Add read-write protection tests

Introduced a test that checks for the correct matching behavious for combinations of the read/write access control settings in the governance xml (enable read/write access control in the topic rules) and in the permissions xml (the publish/subscribe grants for a topic). Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
2020-04-29 20:53:14 +02:00 · 2020-04-29 20:53:14 +02:00 · 155f8c059d
commit 155f8c059d
parent 45adb6f0c7
4 changed files with 210 additions and 74 deletions
--- a/src/security/core/tests/access_control.c
+++ b/src/security/core/tests/access_control.c
@ -90,6 +90,7 @@ static void access_control_init(
  CU_ASSERT_FATAL (n_nodes <= MAX_DOMAINS);
  for (size_t i = 0; i < n_nodes; i++)
  {
    print_test_msg ("init domain %"PRIuSIZE"\n", i);
    struct kvp config_vars[] = {
      { "TEST_IDENTITY_CERTIFICATE", id_certs[i], 1 },
      { "TEST_IDENTITY_PRIVATE_KEY", id_keys[i], 1 },
@ -256,10 +257,10 @@ CU_Theory(
  /* localtime will be converted to gmtime in get_permissions_grant */
  dds_time_t now = dds_time ();
-  char * perm_topic = get_permissions_topic (topic_name);
+  char * rules_xml = get_permissions_rules (NULL, topic_name, topic_name, NULL, NULL);
  char * grants[] = {
-    get_permissions_grant ("id1", id1_subj, NULL, now + DDS_SECS(perm1_not_before), now + DDS_SECS(perm1_not_after), perm_topic, perm_topic, NULL),
+    get_permissions_grant ("id1", id1_subj, now + DDS_SECS(perm1_not_before), now + DDS_SECS(perm1_not_after), rules_xml, NULL),
-    get_permissions_grant ("id2", id2_subj, NULL, now + DDS_SECS(perm2_not_before), now + DDS_SECS(perm2_not_after), perm_topic, perm_topic, NULL) };
+    get_permissions_grant ("id2", id2_subj, now + DDS_SECS(perm2_not_before), now + DDS_SECS(perm2_not_after), rules_xml, NULL) };
  char * perm_config = get_permissions_config (grants, 2, true);
  dds_sleepfor (DDS_MSECS (delay_perm));
@ -285,7 +286,7 @@ CU_Theory(
    write_read_for (wr, g_participant[1], rd, DDS_MSECS (write_read_dur), false, exp_read_fail);
  }
-  access_control_fini (2, (void * []) { perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 9);
+  access_control_fini (2, (void * []) { rules_xml, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 9);
 }
@ -300,7 +301,7 @@ CU_Test(ddssec_access_control, permissions_expiry_multiple, .timeout=20)
  dds_time_t t_perm = dds_time ();
  char *ca = generate_ca ("ca1", TEST_IDENTITY_CA1_PRIVATE_KEY, 0, 3600);
-  char *perm_topic = get_permissions_topic (topic_name);
+  char *rules_xml = get_permissions_rules (NULL, topic_name, topic_name, NULL, NULL);
  // 1st node used as reader, other nodes as writer
  print_test_msg ("creating permissions grants\n");
@ -323,7 +324,7 @@ CU_Test(ddssec_access_control, permissions_expiry_multiple, .timeout=20)
    dds_time_t t_exp = ddsrt_time_add_duration (t_perm, v);
    if (i >= N_RD)
      print_test_msg ("w[%d] grant expires at %d.%06d\n", i - N_RD, (int32_t) (t_exp / DDS_NSECS_IN_SEC), (int32_t) (t_exp % DDS_NSECS_IN_SEC) / 1000);
-    grants[i] = get_permissions_grant (id_name, id_subj[i], NULL, t_perm, t_exp, perm_topic, perm_topic, NULL);
+    grants[i] = get_permissions_grant (id_name, id_subj[i], t_perm, t_exp, rules_xml, NULL);
    ddsrt_free (id_name);
  }
@ -427,7 +428,7 @@ CU_Test(ddssec_access_control, permissions_expiry_multiple, .timeout=20)
    ddsrt_free ((char *)id[i]);
  }
  ddsrt_free (ca);
-  ddsrt_free (perm_topic);
+  ddsrt_free (rules_xml);
  ddsrt_free (perm_config_str);
 }
 #undef N_RD
@ -547,12 +548,12 @@ CU_Theory(
  id1 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id1", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id1_subj);
