bootstrap

package
v0.30.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 12, 2026 License: Apache-2.0 Imports: 22 Imported by: 1

README

BOOTSTRAP SERVICE

New devices need to be configured properly and connected to the Magistrala. Bootstrap service is used in order to accomplish that. This service provides the following features:

  1. Creating new Magistrala Clients
  2. Providing basic configuration for the newly created Clients
  3. Enabling/disabling bootstrap enrollments

Pre-provisioning a new Client is as simple as sending Configuration data to the Bootstrap service. Once the Client is online, it sends a request for initial config to Bootstrap service. Bootstrap service provides an API for enabling and disabling bootstrap enrollments. Bootstrapping does not implicitly enable an enrollment; it has to be done manually.

In order to bootstrap successfully, the Client needs to send bootstrapping request to the specific URL, as well as a secret key. This key and URL are pre-provisioned during the manufacturing process. If the Client is provisioned on the Bootstrap service side, the corresponding configuration will be sent as a response. Otherwise, the Client will be saved so that it can be provisioned later.

Client Configuration Entity

Client Configuration consists of two logical parts: the custom configuration that can be interpreted by the Client itself and Magistrala-related configuration. Magistrala config contains:

  1. corresponding Magistrala Client ID
  2. corresponding Magistrala Client key
  3. list of the Magistrala channels the Client is connected to

Note: list of channels contains IDs of the Magistrala channels. These channels are pre-provisioned on the Magistrala side and, unlike corresponding Magistrala Client, Bootstrap service is not able to create Magistrala Channels.

Enabling and disabling a bootstrap enrollment is an enrollment toggle. Configuration keeps a status:

Status What it means
disabled Enrollment exists, but bootstrap is not allowed
enabled Enrollment can be used to fetch bootstrap configuration

Switching between statuses enabled and disabled enables and disables the enrollment, respectively.

Client configuration also contains the so-called external ID and external key. An external ID is a unique identifier of corresponding Client. For example, a device MAC address is a good choice for external ID. External key is a secret key that is used for authentication during the bootstrapping procedure.

Configuration

The service is configured using the environment variables presented in the following table. Note that any unset variables will be replaced with their default values.

Variable Description Default
MG_BOOTSTRAP_LOG_LEVEL Log level for Bootstrap (debug, info, warn, error) info
MG_BOOTSTRAP_DB_HOST Database host address localhost
MG_BOOTSTRAP_DB_PORT Database host port 5432
MG_BOOTSTRAP_DB_USER Database user magistrala
MG_BOOTSTRAP_DB_PASS Database password magistrala
MG_BOOTSTRAP_DB_NAME Name of the database used by the service bootstrap
MG_BOOTSTRAP_DB_SSL_MODE Database connection SSL mode (disable, require, verify-ca, verify-full) disable
MG_BOOTSTRAP_DB_SSL_CERT Path to the PEM encoded certificate file ""
MG_BOOTSTRAP_DB_SSL_KEY Path to the PEM encoded key file ""
MG_BOOTSTRAP_DB_SSL_ROOT_CERT Path to the PEM encoded root certificate file ""
MG_BOOTSTRAP_ENCRYPT_KEY Secret key for secure bootstrapping encryption 12345678910111213141516171819202
MG_BOOTSTRAP_HTTP_HOST Bootstrap service HTTP host ""
MG_BOOTSTRAP_HTTP_PORT Bootstrap service HTTP port 9013
MG_BOOTSTRAP_HTTP_SERVER_CERT Path to server certificate in pem format ""
MG_BOOTSTRAP_HTTP_SERVER_KEY Path to server key in pem format ""
MG_BOOTSTRAP_EVENT_CONSUMER Bootstrap service event source consumer name bootstrap
MG_ES_URL Event store URL nats://localhost:4222
MG_AUTH_GRPC_URL Auth service Auth gRPC URL localhost:8181
MG_AUTH_GRPC_TIMEOUT Auth service Auth gRPC request timeout in seconds 1s
MG_AUTH_GRPC_CLIENT_CERT Path to the PEM encoded auth service Auth gRPC client certificate file ""
MG_AUTH_GRPC_CLIENT_KEY Path to the PEM encoded auth service Auth gRPC client key file ""
MG_AUTH_GRPC_SERVER_CERTS Path to the PEM encoded auth server Auth gRPC server trusted CA certificate file ""
MG_CLIENTS_URL Base URL for Magistrala Clients http://localhost:9000
MG_JAEGER_URL Jaeger server URL http://localhost:4318/v1/traces
MG_JAEGER_TRACE_RATIO Jaeger sampling ratio 1.0
MG_SEND_TELEMETRY Send telemetry to magistrala call home server true
MG_BOOTSTRAP_INSTANCE_ID Bootstrap service instance ID ""

