prometheus metrics endpoint. |
 | msrv.prometheus.metrics.idletimeout.seconds | integer | 240 | The idle timeout in seconds for the Prometheus metrics endpoint. If the connection is idle for this duration, the limit is reset. |
+| edgeview.authen.publickey | string | "" | Specifies SSH RSA public keys for Edgeview client command authentication. The user must provide the path to the SSH private key in the client script, and the device verifies the command using one of the configured public keys. Separate multiple public keys with newline characters. |
 
 ## Log levels
 
 
@@ -23,3 +23,69 @@ For security reasons, the Edge-View container has all the volumes mounted in 're
 ## Logging to Event
 
 Edge-View logging is similar to other containers. For any user command received by Edge-View, it will log the client endpoint(IP address/port), the command and its parameters. The log entry will also be tagged with object-type of `log-to-event`, and the controller can optionally process those log entries and generate them as device events or alerts.
+
+## Edge-View Client Authentication
+
+To address limitations in controlling and tracking user access to Edge-View commands, the authentication enhancements to Edge-View aim to strengthen user authentication, enforce stricter access controls, and improve user tracking.
+
+### Key Enhancements
+
+1. **Authentication Enhancements**
+   Stricter authentication methods will be implemented to ensure that commands originate from authorized sources. These sources include the Controller webpage session or authenticated remote users. JWT token is extended to support types of client authentication.
+
+2. **Edgeview Policy Addition**
+   A new optional "Controller Auth Only" item will be added to the controller Edge-View policy. This policy, definable at the project level, enforces that Edgeview commands must originate from the Controller.
+
+3. **Client Authentication (Controller Cert Signed Type)**
+   Commands issued from the Edge-View UI will be signed by the Zedcloud/Controller's private signing key, if the policy requires it. The device will verify these commands using the corresponding public certificate from the controller.
+
+4. **Remote User Authentication (SSH Key Pairs Type)**
+   Remote users can authenticate using SSH RSA keys, providing an additional secure access method for Edge-View. These public keys will be installed via the Edge-node ConfigItem "edgeview.authen.publickey". If there are changes to the "edgeview.authen.publickey" ConfigItem, any active Edge-View sessions on the Edge-node will be terminated. Users will need to re-enable the Edge-View session to apply the updated authentication settings. This ensures that only authorized keys are used for remote access.
+
+5. **UserInfo Logging**
+   A new "UserInfo" field will be added to the Edge-View command payload. This field logs the username of the user issuing the command, improving accountability and tracking. For the remote users using SSH key for authentication, the user public key comment field will be logged for the user tracking.
+
+6. **Struct Definition Changes**
+   Updates to the Zedcloud protocol buffers definition include:
+   - Adding an `EvAuthType` enum in the `EvjwtInfo` struct to support different authentication methods (e.g., Controller Cert, SSH Keys).
+   - Introducing a new `EvjwtInfo` struct to encapsulate JWT-related information with enhanced authentication support. The struct is defined as follows:
+
+     ```go
+     type EvjwtInfo struct {
+         Dep string     `json:"dep"` // dispatcher end-point string e.g. ip:port
+         Sub string     `json:"sub"` // jwt subject, the device UUID string
+         Exp uint64     `json:"exp"` // expiration time for the token
+         Key string     `json:"key"` // key or nonce for payload hmac authentication
+         Num uint8      `json:"num"` // number of instances, default is 1
+         Enc bool       `json:"enc"` // payload with encryption, default is authentication
+         Aut EvAuthType `json:"aut"` // authentication type
+     }
+     ```
+
+   - The `EvAuthType` enum defines the supported authentication types for Edge-View:
+
+     ```go
+     // EvAuthType - enum for authentication type of edge-view
+     type EvAuthType int32
+
+     const (
+         EvAuthTypeUnspecified    EvAuthType = iota
+         EvAuthTypeControllerCert
+         EvAuthTypeSshRsaKeys
+     )
+     ```
+
+   These additions enhance the flexibility and security of the Edge-View authentication mechanism by supporting multiple authentication methods and encapsulating JWT-related details in a structured format.
+
+7. **Command Payload Signing and Verifying**
+   When Edgeview authentication is enabled, the Edgeview command payload will include a new `username` field to carry the user name from the controller side. Additionally, the original `Hash auth` field will be used as the `Signature`, which is signed using either the controller's private signing key or the SSH private key, depending on the authentication type.
+
+   On the Edge-node side, the authentication will be verified using either the controller's public signing key or the SSH public key. This ensures secure and authenticated communication between the controller and the Edge-node.
+
+   Below is the diagram for the authentication type of `Controller Cert`.
+
+   ![edgeview-authen-cert](./images/edgeview-authen-enhance-cert.png)
+
+   And the diagram for the `SSH Keys` type of authentication:
+
+   ![edgeview-authen-sshkey](./images/edgeview-authen-enhance-sshkey.png)
@@ -15,6 +15,7 @@ require (
 	github.com/sirupsen/logrus v1.9.3
 	github.com/tatsushid/go-fastping v0.0.0-20160109021039-d7bb493dee3e
 	github.com/vishvananda/netlink v1.2.1-beta.2
+	golang.org/x/crypto v0.35.0
 	golang.org/x/sys v0.30.0
 	golang.org/x/time v0.5.0
 )
@@ -37,7 +38,6 @@ require (
 	github.com/tklauser/numcpus v0.6.0 // indirect
 	github.com/vishvananda/netns v0.0.0-20210104183010-2eb08e3e575f // indirect
 	github.com/yusufpapurcu/wmi v1.2.3 // indirect
-	golang.org/x/crypto v0.35.0 // indirect
 	golang.org/x/net v0.36.0 // indirect
 	golang.org/x/text v0.22.0 // indirect
 	google.golang.org/protobuf v1.36.1 // indirect
 