  id2 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id2", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id2_subj);
  /* localtime will be converted to gmtime in get_permissions_grant */
  dds_time_t now = dds_time ();
-  char * perm_topic = get_permissions_topic (topic_name);
+  char * rules1_xml = get_permissions_rules (perm_inv_pp1 ? "99" : NULL, topic_name, topic_name, NULL, NULL);
  char * rules2_xml = get_permissions_rules (perm_inv_pp2 ? "99" : NULL, topic_name, topic_name, NULL, NULL);
  char * grants[] = {
-    get_permissions_grant ("id1", id1_subj, perm_inv_pp1 ? "99" : NULL, now, now + DDS_SECS(3600), perm_topic, perm_topic, NULL),
+    get_permissions_grant ("id1", id1_subj, now, now + DDS_SECS(3600), rules1_xml, NULL),
-    get_permissions_grant ("id2", id2_subj, perm_inv_pp2 ? "99" : NULL, now, now + DDS_SECS(3600), perm_topic, perm_topic, NULL) };
+    get_permissions_grant ("id2", id2_subj, now, now + DDS_SECS(3600), rules2_xml, NULL) };
  char * perm_config = get_permissions_config (grants, 2, true);
  char * gov_topic_rule = get_governance_topic_rule ("*", false, false, true, true, "NONE", "NONE");
@ -573,7 +574,7 @@ CU_Theory(
  if (!exp_pp1_fail && !exp_pp2_fail)
    validate_handshake (DDS_DOMAINID, exp_hs_fail, NULL, NULL, NULL, DDS_SECS(2));
-  access_control_fini (2, (void * []) { gov_config_pp1, gov_config_pp2, gov_topic_rule, perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 12);
+  access_control_fini (2, (void * []) { gov_config_pp1, gov_config_pp2, gov_topic_rule, rules1_xml, rules2_xml, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 13);
 }
 #define na false
@ -618,12 +619,9 @@ static void test_discovery_liveliness_protection(enum test_discovery_liveliness
  id1 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id1", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id1_subj);
  id2 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id2", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id2_subj);
  /* localtime will be converted to gmtime in get_permissions_grant */
  dds_time_t now = dds_time ();
  char * perm_topic = get_permissions_topic (topic_name);
  char * grants[] = {
-    get_permissions_grant ("id1", id1_subj, NULL, now, now + DDS_SECS(3600), perm_topic, perm_topic, NULL),
+    get_permissions_default_grant ("id1", id1_subj, topic_name),
-    get_permissions_grant ("id2", id2_subj, NULL, now, now + DDS_SECS(3600), perm_topic, perm_topic, NULL) };
+    get_permissions_default_grant ("id2", id2_subj, topic_name) };
  char * perm_config = get_permissions_config (grants, 2, true);
  char * gov_topic_rule1 = get_governance_topic_rule (topic_name, dp && enable_protection_pp1, lp && enable_protection_pp1, true, true, "ENCRYPT", "NONE");
@ -667,7 +665,7 @@ static void test_discovery_liveliness_protection(enum test_discovery_liveliness
    ddsrt_free (log);
  }
-  access_control_fini (2, (void * []) { gov_config1, gov_config2, gov_topic_rule1, gov_topic_rule2, perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 13);
+  access_control_fini (2, (void * []) { gov_config1, gov_config2, gov_topic_rule1, gov_topic_rule2, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 12);
 }
 CU_Theory(
@ -702,12 +700,9 @@ static void test_encoding_mismatch(
  id1 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id1", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id1_subj);
  id2 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id2", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id2_subj);
  /* localtime will be converted to gmtime in get_permissions_grant */
  dds_time_t now = dds_time ();
  char * perm_topic = get_permissions_topic (topic_name);
  char * grants[] = {
