Make insecure default for Databroker

Reverts previous change.
Short term decision is that we will not change default behavior,
KUKSA.val Databroker shall unless indicated by arguments start
in insecure mode, i.e.e. accepting non-TLS connections (only).

We agreed that this MAY change in the future, so a warning shall be given.

Author: erikbosch

doc/tls.md

@@ -8,8 +8,10 @@ KUKSA.val supports TLS for connection between KUKSA.val Databroker/Server and cl
 
 General design concept in short:
 
-* KUKSA.val Server and KUKSA.val Databroker by default only accept TLS connection. Insecure connections can be allowed by a configuration setting
-* Mutual authentication not supported, i.e. KUKSA.val Server and KUKSA.val Databroker does not authenticate clients
+* KUKSA.val Server and KUKSA.val Databroker supports to use either connections secured with TLS or insecure connections.
+* You can use configuration settings to control whether Server or databroker shall require secure connections.
+* Default connection type may vary between tools, and may be changed in future releases.
+* Mutual authentication is not supported, i.e. KUKSA.val Server and KUKSA.val Databroker does not authenticate clients
 * A set of example certificates and keys exist in the [kuksa_certificates](kuksa_certificates) repository
 * The example certificates are used as default by some applications
 * The example certificates shall only be used during development and re not suitable for production use
@@ -19,20 +21,31 @@ General design concept in short:
 
 For more information see the [README.md](kuksa_certificates/README.md).
 
-**NOTE: The example keys and certificates shall not be used in your production environment!  **
+**NOTE: The example keys and certificates shall not be used in your production environment!**
 
 ## Examples using example certificates
 
 This section intends to give guidelines on how you can verify TLS functionality with KUKSA.val.
 It is based on using the example certificates.
 
 
-## KUKSA.val databroker
+## KUKSA.val Databroker
 
 KUKSA.val Databroker supports TLS, but not mutual authentication.
-You cannot start KUKSA.val Databroker just using default arguments as you either must specify that insecure connections
-shall be used (`--insecure`) or provide data for a secure connection.
-To use a secure connection specify `--tls-cert`and `--tls-private-key`
+As of today, if not specified KUKSA.val Databroker will accept only insecure connecttions.
+
+```
+~/kuksa.val/kuksa_databroker$ cargo run --bin databroker -- --metadata ../data/vss-core/vss_release_4.0.json
+```
+
+The default behavior may change in the future. By that reason, it is recommended to use the `--insecure` argument
+if you want to use insecure connections.
+
+```
+~/kuksa.val/kuksa_databroker$ cargo run --bin databroker -- --metadata ../data/vss-core/vss_release_4.0.json --insecure
+```
+
+To use a secure connection specify both `--tls-cert`and `--tls-private-key`
 
 ```
 ~/kuksa.val/kuksa_databroker$ cargo run --bin databroker -- --metadata ../data/vss-core/vss_release_4.0.json --tls-cert ../kuksa_certificates/Server.pem --tls-private-key ../kuksa_certificates/Server.key
@@ -64,13 +77,14 @@ docker run --rm -it --net=host -v /home/user/kuksa.val/kuksa_certificates:/certs
 
 ## KUKSA.val Server
 
-Uses TLS by default, but doe not support mutual TLS. By default it uses KUKSA.val example certificates/keys `Server.key`, `Server.pem` and `CA.pem`.
+KUKSA.val Server uses TLS by default, but does not support mutual TLS.
+By default it uses KUKSA.val example certificates/keys `Server.key`, `Server.pem` and `CA.pem`.
 
 ```
 ~/kuksa.val/kuksa-val-server/build/src$ ./kuksa-val-server  --vss ./vss_release_4.0.json
 ```
 
-It is posible to specify a different certificate path, but the file names must be the same as listed above.
+It is possible to specify a different certificate path, but the file names must be the same as listed above.
 
 ```
 ~/kuksa.val/kuksa-val-server/build/src$ ./kuksa-val-server  --vss ./vss_release_4.0.json -cert-path ../../../kuksa_certificates