@@ -122,6 +122,8 @@ golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
 golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
 
@@ -85,6 +85,7 @@ func initOpts() {
 		"edgeview",
 		"global",
 		"loguploader",
+		"msrv",
 		"newlogd",
 		"nim",
 		"nodeagent",
@@ -177,29 +178,30 @@ func isDefinedOpt(value string, optslice []string) bool {
 }
 
 // get url and path from JWT token string
-func getAddrFromJWT(token string, isServer bool, instID int) (string, string, error) {
+func getAddrFromJWT(token string, isServer bool, instID int) (string, string, types.EvAuthType, error) {
 	var addrport, path string
+	var evAuth types.EvAuthType
 	tparts := strings.Split(token, ".")
 	if len(tparts) != 3 {
-		return addrport, path, fmt.Errorf("no ip:port or invalid JWT")
+		return addrport, path, evAuth, fmt.Errorf("no ip:port or invalid JWT")
 	}
 
 	if instID > 0 {
 		if instID > types.EdgeviewMaxInstNum {
-			return addrport, path, fmt.Errorf("JWT inst number incorrect")
+			return addrport, path, evAuth, fmt.Errorf("JWT inst number incorrect")
 		}
 		edgeviewInstID = instID
 	}
 
 	data, err := base64.RawURLEncoding.DecodeString(tparts[1])
 	if err != nil {
-		return addrport, path, err
+		return addrport, path, evAuth, err
 	}
 
 	var jdata types.EvjwtInfo
 	err = json.Unmarshal(data, &jdata)
 	if err != nil {
-		return addrport, path, err
+		return addrport, path, evAuth, err
 	}
 
 	var uuidStr string
@@ -210,33 +212,36 @@ func getAddrFromJWT(token string, isServer bool, instID int) (string, string, er
 		}
 	}
 
+	// get the client authentication method
+	evAuth = types.EvAuthType(jdata.Aut)
+
 	if jdata.Exp == 0 || jdata.Dep == "" {
-		return addrport, path, fmt.Errorf("read JWT data failed")
+		return addrport, path, evAuth, fmt.Errorf("read JWT data failed")
 	}
 	if uuidStr != "" && jdata.Sub != uuidStr {
-		return addrport, path, fmt.Errorf("uuid does not match JWT jti")
+		return addrport, path, evAuth, fmt.Errorf("uuid does not match JWT jti")
 	}
 
 	now := time.Now()
 	nowSec := uint64(now.Unix())
 	if nowSec > jdata.Exp {
-		return addrport, path, fmt.Errorf("JWT expired %d sec ago", nowSec-jdata.Exp)
+		return addrport, path, evAuth, fmt.Errorf("JWT expired %d sec ago", nowSec-jdata.Exp)
 	}
 