-    get_permissions_grant ("id1", id1_subj, NULL, now, now + DDS_SECS(3600), perm_topic, perm_topic, NULL),
+    get_permissions_default_grant ("id1", id1_subj, topic_name),
-    get_permissions_grant ("id2", id2_subj, NULL, now, now + DDS_SECS(3600), perm_topic, perm_topic, NULL) };
+    get_permissions_default_grant ("id2", id2_subj, topic_name) };
  char * perm_config = get_permissions_config (grants, 2, true);
  char * gov_topic_rule1 = get_governance_topic_rule (topic_name, true, true, true, true, pk_to_str (metadata_pk1), bpk_to_str (payload_pk1));
@ -739,7 +734,7 @@ static void test_encoding_mismatch(
    sync_writer_to_readers (g_participant[0], wr, exp_rd_wr_fail ? 0 : 1, DDS_SECS(1));
  }
-  access_control_fini (2, (void * []) { gov_config1, gov_config2, gov_topic_rule1, gov_topic_rule2, perm_topic, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 13);
+  access_control_fini (2, (void * []) { gov_config1, gov_config2, gov_topic_rule1, gov_topic_rule2, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 12);
 }
 static DDS_Security_ProtectionKind pk[] = { PK_N, PK_S, PK_E, PK_SOA, PK_EOA };
@ -779,3 +774,83 @@ CU_Test(ddssec_access_control, encoding_mismatch_payload, .timeout=30)
    for (size_t pk2 = pk1 + 1; pk2 < sizeof (bpk) / sizeof (bpk[0]); pk2++)
      test_encoding_mismatch (false, pk1 != pk2, PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, PK_N, bpk[pk1], bpk[pk2]);
 }
 static void test_readwrite_protection (
  bool allow_pub, bool allow_sub, bool deny_pub, bool deny_sub, bool write_ac, bool read_ac,
  bool exp_pub_pp_fail, bool exp_pub_tp_fail, bool exp_wr_fail,
  bool exp_sub_pp_fail, bool exp_sub_tp_fail, bool exp_rd_fail,
  bool exp_sync_fail, const char * default_policy)
 {
  print_test_msg ("running test readwrite_protection: \n");
  print_test_msg ("- allow_pub=%d | allow_sub=%d | deny_pub=%d | deny_sub=%d | write_ac=%d | read_ac=%d | default_policy=%s\n", allow_pub, allow_sub, deny_pub, deny_sub, write_ac, read_ac, default_policy);
  print_test_msg ("- exp_pub_pp_fail=%d | exp_pub_tp_fail=%d | exp_wr_fail=%d | exp_sub_pp_fail=%d | exp_sub_tp_fail=%d | exp_rd_fail=%d | exp_sync_fail=%d\n", exp_pub_pp_fail, exp_pub_tp_fail, exp_wr_fail, exp_sub_pp_fail, exp_sub_tp_fail, exp_rd_fail, exp_sync_fail);
  char topic_name[100];
  create_topic_name ("ddssec_access_control_", g_topic_nr++, topic_name, sizeof (topic_name));
  /* create ca and id1/id2 certs that will not expire during this test */
  char *ca, *id1, *id2, *id1_subj, *id2_subj;
  ca = generate_ca ("ca1", TEST_IDENTITY_CA1_PRIVATE_KEY, 0, 3600);
  id1 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id1", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id1_subj);
  id2 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id2", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id2_subj);
  dds_time_t now = dds_time ();
  char * rules_xml = get_permissions_rules (NULL, allow_pub ? topic_name : NULL, allow_sub ? topic_name : NULL, deny_pub ? topic_name : NULL, deny_sub ? topic_name : NULL);
  char * grants[] = {
    get_permissions_grant ("id1", id1_subj, now, now + DDS_SECS(3600), rules_xml, default_policy),
    get_permissions_grant ("id2", id2_subj, now, now + DDS_SECS(3600), rules_xml, default_policy) };
  char * perm_config = get_permissions_config (grants, 2, true);
  char * gov_topic_rule = get_governance_topic_rule (topic_name, false, false, read_ac, write_ac, pk_to_str (PK_E), bpk_to_str (BPK_E));
  char * gov_config = get_governance_config (false, true, NULL, NULL, NULL, gov_topic_rule, true);
  const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem");
  access_control_init (
      2,
      (const char *[]) { id1, id2 },