Deployment

The service itself is distributed as Docker container. Check the bootstrap service section in docker-compose file to see how service is deployed.

To start the service outside of the container, execute the following shell script:

# download the latest version of the service
git clone https://github.com/absmach/magistrala

cd magistrala

# compile the servic e
make bootstrap

# copy binary to bin
make install

# set the environment variables and run the service
MG_BOOTSTRAP_LOG_LEVEL=info \
MG_BOOTSTRAP_DB_HOST=localhost \
MG_BOOTSTRAP_DB_PORT=5432 \
MG_BOOTSTRAP_DB_USER=magistrala \
MG_BOOTSTRAP_DB_PASS=magistrala \
MG_BOOTSTRAP_DB_NAME=bootstrap \
MG_BOOTSTRAP_DB_SSL_MODE=disable \
MG_BOOTSTRAP_DB_SSL_CERT="" \
MG_BOOTSTRAP_DB_SSL_KEY="" \
MG_BOOTSTRAP_DB_SSL_ROOT_CERT="" \
MG_BOOTSTRAP_HTTP_HOST=localhost \
MG_BOOTSTRAP_HTTP_PORT=9013 \
MG_BOOTSTRAP_HTTP_SERVER_CERT="" \
MG_BOOTSTRAP_HTTP_SERVER_KEY="" \
MG_BOOTSTRAP_EVENT_CONSUMER=bootstrap \
MG_ES_URL=nats://localhost:4222 \
MG_AUTH_GRPC_URL=localhost:8181 \
MG_AUTH_GRPC_TIMEOUT=1s \
MG_AUTH_GRPC_CLIENT_CERT="" \
MG_AUTH_GRPC_CLIENT_KEY="" \
MG_AUTH_GRPC_SERVER_CERTS="" \
MG_CLIENTS_URL=http://localhost:9000 \
MG_JAEGER_URL=http://localhost:14268/api/traces \
MG_JAEGER_TRACE_RATIO=1.0 \
MG_SEND_TELEMETRY=true \
MG_BOOTSTRAP_INSTANCE_ID="" \
$GOBIN/magistrala-bootstrap

Setting MG_BOOTSTRAP_HTTP_SERVER_CERT and MG_BOOTSTRAP_HTTP_SERVER_KEY will enable TLS against the service. The service expects a file in PEM format for both the certificate and the key.

Setting MG_AUTH_GRPC_CLIENT_CERT and MG_AUTH_GRPC_CLIENT_KEY will enable TLS against the auth service. The service expects a file in PEM format for both the certificate and the key. Setting MG_AUTH_GRPC_SERVER_CERTS will enable TLS against the auth service trusting only those CAs that are provided. The service expects a file in PEM format of trusted CAs.

Usage

For more information about service capabilities and its usage, please check out the API documentation.

Documentation

Overview

Package bootstrap contains the domain concept definitions needed to support Magistrala bootstrap service functionality.

Index

Constants

View Source 
const (
	Disabled = "disabled"
	Enabled  = "enabled"
	All      = "all"
	Unknown  = "unknown"
)

String representation of bootstrap status values.

View Source 
const (
	Inactive = DisabledStatus
	Active   = EnabledStatus
)

Backward-compatible aliases kept while callers move off the old names.