 	if jdata.Num > 1 && instID < 1 {
 		if runOnServer {
-			return addrport, path, fmt.Errorf("Edgeview is in multi-instance mode, '-inst 1-%d' needs to be specified", jdata.Num)
+			return addrport, path, evAuth, fmt.Errorf("Edgeview is in multi-instance mode, '-inst 1-%d' needs to be specified", jdata.Num)
 		} else {
 			warnStr := fmt.Sprintf("Edgeview is in multi-instance mode, use '-inst 1-%d', try '-inst 1' here", jdata.Num)
 			fmt.Printf("%s\n", getColorStr(warnStr, colorCYAN))
 			edgeviewInstID = 1
 		}
 	} else if jdata.Num == 1 && instID > 0 {
 		if runOnServer {
-			return addrport, path, fmt.Errorf("Edgeview is not in multi-instance mode, no need to specify inst-ID")
+			return addrport, path, evAuth, fmt.Errorf("Edgeview is not in multi-instance mode, no need to specify inst-ID")
 		} else {
 			if instID > 1 {
-				return addrport, path, fmt.Errorf("Maximum instance is 1, can not use inst %d", instID)
+				return addrport, path, evAuth, fmt.Errorf("Maximum instance is 1, can not use inst %d", instID)
 			}
 			fmt.Printf("%s\n", getColorStr("Edgeview is not in multi-instance mode, instance ignored here", colorCYAN))
 			edgeviewInstID = 0
@@ -249,7 +254,7 @@ func getAddrFromJWT(token string, isServer bool, instID int) (string, string, er
 	if strings.Contains(jdataDep, "/") {
 		urls := strings.SplitN(jdataDep, "/", 2)
 		if len(urls) != 2 {
-			return addrport, path, fmt.Errorf("JWT url invalid")
+			return addrport, path, evAuth, fmt.Errorf("JWT url invalid")
 		}
 		addrport = urls[0]
 		path = "/" + urls[1]
@@ -261,7 +266,7 @@ func getAddrFromJWT(token string, isServer bool, instID int) (string, string, er
 	evStatus.StartedOn = now
 	encryptVarInit(jdata)
 
-	return addrport, path, nil
+	return addrport, path, evAuth, nil
 }
 
 func checkClientIPMsg(msg string) bool {
@@ -350,26 +355,34 @@ func getBasics() {
 
 	if basics.server != "" {
 		var printed bool
+		var authenStr string
+		if clientAuthType != types.EvAuthTypeUnspecified {
+			authen := "certs"
+			if clientAuthType == types.EvAuthTypeSSHRsaKeys {
+				authen = "ssh-keys"
+			}
+			authenStr = fmt.Sprintf(", (authen %s)", authen)
+		}
 		conts := strings.Split(basics.server, "zedcloud.")
 		if len(conts) == 2 {
 			cont2s := strings.Split(conts[1], ".zededa.net")
 			if len(cont2s) == 2 { // color highlight the cluster name string
 				cluster := cont2s[0]
 				colorCluster := getColorStr(cluster, colorYELLOW)
 				controller := strings.Replace(basics.server, cluster, colorCluster, 1)
-				fmt.Printf("  Controller: %s", controller)
+				fmt.Printf("  Controller: %s%s\n", controller, authenStr)
 				printed = true
 			}
 		}
 		if !printed {
-			fmt.Printf("  Controller: %s", basics.server)
+			fmt.Printf("  Controller: %s%s\n", basics.server, authenStr)
 		}
 	}
 
 	if basics.release == "" {
 		retbytes, err := os.ReadFile("/run/eve-release")
 		if err == nil {
-			basics.release = string(retbytes)
+			basics.release = strings.TrimSuffix(string(retbytes), "\n")
 		}
 	}
 
 
@@ -125,7 +125,7 @@ func runCopy(opt string, tarDirSize *int64) error {
 	}
 
 	// send file information to client side and wait for signal to start copy
-	err = addEnvelopeAndWriteWss(jbytes, false)
+	err = addEnvelopeAndWriteWss(jbytes, false, false)
 	if err != nil {
 		fmt.Printf("sign and write error: %v\n", err)
 		return fmt.Errorf("cp command write file header error")
@@ -205,7 +205,7 @@ func runCopy(opt string, tarDirSize *int64) error {
 			return fmt.Errorf("cp command error")
 		}
 
-		err = addEnvelopeAndWriteWss(buffer[:n], false)
+		err = addEnvelopeAndWriteWss(buffer[:n], false, false)
 		if err != nil {
 			fmt.Printf("file write to wss error %v\n", err)
 			return fmt.Errorf("cp command error")
@@ -275,7 +275,7 @@ func recvCopyFile(msg []byte, fstatus *fileCopyStatus, mtype int) {
 		fstatus.gotFileInfo = true
 
 		// send to server, go ahead and start transfer
-		err = addEnvelopeAndWriteWss([]byte(startCopyMessage), false)
+		err = addEnvelopeAndWriteWss([]byte(startCopyMessage), false, false)
 		if err != nil {
 			sendCopyDone("write start copy failed", err)
 		}
@@ -438,7 +438,7 @@ func sendCopyDone(context string, err error) {
 	if err != nil {
 		fmt.Printf("%s error: %v\n", context, err)
 	}
-	err = addEnvelopeAndWriteWss([]byte(context), true)
+	err = addEnvelopeAndWriteWss([]byte(context), true, false)
 	if err != nil {
 		fmt.Printf("sign and write error: %v\n", err)
 	}