      (const char *[]) { TEST_IDENTITY1_PRIVATE_KEY, TEST_IDENTITY1_PRIVATE_KEY },
      (const char *[]) { ca, ca },
      (bool []) { exp_pub_pp_fail, exp_sub_pp_fail }, NULL, NULL,
      (bool []) { true, true }, (const char *[]) { gov_config, gov_config },
      (bool []) { true, true }, (const char *[]) { perm_config, perm_config },
      (bool []) { true, true }, (const char *[]) { def_perm_ca, def_perm_ca });
  if (!exp_pub_pp_fail && !exp_sub_pp_fail)
  {
    dds_entity_t pub, sub, pub_tp, sub_tp, wr, rd;
    validate_handshake_nofail (DDS_DOMAINID, DDS_MSECS(500));
    rd_wr_init_fail (g_participant[0], &pub, &pub_tp, &wr, g_participant[1], &sub, &sub_tp, &rd, topic_name, exp_pub_tp_fail, exp_wr_fail, exp_sub_tp_fail, exp_rd_fail);
    if (!exp_pub_tp_fail && !exp_wr_fail && !exp_sub_tp_fail && !exp_rd_fail)
      sync_writer_to_readers (g_participant[0], wr, exp_sync_fail ? 0 : 1, DDS_SECS(1));
  }
  access_control_fini (2, (void * []) { gov_config, gov_topic_rule, rules_xml, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 11);
 }
 CU_Test(ddssec_access_control, readwrite_protection, .timeout=60)
 {
  for (int allow_pub = 0; allow_pub <= 1; allow_pub++)
    for (int allow_sub = 0; allow_sub <= 1; allow_sub++)
      for (int deny_pub = 0; deny_pub <= 1 && !(allow_pub && deny_pub); deny_pub++)
        for (int deny_sub = 0; deny_sub <= 1 && !(allow_sub && deny_sub); deny_sub++)
          for (int write_ac = 0; write_ac <= 1; write_ac++)
            for (int read_ac = 0; read_ac <= 1; read_ac++)
              for (int default_deny = 0; default_deny <= 1; default_deny++)
              {
                /* creating local writer/reader fails if write_ac/read_ac enabled and no allow-pub/sub or a deny-pub/sub rule exists */
                bool exp_wr_fail = write_ac && !allow_pub && (deny_pub || default_deny);
                bool exp_rd_fail = read_ac && !allow_sub && (deny_sub || default_deny);
                /* if both read_ac and write_ac are enabled, and pub and sub not allowed, topic creation should fail */
                bool exp_tp_fail = write_ac && read_ac && !allow_pub && !allow_sub && (deny_pub || deny_sub || default_deny);
                /* participant creation should fail under same conditions as topic creation (as opposed to the DDS Security spec,
                  table 63, that states that participant creation fails when there is not any topic that has enable_read/write_ac
                  set to false and join_ac is enabled; it seems that the allow_rule condition is missing there) */
                bool exp_pp_fail = write_ac && read_ac && !allow_pub && !allow_sub && default_deny;
                /* join-ac is enabled in this test, so check_remote_pp fails (and therefore the reader/writer sync) in case not any allow rule exists */
                bool exp_sync_fail = !allow_pub && !allow_sub && default_deny;
                test_readwrite_protection (allow_pub, allow_sub, deny_pub, deny_sub, write_ac, read_ac,
                  exp_pp_fail, exp_tp_fail, exp_wr_fail, exp_pp_fail, exp_tp_fail, exp_rd_fail, exp_sync_fail, default_deny ? "DENY" : "ALLOW");
              }
 }
--- a/src/security/core/tests/authentication.c
+++ b/src/security/core/tests/authentication.c
@ -263,10 +263,9 @@ CU_Theory(
  id2 = generate_identity (ca, CA1K, "id2", ID1K, id2_not_before, id2_not_after, &id2_subj);
  dds_sleepfor (DDS_MSECS (delay));
  dds_time_t now = dds_time ();
  char * grants[] = {
-    get_permissions_grant ("id1", id1_subj, NULL, now - DDS_SECS(D(1)), now + DDS_SECS(D(1)), NULL, NULL, NULL),
+    get_permissions_default_grant ("id1", id1_subj, topic_name),