Variables

View Source 
var (
	// ErrExternalKey indicates a non-existent bootstrap configuration for given external key.
	ErrExternalKey = errors.NewAuthZError("failed to get bootstrap configuration for given external key")

	// ErrExternalKeySecure indicates error in getting bootstrap configuration for given encrypted external key.
	ErrExternalKeySecure = errors.NewAuthZError("failed to get bootstrap configuration for given encrypted external key")

	// ErrBootstrap indicates error in getting bootstrap configuration.
	ErrBootstrap = errors.New("failed to read bootstrap configuration")

	// ErrAddBootstrap indicates error in adding bootstrap configuration.
	ErrAddBootstrap = errors.NewServiceError("failed to add bootstrap configuration")

	// ErrBootstrapStatus indicates an invalid bootstrap status.
	ErrBootstrapStatus = errors.NewRequestError("invalid bootstrap status")
)
View Source 
var ErrRenderFailed = errors.New("failed to render profile template")

ErrRenderFailed is returned when template execution or output validation fails.

Functions

This section is empty.

Types

type BindingContext added in v0.30.0 

type BindingContext struct {
	Type     string
	ID       string
	Snapshot map[string]any
	Secret   map[string]any
}

BindingContext holds the resolved resource data available inside templates for a specific slot.

type BindingRequest added in v0.30.0 

type BindingRequest struct {
	Slot       string `json:"slot"`
	Type       string `json:"type"`        // "client" | "channel" | "cert"
	ResourceID string `json:"resource_id"` // ID of the resource in its owning service
}

BindingRequest carries a user's intent to bind a named profile slot to a concrete resource.

type BindingResolver added in v0.30.0 

type BindingResolver interface {
	Resolve(ctx context.Context, req ResolveRequest) ([]BindingSnapshot, error)
}

BindingResolver validates that requested resources exist in their owning services, verifies type and slot compatibility, and returns snapshots ready for storage. It is called at binding time only; the render path must not call it.

func NewSDKResolver added in v0.30.0 

func NewSDKResolver(sdk mgsdk.SDK) BindingResolver

NewSDKResolver returns a BindingResolver that validates resources against the Magistrala clients and channels services using the SDK. This resolver is called only at binding time; the render path must never call it.

type BindingSlot added in v0.30.0 

type BindingSlot struct {
	Name     string   `json:"name"`
	Type     string   `json:"type"`
	Required bool     `json:"required"`
	Fields   []string `json:"fields,omitempty"`
}

BindingSlot declares a named resource placeholder that a profile template can use.

type BindingSnapshot added in v0.30.0 

type BindingSnapshot struct {
	ConfigID       string         `json:"config_id"`
	Slot           string         `json:"slot"`
	Type           string         `json:"type"`
	ResourceID     string         `json:"resource_id"`
	Snapshot       map[string]any `json:"snapshot,omitempty"`
	SecretSnapshot map[string]any `json:"secret_snapshot,omitempty"` // encrypted at rest
	UpdatedAt      time.Time      `json:"updated_at,omitempty"`
}

BindingSnapshot is a Bootstrap-owned point-in-time copy of the resource fields needed for template rendering. It is populated at binding time so that the render path never calls external services.

type BindingStore added in v0.30.0 

type BindingStore interface {
	// Save upserts all given snapshots for the config.
	Save(ctx context.Context, configID string, bindings []BindingSnapshot) error

	// Retrieve returns all snapshots for the given config.
	Retrieve(ctx context.Context, configID string) ([]BindingSnapshot, error)

	// Delete removes the snapshot for a specific slot of a config.
	Delete(ctx context.Context, configID, slot string) error
}

BindingStore is the persistence interface for BindingSnapshots.