kuksa_databroker/README.md

@@ -1,17 +1,18 @@
 # Kuksa Databroker
 
+## Table of contents
+
+<!-- TOC generated by https://luciopaiva.com/markdown-toc/ with 2 levels -->
+
 - [Kuksa Databroker](#kuksa-databroker)
   - [Intro](#intro)
   - [Relation to the COVESA Vehicle Signal Specification (VSS)](#relation-to-the-covesa-vehicle-signal-specification-vss)
-  - [Building](#building)
-    - [Build all](#build-all)
-    - [Build all release](#build-all-release)
-  - [Running](#running)
-    - [Broker](#databroker)
-    - [Test the broker - run client/cli](#test-the-databroker)
-    - [Kuksa Data Broker Query Syntax](#data-broker-query-syntax)
-    - [Configuration](#configuration)
-    - [Build and run databroker container](#build-and-run-databroker)
+  - [Building KUKSA.val Databroker](#building-kuksaval-databroker)
+  - [Running KUKSA.val Databroker](#running-kuksaval-databroker)
+  - [Test the Databroker using CLI](#test-the-databroker-using-cli)
+  - [KUKSA.val Databroker Configuration](#kuksaval-databroker-configuration)
+  - [Run Databroker test cases](#run-databroker-test-cases)
+  - [Build and run Databroker using Docker](#build-and-run-databroker-using-docker)
   - [Limitations](#limitations)
   - [GRPC overview](#grpc-overview)
   - [GRPC Interfaces](#grpc-interfaces)
@@ -78,12 +79,14 @@ OPTIONS:
 ```
 
 Before starting KUKSA.val Databroker you must decide if you want to use TLS for incoming connections or not.
-It is is recommended to use TLS and the you must provide server key by `--tls-private-key`
-and server certificate by `--tls-cert`. If you want to run without TLS you must give `--insecure`.
+It is is recommended to use TLS and then you must provide server key by `--tls-private-key`
+and server certificate by `--tls-cert`. If you do not give those arguments KUKSA.val Databroker will only accept
+insecure connections. The default behavior may change in the future, so if you want insecure connections it is
+recommended to use the `--insecure` argument.
 
 *Note: Unless stated otherwise, the examples below show KUKSA.val Databroker running in insecure mode!*
 
-Run the broker in insecure mode with:
+Run the Databroker in insecure mode with:
 
 `cargo run --bin databroker -- --insecure`
 
@@ -190,7 +193,7 @@ WHERE
 Subscription is now running in the background. Received data is identified by [1].
 ```
 
-### Configuration
+## KUKSA.val Databroker Configuration
 
 | parameter      | default value | cli parameter    | environment variable              | description                                  |
 |----------------|---------------|------------------|-----------------------------------|----------------------------------------------|
@@ -200,10 +203,10 @@ Subscription is now running in the background. Received data is identified by [1
 | listen_port    | 55555         | --port           | KUKSA_DATA_BROKER_PORT            | Listen for rpc calls                         |
 | jwt_public_key | <no active>   | --jwt-public-key | <no active>                       | Public key used to verify JWT access tokens |
 | tls_cert | <no active> | --tls-cert | <no active> | TLS certificate file (.pem) |
-| tls_private_key | <no active> | --tls-private-key | <no active> | TLS private key file (.pem) |
-| insecure | <no active> | --insecure | <no active> | Allow insecure connections |
+| tls_private_key | <no active> | --tls-private-key | <no active> | TLS private key file (.key) |
+| insecure | <no active> | --insecure | <no active> | Allow insecure connections (default unless tls_cert and tls_private_key given)|
 
-To change the default configuration use the arguments during startup see [run section](#running) or environment variables.
+To change the default configuration use the arguments during startup see [run section](#running-kuksaval-databroker) or environment variables.
 
 ## Run Databroker test cases
 
@@ -237,6 +240,7 @@ tar -czvf databroker_x86_64.tar.gz \
     target/release/examples/perf_setter \
     target/release/examples/perf_subscriber
 ```
+
 ```shell
 # For aarch64
 tar -czvf databroker_aarch64.tar.gz \
@@ -245,12 +249,15 @@ tar -czvf databroker_aarch64.tar.gz \
     target/aarch64-unknown-linux-gnu/release/examples/perf_setter \
     target/aarch64-unknown-linux-gnu/release/examples/perf_subscriber
 ```
+
 To build the image execute following commands from root directory as context.
+
 ```shell
 docker build -f kuksa_databroker/Dockerfile -t databroker:<tag> .
 ```
 
 Use following command if buildplatform is required
+
 ```shell
 DOCKER_BUILDKIT=1 docker build -f kuksa_databroker/Dockerfile -t databroker:<tag> .
 ```

kuksa_databroker/databroker/src/main.rs

@@ -17,7 +17,7 @@ static ALLOC: jemallocator::Jemalloc = jemallocator::Jemalloc;
 
 use databroker::broker::RegistrationError;
 use databroker::grpc::server::{Authorization, ServerTLS};
-use tracing::{debug, error, info};
+use tracing::{debug, error, info, warn};
 
 use tokio::select;
 use tokio::signal::unix::{signal, SignalKind};
@@ -378,9 +378,11 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
                 );
             }
             (None, None) => {
-                return Err(
-                    "You must either provide TLS certificate and key or request insecure mode by --insecure.".into(),
+                warn!(
+                    "Default behavior may change in the future, \
+                       please use --insecure if you want an insecure connection!"
                 );
+                ServerTLS::Disabled
             }
         }
     };