-    get_permissions_grant ("id2", id2_subj, NULL, now - DDS_SECS(D(1)), now + DDS_SECS(D(1)), NULL, NULL, NULL) };
+    get_permissions_default_grant ("id2", id2_subj, topic_name) };
  char * perm_config = get_permissions_config (grants, 2, true);
  authentication_init (id1, ID1K, ca, id2, ID1K, ca, NULL, perm_config, id1_local_fail, id2_local_fail);
  validate_handshake (DDS_DOMAINID1, id1_local_fail, NULL, NULL, NULL, DDS_SECS(2));
--- a/src/security/core/tests/common/security_config_test_utils.c
+++ b/src/security/core/tests/common/security_config_test_utils.c
@ -27,6 +27,7 @@
 #include "dds/ddsrt/string.h"
 #include "dds/ddsrt/io.h"
 #include "common/config_env.h"
 #include "common/test_utils.h"
 #include "security_config_test_utils.h"
 static const char *topic_rule =
@ -63,24 +64,37 @@ static const char *governance_xml =
    "  </domain_access_rules>"
    "</dds>";
-static const char *topic_xml =
+static const char *permissions_xml_pub =
-    "<topic>${TOPIC_NAME}</topic>";
+    "        <publish>"
    "          <topics><topic>${TOPIC_NAME}</topic></topics>"
    "          <partitions><partition>*</partition></partitions>"
    "        </publish>";
 static const char *permissions_xml_sub =
    "        <subscribe>"
    "          <topics><topic>${TOPIC_NAME}</topic></topics>"
    "          <partitions><partition>*</partition></partitions>"
    "        </subscribe>";
 static const char *permissions_xml_allow_rule =
    "      <allow_rule>"
    "        <domains>${DOMAIN_ID:+<id>}${DOMAIN_ID:-<id_range><min>0</min><max>230</max></id_range>}${DOMAIN_ID:+</id>}</domains>"
    "        ${PUBLISH}"
    "        ${SUBSCRIBE}"
    "      </allow_rule>";
 static const char *permissions_xml_deny_rule =
    "      <deny_rule>"
    "        <domains>${DOMAIN_ID:+<id>}${DOMAIN_ID:-<id_range><min>0</min><max>230</max></id_range>}${DOMAIN_ID:+</id>}</domains>"
    "        ${PUBLISH}"
    "        ${SUBSCRIBE}"
    "      </deny_rule>";
 static const char *permissions_xml_grant =
    "    <grant name=\"${GRANT_NAME}\">"
    "      <subject_name>${SUBJECT_NAME}</subject_name>"
    "      <validity><not_before>${NOT_BEFORE:-2015-09-15T01:00:00}</not_before><not_after>${NOT_AFTER:-2115-09-15T01:00:00}</not_after></validity>"
-    "      <allow_rule>"
+    "      ${RULES}"
    "        <domains>${DOMAIN_ID:+<id>}${DOMAIN_ID:-<id_range><min>0</min><max>230</max></id_range>}${DOMAIN_ID:+</id>}</domains>"
    "        <publish>"
    "          <topics>${PUB_TOPICS:-<topic>*</topic>}</topics>"
    "          <partitions><partition>*</partition></partitions>"
    "        </publish>"
    "        <subscribe>"
    "          <topics>${SUB_TOPICS:-<topic>*</topic>}</topics>"
    "          <partitions><partition>*</partition></partitions>"
    "        </subscribe>"
    "      </allow_rule>"
    "      <default>${DEFAULT_POLICY:-DENY}</default>"
    "    </grant>";
@ -130,6 +144,20 @@ int32_t expand_lookup_unmatched (const struct kvp * lookup_table)
  return unmatched;
 }
 static char * get_xml_datetime(dds_time_t t, char * buf, size_t len)
 {
  struct tm tm;
  time_t sec = (time_t)(t / DDS_NSECS_IN_SEC);
 #if _WIN32
  (void)gmtime_s(&tm, &sec);
 #else
  (void)gmtime_r(&sec, &tm);
 #endif /* _WIN32 */
  strftime(buf, len, "%FT%TZ", &tm);
  return buf;
 }
 static char * smime_sign(char * ca_cert_path, char * ca_priv_key_path, const char * data)
 {
  // Read CA certificate
@ -232,7 +260,7 @@ char * get_governance_topic_rule(const char * topic_expr, bool discovery_protect
  return ddsrt_expand_vars (topic_rule, &expand_lookup_vars, vars);
 }
-char * get_governance_config(bool allow_unauth_pp, bool enable_join_ac, const char * discovery_protection_kind, const char * liveliness_protection_kind,