type Config 

type Config struct {
	ID            string         `json:"id"`
	DomainID      string         `json:"domain_id,omitempty"`
	Name          string         `json:"name,omitempty"`
	ClientCert    string         `json:"client_cert,omitempty"`
	ClientKey     string         `json:"client_key,omitempty"`
	CACert        string         `json:"ca_cert,omitempty"`
	ExternalID    string         `json:"external_id"`
	ExternalKey   string         `json:"external_key"`
	Content       string         `json:"content,omitempty"`
	Status        Status         `json:"status"`
	ProfileID     string         `json:"profile_id,omitempty"`
	RenderContext map[string]any `json:"render_context,omitempty"`
}

Config represents a bootstrap enrollment.

type ConfigReader 

type ConfigReader interface {
	ReadConfig(Config, bool) (any, error)
}

ConfigReader is used to parse Config into format which will be encoded as a JSON and consumed from the client side. The purpose of this interface is to provide convenient way to generate custom configuration response based on the specific Config which will be consumed by the client.

func NewConfigReader 

func NewConfigReader(encKey []byte) ConfigReader

NewConfigReader return new reader which is used to generate response from the config.

type ConfigRepository 

type ConfigRepository interface {
	// Save persists the Config. Successful operation is indicated by non-nil
	// error response.
	Save(ctx context.Context, cfg Config) (string, error)

	// RetrieveByID retrieves the Config having the provided identifier, that is owned
	// by the specified user.
	RetrieveByID(ctx context.Context, domainID, id string) (Config, error)

	// RetrieveAll retrieves a subset of Configs that belong to the given domain,
	// with given filter parameters.
	RetrieveAll(ctx context.Context, domainID string, filter Filter, offset, limit uint64) ConfigsPage

	// RetrieveByExternalID returns Config for given external ID.
	RetrieveByExternalID(ctx context.Context, externalID string) (Config, error)

	// Update updates an existing Config. A non-nil error is returned
	// to indicate operation failure.
	Update(ctx context.Context, cfg Config) error

	// AssignProfile sets the profile reference for the given Config.
	AssignProfile(ctx context.Context, domainID, id, profileID string) error

	// UpdateCerts updates and returns an existing Config certificate and domainID.
	// A non-nil error is returned to indicate operation failure.
	UpdateCert(ctx context.Context, domainID, id, clientCert, clientKey, caCert string) (Config, error)

	// Remove removes the Config having the provided identifier, that is owned
	// by the specified user.
	Remove(ctx context.Context, domainID, id string) error

	// ChangeStatus changes the Status of the Config owned by the specific user.
	ChangeStatus(ctx context.Context, domainID, id string, status Status) error
}

ConfigRepository specifies a Config persistence API.

type ConfigsPage 

type ConfigsPage struct {
	Total   uint64   `json:"total"`
	Offset  uint64   `json:"offset"`
	Limit   uint64   `json:"limit"`
	Configs []Config `json:"configs"`
}

ConfigsPage contains page related metadata as well as list of Configs that belong to this page.

type ContentFormat added in v0.30.0 

type ContentFormat string

ContentFormat enumerates the supported output formats for rendered profile templates. 

const (
	ContentFormatGoTemplate ContentFormat = "go-template"
	ContentFormatRaw        ContentFormat = "raw"
	ContentFormatJSON       ContentFormat = "json"
	ContentFormatYAML       ContentFormat = "yaml"
	ContentFormatTOML       ContentFormat = "toml"
)

type DeviceContext added in v0.30.0 

type DeviceContext struct {
	ID         string
	ExternalID string
	DomainID   string
}

DeviceContext holds enrollment identity fields available inside templates.

type Filter 

type Filter struct {
	FullMatch    map[string]string
	PartialMatch map[string]string
}

Filter is used for the search filters.

type Hasher added in v0.30.0 

type Hasher interface {
	// Hash generates the hashed string from plain-text.
	Hash(string) (string, error)

	// Compare compares plain-text version to the hashed one. An error should
	// indicate failed comparison.
	Compare(string, string) error
}

Hasher specifies an API for generating hashes of arbitrary textual content.

