Add access control test for testing that communication for an allowed topic keeps working when a writer for a denied topic is created

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
This commit is contained in:
Dennis Potman 2020-05-12 21:16:30 +02:00 committed by eboasson
parent edcbe1b22e
commit 24594f68fb
3 changed files with 69 additions and 6 deletions


@ -857,3 +857,60 @@ CU_Test(ddssec_access_control, check_returns)
access_control_fini (2, (void * []) { gov_config, gov_topic_rule, grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 10);
}
CU_Test(ddssec_access_control, denied_topic)
{
char topic_name[100], denied_topic_name[100];
create_topic_name ("ddssec_access_control_", g_topic_nr++, topic_name, sizeof (topic_name));
create_topic_name ("ddssec_access_control_", g_topic_nr++, denied_topic_name, sizeof (denied_topic_name));
char *ca, *id1, *id2, *id1_subj, *id2_subj;
ca = generate_ca ("ca1", TEST_IDENTITY_CA1_PRIVATE_KEY, 0, 3600);
id1 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id1", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id1_subj);
id2 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id2", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id2_subj);
dds_time_t now = dds_time ();
char * sub_rules_xml = get_permissions_rules (NULL, NULL, NULL, denied_topic_name, denied_topic_name);
char * grants_pub[] = { get_permissions_grant ("id1", id1_subj, now, now + DDS_SECS(3600), NULL, "ALLOW") };
char * grants_sub[] = { get_permissions_grant ("id2", id2_subj, now, now + DDS_SECS(3600), sub_rules_xml, "ALLOW") };
char * perm_config_pub = get_permissions_config (grants_pub, 1, true);
char * perm_config_sub = get_permissions_config (grants_sub, 1, true);
char * gov_topic_rule = get_governance_topic_rule (NULL, true, true, true, true, PK_E, BPK_E);
char * gov_config = get_governance_config (false, true, PK_E, PK_E, PK_E, gov_topic_rule, true);
const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem");
access_control_init (
2,
(const char *[]) { id1, id2 },
(const char *[]) { TEST_IDENTITY1_PRIVATE_KEY, TEST_IDENTITY1_PRIVATE_KEY },
(const char *[]) { ca, ca },
(bool []) { false, false },
NULL, NULL,
(bool []) { true, true }, (const char *[]) { gov_config, gov_config },
(bool []) { true, true }, (const char *[]) { perm_config_pub, perm_config_sub },
(bool []) { true, true }, (const char *[]) { def_perm_ca, def_perm_ca });
dds_entity_t pub, sub, pub_tp, sub_tp, wr, rd;
rd_wr_init (g_participant[0], &pub, &pub_tp, &wr, g_participant[1], &sub, &sub_tp, &rd, topic_name);
sync_writer_to_readers (g_participant[0], wr, 1, DDS_SECS (1));
sync_reader_to_writers (g_participant[1], rd, 1, DDS_SECS (1));
/* Create a topic that is denied in the subscriber pp security config */
dds_entity_t denied_pub_tp = dds_create_topic (g_participant[0], &SecurityCoreTests_Type1_desc, denied_topic_name, NULL, NULL);
CU_ASSERT_FATAL (denied_pub_tp > 0);
dds_qos_t * qos = get_default_test_qos ();
dds_entity_t denied_tp_wr = dds_create_writer (pub, denied_pub_tp, qos, NULL);
CU_ASSERT_FATAL (denied_tp_wr > 0);
/* Check that creating denied topic for subscriber fails */
dds_entity_t denied_sub_tp = dds_create_topic (g_participant[1], &SecurityCoreTests_Type1_desc, denied_topic_name, NULL, NULL);
CU_ASSERT_FATAL (denied_sub_tp == DDS_RETCODE_NOT_ALLOWED_BY_SECURITY);
/* Check if communication for allowed topic is still working */
write_read_for (wr, g_participant[1], rd, DDS_MSECS (10), false, false);
dds_delete_qos (qos);
access_control_fini (2, (void * []) { gov_config, gov_topic_rule, sub_rules_xml, grants_pub[0], grants_sub[0], perm_config_pub, perm_config_sub, ca, id1_subj, id2_subj, id1, id2 }, 12);
}
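Review bot: The only negative assertion in `denied_topic` is the subscriber's local refusal, `CU_ASSERT_FATAL (denied_sub_tp == DDS_RETCODE_NOT_ALLOWED_BY_SECURITY)`; nothing checks that the writer created on the denied topic (`denied_tp_wr`) stays unmatched, which is the remote-endpoint half of the access-control property the test title describes. After `write_read_for` I would add `CU_ASSERT_FATAL (dds_get_matched_subscriptions (denied_tp_wr, NULL, 0) == 0);` since participant 1 cannot hold a reader for that topic, so any match would indicate a bypass; if discovery timing makes this racy, wait briefly before the check. Both identities are signed with the same `TEST_IDENTITY1_PRIVATE_KEY` (in `generate_identity` for "id2" and again in the `access_control_init` key array), presumably mirroring the other tests in this file, and a one-line comment saying so would stop a reader from taking it for a copy-paste slip. The `access_control_fini` call and closing brace at the top of the hunk belong to `check_returns`, whose body starts outside this view.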


@ -398,6 +398,16 @@ bool reader_wait_for_data (dds_entity_t pp, dds_entity_t rd, dds_duration_t dur)
return ret > 0;
}
dds_qos_t * get_default_test_qos (void)
{
dds_qos_t * qos = dds_create_qos ();
CU_ASSERT_FATAL (qos != NULL);
dds_qset_history (qos, DDS_HISTORY_KEEP_ALL, -1);
dds_qset_durability (qos, DDS_DURABILITY_TRANSIENT_LOCAL);
dds_qset_reliability (qos, DDS_RELIABILITY_RELIABLE, DDS_INFINITY);
return qos;
}
void rd_wr_init_fail(
dds_entity_t pp_wr, dds_entity_t *pub, dds_entity_t *pub_tp, dds_entity_t *wr,
dds_entity_t pp_rd, dds_entity_t *sub, dds_entity_t *sub_tp, dds_entity_t *rd,
@ -405,12 +415,7 @@ void rd_wr_init_fail(
bool exp_pubtp_fail, bool exp_wr_fail,
bool exp_subtp_fail, bool exp_rd_fail)
{
dds_qos_t * qos = dds_create_qos ();
CU_ASSERT_FATAL (qos != NULL);
dds_qset_history (qos, DDS_HISTORY_KEEP_ALL, -1);
dds_qset_durability (qos, DDS_DURABILITY_TRANSIENT_LOCAL);
dds_qset_reliability (qos, DDS_RELIABILITY_RELIABLE, DDS_INFINITY);
dds_qos_t * qos = get_default_test_qos ();
*pub = dds_create_publisher (pp_wr, NULL, NULL);
CU_ASSERT_FATAL (*pub > 0);
*sub = dds_create_subscriber (pp_rd, NULL, NULL);
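Review bot: `get_default_test_qos` returns a freshly allocated QoS but the definition says nothing about who releases it; the new test in this commit calls `dds_delete_qos (qos)` itself, so the ownership contract should be written down, e.g. `/* Allocates the QoS shared by the test readers/writers (keep-all history, transient-local durability, reliable with infinite max_blocking_time); the caller owns it and must release it with dds_delete_qos(). */`. It is also worth stating in that comment that the `CU_ASSERT_FATAL (qos != NULL)` inside this non-test helper aborts the calling test on allocation failure rather than returning NULL, so callers need not re-check the result. The second hunk shows only the start of `rd_wr_init_fail`; whether the QoS it now takes from the helper is released later is outside this view.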


@ -71,6 +71,7 @@ char *create_topic_name (const char *prefix, uint32_t nr, char *name, size_t siz
void sync_writer_to_readers (dds_entity_t pp_wr, dds_entity_t wr, uint32_t exp_count, dds_duration_t timeout);
void sync_reader_to_writers (dds_entity_t pp_rd, dds_entity_t rd, uint32_t exp_count, dds_duration_t timeout);
bool reader_wait_for_data (dds_entity_t pp, dds_entity_t rd, dds_duration_t dur);
dds_qos_t * get_default_test_qos (void);
void rd_wr_init (
dds_entity_t pp_wr, dds_entity_t *pub, dds_entity_t *pub_tp, dds_entity_t *wr,
dds_entity_t pp_rd, dds_entity_t *sub, dds_entity_t *sub_tp, dds_entity_t *rd,