Device auto-provision and auto-create may use invalid device id

[harism]

It seems possible that gateway device auto-provision and certificate based device auto-create may create a device with invalid device id. Invalid in a sense that you cannot access that device id using Device Registry API in any way.

Would it be better to add similar validation for auto-provision and auto-create as Device Registry HTTP calls have to ensure it the created device or gateway has always valid device id which works with Device Registry API calls also?

To test this:

1. Create an auto-provisioning gateway with http-credentials
2. Send PUT /telemetry/{tenant_id}/**invalid to http-adapter with previous step gateway credentials
3. Device with **invalid -device id is created which is inaccessible with Device Registry API

[sophokles73]

Would it be better to add similar validation for auto-provision and auto-create as Device Registry HTTP calls have to ensure it the created device or gateway has always valid device id which works with Device Registry API calls also?

I guess the check, if it is currently missing, should be added to the component that both the Registry Management API endpoint as well as the (adapter facing) AMQP based service Device Registration endpoint are using.

[harism]

Ok, I could make a PR for this change for evaluation for its need. There is configurable validator already in device registry for device and tenant ids but it seems to be in use only for incoming HTTP requests parameters unless I'm mistaken. It should be somewhat straightforward to bring same validator into use for automated device creation paths also.

[harism]

Sorry for the long delay but now finally I had time to look at this again, and there is one question I'd like to clarify first before starting any actual implementation;

The current deviceId regexp pattern is defined in the property hono.registry.http.deviceIdPattern and now I would need to extend its use and bring a properties object containing it ServiceConfigProperties into use for AMQP or more specifically the EdgeDeviceAutoProvisioner class's use. It depends a bit also on how early the deviceId check is wanted to be made as part of device assertion.

And the question is how would you like to see this property hono.registry.http.deviceIdPattern handled now if its use gets extended above default HTTP device create only?