type Profile added in v0.30.0 

type Profile struct {
	ID              string         `json:"id"`
	DomainID        string         `json:"domain_id,omitempty"`
	Name            string         `json:"name"`
	Description     string         `json:"description,omitempty"`
	ContentFormat   ContentFormat  `json:"content_format"`
	ContentTemplate string         `json:"content_template,omitempty"`
	Defaults        map[string]any `json:"defaults,omitempty"`
	BindingSlots    []BindingSlot  `json:"binding_slots,omitempty"`
	Version         int            `json:"version,omitempty"`
	CreatedAt       time.Time      `json:"created_at,omitempty"`
	UpdatedAt       time.Time      `json:"updated_at,omitempty"`
}

Profile is a user-managed device configuration template.

type ProfileRepository added in v0.30.0 

type ProfileRepository interface {
	// Save persists a new Profile and returns it with server-assigned fields set.
	Save(ctx context.Context, p Profile) (Profile, error)

	// RetrieveByID returns the Profile with the given ID inside the given domain.
	RetrieveByID(ctx context.Context, domainID, id string) (Profile, error)

	// RetrieveAll returns a page of Profiles belonging to the given domain, optionally filtered by name.
	RetrieveAll(ctx context.Context, domainID string, offset, limit uint64, name string) (ProfilesPage, error)

	// Update updates editable fields of the given Profile and returns the updated Profile.
	Update(ctx context.Context, p Profile) (Profile, error)

	// Delete removes the Profile with the given ID from the given domain.
	Delete(ctx context.Context, domainID, id string) error
}

ProfileRepository specifies the persistence API for Profiles.

type ProfilesPage added in v0.30.0 

type ProfilesPage struct {
	Total    uint64    `json:"total"`
	Offset   uint64    `json:"offset"`
	Limit    uint64    `json:"limit"`
	Profiles []Profile `json:"profiles"`
}

ProfilesPage contains pagination metadata and a slice of Profiles.

type RenderContext added in v0.30.0 

type RenderContext struct {
	Device   DeviceContext
	Vars     map[string]any
	Bindings map[string]BindingContext
}

RenderContext is the typed value injected into Go templates during rendering.

type Renderer added in v0.30.0 

type Renderer interface {
	Render(profile Profile, enrollment Config, bindings []BindingSnapshot) ([]byte, error)
}

Renderer renders a Profile's content template into a concrete device configuration. All input data must already be stored in Bootstrap — no external service calls are allowed inside Render.

func NewRenderer added in v0.30.0 

func NewRenderer() Renderer

NewRenderer returns the default Renderer implementation using Go text/template.

type ResolveRequest added in v0.30.0 

type ResolveRequest struct {
	Enrollment Config
	Token      string
	Requested  []BindingRequest
}

ResolveRequest carries everything the BindingResolver needs to snapshot a set of resource bindings.

type Service 

type Service interface {
	// Add adds new Client Config to the user identified by the provided token.
	Add(ctx context.Context, session smqauthn.Session, token string, cfg Config) (Config, error)

	// View returns Client Config with given ID belonging to the user identified by the given token.
	View(ctx context.Context, session smqauthn.Session, id string) (Config, error)

	// Update updates editable fields of the provided Config.
	Update(ctx context.Context, session smqauthn.Session, cfg Config) error

	// UpdateCert updates an existing Config certificate and token.
	// A non-nil error is returned to indicate operation failure.
	UpdateCert(ctx context.Context, session smqauthn.Session, id, clientCert, clientKey, caCert string) (Config, error)

	// List returns subset of Configs with given search params that belong to the
	// user identified by the given token.
	List(ctx context.Context, session smqauthn.Session, filter Filter, offset, limit uint64) (ConfigsPage, error)

	// Remove removes Config with specified token that belongs to the user identified by the given token.
	Remove(ctx context.Context, session smqauthn.Session, id string) error

	// Bootstrap returns Config to the Client with provided external ID using external key.
	Bootstrap(ctx context.Context, externalKey, externalID string, secure bool) (Config, error)