+char * get_governance_config (bool allow_unauth_pp, bool enable_join_ac, const char * discovery_protection_kind, const char * liveliness_protection_kind,
    const char * rtps_protection_kind, const char * topic_rules, bool add_prefix)
 {
  struct kvp vars[] = {
@ -248,57 +276,89 @@ char * get_governance_config(bool allow_unauth_pp, bool enable_join_ac, const ch
  char * config_signed = get_signed_data (config);
  ddsrt_free (config);
-  printf("Governance configuration: ");
+  print_test_msg ("governance configuration: ");
-  print_config_vars(vars);
+  print_config_vars (vars);
  printf("\n");
  return prefix_data (config_signed, add_prefix);
 }
-
+static char * expand_permissions_pubsub (const char * template, const char * topic_name)
 char * get_permissions_topic(const char * name)
 {
  struct kvp vars[] = {
-    { "TOPIC_NAME", name, 1 },
+    { "TOPIC_NAME", topic_name, 1 },
    { NULL, NULL, 0 }
  };
-  return ddsrt_expand_vars (topic_xml, &expand_lookup_vars, vars);
+  return ddsrt_expand_vars (template, &expand_lookup_vars, vars);
 }
-static char * get_xml_datetime(dds_time_t t, char * buf, size_t len)
+static char * expand_permissions_rule (const char * template, const char * domain_id, const char * pub_xml, const char * sub_xml)
 {
-  struct tm tm;
+  struct kvp vars[] = {
-  time_t sec = (time_t)(t / DDS_NSECS_IN_SEC);
+    { "DOMAIN_ID", domain_id, 3 },
-#if _WIN32
+    { "PUBLISH", pub_xml, 1 },
-  (void)gmtime_s(&tm, &sec);
+    { "SUBSCRIBE", sub_xml, 1 },
-#else
+    { NULL, NULL, 0 }
-  (void)gmtime_r(&sec, &tm);
+  };
-#endif /* _WIN32 */
+  return ddsrt_expand_vars (template, &expand_lookup_vars, vars);
  strftime(buf, len, "%FT%TZ", &tm);
  return buf;
 }
-char * get_permissions_grant(const char * name, const char * subject, const char * domain_id,
+char * get_permissions_rules (const char * domain_id, const char * allow_pub_topic, const char * allow_sub_topic, const char * deny_pub_topic, const char * deny_sub_topic)
-    dds_time_t not_before, dds_time_t not_after, const char * pub_topics, const char * sub_topics, const char * default_policy)
+{
  char * allow_pub_xml = NULL, * allow_sub_xml = NULL, * deny_pub_xml = NULL, * deny_sub_xml = NULL;
  char * allow_rule_xml = NULL, * deny_rule_xml = NULL, * rules_xml;
  if (allow_pub_topic != NULL) allow_pub_xml = expand_permissions_pubsub (permissions_xml_pub, allow_pub_topic);
  if (allow_sub_topic != NULL) allow_sub_xml = expand_permissions_pubsub (permissions_xml_sub, allow_sub_topic);
  if (deny_pub_topic != NULL) deny_pub_xml = expand_permissions_pubsub (permissions_xml_pub, deny_pub_topic);
  if (deny_sub_topic != NULL) deny_sub_xml = expand_permissions_pubsub (permissions_xml_sub, deny_sub_topic);
  if (allow_pub_xml != NULL || allow_sub_xml != NULL)
  {
    allow_rule_xml = expand_permissions_rule (permissions_xml_allow_rule, domain_id, allow_pub_xml, allow_sub_xml);
    if (allow_pub_xml != NULL) ddsrt_free (allow_pub_xml);
    if (allow_sub_xml != NULL) ddsrt_free (allow_sub_xml);
  }
  if (deny_pub_xml != NULL || deny_sub_xml != NULL)
  {
    deny_rule_xml = expand_permissions_rule (permissions_xml_deny_rule, domain_id, deny_pub_xml, deny_sub_xml);
    if (deny_pub_xml != NULL) ddsrt_free (deny_pub_xml);
    if (deny_sub_xml != NULL) ddsrt_free (deny_sub_xml);
  }
  ddsrt_asprintf (&rules_xml, "%s%s", allow_rule_xml != NULL ? allow_rule_xml : "", deny_rule_xml != NULL ? deny_rule_xml : "");
  if (allow_rule_xml != NULL) ddsrt_free (allow_rule_xml);
  if (deny_rule_xml != NULL) ddsrt_free (deny_rule_xml);
  return rules_xml;
 }
 char * get_permissions_grant (const char * grant_name, const char * subject_name, dds_time_t not_before, dds_time_t not_after, const char * rules_xml, const char * default_policy)