	// EnableConfig enables the Config so its device can successfully bootstrap.
	EnableConfig(ctx context.Context, session smqauthn.Session, id string) (Config, error)

	// DisableConfig disables the Config, preventing its device from bootstrapping.
	DisableConfig(ctx context.Context, session smqauthn.Session, id string) (Config, error)

	// CreateProfile persists a new device Profile.
	CreateProfile(ctx context.Context, session smqauthn.Session, p Profile) (Profile, error)

	// ViewProfile returns the Profile with the given ID.
	ViewProfile(ctx context.Context, session smqauthn.Session, profileID string) (Profile, error)

	// UpdateProfile updates editable fields of the given Profile and returns the updated Profile.
	UpdateProfile(ctx context.Context, session smqauthn.Session, p Profile) (Profile, error)

	// ListProfiles returns a page of Profiles belonging to the domain.
	ListProfiles(ctx context.Context, session smqauthn.Session, offset, limit uint64, name string) (ProfilesPage, error)

	// DeleteProfile removes the Profile with the given ID.
	DeleteProfile(ctx context.Context, session smqauthn.Session, profileID string) error

	// AssignProfile sets the ProfileID on an existing enrollment (Config).
	AssignProfile(ctx context.Context, session smqauthn.Session, configID, profileID string) error

	// BindResources resolves the requested bindings through their owning services,
	// stores snapshots, and marks the enrollment renderable when all required slots
	// are satisfied.
	BindResources(ctx context.Context, session smqauthn.Session, token, configID string, bindings []BindingRequest) error

	// ListBindings returns all stored binding snapshots for an enrollment.
	ListBindings(ctx context.Context, session smqauthn.Session, configID string) ([]BindingSnapshot, error)

	// RefreshBindings re-resolves all existing bindings for an enrollment and
	// updates the stored snapshots.
	RefreshBindings(ctx context.Context, session smqauthn.Session, token, configID string) error
}

Service specifies an API that must be fulfilled by the domain service implementation, and all of its decorators (e.g. logging & metrics).

func New 

func New(
	configs ConfigRepository,
	profiles ProfileRepository,
	bindings BindingStore,
	resolver BindingResolver,
	renderer Renderer,
	sdk mgsdk.SDK,
	hasher Hasher,
	encKey []byte,
	idp magistrala.IDProvider,
) Service

New returns new Bootstrap service.

type Status added in v0.30.0 

type Status uint8

Status represents bootstrap enrollment availability. 

const (
	EnabledStatus Status = iota
	DisabledStatus
	// AllStatus is used for querying purposes to list configs irrespective
	// of their status. It is never stored in the database.
	AllStatus
)

Possible bootstrap enrollment statuses.

func ToStatus added in v0.30.0 

func ToStatus(status string) (Status, error)

ToStatus converts a string or legacy numeric string value to Status.

func (Status) MarshalJSON added in v0.30.0 

func (s Status) MarshalJSON() ([]byte, error)

MarshalJSON renders bootstrap status as a string literal.

func (Status) String added in v0.30.0 

func (s Status) String() string

String returns string representation of Status.

func (*Status) UnmarshalJSON added in v0.30.0 

func (s *Status) UnmarshalJSON(data []byte) error

UnmarshalJSON accepts both string and legacy numeric bootstrap statuses.

Source Files

View all Source files

Directories

Path Synopsis
Package api contains implementation of bootstrap service HTTP API.
 Package api contains implementation of bootstrap service HTTP API.
Package events provides the domain concept definitions needed to support bootstrap events functionality.
 Package events provides the domain concept definitions needed to support bootstrap events functionality.
producer
Package producer contains the domain events needed to support event sourcing of Bootstrap service actions.
 Package producer contains the domain events needed to support event sourcing of Bootstrap service actions.
Package postgres contains repository implementations using PostgreSQL as the underlying database.
 Package postgres contains repository implementations using PostgreSQL as the underlying database.
Package tracing provides tracing instrumentation for Magistrala Users service.
 Package tracing provides tracing instrumentation for Magistrala Users service.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.