 {
  char not_before_str[] = "0000-00-00T00:00:00Z";
  char not_after_str[] = "0000-00-00T00:00:00Z";
-  get_xml_datetime(not_before, not_before_str, sizeof(not_before_str));
+  get_xml_datetime (not_before, not_before_str, sizeof(not_before_str));
-  get_xml_datetime(not_after, not_after_str, sizeof(not_after_str));
+  get_xml_datetime (not_after, not_after_str, sizeof(not_after_str));
  struct kvp vars[] = {
-    { "GRANT_NAME", name, 1 },
+    { "GRANT_NAME", grant_name, 1 },
-    { "SUBJECT_NAME", subject, 1 },
+    { "SUBJECT_NAME", subject_name, 1 },
    { "NOT_BEFORE", not_before_str, 1 },
    { "NOT_AFTER", not_after_str, 1 },
-    { "DOMAIN_ID", domain_id, 3 },
+    { "RULES", rules_xml, 1 },
    { "PUB_TOPICS", pub_topics, 1 },
    { "SUB_TOPICS", sub_topics, 1 },
    { "DEFAULT_POLICY", default_policy, 1 },
    { NULL, NULL, 0 }
  };
-  return ddsrt_expand_vars (permissions_xml_grant, &expand_lookup_vars, vars);
+  char * res = ddsrt_expand_vars (permissions_xml_grant, &expand_lookup_vars, vars);
  CU_ASSERT_FATAL (expand_lookup_unmatched (vars) == 0);
  return res;
 }
 char * get_permissions_default_grant (const char * grant_name, const char * subject_name, const char * topic_name)
 {
  dds_time_t now = dds_time ();
  char * rules_xml = get_permissions_rules (NULL, topic_name, topic_name, NULL, NULL);
  char * grant_xml = get_permissions_grant (grant_name, subject_name, now, now + DDS_SECS(3600), rules_xml, "DENY");
  ddsrt_free (rules_xml);
  return grant_xml;
 }
 char * get_permissions_config(char * grants[], size_t ngrants, bool add_prefix)
--- a/src/security/core/tests/common/security_config_test_utils.h
+++ b/src/security/core/tests/common/security_config_test_utils.h
@ -25,14 +25,16 @@ const char * expand_lookup_vars (const char *name, void * data);
 const char * expand_lookup_vars_env (const char *name, void * data);
 int32_t expand_lookup_unmatched (const struct kvp * lookup_table);
-char * get_governance_topic_rule(const char * topic_expr, bool discovery_protection, bool liveliness_protection,
+char * get_governance_topic_rule (const char * topic_expr, bool discovery_protection, bool liveliness_protection,
    bool read_ac, bool write_ac, const char * metadata_protection_kind, const char * data_protection_kind);
-char * get_governance_config(bool allow_unauth_pp, bool enable_join_ac, const char * discovery_protection_kind, const char * liveliness_protection_kind,
+char * get_governance_config (bool allow_unauth_pp, bool enable_join_ac, const char * discovery_protection_kind, const char * liveliness_protection_kind,
    const char * rtps_protection_kind, const char * topic_rules, bool add_prefix);
-char * get_permissions_topic(const char * name);
+char * get_permissions_rules (const char * domain_id, const char * allow_pub_topic, const char * allow_sub_topic,
-char * get_permissions_grant(const char * name, const char * subject, const char * domain_id,
+    const char * deny_pub_topic, const char * deny_sub_topic);
-    dds_time_t not_before, dds_time_t not_after, const char * pub_topics, const char * sub_topics, const char * default_policy);
+char * get_permissions_grant (const char * grant_name, const char * subject_name, dds_time_t not_before, dds_time_t not_after,
-char * get_permissions_config(char * grants[], size_t ngrants, bool add_prefix);
+    const char * rules_xml, const char * default_policy);
 char * get_permissions_default_grant (const char * grant_name, const char * subject_name, const char * topic_name);
 char * get_permissions_config (char * grants[], size_t ngrants, bool add_prefix);
 #endif /* SECURITY_CORE_TEST_SECURITY_CONFIG_TEST_UTILS_H_ */