DDS Security built-in Access Control plugin

This commit adds the build-in Access Control plugin that is part of the
DDS Security implementation for Cyclone.

The Access Control Plugin API defines the types and operations necessary
to support an access control mechanism for DDS Domain Participants.

Similar to other builtin plugins, the DDS Security access control plugin
is built as a shared library to allow dynamic library loading on runtime.
This enables DDS participants to use specific plugin implementations with
different configurations.

This commit includes some basic tests for the access control functions.
This initial version of the plugin does not support permissions expiry
(not-valid-after date in permissions configuration).

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>

Process review comments for access control plugin

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>

Part 2 of processing review changes for access control

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>

Add test for topicname dcps, add comment for xml date parser

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>

Fixed a bug in the leap year count for the year 2200, changed the rounding of the sub-ns fraction, and added an additional overflow test in DDS_Security_parse_xml_date

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Dennis Potman 2019-11-21 12:01:34 +01:00 committed by eboasson
parent 68f789d77b
commit 3b4facbd45
101 changed files with 19154 additions and 52 deletions


@ -35,6 +35,8 @@ DDS_EXPORT void dds_topic_set_filter_with_ctx
DDS_EXPORT dds_topic_intern_filter_fn dds_topic_get_filter_with_ctx
(dds_entity_t topic);
DDS_EXPORT dds_entity_t dds_create_topic_impl (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist);
#if defined (__cplusplus)
}
#endif


@ -76,7 +76,7 @@ dds_entity_t dds__get_builtin_topic (dds_entity_t entity, dds_entity_t topic)
}
dds_qos_t *qos = dds__create_builtin_qos ();
tp = dds_create_topic_arbitrary (par->m_entity.m_hdllink.hdl, sertopic, qos, NULL, NULL);
tp = dds_create_topic_impl (par->m_entity.m_hdllink.hdl, sertopic, qos, NULL, NULL);
dds_delete_qos (qos);
dds_entity_unpin (e);
return tp;


@ -280,7 +280,7 @@ const struct dds_entity_deriver dds_entity_deriver_topic = {
.validate_status = dds_topic_status_validate
};
dds_entity_t dds_create_topic_arbitrary (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist)
dds_entity_t dds_create_topic_impl (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist)
{
dds_return_t rc;
dds_participant *par;
@ -465,6 +465,15 @@ err_invalid_qos:
return rc;
}
dds_entity_t dds_create_topic_arbitrary (dds_entity_t participant, struct ddsi_sertopic *sertopic, const dds_qos_t *qos, const dds_listener_t *listener, const nn_plist_t *sedp_plist)
{
assert(sertopic);
assert(sertopic->name);
if (!strncmp(sertopic->name, "DCPS", 4))
return DDS_RETCODE_BAD_PARAMETER;
return dds_create_topic_impl (participant, sertopic, qos, listener, sedp_plist);
}
dds_entity_t dds_create_topic (dds_entity_t participant, const dds_topic_descriptor_t *desc, const char *name, const dds_qos_t *qos, const dds_listener_t *listener)
{
struct ddsi_sertopic_default *st;
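Review bot: In the new dds_create_topic_arbitrary, the two `assert` calls are the only guard before `strncmp(sertopic->name, "DCPS", 4)`, and they compile out under NDEBUG, so a release build dereferences a NULL sertopic or name instead of rejecting it. The function already returns DDS_RETCODE_BAD_PARAMETER for the reserved prefix, so the same return fits: `if (sertopic == NULL || sertopic->name == NULL) return DDS_RETCODE_BAD_PARAMETER;`. The prefix test is enforced only in this wrapper, while dds_create_topic_impl carries no check and is declared with DDS_EXPORT in the header section above. If that header is reachable by applications, the restriction can be bypassed by calling the impl directly. A comment such as `/* "DCPS" is reserved for built-in topics; internal callers use dds_create_topic_impl */` would record the intended split.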


@ -177,7 +177,7 @@ CU_Test(ddsc_topic_create, desc_null, .init=ddsc_topic_init, .fini=ddsc_topic_fi
CU_TheoryDataPoints(ddsc_topic_create, invalid_names) = {
CU_DataPoints(char *, NULL, "", "mi-dle", "-start", "end-", "1st", "Thus$", "pl+s", "t(4)"),
CU_DataPoints(char *, NULL, "", "mi-dle", "-start", "end-", "1st", "Thus$", "pl+s", "t(4)", "DCPSmytopic"),
};
CU_Theory((char *name), ddsc_topic_create, invalid_names, .init=ddsc_topic_init, .fini=ddsc_topic_fini)
{


@ -97,16 +97,14 @@ extern "C" {
#define DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE 146
#define DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE "Subject name is invalid"
#define DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE 147
#define DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE "Permissions validity period expired for %s"
#define DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE "Permissions validity period expired for %s (expired: %s)"
#define DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_CODE 148
#define DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE "Permissions validity period has not started yet for %s"
#define DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE "Permissions validity period has not started yet for %s (start: %s)"
#define DDS_SECURITY_ERR_CAN_NOT_FIND_PERMISSIONS_GRANT_CODE 149
#define DDS_SECURITY_ERR_CAN_NOT_FIND_PERMISSIONS_GRANT_MESSAGE "Could not find valid grant in permissions"
#define DDS_SECURITY_ERR_PERMISSIONS_OUT_OF_VALIDITY_DATE_CODE 150
#define DDS_SECURITY_ERR_PERMISSIONS_OUT_OF_VALIDITY_DATE_MESSAGE "Permissions of subject (%s) outside validity date: %s - %s"
#define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE 151
#define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_CODE 150
#define DDS_SECURITY_ERR_URI_TYPE_NOT_SUPPORTED_MESSAGE "Unsupported URI type: %s"
#define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_CODE 152
#define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_CODE 151
#define DDS_SECURITY_ERR_INVALID_CRYPTO_DATA_NOT_ALIGNED_MESSAGE "The payload is not aligned at 4 bytes"
#define DDS_SECURITY_ERR_UNDEFINED_CODE 200
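Review bot: DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_MESSAGE and DDS_SECURITY_ERR_VALIDITY_PERIOD_NOT_STARTED_MESSAGE now contain a second `%s`, so every call that formats them must pass two string arguments; a call site still passing one reads a vararg that is not there. The callers are not in this section, so each use needs to be checked against the new format. Renumbering URI_TYPE_NOT_SUPPORTED to 150 and INVALID_CRYPTO_DATA_NOT_ALIGNED to 151 also reuses values that meant something else before this change, which misleads anything that records or matches the numeric codes. Leaving 150 as a retired gap, or adding a comment like `/* 150 and 151 were reassigned when PERMISSIONS_OUT_OF_VALIDITY_DATE was removed */`, would keep older logs interpretable.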


@ -11,6 +11,7 @@
#
cmake_minimum_required(VERSION 3.7)
add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/access_control")
add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/authentication")
add_subdirectory("${CMAKE_CURRENT_LIST_DIR}/cryptographic")


@ -0,0 +1,55 @@
#
# Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
#
# This program and the accompanying materials are made available under the
# terms of the Eclipse Public License v. 2.0 which is available at
# http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
# v. 1.0 which is available at
# http://www.eclipse.org/org/documents/edl-v10.php.
#
# SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
#
include (GenerateExportHeader)
find_package(OpenSSL)
PREPEND(srcs_accesscontrol "${CMAKE_CURRENT_LIST_DIR}/src"
access_control_objects.c
access_control_parser.c
access_control_utils.c
access_control.c
)
add_library(dds_security_ac SHARED "")
generate_export_header(
dds_security_ac
BASE_NAME SECURITY
EXPORT_FILE_NAME "${CMAKE_CURRENT_BINARY_DIR}/include/dds/security/export.h"
)
add_definitions(-DDDSI_INCLUDE_SSL)
target_link_libraries(dds_security_ac PUBLIC ddsc)
target_link_libraries(dds_security_ac PUBLIC OpenSSL::SSL)
target_sources(dds_security_ac
PRIVATE
${srcs_accesscontrol}
)
target_include_directories(dds_security_ac
PUBLIC
"$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_api,INTERFACE_INCLUDE_DIRECTORIES>>"
"$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_core,INTERFACE_INCLUDE_DIRECTORIES>>"
"$<BUILD_INTERFACE:$<TARGET_PROPERTY:ddsrt,INTERFACE_INCLUDE_DIRECTORIES>>"
"$<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}/include>"
)
install(
TARGETS
EXPORT "${PROJECT_NAME}"
RUNTIME DESTINATION "${CMAKE_INSTALL_BINDIR}" COMPONENT lib
LIBRARY DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
ARCHIVE DESTINATION "${CMAKE_INSTALL_LIBDIR}" COMPONENT lib
)
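Review bot: The `install(TARGETS EXPORT "${PROJECT_NAME}" ...)` call names no target as shown here, so dds_security_ac is never installed or exported; it presumably should read `install(TARGETS dds_security_ac EXPORT "${PROJECT_NAME}" ...)`. `find_package(OpenSSL)` is also not marked REQUIRED although the target links `OpenSSL::SSL` unconditionally, so a missing OpenSSL surfaces later as an unknown-target error; `find_package(OpenSSL REQUIRED)` fails at the right place. `add_definitions(-DDDSI_INCLUDE_SSL)` applies to the whole directory scope, and `target_compile_definitions(dds_security_ac PRIVATE DDSI_INCLUDE_SSL)` would confine it to the plugin.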

File diff suppressed because it is too large Load diff


@ -0,0 +1,21 @@
/*
* Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
* v. 1.0 which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
*/
#ifndef ACCESS_CONTROL_H
#define ACCESS_CONTROL_H
#include "dds/security/dds_security_api.h"
#include "dds/security/export.h"
SECURITY_EXPORT int init_access_control(const char *argument, void **context);
SECURITY_EXPORT int finalize_access_control(void *context);
#endif /* ACCESS_CONTROL_H */
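Review bot: The two exported entry points, init_access_control and finalize_access_control, carry no documentation, although the commit message describes the plugin as a shared library that is loaded dynamically at runtime. A header comment on each should state what `argument` carries, that `*context` receives the plugin instance later passed to finalize_access_control, who owns that instance, and which `int` return value means success. The implementation is not in this section, so the exact wording has to be confirmed against it.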


@ -0,0 +1,283 @@
/*
* Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
* v. 1.0 which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
*/
#include <assert.h>
#include <string.h>
#include "dds/ddsrt/atomics.h"
#include "dds/ddsrt/heap.h"
#include "dds/ddsrt/hopscotch.h"
#include "dds/ddsrt/string.h"
#include "dds/ddsrt/sync.h"
#include "dds/ddsrt/types.h"
#include "access_control_objects.h"
#include "access_control_utils.h"
#include "access_control_parser.h"
struct AccessControlTable
{
struct ddsrt_hh *htab;
ddsrt_mutex_t lock;
};
bool access_control_object_valid(const AccessControlObject *obj, const AccessControlObjectKind_t kind)
{
if (!obj)
return false;
if (obj->kind != kind)
return false;
if (obj->handle != (int64_t)(uintptr_t)obj)
return false;
return true;
}
static uint32_t access_control_object_hash(const void *obj)
{
const AccessControlObject *object = obj;
const uint64_t c = 0xE21B371BEB9E6C05;
const uint32_t x = (uint32_t)object->handle;
return (unsigned)((x * c) >> 32);
}
static int access_control_object_equal(const void *ha, const void *hb)
{
const AccessControlObject *la = ha;
const AccessControlObject *lb = hb;
return la->handle == lb->handle;
}
void access_control_object_init(AccessControlObject *obj, AccessControlObjectKind_t kind, AccessControlObjectDestructor destructor)
{
assert(obj);
obj->kind = kind;
obj->handle = (int64_t)(uintptr_t)obj;
obj->destructor = destructor;
ddsrt_atomic_st32(&obj->refcount, 1);
}
static void access_control_object_deinit(AccessControlObject *obj)
{
assert(obj);
obj->handle = DDS_SECURITY_HANDLE_NIL;
obj->kind = ACCESS_CONTROL_OBJECT_KIND_UNKNOWN;
obj->destructor = NULL;
}
void access_control_object_free(AccessControlObject *obj)
{
if (obj && obj->destructor)
obj->destructor(obj);
}
AccessControlObject *access_control_object_keep(AccessControlObject *obj)
{
if (obj)
ddsrt_atomic_inc32(&obj->refcount);
return obj;
}
void access_control_object_release(AccessControlObject *obj)
{
if (obj)
{
if (ddsrt_atomic_dec32_nv(&obj->refcount) == 0)
access_control_object_free(obj);
}
}
struct AccessControlTable *access_control_table_new(void)
{
struct AccessControlTable *table;
table = ddsrt_malloc(sizeof(*table));
table->htab = ddsrt_hh_new(32, access_control_object_hash, access_control_object_equal);
ddsrt_mutex_init(&table->lock);
return table;
}
void access_control_table_free(struct AccessControlTable *table)
{
struct ddsrt_hh_iter it;
AccessControlObject *obj;
if (!table)
return;
for (obj = ddsrt_hh_iter_first(table->htab, &it); obj; obj = ddsrt_hh_iter_next(&it))
{
(void)ddsrt_hh_remove(table->htab, obj);
access_control_object_release(obj);
}
ddsrt_hh_free(table->htab);
ddsrt_mutex_destroy(&table->lock);
ddsrt_free(table);
}
AccessControlObject *access_control_table_insert(struct AccessControlTable *table, AccessControlObject *object)
{
AccessControlObject template;
AccessControlObject *cur;
assert(table);
assert(object);
template.handle = object->handle;
ddsrt_mutex_lock(&table->lock);
if (!(cur = access_control_object_keep(ddsrt_hh_lookup(table->htab, &template))))
{
cur = access_control_object_keep(object);
(void)ddsrt_hh_add(table->htab, cur);
}
ddsrt_mutex_unlock(&table->lock);
return cur;
}
void access_control_table_remove_object(struct AccessControlTable *table, AccessControlObject *object)
{
assert(table);
assert(object);
ddsrt_mutex_lock(&table->lock);
(void)ddsrt_hh_remove(table->htab, object);
ddsrt_mutex_unlock(&table->lock);
access_control_object_release(object);
}
AccessControlObject *access_control_table_remove(struct AccessControlTable *table, int64_t handle)
{
AccessControlObject template;
AccessControlObject *object;
assert(table);
template.handle = handle;
ddsrt_mutex_lock(&table->lock);
if ((object = access_control_object_keep(ddsrt_hh_lookup(table->htab, &template))))
{
(void)ddsrt_hh_remove(table->htab, object);
access_control_object_release(object);
}
ddsrt_mutex_unlock(&table->lock);
return object;
}
AccessControlObject *access_control_table_find(struct AccessControlTable *table, int64_t handle)
{
AccessControlObject template;
AccessControlObject *object;
assert(table);
template.handle = handle;
ddsrt_mutex_lock(&table->lock);
object = access_control_object_keep(ddsrt_hh_lookup(table->htab, &template));
ddsrt_mutex_unlock(&table->lock);
return object;
}
void access_control_table_walk(struct AccessControlTable *table, AccessControlTableCallback callback, void *arg)
{
struct ddsrt_hh_iter it;
AccessControlObject *obj;
int r = 1;
assert(table);
assert(callback);
ddsrt_mutex_lock(&table->lock);
for (obj = ddsrt_hh_iter_first(table->htab, &it); r && obj; obj = ddsrt_hh_iter_next(&it))
r = callback(obj, arg);
ddsrt_mutex_unlock(&table->lock);
}
static void local_participant_access_rights_free(AccessControlObject *obj)
{
local_participant_access_rights *rights = (local_participant_access_rights *)obj;
if (rights)
{
ddsrt_free(rights->permissions_document);
if (rights->permissions_ca)
X509_free(rights->permissions_ca);
access_control_object_deinit((AccessControlObject *)rights);
if (rights->governance_tree)
ac_return_governance_tree(rights->governance_tree);
if (rights->permissions_tree)
ac_return_permissions_tree(rights->permissions_tree);
ddsrt_free(rights->identity_subject_name);
ddsrt_free(rights);
}
}
local_participant_access_rights *ac_local_participant_access_rights_new(
DDS_Security_IdentityHandle local_identity,
int domain_id,
char *permissions_document,
X509 *permissions_ca,
const char *identity_subject_name,
struct governance_parser *governance_tree,
struct permissions_parser *permissions_tree)
{
local_participant_access_rights *rights = ddsrt_malloc(sizeof(local_participant_access_rights));
memset(rights, 0, sizeof(local_participant_access_rights));
access_control_object_init((AccessControlObject *)rights, ACCESS_CONTROL_OBJECT_KIND_LOCAL_PARTICIPANT, local_participant_access_rights_free);
rights->local_identity = local_identity;
rights->domain_id = domain_id;
rights->permissions_document = permissions_document;
rights->permissions_ca = permissions_ca;
rights->identity_subject_name = ddsrt_strdup(identity_subject_name);
rights->governance_tree = governance_tree;
rights->permissions_tree = permissions_tree;
return rights;
}
static void remote_participant_access_rights_free(AccessControlObject *obj)
{
remote_participant_access_rights *rights = (remote_participant_access_rights *)obj;
if (rights)
{
if (rights->permissions)
{
assert(rights->permissions->ref_cnt > 0);
rights->permissions->ref_cnt--;
if (rights->permissions->ref_cnt == 0)
{
ac_return_permissions_tree(rights->permissions->permissions_tree);
ddsrt_free(rights->permissions->remote_permissions_token_class_id);
ddsrt_free(rights->permissions);
}
}
ddsrt_free(rights->identity_subject_name);
ACCESS_CONTROL_OBJECT_RELEASE(rights->local_rights);
access_control_object_deinit((AccessControlObject *)rights);
ddsrt_free(rights);
}
}
remote_participant_access_rights *
ac_remote_participant_access_rights_new(
DDS_Security_IdentityHandle remote_identity,
const local_participant_access_rights *local_rights,
remote_permissions *permissions,
dds_time_t permission_expiry,
const DDS_Security_PermissionsToken *remote_permissions_token,
const char *identity_subject)
{
remote_participant_access_rights *rights = ddsrt_malloc(sizeof(remote_participant_access_rights));
memset(rights, 0, sizeof(remote_participant_access_rights));
access_control_object_init((AccessControlObject *)rights, ACCESS_CONTROL_OBJECT_KIND_REMOTE_PARTICIPANT, remote_participant_access_rights_free);
rights->remote_identity = remote_identity;
rights->permissions = permissions;
rights->permissions_expiry = permission_expiry;
rights->local_rights = (local_participant_access_rights *)ACCESS_CONTROL_OBJECT_KEEP(local_rights);
if (rights->permissions)
{
rights->permissions->remote_permissions_token_class_id = ddsrt_strdup(remote_permissions_token->class_id);
rights->permissions->ref_cnt++;
rights->identity_subject_name = ddsrt_strdup(identity_subject);
}
else
{
assert(identity_subject == NULL);
rights->identity_subject_name = NULL;
}
return rights;
}
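Review bot: In ac_remote_participant_access_rights_new, `rights->permissions->remote_permissions_token_class_id = ddsrt_strdup(remote_permissions_token->class_id);` runs each time a rights object is attached to a `remote_permissions`, so when that struct is already shared (its `ref_cnt` is incremented on the next line) the previous string is overwritten and leaked. Releasing the old value first, `ddsrt_free(rights->permissions->remote_permissions_token_class_id);`, fixes that, assuming the struct is zero-initialised where it is allocated, which is outside this section. The same branch dereferences `remote_permissions_token` without a NULL check. `ref_cnt` is a plain `int` changed without a lock here and in remote_participant_access_rights_free, while the object `refcount` beside it is atomic; if remote rights can be released from more than one thread this risks a double free, so it should be atomic or documented as protected by a caller's lock. Separately, access_control_object_init uses the object's address as its handle, so a later allocation at the same address yields the same handle value; a comment on access_control_object_valid stating who guarantees handle lifetime would help reviewers of the callers.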


@ -0,0 +1,106 @@
/*
* Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
* v. 1.0 which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
*/
#ifndef ACCESS_CONTROL_OBJECTS_H
#define ACCESS_CONTROL_OBJECTS_H
#include <openssl/x509.h>
#include "dds/ddsrt/atomics.h"
#include "dds/ddsrt/types.h"
#include "dds/security/dds_security_api.h"
#define ACCESS_CONTROL_OBJECT(o) ((AccessControlObject *)(o))
#define ACCESS_CONTROL_OBJECT_HANDLE(o) ((o) ? ACCESS_CONTROL_OBJECT(o)->handle : DDS_SECURITY_HANDLE_NIL)
#define ACCESS_CONTROL_OBJECT_KEEP(o) access_control_object_keep((AccessControlObject *)(o))
#define ACCESS_CONTROL_OBJECT_RELEASE(o) access_control_object_release((AccessControlObject *)(o))
#define ACCESS_CONTROL_OBJECT_VALID(o,k) access_control_object_valid((AccessControlObject *)(o), k)
typedef enum {
ACCESS_CONTROL_OBJECT_KIND_UNKNOWN,
ACCESS_CONTROL_OBJECT_KIND_LOCAL_PARTICIPANT,
ACCESS_CONTROL_OBJECT_KIND_REMOTE_PARTICIPANT,
} AccessControlObjectKind_t;
typedef struct AccessControlObject AccessControlObject;
typedef void (*AccessControlObjectDestructor)(AccessControlObject *obj);
struct AccessControlObject {
int64_t handle;
ddsrt_atomic_uint32_t refcount;
AccessControlObjectKind_t kind;
AccessControlObjectDestructor destructor;
};
typedef struct local_participant_access_rights {
AccessControlObject _parent;
DDS_Security_ParticipantSecurityAttributes participant_attributes;
DDS_Security_IdentityHandle local_identity;
struct governance_parser *governance_tree;
struct permissions_parser *permissions_tree;
int domain_id;
char *identity_subject_name;
char *permissions_document;
X509 *permissions_ca;
dds_time_t permissions_expiry;
} local_participant_access_rights;
typedef struct remote_permissions {
int ref_cnt;
struct permissions_parser *permissions_tree;
DDS_Security_string remote_permissions_token_class_id;
} remote_permissions;
typedef struct remote_participant_access_rights {
AccessControlObject _parent;
DDS_Security_IdentityHandle remote_identity;
local_participant_access_rights *local_rights;
remote_permissions *permissions;
char *identity_subject_name;
dds_time_t permissions_expiry;
} remote_participant_access_rights;
void access_control_object_init(AccessControlObject *obj, AccessControlObjectKind_t kind, AccessControlObjectDestructor destructor);
AccessControlObject *access_control_object_keep(AccessControlObject *obj);
void access_control_object_release(AccessControlObject *obj);
bool access_control_object_valid(const AccessControlObject *obj, AccessControlObjectKind_t kind);
void access_control_object_free(AccessControlObject *obj);
struct AccessControlTable;
typedef int (*AccessControlTableCallback)(AccessControlObject *obj, void *arg);
struct AccessControlTable *access_control_table_new(void);
void access_control_table_free(struct AccessControlTable *table);
AccessControlObject *access_control_table_insert(struct AccessControlTable *table, AccessControlObject *object);
void access_control_table_remove_object(struct AccessControlTable *table, AccessControlObject *object);
AccessControlObject *access_control_table_remove(struct AccessControlTable *table, int64_t handle);
AccessControlObject *access_control_table_find(struct AccessControlTable *table, int64_t handle);
void access_control_table_walk(struct AccessControlTable *table, AccessControlTableCallback callback, void *arg);
local_participant_access_rights *ac_local_participant_access_rights_new(
DDS_Security_IdentityHandle local_identity,
int domain_id,
char *permissions_document,
X509 *permissions_ca,
const char* identity_subject_name,
struct governance_parser *governance_tree,
struct permissions_parser *permissions_tree);
remote_participant_access_rights *ac_remote_participant_access_rights_new(
DDS_Security_IdentityHandle remote_identity,
const local_participant_access_rights *local_rights,
remote_permissions *permissions,
dds_time_t permission_expiry,
const DDS_Security_PermissionsToken *remote_permissions_token,
const char *identity_subject);
#endif /* ACCESS_CONTROL_OBJECTS_H */
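Review bot: The ACCESS_CONTROL_OBJECT* macros cast any pointer to `AccessControlObject *`, which is only valid for the two rights structs while `_parent` stays their first member, and nothing in the header says so. A comment on each `_parent` field, e.g. `/* must remain the first member: objects are cast to AccessControlObject */`, would protect against a later reorder. ACCESS_CONTROL_OBJECT_KEEP and ACCESS_CONTROL_OBJECT_RELEASE also cast away const, so the `const local_participant_access_rights *local_rights` parameter of ac_remote_participant_access_rights_new can have its refcount modified through a pointer the prototype promises not to write. Either drop the `const` from that parameter or document on the macros that they mutate the object.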

File diff suppressed because it is too large Load diff


@ -0,0 +1,301 @@
/*
* Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
* v. 1.0 which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
*/
#ifndef ACCESS_CONTROL_PARSER_H
#define ACCESS_CONTROL_PARSER_H
#include "dds/ddsrt/types.h"
#include "dds/security/dds_security_api.h"
typedef enum
{
ELEMENT_KIND_UNDEFINED,
ELEMENT_KIND_DDS,
ELEMENT_KIND_DOMAIN_ACCESS_RULES,
ELEMENT_KIND_DOMAIN_RULE,
ELEMENT_KIND_DOMAINS,
ELEMENT_KIND_DOMAIN_ID_SET,
ELEMENT_KIND_RANGE,
ELEMENT_KIND_ALLOW_UNAUTHENTICATED_PARTICIPANTS,
ELEMENT_KIND_ENABLE_JOIN_ACCESS_CONTROL,
ELEMENT_KIND_RTPS_PROTECTION,
ELEMENT_KIND_DISCOVERY_PROTECTION,
ELEMENT_KIND_LIVELINESS_PROTECTION,
ELEMENT_KIND_TOPIC_ACCESS_RULES,
ELEMENT_KIND_TOPIC_RULE,
ELEMENT_KIND_STRING_VALUE,
ELEMENT_KIND_BOOLEAN_VALUE,
ELEMENT_KIND_DOMAIN_VALUE,
ELEMENT_KIND_PROTECTION_KIND_VALUE,
ELEMENT_KIND_BASICPROTECTION_KIND_VALUE,
ELEMENT_KIND_PERMISSIONS,
ELEMENT_KIND_GRANT,
ELEMENT_KIND_ALLOW_DENY_RULE,
ELEMENT_KIND_CRITERIA,
ELEMENT_KIND_VALIDITY,
ELEMENT_KIND_TOPICS,
ELEMENT_KIND_PARTITIONS,
ELEMENT_KIND_DEFAULT,
ELEMENT_KIND_IGNORED
} element_kind;
typedef enum
{
UNKNOWN_CRITERIA,
SUBSCRIBE_CRITERIA,
PUBLISH_CRITERIA
} permission_criteria_type;
typedef enum
{
ALLOW_RULE,
DENY_RULE
} permission_rule_type;
typedef struct element
{
struct element *parent;
element_kind kind;
struct element *next; /*used in case of string list usage */
} xml_element;
/* TODO: Change the value nodes for specific nodes for
* proper value parsing and validating. */
typedef struct string_value
{
struct element node;
char *value;
} xml_string_value;
typedef struct boolean_value
{
struct element node;
bool value;
} xml_boolean_value;
typedef struct integer_value
{
struct element node;
int32_t value;
} xml_integer_value;
typedef struct protection_kind_value
{
struct element node;
DDS_Security_ProtectionKind value;
} xml_protection_kind_value;
typedef struct basicprotection_kind_value
{
struct element node;
DDS_Security_BasicProtectionKind value;
} xml_basicprotection_kind_value;
typedef struct domain_id_set
{
struct element node;
struct integer_value *min;
struct integer_value *max;
} xml_domain_id_set;
typedef struct domains
{
struct element node;
struct domain_id_set *domain_id_set; /*linked list*/
} xml_domains;
typedef struct topic_rule
{
struct element node;
struct string_value *topic_expression;
struct boolean_value *enable_discovery_protection;
struct boolean_value *enable_liveliness_protection;
struct boolean_value *enable_read_access_control;
struct boolean_value *enable_write_access_control;
struct protection_kind_value *metadata_protection_kind;
struct basicprotection_kind_value *data_protection_kind;
} xml_topic_rule;
typedef struct topic_access_rules
{
struct element node;
struct topic_rule *topic_rule; /*linked_list*/
} xml_topic_access_rules;
typedef struct domain_rule
{
struct element node;
struct domains *domains;
struct boolean_value *allow_unauthenticated_participants;
struct boolean_value *enable_join_access_control;
struct protection_kind_value *discovery_protection_kind;
struct protection_kind_value *liveliness_protection_kind;
struct protection_kind_value *rtps_protection_kind;
struct topic_access_rules *topic_access_rules;
} xml_domain_rule;
typedef struct domain_access_rules
{
struct element node;
struct domain_rule *domain_rule;
} xml_domain_access_rules;
typedef struct governance_dds
{
struct element node;
struct domain_access_rules *domain_access_rules;
} xml_governance_dds;
typedef struct governance_parser
{
struct governance_dds *dds;
struct element *current;
} governance_parser;
/* permissions file specific types */
typedef struct validity
{
struct element node;
struct string_value *not_before;
struct string_value *not_after;
} xml_validity;
typedef struct topics
{
struct element node;
struct string_value *topic;
} xml_topics;
typedef struct partitions
{
struct element node;
struct string_value *partition;
} xml_partitions;
typedef struct criteria
{
struct element node;
permission_criteria_type criteria_type;
struct topics *topics;
struct partitions *partitions;
} xml_criteria;
typedef struct allow_deny_rule
{
struct element node;
permission_rule_type rule_type;
struct domains *domains;
struct criteria *criteria;
} xml_allow_deny_rule;
typedef struct grant
{
struct element node;
char *name;
struct string_value *subject_name;
struct validity *validity;
struct allow_deny_rule *allow_deny_rule;
struct string_value *default_action;
} xml_grant;
typedef struct permissions
{
struct element node;
struct grant *grant;
} xml_permissions;
typedef struct permissions_dds
{
struct element node;
struct permissions *permissions;
} xml_permissions_dds;
typedef struct permissions_parser
{
struct permissions_dds *dds;
struct element *current;
} permissions_parser;
bool ac_parse_governance_xml(const char *xml, struct governance_parser **governance_tree, DDS_Security_SecurityException *ex);
bool ac_parse_permissions_xml(const char *xml, struct permissions_parser **permissions_tree, DDS_Security_SecurityException *ex);
void ac_return_governance_tree(struct governance_parser *parser);
void ac_return_permissions_tree(struct permissions_parser *parser);
#define DDS_SECURITY_DEFAULT_GOVERNANCE "<?xml version=\"1.0\" encoding=\"utf-8\"?> \
<dds xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \
xsi:noNamespaceSchemaLocation=\"https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd\"> \
<domain_access_rules> \
<domain_rule> \
<domains> \
<!-- All domains --> \
<id_range> \
<min>0</min> \
<max>230</max> \
</id_range> \
</domains> \
\
<allow_unauthenticated_participants>false</allow_unauthenticated_participants> \
<enable_join_access_control>false</enable_join_access_control> \
<discovery_protection_kind>ENCRYPT</discovery_protection_kind> \
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind> \
<rtps_protection_kind>NONE</rtps_protection_kind> \
<topic_access_rules> \
<topic_rule> \
<topic_expression>*</topic_expression> \
<enable_liveliness_protection>true</enable_liveliness_protection> \
<enable_discovery_protection>true</enable_discovery_protection> \
<enable_read_access_control>false</enable_read_access_control> \
<enable_write_access_control>false</enable_write_access_control> \
<metadata_protection_kind>ENCRYPT</metadata_protection_kind> \
<data_protection_kind>ENCRYPT</data_protection_kind> \
</topic_rule> \
</topic_access_rules> \
</domain_rule> \
</domain_access_rules> \
</dds> "
#define DDS_SECURITY_DEFAULT_PERMISSIONS "<?xml version=\"1.0\" encoding=\"utf-8\"?> \
<dds xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \
xsi:noNamespaceSchemaLocation=\"https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd\"> \
<permissions> \
<grant name=\"DEFAULT_PERMISSIONS\"> \
<subject_name>DEFAULT_SUBJECT</subject_name> \
<validity> \
<not_before>2015-09-15T01:00:00</not_before> \
<not_after>2115-09-15T01:00:00</not_after> \
</validity> \
<deny_rule> \
<domains> \
<id_range> \
<min>0</min> \
<max>230</max> \
</id_range> \
</domains> \
<publish> \
<topics> \
<topic>*</topic> \
</topics> \
<partitions/> \
</publish> \
<subscribe> \
<topics> \
<topic>*</topic> \
</topics> \
<partitions/> \
</subscribe> \
</deny_rule> \
<default>DENY</default> \
</grant> \
</permissions> \
</dds> "
#endif /* ACCESS_CONTROL_UTILS_H */
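Review bot: The closing `#endif /* ACCESS_CONTROL_UTILS_H */` does not match the guard opened as ACCESS_CONTROL_PARSER_H at the top of this file; it should read `#endif /* ACCESS_CONTROL_PARSER_H */`. The two DDS_SECURITY_DEFAULT_* macros also need a comment saying when they are applied, because their effect is security-relevant. The default governance document sets enable_join_access_control, enable_read_access_control and enable_write_access_control to false and rtps_protection_kind to NONE, while the default permissions document denies publish and subscribe on every topic. Where these defaults are used is not visible in this section, so whether a fallback to them is fail-safe has to be confirmed at the call sites.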


@ -0,0 +1,406 @@
/*
* Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
* v. 1.0 which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
*/
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <openssl/x509.h>
#include <openssl/pkcs7.h>
#include <openssl/pem.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include "dds/ddsrt/heap.h"
#include "dds/ddsrt/misc.h"
#include "dds/ddsrt/string.h"
#include "dds/ddsrt/time.h"
#include "dds/ddsrt/types.h"
#include "dds/security/dds_security_api.h"
#include "dds/security/core/dds_security_utils.h"
#include "access_control_utils.h"
#define SEQ_ERR -1
#define SEQ_NOMATCH 0
#define SEQ_MATCH 1
bool ac_X509_certificate_from_data(const char *data, int len, X509 **x509Cert, DDS_Security_SecurityException *ex)
{
BIO *bio;
assert(data);
assert(len >= 0);
assert(x509Cert);
/* load certificate in buffer */
if ((bio = BIO_new_mem_buf((void *)data, len)) == NULL)
{
DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
return false;
}
if ((*x509Cert = PEM_read_bio_X509(bio, NULL, NULL, NULL)) == NULL)
{
DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_CERTIFICATE_CODE, 0, DDS_SECURITY_ERR_INVALID_CERTICICATE_MESSAGE ": ");
BIO_free(bio);
return false;
}
BIO_free(bio);
return true;
}
static bool X509_certificate_from_file(const char *filename, X509 **x509Cert, DDS_Security_SecurityException *ex)
{
DDSRT_WARNING_MSVC_OFF(4996);
FILE *fp;
assert(filename);
assert(x509Cert);
/* Check if this is a valid file by getting its size. */
if (ac_regular_file_size(filename) == 0)
{
DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, 0, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, filename);
return false;
}
if ((fp = fopen(filename, "r")) == NULL)
{
DDS_Security_Exception_set(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_FILE_PATH_CODE, 0, DDS_SECURITY_ERR_INVALID_FILE_PATH_MESSAGE, filename);
return false;
}
if ((*x509Cert = PEM_read_X509(fp, NULL, NULL, NULL)) == NULL)
{
DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_CERTIFICATE_CODE, 0, DDS_SECURITY_ERR_INVALID_CERTICICATE_MESSAGE ": ");
fclose(fp);
return false;
}
fclose(fp);
return true;
DDSRT_WARNING_MSVC_ON(4996);
}
bool ac_X509_certificate_read(const char *data, X509 **x509Cert, DDS_Security_SecurityException *ex)
{
bool result = false;
char *contents = NULL;
assert(data);
assert(x509Cert);
switch (DDS_Security_get_conf_item_type(data, &contents))
{
case DDS_SECURITY_CONFIG_ITEM_PREFIX_FILE:
result = X509_certificate_from_file(contents, x509Cert, ex);
break;
case DDS_SECURITY_CONFIG_ITEM_PREFIX_DATA:
result = ac_X509_certificate_from_data(contents, (int)strlen(contents), x509Cert, ex);
break;
case DDS_SECURITY_CONFIG_ITEM_PREFIX_PKCS11:
DDS_Security_Exception_set(
ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_CODE, 0,
DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_MESSAGE " (pkcs11)");
break;
default:
DDS_Security_Exception_set(
ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_CODE, 0,
DDS_SECURITY_ERR_CERTIFICATE_TYPE_NOT_SUPPORTED_MESSAGE);
break;
}
ddsrt_free(contents);
return result;
}
char *ac_get_certificate_subject_name(X509 *cert, DDS_Security_SecurityException *ex)
{
X509_NAME *name;
BIO *bio;
char *subject = NULL;
char *pmem;
size_t sz;
assert(cert);
if (!(bio = BIO_new(BIO_s_mem())))
{
DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
goto err_bio_alloc;
}
if (!(name = X509_get_subject_name(cert)))
{
DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE, 0, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE ": ");
goto err_get_subject;
}
/* TODO: check if this is the correct format of the subject name: check spec */
X509_NAME_print_ex(bio, name, 0, XN_FLAG_RFC2253);
sz = (size_t) BIO_get_mem_data(bio, &pmem);
subject = ddsrt_malloc(sz + 1);
if (BIO_gets(bio, subject, (int)sz + 1) < 0)
{
DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_CODE, 0, DDS_SECURITY_ERR_INVALID_SUBJECT_NAME_MESSAGE ": ");
ddsrt_free(subject);
subject = NULL;
}
BIO_free(bio);
return subject;
err_get_subject:
BIO_free(bio);
err_bio_alloc:
return NULL;
}
static bool PKCS7_document_from_data(const char *data, size_t len, PKCS7 **p7, BIO **bcont, DDS_Security_SecurityException *ex)
{
BIO *bio;
assert(data);
assert(p7);
assert(bcont);
*bcont = NULL;
assert (len < INT32_MAX);
if ((bio = BIO_new_mem_buf((void *)data, (int)len)) == NULL)
{
DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
return false;
}
if ((*p7 = SMIME_read_PKCS7(bio, bcont)) == NULL)
{
DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE, 0, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_MESSAGE ": ");
BIO_free(bio);
return false;
}
BIO_free(bio);
return true;
}
static bool PKCS7_document_verify(PKCS7 *p7, X509 *cert, BIO *inbio, BIO **outbio, DDS_Security_SecurityException *ex)
{
bool result = false;
X509_STORE *store = NULL;
assert(p7);
assert(cert);
assert(inbio);
assert(outbio);
if ((*outbio = BIO_new(BIO_s_mem())) == NULL)
DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
else if ((store = X509_STORE_new()) == NULL)
DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_ALLOCATION_FAILED_CODE, 0, DDS_SECURITY_ERR_ALLOCATION_FAILED_MESSAGE ": ");
else
{
X509_STORE_add_cert(store, cert);
if (PKCS7_verify(p7, NULL, store, inbio, *outbio, PKCS7_TEXT) != 1)
DDS_Security_Exception_set_with_openssl_error(ex, DDS_ACCESS_CONTROL_PLUGIN_CONTEXT, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_CODE, 0, DDS_SECURITY_ERR_INVALID_SMIME_DOCUMENT_MESSAGE ": ");
else
result = true;
}
if (store)
X509_STORE_free(store);
if (!result && *outbio)
{
BIO_free(*outbio);
*outbio = NULL;
}
return result;
}
bool ac_PKCS7_document_check(const char *data, size_t len, X509 *cert, char **document, DDS_Security_SecurityException *ex)
{
bool result = false;
PKCS7 *p7;
BIO *bcont, *bdoc;
char *pmem;
size_t sz;
assert(data);
assert(cert);
assert(document);
if (!PKCS7_document_from_data(data, len, &p7, &bcont, ex))
goto err_read_data;
if (!PKCS7_document_verify(p7, cert, bcont, &bdoc, ex))
goto err_verify;
sz = (size_t) BIO_get_mem_data(bdoc, &pmem);
*document = ddsrt_malloc(sz + 1);
memcpy(*document, pmem, sz);
(*document)[sz] = '\0';
result = true;
BIO_free(bdoc);
err_verify:
PKCS7_free(p7);
BIO_free(bcont);
err_read_data:
return result;
}
static bool string_to_properties(const char *str, DDS_Security_PropertySeq *properties)
{
char *copy = ddsrt_strdup (str), *cursor = copy, *tok;
while ((tok = ddsrt_strsep (&cursor, ",/|")) != NULL)
{
if (strlen(tok) == 0)
continue;
char *name = ddsrt_strsep (&tok, "=");
if (name == NULL || tok == NULL || properties->_length >= properties->_maximum)
{
ddsrt_free (copy);
return false;
}
properties->_buffer[properties->_length].name = ddsrt_strdup(name);
properties->_buffer[properties->_length].value = ddsrt_strdup(tok);
properties->_length++;
}
ddsrt_free (copy);
return true;
}
bool ac_check_subjects_are_equal(const char *permissions_sn, const char *identity_sn)
{
bool result = false;
char *copy_idsn = ddsrt_strdup (identity_sn), *cursor_idsn = copy_idsn, *tok_idsn;
DDS_Security_PropertySeq prop_pmsn;
prop_pmsn._length = 0;
prop_pmsn._maximum = 20;
prop_pmsn._buffer = ddsrt_malloc(prop_pmsn._maximum * sizeof(DDS_Security_Property_t));
if (!string_to_properties(permissions_sn, &prop_pmsn))
goto check_subj_equal_failed;
while ((tok_idsn = ddsrt_strsep (&cursor_idsn, ",/|")) != NULL)
{
char *value_pmsn;
char *name_idsn = ddsrt_strsep (&tok_idsn, "=");
if (name_idsn == NULL || tok_idsn == NULL)
goto check_subj_equal_failed;
value_pmsn = DDS_Security_Property_get_value(&prop_pmsn, name_idsn);
if (value_pmsn == NULL || strcmp(value_pmsn, value_pmsn) != 0)
{
ddsrt_free(value_pmsn);
goto check_subj_equal_failed;
}
ddsrt_free(value_pmsn);
}
result = true;
check_subj_equal_failed:
ddsrt_free(copy_idsn);
DDS_Security_PropertySeq_deinit(&prop_pmsn);
return result;
}
size_t ac_regular_file_size(const char *filename)
{
if (filename)
{
#if _WIN32
struct _stat stat_info;
if (_stat (filename, &stat_info) == 0)
if (stat_info.st_mode & _S_IFREG)
return (size_t) stat_info.st_size;
#else
struct stat stat_info;
if (stat (filename, &stat_info) == 0)
if (S_ISREG(stat_info.st_mode))
return (size_t) stat_info.st_size;
#endif
}
return 0;
}
static int sequencematch(const char *pat, char c, char **new_pat)
{
char patc = *pat;
char rpatc;
const bool neg = (patc == '!');
bool m = false;
if (neg)
++pat;
for (patc = *pat; patc != ']'; pat++)
{
patc = *pat;
if (patc == '\0')
return SEQ_ERR;
if (*(pat + 1) == '-')
{
rpatc = *(pat + 2);
if (rpatc == '\0' || rpatc == ']')
return SEQ_ERR;
if ((uint8_t)patc <= (uint8_t)c && (uint8_t)c <= (uint8_t)rpatc)
m = true;
pat += 2;
}
else if (patc == c)
m = true;
}
*new_pat = (char *) pat;
return (m != neg) ? SEQ_MATCH : SEQ_NOMATCH;
}
bool ac_fnmatch(const char* pat, const char* str)
{
char patc;
bool ret;
char *new_pat;
assert(pat != NULL);
assert(str != NULL);
for (;;)
{
switch (patc = *pat++)
{
case '\0':
return (*str == '\0');
case '?':
if (*str == '\0')
return false;
++str;
break;
case '*':
patc = *pat;
while (patc == '*')
patc = *++pat;
if (patc == '\0')
return true;
while (*str != '\0')
{
ret = ac_fnmatch(pat, str);
if (ret)
return true;
++str;
}
return false;
break;
case '[':
if (*str == '\0')
return false;
switch (sequencematch(pat, *str, &new_pat))
{
case SEQ_MATCH:
pat = new_pat;
++str;
break;
case SEQ_NOMATCH:
case SEQ_ERR:
return false;
}
break;
default: /* Regular character */
if (*str != patc)
return false;
str++;
break;
}
}
}


@ -0,0 +1,30 @@
/*
* Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
* v. 1.0 which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
*/
#ifndef ACCESS_CONTROL_UTILS_H
#define ACCESS_CONTROL_UTILS_H
#include <openssl/x509.h>
#include "dds/ddsrt/types.h"
#include "dds/security/dds_security_api.h"
#include "dds/security/export.h"
#define DDS_ACCESS_CONTROL_PLUGIN_CONTEXT "Access Control"
bool ac_X509_certificate_read(const char *data, X509 **x509Cert, DDS_Security_SecurityException *ex);
bool ac_X509_certificate_from_data(const char *data, int len, X509 **x509Cert, DDS_Security_SecurityException *ex);
char *ac_get_certificate_subject_name(X509 *cert, DDS_Security_SecurityException *ex);
bool ac_PKCS7_document_check(const char *data, size_t len, X509 *cert, char **document, DDS_Security_SecurityException *ex);
bool ac_check_subjects_are_equal(const char *permissions_sn, const char *identity_sn);
size_t ac_regular_file_size(const char *filename);
SECURITY_EXPORT bool ac_fnmatch(const char* pattern, const char* string);
#endif /* ACCESS_CONTROL_UTILS_H */
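Review bot: `ac_check_subjects_are_equal` is declared here with no stated contract, and its implementation (in the file section above, which starts outside this view) never compares the two subject values. Its loop tests `strcmp(value_pmsn, value_pmsn) != 0`, which can never be true, so an identity subject passes as soon as each of its attribute names occurs in the permissions subject, whatever the values are. The condition presumably should read `if (value_pmsn == NULL || strcmp(value_pmsn, tok_idsn) != 0)`, since `tok_idsn` holds the identity-side value after the `ddsrt_strsep` on `=`. A unit test with the same attribute names but a different CN would pin this. The declaration should also get a comment stating that it returns true only when every name=value pair of `identity_sn` has an equal pair in `permissions_sn`.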


@ -23,6 +23,16 @@ set(security_auth_test_sources
"validate_remote_identity/src/validate_remote_identity_utests.c"
)
set(security_ac_test_sources
"access_control_fnmatch/src/access_control_fnmatch_utests.c"
"get_permissions_credential_token/src/get_permissions_credential_token_utests.c"
"get_permissions_token/src/get_permissions_token_utests.c"
"get_xxx_sec_attributes/src/get_xxx_sec_attributes_utests.c"
# "listeners_access_control/src/listeners_access_control_utests.c"
"validate_local_permissions/src/validate_local_permissions_utests.c"
"validate_remote_permissions/src/validate_remote_permissions_utests.c"
)
set(security_crypto_test_sources
"common/src/crypto_helper.c"
"create_local_datareader_crypto_tokens/src/create_local_datareader_crypto_tokens_utests.c"
@ -48,8 +58,20 @@ set(security_crypto_test_sources
"set_remote_participant_crypto_tokens/src/set_remote_participant_crypto_tokens_utests.c"
)
add_cunit_executable(cunit_security_plugins ${security_auth_test_sources} ${security_crypto_test_sources})
add_cunit_executable(cunit_security_plugins ${security_auth_test_sources} ${security_ac_test_sources} ${security_crypto_test_sources})
target_include_directories(
cunit_security_plugins PRIVATE
"$<BUILD_INTERFACE:${CMAKE_BINARY_DIR}/src/include/>"
"$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_api,INTERFACE_INCLUDE_DIRECTORIES>>"
"$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_core,INTERFACE_INCLUDE_DIRECTORIES>>"
"$<BUILD_INTERFACE:$<TARGET_PROPERTY:ddsrt,INTERFACE_INCLUDE_DIRECTORIES>>"
"$<BUILD_INTERFACE:${CMAKE_CURRENT_LIST_DIR}>"
"$<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}>"
)
target_link_libraries(cunit_security_plugins PRIVATE ddsc security_api)
if(OPENSSL_FOUND)
target_link_libraries(cunit_security_plugins PRIVATE ddsc dds_security_ac)
target_link_libraries(cunit_security_plugins PRIVATE ddsc dds_security_crypto)
target_link_libraries(cunit_security_plugins PRIVATE OpenSSL::SSL)
else()
@ -58,6 +80,7 @@ endif()
target_include_directories(
cunit_security_plugins PRIVATE
"$<BUILD_INTERFACE:${CMAKE_CURRENT_LIST_DIR}/../access_control/src/>"
"$<BUILD_INTERFACE:${CMAKE_CURRENT_LIST_DIR}/../cryptographic/src/>"
"$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_api,INTERFACE_INCLUDE_DIRECTORIES>>"
"$<BUILD_INTERFACE:$<TARGET_PROPERTY:security_core,INTERFACE_INCLUDE_DIRECTORIES>>"
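Review bot: The `listeners_access_control` test is added to `security_ac_test_sources` already commented out and without a reason, so the suite silently omits listener coverage for the access control plugin. If it is disabled because this version does not support permissions expiry, as the commit message states, say so next to the entry, e.g. `# disabled until permissions expiry (not_after) is supported`. As a minor style point, the added `target_link_libraries(cunit_security_plugins PRIVATE ddsc dds_security_ac)` repeats `ddsc`, which the unconditional `target_link_libraries` line just above it already links.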


@ -0,0 +1,67 @@
/*
* Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
* v. 1.0 which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
*/
#include <stdio.h>
#include <string.h>
#include "CUnit/CUnit.h"
#include "CUnit/Test.h"
#include "assert.h"
#include "access_control_utils.h"
CU_Test(ddssec_builtin_access_control_fnmatch, basic)
{
CU_ASSERT(ac_fnmatch("", ""));
CU_ASSERT(ac_fnmatch("abc", "abc"));
CU_ASSERT(!ac_fnmatch("abc", "ab"));
CU_ASSERT(!ac_fnmatch("", "a"));
CU_ASSERT(!ac_fnmatch("a", ""));
CU_ASSERT(ac_fnmatch("a?", "ab"));
CU_ASSERT(ac_fnmatch("?b", "ab"));
CU_ASSERT(ac_fnmatch("a?c", "abc"));
CU_ASSERT(!ac_fnmatch("a?", "abc"));
CU_ASSERT(!ac_fnmatch("?c", "abc"));
CU_ASSERT(ac_fnmatch("a*", "a"));
CU_ASSERT(ac_fnmatch("a*", "abc"));
CU_ASSERT(ac_fnmatch("a*c", "abc"));
CU_ASSERT(ac_fnmatch("a*c", "abbc"));
CU_ASSERT(ac_fnmatch("*c", "abc"));
CU_ASSERT(ac_fnmatch("*c", "c"));
CU_ASSERT(!ac_fnmatch("a*", ""));
CU_ASSERT(!ac_fnmatch("a*c", "bc"));
CU_ASSERT(ac_fnmatch("[ab]", "a"));
CU_ASSERT(ac_fnmatch("[ab]", "b"));
CU_ASSERT(ac_fnmatch("a[bc]", "ab"));
CU_ASSERT(ac_fnmatch("a[bc]", "ac"));
CU_ASSERT(ac_fnmatch("a[bc]d", "abd"));
CU_ASSERT(ac_fnmatch("a[b-d]", "ab"));
CU_ASSERT(ac_fnmatch("a[b-d]", "ac"));
CU_ASSERT(ac_fnmatch("a[b-d]", "ad"));
CU_ASSERT(ac_fnmatch("a[-b]", "ab"));
CU_ASSERT(ac_fnmatch("a[!b]", "ac"));
CU_ASSERT(ac_fnmatch("a[!bc]d", "aad"));
CU_ASSERT(ac_fnmatch("a]", "a]"));
CU_ASSERT(!ac_fnmatch("[ab]", "c"));
CU_ASSERT(!ac_fnmatch("a[bc]", "ad"));
CU_ASSERT(!ac_fnmatch("a[bc]", "abc"));
CU_ASSERT(!ac_fnmatch("a[b-]", "ab"));
CU_ASSERT(!ac_fnmatch("a[-", "a"));
CU_ASSERT(!ac_fnmatch("a[", "a["));
CU_ASSERT(!ac_fnmatch("a[-", "a[-"));
CU_ASSERT(!ac_fnmatch("a[!b]", "ab"));
CU_ASSERT(!ac_fnmatch("a[!bc]d", "abd"));
CU_ASSERT(!ac_fnmatch("a[!b-d]", "ac"));
CU_ASSERT(!ac_fnmatch("a[!-b]", "ab"));
}
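Review bot: None of the bracket-expression cases matches against a string that contains `]`, which is the input where `sequencematch` (in the utils file section earlier on this page) looks wrong. Its `for` condition tests the character read in the previous iteration, so the closing `]` itself goes through the `patc == c` comparison before the loop exits. As far as I can trace it, `ac_fnmatch("[ab]", "]")` therefore returns true and `ac_fnmatch("a[!b]", "a]")` returns false. I would add `CU_ASSERT(!ac_fnmatch("[ab]", "]"));` and `CU_ASSERT(ac_fnmatch("a[!b]", "a]"));` so the set terminator is never treated as a set member. This matters because the matcher presumably decides which topic or partition expressions in a permissions document apply.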


@ -0,0 +1,114 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
This is an S/MIME signed message
------DB94A190D9780A24156FB0E8F1E76B5F
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
20170801/omg_shared_ca_domain_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>true</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------DB94A190D9780A24156FB0E8F1E76B5F
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------DB94A190D9780A24156FB0E8F1E76B5F--


@ -0,0 +1,85 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
This is an S/MIME signed message
------6B91005B007BBA8EDE10CD1CE487DB27
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------6B91005B007BBA8EDE10CD1CE487DB27
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------6B91005B007BBA8EDE10CD1CE487DB27--


@ -0,0 +1,497 @@
/*
* Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
* v. 1.0 which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
*/
#include <assert.h>
#include <string.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include "dds/ddsrt/environ.h"
#include "dds/ddsrt/heap.h"
#include "dds/ddsrt/io.h"
#include "dds/ddsrt/string.h"
#include "dds/ddsrt/types.h"
#include "dds/security/dds_security_api.h"
#include "dds/security/core/dds_security_utils.h"
#include "CUnit/CUnit.h"
#include "CUnit/Test.h"
#include "common/src/loader.h"
#include "config_env.h"
static const char *PERMISSIONS_FILE_NAME = "Test_Permissions_ok.p7s";
static const char *GOVERNANCE_FILE_NAME = "Test_Governance_ok.p7s";
static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
static const char *RELATIVE_PATH_TO_ETC_DIR = "/get_permissions_credential_token/etc/";
static const char *IDENTITY_CERTIFICATE =
"data:,-----BEGIN CERTIFICATE-----\n"
"MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
"BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
"ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
"MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
"CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
"MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
"ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
"gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
"3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
"ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
"qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
"ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
"/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
"KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
"AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
"gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
"KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
"BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
"Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
"yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
"I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
"iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
"nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
"-----END CERTIFICATE-----\n";
static const char *IDENTITY_CA =
"data:,-----BEGIN CERTIFICATE-----\n"
"MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
"BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
"ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
"MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
"CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
"MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
"DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
"ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
"2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
"zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
"pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
"FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
"BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
"gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
"Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
"BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
"KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
"KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
"AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
"hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
"iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
"LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
"geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
"Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
"sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
"-----END CERTIFICATE-----\n";
static const char *PRIVATE_KEY =
"data:,-----BEGIN RSA PRIVATE KEY-----\n"
"MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
"Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
"JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
"AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
"psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
"A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
"m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
"GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
"BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
"iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
"Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
"2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
"T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
"D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
"Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
"eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
"2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
"0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
"O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
"pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
"VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
"X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
"NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
"nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
"w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
"-----END RSA PRIVATE KEY-----\n";
static const char *PERMISSIONS_CA =
"data:,-----BEGIN CERTIFICATE-----\n"
"MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
"BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
"aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
"MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
"ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
"BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
"CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
"uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
"NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
"cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
"FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
"kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
"ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
"DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
"LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
"eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
"KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
"PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
"hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
"HQ==\n"
"-----END CERTIFICATE-----\n";
static char *permissions = NULL;
static char *g_path_to_etc_dir = NULL;
static struct plugins_hdl *plugins = NULL;
static dds_security_authentication *auth = NULL;
static dds_security_access_control *access_control = NULL;
static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
static void reset_exception(DDS_Security_SecurityException *ex)
{
ex->code = 0;
ex->minor_code = 0;
ddsrt_free(ex->message);
ex->message = NULL;
}
static DDS_Security_Property_t *find_property(DDS_Security_DataHolder *token, const char *name)
{
DDS_Security_Property_t *result = NULL;
uint32_t i;
for (i = 0; i < token->properties._length && !result; i++)
if (token->properties._buffer[i].name && (strcmp(token->properties._buffer[i].name, name) == 0))
result = &token->properties._buffer[i];
return result;
}
static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
{
seq->_length = size;
seq->_maximum = size;
seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
}
static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
{
uint32_t i;
for (i = 0; i < seq->_length; i++)
{
ddsrt_free(seq->_buffer[i].name);
ddsrt_free(seq->_buffer[i].value);
}
ddsrt_free(seq->_buffer);
}
static char *read_document_from_file(const char *filename)
{
char *document;
char *normalized;
char *name;
/* Get proper file name. */
ddsrt_asprintf(&name, "%s%s", g_path_to_etc_dir, filename);
normalized = DDS_Security_normalize_file(name);
ddsrt_free(name);
document = load_file_contents(normalized);
ddsrt_free(normalized);
return document;
}
static void fill_participant_qos(DDS_Security_Qos *qos, const char *permission_filename, const char *governance_filename)
{
char *permission_uri;
char *governance_uri;
ddsrt_asprintf(&permission_uri, "file:%s%s", g_path_to_etc_dir, permission_filename);
ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
memset(qos, 0, sizeof(*qos));
dds_security_property_init(&qos->property.value, 6);
qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
qos->property.value._buffer[0].value = ddsrt_strdup(IDENTITY_CERTIFICATE);
qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
qos->property.value._buffer[1].value = ddsrt_strdup(IDENTITY_CA);
qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
qos->property.value._buffer[2].value = ddsrt_strdup(PRIVATE_KEY);
qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
qos->property.value._buffer[3].value = ddsrt_strdup(PERMISSIONS_CA);
qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
ddsrt_free(permission_uri);
ddsrt_free(governance_uri);
}
static int local_permissions_init(DDS_Security_DomainId domain_id)
{
int res = 0;
DDS_Security_ValidationResult_t result;
DDS_Security_Qos participant_qos;
DDS_Security_GUID_t local_participant_guid;
DDS_Security_GUID_t candidate_participant_guid;
DDS_Security_SecurityException exception = {NULL, 0, 0};
DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
memset(&local_participant_guid, 0, sizeof(local_participant_guid));
memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
fill_participant_qos(&participant_qos, PERMISSIONS_FILE_NAME, GOVERNANCE_FILE_NAME);
result = auth->validate_local_identity(
auth,
&local_identity_handle,
&local_participant_guid,
domain_id,
&participant_qos,
&candidate_participant_guid,
&exception);
if (result != DDS_SECURITY_VALIDATION_OK)
{
res = -1;
printf("validate_local_identity_failed: %s\n", exception.message ? exception.message : "Error message missing");
}
reset_exception(&exception);
if (res == 0)
{
local_permissions_handle = access_control->validate_local_permissions(
access_control,
auth,
local_identity_handle,
domain_id,
&participant_qos,
&exception);
if (local_permissions_handle == DDS_SECURITY_HANDLE_NIL)
{
res = -1;
printf("validate_local_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
}
}
reset_exception(&exception);
dds_security_property_deinit(&participant_qos.property.value);
return res;
}
static void local_permissions_clean(void)
{
DDS_Security_SecurityException exception = {NULL, 0, 0};
DDS_Security_boolean success;
if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
{
success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
if (!success)
{
printf("return_permission_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
}
reset_exception(&exception);
}
if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
{
success = auth->return_identity_handle(auth, local_identity_handle, &exception);
if (!success)
{
printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
}
reset_exception(&exception);
}
}
static void set_path_to_etc_dir(void)
{
ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
}
static void suite_get_permissions_credential_token_init(void)
{
plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
CU_ASSERT_FATAL (plugins != NULL);
set_path_to_etc_dir();
local_permissions_init(0);
permissions = read_document_from_file(PERMISSIONS_FILE_NAME);
CU_ASSERT_FATAL (permissions != NULL);
}
static void suite_get_permissions_credential_token_fini(void)
{
local_permissions_clean();
unload_plugins(plugins);
ddsrt_free(g_path_to_etc_dir);
ddsrt_free(permissions);
}
static bool validate_permissions_token(DDS_Security_PermissionsCredentialToken *token)
{
DDS_Security_Property_t *property;
if (!token->class_id || strcmp(token->class_id, "DDS:Access:PermissionsCredential") != 0)
{
CU_FAIL("PermissionsCredentialToken incorrect class_id");
return false;
}
property = find_property(token, "dds.perm.cert");
if (property == NULL)
{
CU_FAIL("PermissionsCredentialToken property 'dds.perm.cert' not found");
return false;
}
if (property->value == NULL)
{
CU_FAIL("PermissionsCredentialToken property 'dds.perm.cert' does not have a value");
return false;
}
if (strcmp(property->value, permissions) != 0)
{
CU_FAIL("PermissionsCredentialToken property 'dds.perm.cert' content does not match the permissions file");
return false;
}
return true;
}
CU_Test(ddssec_builtin_get_permissions_credential_token, happy_day, .init = suite_get_permissions_credential_token_init, .fini = suite_get_permissions_credential_token_fini)
{
DDS_Security_PermissionsCredentialToken token;
DDS_Security_SecurityException exception;
DDS_Security_boolean result;
/* Pre-requisites. */
CU_ASSERT_FATAL(access_control != NULL);
CU_ASSERT_FATAL(access_control->get_permissions_credential_token != NULL);
memset(&exception, 0, sizeof(DDS_Security_SecurityException));
memset(&token, 0, sizeof(token));
/* Test function call. */
result = access_control->get_permissions_credential_token(
access_control,
&token,
local_permissions_handle,
&exception);
if (!result)
{
printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT_FATAL(result);
CU_ASSERT(exception.code == 0);
CU_ASSERT(exception.message == NULL);
/* Test token contents. */
CU_ASSERT(validate_permissions_token(&token));
/* Post-requisites. */
DDS_Security_DataHolder_deinit(&token);
reset_exception(&exception);
}
CU_Test(ddssec_builtin_get_permissions_credential_token, invalid_args, .init = suite_get_permissions_credential_token_init, .fini = suite_get_permissions_credential_token_fini)
{
DDS_Security_PermissionsCredentialToken token;
DDS_Security_SecurityException exception;
DDS_Security_boolean result;
/* Pre-requisites. */
CU_ASSERT_FATAL(access_control != NULL);
CU_ASSERT_FATAL(access_control->get_permissions_token != NULL);
memset(&exception, 0, sizeof(DDS_Security_SecurityException));
memset(&token, 0, sizeof(token));
/* Test function calls with different invalid args. */
result = access_control->get_permissions_credential_token(
NULL,
&token,
local_permissions_handle,
&exception);
if (!result)
{
printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT(!result);
CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
CU_ASSERT(exception.message != NULL);
reset_exception(&exception);
result = access_control->get_permissions_credential_token(
access_control,
NULL,
local_permissions_handle,
&exception);
if (!result)
{
printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT(!result);
CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
CU_ASSERT(exception.message != NULL);
reset_exception(&exception);
result = access_control->get_permissions_credential_token(
access_control,
&token,
0,
&exception);
if (!result)
{
printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT(!result);
CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
CU_ASSERT(exception.message != NULL);
reset_exception(&exception);
result = access_control->get_permissions_credential_token(
access_control,
&token,
local_permissions_handle,
NULL);
if (!result)
{
printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT(!result);
CU_ASSERT(exception.code == 0);
CU_ASSERT(exception.message == NULL);
reset_exception(&exception);
result = access_control->get_permissions_credential_token(
access_control,
&token,
local_permissions_handle + 12345 /* invalid handle */,
&exception);
if (!result)
{
printf("get_permissions_credential_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT(!result);
CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
CU_ASSERT(exception.message != NULL);
reset_exception(&exception);
}


@ -0,0 +1,114 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
This is an S/MIME signed message
------DB94A190D9780A24156FB0E8F1E76B5F
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
20170801/omg_shared_ca_domain_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>true</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------DB94A190D9780A24156FB0E8F1E76B5F
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------DB94A190D9780A24156FB0E8F1E76B5F--
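Review bot: Two domain-level comments in this governance document say the opposite of the values beneath them. The text above `allow_unauthenticated_participants` says participants that cannot authenticate should be allowed to join, but the value is `false`; the text above `enable_join_access_control` says "without checking access control", but the value is `true`. Someone using this fixture as a template would read a more permissive policy than the one the values enforce. For the first comment I would write `<!-- Participants that cannot authenticate are not allowed to join the domain -->`, and reword the second to say that join access control is checked. The XML is the signed S/MIME payload, so changing the comments means re-signing the fixture.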


@ -0,0 +1,85 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
This is an S/MIME signed message
------6B91005B007BBA8EDE10CD1CE487DB27
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------6B91005B007BBA8EDE10CD1CE487DB27
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------6B91005B007BBA8EDE10CD1CE487DB27--


@ -0,0 +1,439 @@
/*
* Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
* v. 1.0 which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
*/
#include <assert.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include "dds/ddsrt/environ.h"
#include "dds/ddsrt/heap.h"
#include "dds/ddsrt/io.h"
#include "dds/ddsrt/string.h"
#include "dds/ddsrt/types.h"
#include "dds/security/dds_security_api.h"
#include "dds/security/core/dds_security_utils.h"
#include "CUnit/CUnit.h"
#include "CUnit/Test.h"
#include "common/src/loader.h"
#include "config_env.h"
static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
static const char *RELATIVE_PATH_TO_ETC_DIR = "/get_permissions_token/etc/";
static const char *IDENTITY_CERTIFICATE =
"data:,-----BEGIN CERTIFICATE-----\n"
"MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
"BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
"ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
"MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
"CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
"MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
"ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
"gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
"3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
"ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
"qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
"ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
"/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
"KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
"AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
"gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
"KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
"BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
"Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
"yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
"I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
"iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
"nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
"-----END CERTIFICATE-----\n";
static const char *IDENTITY_CA =
"data:,-----BEGIN CERTIFICATE-----\n"
"MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
"BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
"ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
"MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
"CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
"MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
"DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
"ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
"2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
"zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
"pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
"FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
"BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
"gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
"Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
"BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
"KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
"KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
"AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
"hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
"iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
"LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
"geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
"Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
"sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
"-----END CERTIFICATE-----\n";
static const char *PRIVATE_KEY =
"data:,-----BEGIN RSA PRIVATE KEY-----\n"
"MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
"Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
"JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
"AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
"psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
"A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
"m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
"GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
"BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
"iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
"Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
"2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
"T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
"D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
"Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
"eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
"2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
"0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
"O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
"pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
"VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
"X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
"NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
"nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
"w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
"-----END RSA PRIVATE KEY-----\n";
static const char *PERMISSIONS_CA =
"data:,-----BEGIN CERTIFICATE-----\n"
"MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
"BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
"aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
"MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
"ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
"BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
"CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
"uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
"NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
"cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
"FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
"kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
"ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
"DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
"LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
"eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
"KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
"PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
"hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
"HQ==\n"
"-----END CERTIFICATE-----\n";
static char *g_path_to_etc_dir = NULL;
static struct plugins_hdl *plugins = NULL;
static dds_security_authentication *auth = NULL;
static dds_security_access_control *access_control = NULL;
static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
static void reset_exception(DDS_Security_SecurityException *ex)
{
ex->code = 0;
ex->minor_code = 0;
ddsrt_free(ex->message);
ex->message = NULL;
}
static DDS_Security_Property_t *find_property(DDS_Security_DataHolder *token, const char *name)
{
DDS_Security_Property_t *result = NULL;
uint32_t i;
for (i = 0; i < token->properties._length && !result; i++)
if (token->properties._buffer[i].name && (strcmp(token->properties._buffer[i].name, name) == 0))
result = &token->properties._buffer[i];
return result;
}
static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
{
seq->_length = size;
seq->_maximum = size;
seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
}
static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
{
uint32_t i;
for (i = 0; i < seq->_length; i++)
{
ddsrt_free(seq->_buffer[i].name);
ddsrt_free(seq->_buffer[i].value);
}
ddsrt_free(seq->_buffer);
}
static void fill_participant_qos(DDS_Security_Qos *qos, const char *permission_filename, const char *governance_filename)
{
char *permission_uri;
char *governance_uri;
ddsrt_asprintf(&permission_uri, "file:%s%s", g_path_to_etc_dir, permission_filename);
ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
memset(qos, 0, sizeof(*qos));
dds_security_property_init(&qos->property.value, 6);
qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
qos->property.value._buffer[0].value = ddsrt_strdup(IDENTITY_CERTIFICATE);
qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
qos->property.value._buffer[1].value = ddsrt_strdup(IDENTITY_CA);
qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
qos->property.value._buffer[2].value = ddsrt_strdup(PRIVATE_KEY);
qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
qos->property.value._buffer[3].value = ddsrt_strdup(PERMISSIONS_CA);
qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
ddsrt_free(permission_uri);
ddsrt_free(governance_uri);
}
static void local_permissions_init(DDS_Security_DomainId domain_id)
{
DDS_Security_ValidationResult_t result;
DDS_Security_Qos participant_qos;
DDS_Security_GUID_t local_participant_guid;
DDS_Security_GUID_t candidate_participant_guid;
DDS_Security_SecurityException exception = {NULL, 0, 0};
DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
memset(&local_participant_guid, 0, sizeof(local_participant_guid));
memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
fill_participant_qos(&participant_qos, "Test_Permissions_ok.p7s", "Test_Governance_ok.p7s");
result = auth->validate_local_identity(
auth,
&local_identity_handle,
&local_participant_guid,
domain_id,
&participant_qos,
&candidate_participant_guid,
&exception);
CU_ASSERT_EQUAL_FATAL (result, DDS_SECURITY_VALIDATION_OK);
reset_exception(&exception);
local_permissions_handle = access_control->validate_local_permissions(
access_control,
auth,
local_identity_handle,
domain_id,
&participant_qos,
&exception);
CU_ASSERT_FATAL (local_permissions_handle != DDS_SECURITY_HANDLE_NIL);
reset_exception(&exception);
dds_security_property_deinit(&participant_qos.property.value);
}
static void local_permissions_clean(void)
{
DDS_Security_SecurityException exception = {NULL, 0, 0};
DDS_Security_boolean success;
if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
{
success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
if (!success)
{
printf("return_permission_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
}
reset_exception(&exception);
}
if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
{
success = auth->return_identity_handle(auth, local_identity_handle, &exception);
if (!success)
{
printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
}
reset_exception(&exception);
}
}
static void set_path_to_etc_dir(void)
{
ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
}
static void suite_get_permissions_token_init(void)
{
plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
CU_ASSERT_FATAL (plugins != NULL);
set_path_to_etc_dir();
local_permissions_init(0);
}
static void suite_get_permissions_token_fini(void)
{
local_permissions_clean();
unload_plugins(plugins);
ddsrt_free(g_path_to_etc_dir);
}
static bool validate_permissions_token(
DDS_Security_PermissionsToken *token)
{
if (!token->class_id || strcmp(token->class_id, "DDS:Access:Permissions:1.0") != 0)
{
CU_FAIL("PermissionsToken incorrect class_id");
return false;
}
/* Optional. */
if (find_property(token, "dds.perm_ca.sn") == NULL)
printf("Optional PermissionsToken property 'dds.perm_ca.sn' not found\n");
if (find_property(token, "dds.perm_ca.algo") == NULL)
printf("Optional PermissionsToken property 'dds.perm_ca.algo' not found\n");
return true;
}
CU_Test(ddssec_builtin_get_permissions_token, happy_day, .init = suite_get_permissions_token_init, .fini = suite_get_permissions_token_fini)
{
DDS_Security_SecurityException exception;
DDS_Security_PermissionsToken token;
DDS_Security_boolean result;
/* Pre-requisites. */
CU_ASSERT_FATAL(access_control != NULL);
CU_ASSERT_FATAL(access_control->get_permissions_token != NULL);
memset(&exception, 0, sizeof(DDS_Security_SecurityException));
memset(&token, 0, sizeof(token));
/* Test function call. */
result = access_control->get_permissions_token(
access_control,
&token,
local_permissions_handle,
&exception);
if (!result)
{
printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT_FATAL(result);
CU_ASSERT(exception.code == 0);
CU_ASSERT(exception.message == NULL);
/* Test token contents. */
CU_ASSERT(validate_permissions_token(&token));
/* Post-requisites. */
DDS_Security_DataHolder_deinit(&token);
reset_exception(&exception);
}
CU_Test(ddssec_builtin_get_permissions_token, invalid_args, .init = suite_get_permissions_token_init, .fini = suite_get_permissions_token_fini)
{
DDS_Security_SecurityException exception;
DDS_Security_PermissionsToken token;
DDS_Security_boolean result;
/* Pre-requisites. */
CU_ASSERT_FATAL(access_control != NULL);
CU_ASSERT_FATAL(access_control->get_permissions_token != NULL);
memset(&exception, 0, sizeof(DDS_Security_SecurityException));
memset(&token, 0, sizeof(token));
/* Test function calls with different invalid args. */
result = access_control->get_permissions_token(
NULL,
&token,
local_permissions_handle,
&exception);
if (!result)
{
printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT(!result);
CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
CU_ASSERT(exception.message != NULL);
reset_exception(&exception);
result = access_control->get_permissions_token(
access_control,
NULL,
local_permissions_handle,
&exception);
if (!result)
{
printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT(!result);
CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
CU_ASSERT(exception.message != NULL);
reset_exception(&exception);
result = access_control->get_permissions_token(
access_control,
&token,
0,
&exception);
if (!result)
{
printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT(!result);
CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
CU_ASSERT(exception.message != NULL);
reset_exception(&exception);
result = access_control->get_permissions_token(
access_control,
&token,
local_permissions_handle,
NULL);
if (!result)
{
printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT(!result);
CU_ASSERT(exception.code == 0);
CU_ASSERT(exception.message == NULL);
reset_exception(&exception);
result = access_control->get_permissions_token(
access_control,
&token,
local_permissions_handle + 12345 /* invalid handle */,
&exception);
if (!result)
{
printf("get_permissions_token: %s\n", exception.message ? exception.message : "Error message missing");
}
CU_ASSERT(!result);
CU_ASSERT(exception.code == DDS_SECURITY_ERR_INVALID_PARAMETER_CODE);
CU_ASSERT(exception.message != NULL);
reset_exception(&exception);
}
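Review bot: In `fill_participant_qos` both `ddsrt_asprintf` results are ignored while `permission_uri` and `governance_uri` are declared without an initialiser, so a failed format would pass an indeterminate pointer to `ddsrt_strdup` and `ddsrt_free`. `set_path_to_etc_dir` ignores the result as well, and a NULL `g_path_to_etc_dir` would then reach the `%s` conversions in `fill_participant_qos`. I would initialise the two locals to NULL and fail the fixture on error, e.g. `if (ddsrt_asprintf(&permission_uri, "file:%s%s", g_path_to_etc_dir, permission_filename) < 0) CU_FAIL_FATAL("ddsrt_asprintf failed");`. This assumes `ddsrt_asprintf` reports failure with a negative return, as `asprintf` does; confirm against dds/ddsrt/io.h.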


@ -0,0 +1,267 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----05DBD6F6E587875751A79EAC78048D60"
This is an S/MIME signed message
------05DBD6F6E587875751A79EAC78048D60
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>OwnShip?ata</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>false</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>SIGN</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>Kinematics</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*other</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>20</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id>200</id>
<id>30</id>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>1</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>0</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>OwnShipData</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------05DBD6F6E587875751A79EAC78048D60
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------05DBD6F6E587875751A79EAC78048D60--


@ -0,0 +1,114 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----D5AADCFDEEF9EC8B0B116AC356AF41CA"
This is an S/MIME signed message
------D5AADCFDEEF9EC8B0B116AC356AF41CA
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>NONE</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>false</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------D5AADCFDEEF9EC8B0B116AC356AF41CA
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
+OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg1l4l1hEFvxsjc65MThWHhvCb
YoBySw0UQA61LL+lSsEwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAF88Gg525eeqmgAtBky5
lMnQehnA0c37pSL5uTklEcb0xwkQcdWQVerkAwKQb8CJGz4ttwvVqIde2Jn8boJP
Tb8xYvk38HXFHOpzSEv0qAj0u6dVB+go3OnrdhcM1R7jrHfReBRgnict8pLOPb+Y
khdlqzOMVxoTpJSiXUWdt5ucKbNvuWROG6TsNs4S5+lJ3EEvDn3++g32VRX9V3h4
5Hni4AMGmZrjBbmL/S02iR33ltwXYqfipUQjR5S5V/HS0LHX/mjYwuiWCtHNiSIi
s+8mqW8vNebYA9LeK7bvWXCygqnVr3qJT+ryeXUXtBl7dCTV+QVAlUzbW1wgHSuq
wtc=
------D5AADCFDEEF9EC8B0B116AC356AF41CA--
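Review bot: The XML comments in this governance document contradict the values beneath them: `discovery_protection_kind` is `NONE` under "should be protected with encryption followed by MAC", `liveliness_protection_kind` is `NONE` under "also encrypted", and `allow_unauthenticated_participants` is `false` under a comment that describes unauthenticated participants being allowed to join. In a security policy file a reader may take the comment as the policy, so the comments should describe the element rather than one setting, for example `<!-- Protection applied to discovery traffic -->` and `<!-- Whether participants that fail authentication may join and see unprotected data -->`. The same copied comments appear in the other governance fixtures of this commit. Because this text is the signed S/MIME part, changing it means the signature has to be regenerated.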


@ -0,0 +1,62 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>NONE</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>false</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
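Review bot: `enable_join_access_control` is written `TRUE` and `enable_liveliness_protection` is written `FALSE`, which is outside the `xs:boolean` lexical space (`true`, `false`, `1`, `0`). Assuming the referenced `omg_shared_ca_governance.xsd` types these elements as `xs:boolean`, the document would not validate against it. If the upper-case spelling is deliberate, to exercise lenient parsing in the plugin, say so at the top of the file, e.g. `<!-- Test fixture: TRUE/FALSE are intentionally non-schema spellings -->`; otherwise use `true`/`false`. The payload looks identical to the signed document in the preceding section, which carries the same values and would need re-signing after a change; the later fixtures in this commit use the same spelling.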


@ -0,0 +1,114 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----37F7530AAA327BE7C00C18ECA28FFF95"
This is an S/MIME signed message
------37F7530AAA327BE7C00C18ECA28FFF95
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>false</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------37F7530AAA327BE7C00C18ECA28FFF95
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
+OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgqqTuijPzgi5UyYnaRmfKMSwt
M8Mbr6egpAxWLt7vkkAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBACmMVANcUvNpeIpdG6is
IbAJWbvoIh68B4nMLMU8gij1ZcNavWg6dDU709AJcrCU2ZbVsHKPyBvRuSctkbKe
XHCRv5bAkcqkLsEVPc4Yu8w2hIC8nSTW1E2l1I+tChcXepcSsmrRFjZI8myDWmre
Slzcq0nSwKayhMSkv0CJeSzhQGCHBhRnVCb7ZDJXL94VKh1OBxlqTWGLRNQcIk0p
WXI0B2j5n8nM+neQd1gnKKuvqjSh2/IwUPariRfqpfVm1e8Mc0zNAubHOfuZ/hXj
tDAPBcJq8gz3sKSbwvN4Rk1J7YV0AnA8pPq3nfoZWvqcUzbdExn2zvzawRgteUyf
luw=
------37F7530AAA327BE7C00C18ECA28FFF95--
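Review bot: This signed fixture and the plain XML that follows it hold the same policy text, but nothing visible here records how the signature was produced or which CA it chains to, so the pair cannot be regenerated when the policy is edited. A short comment or README next to the fixtures giving the signing step would cover it, e.g. `openssl smime -sign -in <governance.xml> -text -out <governance.p7s> -signer <ca_cert.pem> -inkey <ca_key.pem>` (placeholder file names). The signature is computed over the exact bytes of the text/plain part, so it is also worth making sure line-ending conversion is disabled for these files in the repository.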


@ -0,0 +1,62 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>NONE</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>false</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>


@ -0,0 +1,114 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E6FE6351D381785F2D971BF5DB266909"
This is an S/MIME signed message
------E6FE6351D381785F2D971BF5DB266909
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------E6FE6351D381785F2D971BF5DB266909
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------E6FE6351D381785F2D971BF5DB266909--


@ -0,0 +1,62 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>


@ -0,0 +1,114 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----4375434DF6819FB7435B04810D502609"
This is an S/MIME signed message
------4375434DF6819FB7435B04810D502609
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------4375434DF6819FB7435B04810D502609
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------4375434DF6819FB7435B04810D502609--


@ -0,0 +1,62 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>


@ -0,0 +1,114 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----CAAC97AAFA02CB29461AE6EEFCBDADE0"
This is an S/MIME signed message
------CAAC97AAFA02CB29461AE6EEFCBDADE0
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>SIGN</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------CAAC97AAFA02CB29461AE6EEFCBDADE0
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------CAAC97AAFA02CB29461AE6EEFCBDADE0--


@ -0,0 +1,62 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>SIGN</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
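Review bot: Several comments in this governance fixture describe stronger protection than the element below them configures. The `discovery_protection_kind` comment says "encryption followed by MAC" and the liveliness one says "also encrypted" while both values are `SIGN`, and the `metadata_protection_kind` and `data_protection_kind` comments say the sub-message and payload are protected while both are `NONE`. Because the protection level is what a governance fixture pins, the comments should state the configured value, e.g. `<!-- Discovery data is signed (MAC only), not encrypted -->` and `<!-- Payload is not protected -->`. The same template comments appear in the two SIGN_WITH_ORIGIN_AUTHENTICATION governance documents that follow, and the signed one would need re-signing after any text edit. If the upper-case `TRUE` in `enable_join_access_control` is meant to exercise case-insensitive boolean parsing, a one-line comment saying so would stop it being "corrected" later.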


@ -0,0 +1,114 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7D08A7D2B4B01785900B9A7208F12A69"
This is an S/MIME signed message
------7D08A7D2B4B01785900B9A7208F12A69
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------7D08A7D2B4B01785900B9A7208F12A69
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------7D08A7D2B4B01785900B9A7208F12A69--


@ -0,0 +1,62 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>


@ -0,0 +1,85 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
This is an S/MIME signed message
------6B91005B007BBA8EDE10CD1CE487DB27
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------6B91005B007BBA8EDE10CD1CE487DB27
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
+OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
aNQ=
------6B91005B007BBA8EDE10CD1CE487DB27--


@ -0,0 +1,114 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
This is an S/MIME signed message
------DB94A190D9780A24156FB0E8F1E76B5F
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
20170801/omg_shared_ca_domain_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>true</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------DB94A190D9780A24156FB0E8F1E76B5F
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------DB94A190D9780A24156FB0E8F1E76B5F--
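Review bot: The `xsi:noNamespaceSchemaLocation` value in this document is split across two lines inside the attribute and reads `http://www.omg.org/spec/DDSSecurity/` followed by `20170801/omg_shared_ca_domain_governance.xsd`. The other governance fixtures in this commit use `https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd` on a single line. XML attribute-value normalisation turns the line break into a space, so the value is not a usable location if anything ever validates against it. Unless the malformed value is deliberate test input, use the same single-line value as the other fixtures and re-sign the document; if it is deliberate, a comment should say so.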


@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
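Review bot: This section commits an RSA private key with nothing in the file marking it as test-only material. A checked-in key is acceptable for unit tests only if it can never be mistaken for, or reused as, a deployment credential. I would add a line such as `Test-only key for the access-control unit tests; never use outside this test suite.` above the `-----BEGIN RSA PRIVATE KEY-----` line, provided the loader tolerates leading text (OpenSSL's PEM reader normally skips it), or otherwise put it in a README beside the file. The path should also be allow-listed explicitly in whatever secret scanning the repository uses, so the exception is recorded rather than silently ignored.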


@ -0,0 +1,51 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----3900963D3572093F6AEC654A72CAEE5A"
This is an S/MIME signed message
------3900963D3572093F6AEC654A72CAEE5A
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?> <dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd"> <permissions> <grant name="DEFAULT_PERMISSIONS"> <subject_name>/C=NL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CHAM500 cert</subject_name> <validity> <not_before>2015-09-15T01:00:00</not_before> <not_after>2019-11-18T11:48:49</not_after> </validity> <deny_rule> <domains> <id_range> <min>0</min> <max>230</max> </id_range> </domains> <publish> <topics> <topic>*</topic> </topics> <partitions/> </publish> <subscribe> <topics> <topic>*</topic> </topics> <partitions/> </subscribe> </deny_rule> <default>DENY</default> </grant> </permissions> </dds>
------3900963D3572093F6AEC654A72CAEE5A
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------3900963D3572093F6AEC654A72CAEE5A--
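Review bot: This file looks like generated test output rather than a fixture. Its XML is the `PERMISSIONS_DOCUMENT` template from the listener test with `PERMISSION_EXPIRY_DATE` filled in as `2019-11-18T11:48:49`, and that test's `fill_participant_qos` signs the template and writes it to `Test_Permissions_listener.p7s` under the `etc` directory on every run. If this is that file, each run rewrites a tracked file in the source tree, and the committed copy's `not_after` is already earlier than the commit date. It would be cleaner to write the signed document to a build or temporary directory and keep it out of the repository. The file path is not shown in this section, so the match is inferred from the content.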


@ -0,0 +1,671 @@
/*
* Copyright(c) 2006 to 2019 ADLINK Technology Limited and others
*
* This program and the accompanying materials are made available under the
* terms of the Eclipse Public License v. 2.0 which is available at
* http://www.eclipse.org/legal/epl-2.0, or the Eclipse Distribution License
* v. 1.0 which is available at
* http://www.eclipse.org/org/documents/edl-v10.php.
*
* SPDX-License-Identifier: EPL-2.0 OR BSD-3-Clause
*/
#include <assert.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/pkcs7.h>
#include <openssl/pem.h>
#include "dds/ddsrt/environ.h"
#include "dds/ddsrt/heap.h"
#include "dds/ddsrt/io.h"
#include "dds/ddsrt/misc.h"
#include "dds/ddsrt/string.h"
#include "dds/ddsrt/types.h"
#include "dds/security/dds_security_api.h"
#include "dds/security/core/dds_security_utils.h"
#include "CUnit/CUnit.h"
#include "CUnit/Test.h"
#include "common/src/loader.h"
#include "config_env.h"
#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
#define REMOVE_THREAD_STATE() ERR_remove_thread_state(NULL);
#elif OPENSSL_VERSION_NUMBER < 0x10000000L
#define REMOVE_THREAD_STATE() ERR_remove_state(0);
#else
#define REMOVE_THREAD_STATE()
#endif
static const char *ACCESS_PERMISSIONS_TOKEN_ID = "DDS:Access:Permissions:1.0";
static const char *AUTH_PROTOCOL_CLASS_ID = "DDS:Auth:PKI-DH:1.0";
static const char *PROPERTY_IDENTITY_CA = "dds.sec.auth.identity_ca";
static const char *PROPERTY_PRIVATE_KEY = "dds.sec.auth.private_key";
static const char *PROPERTY_IDENTITY_CERT = "dds.sec.auth.identity_certificate";
static const char *PROPERTY_PERMISSIONS_CA = "dds.sec.access.permissions_ca";
static const char *PROPERTY_PERMISSIONS = "dds.sec.access.permissions";
static const char *PROPERTY_GOVERNANCE = "dds.sec.access.governance";
static const char *PROPERTY_PERMISSIONS_CA_SN = "dds.perm_ca.sn";
static const char *PROPERTY_PERMISSIONS_CA_ALGO = "dds.perm_ca.algo";
static const char *PROPERTY_C_ID = "c.id";
static const char *PROPERTY_C_PERM = "c.perm";
static const char *SUBJECT_NAME_PERMISSIONS_CA = "C=NL, ST=Some-State, O=ADLINK Technolocy Inc., CN=adlinktech.com";
static const char *RSA_2048_ALGORITHM_NAME = "RSA-2048";
static const char *RELATIVE_PATH_TO_ETC_DIR = "/listeners_access_control/etc/";
static const char *PERMISSIONS_CA_CERT_FILE = "Test_Permissions_ca.pem";
static const char *PERMISSIONS_CA_KEY_FILE = "Test_Permissions_ca_key.pem";
static const char *PERMISSIONS_FILE = "Test_Permissions_listener.p7s";
static dds_security_access_control_listener ac_listener;
static const char *identity_certificate =
"data:,-----BEGIN CERTIFICATE-----\n"
"MIIEQTCCAymgAwIBAgIINpuaAAnrQZIwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
"BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
"ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE3MDIy\n"
"MjIyMjIwMFoYDzIyMjIwMjIyMjIyMjAwWjBcMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
"CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
"MRUwEwYDVQQDEwxDSEFNNTAwIGNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n"
"ggEKAoIBAQDCpVhivH/wBIyu74rvQncnSZqKyspN6CvD1pmV9wft5PHhVt9jV79v\n"
"gSub5LADoRHAgFdv9duYgBr17Ob6uRrIY4B18CcrCjhQcC4gjx8y2jl9PeYm+qYD\n"
"3o44FYBrBq0QCnrQgKsb/qX9Z+Mw/VUiw65x68W876LEHQQoEgT4kxSuagwBoVRk\n"
"ePD6fYAKmT4XS3x+O0v+rHESTcsKF6yMadgp7h3eH1b8kJTzSx8JV9Zzq++mxjox\n"
"qhbBVP5nDze2hhSIeCkCvSrx7efkgKS4AQXa5/Z44GiAu1TfXXUqdic9rxwD0edn\n"
"ajNElnZe7sjok/0yuqvH+2hSqpNva/zpAgMBAAGjggEAMIH9MAwGA1UdDwQFAwMH\n"
"/4AwgewGA1UdJQSB5DCB4QYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYI\n"
"KwYBBQUHAwQGCCsGAQUFBwMIBgorBgEEAYI3AgEVBgorBgEEAYI3AgEWBgorBgEE\n"
"AYI3CgMBBgorBgEEAYI3CgMDBgorBgEEAYI3CgMEBglghkgBhvhCBAEGCysGAQQB\n"
"gjcKAwQBBggrBgEFBQcDBQYIKwYBBQUHAwYGCCsGAQUFBwMHBggrBgEFBQgCAgYK\n"
"KwYBBAGCNxQCAgYIKwYBBQUHAwkGCCsGAQUFBwMNBggrBgEFBQcDDgYHKwYBBQID\n"
"BTANBgkqhkiG9w0BAQsFAAOCAQEAawdHy0Xw7nTK2ltp91Ion6fJ7hqYuj///zr7\n"
"Adt6uonpDh/xl3esuwcFimIJrJrHujnGkL0nLddRCikmnzuBMNDWS6yq0/Ckl/YG\n"
"yjNr44dlX24wo+MVAgkj3/8CyWDZ3a8kBg9QT3bs2SqbjmhTrXN1DRyf9S5vJysE\n"
"I7V1gTN66BeKL64hOrAlRVrEu8Ds6TWL6Q/YH+61ViZkoLTeSaPjH4nknaFr4C35\n"
"iji0JhkyfRHRRVPHFnaj25AkxOrSV64qVKoTMjDl5fji5iMGtjm6iJ7q05ml/qDl\n"
"nLotHXemZNvYhbwUmRzbt4Dls9EMH4VRbP85I94nM5TAvtHVNA==\n"
"-----END CERTIFICATE-----\n";
static const char *identity_ca =
"data:,-----BEGIN CERTIFICATE-----\n"
"MIIEmTCCA4GgAwIBAgIIZ5gEIUFhO5wwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE\n"
"BhMCTkwxEzARBgNVBAgTClNvbWUtU3RhdGUxITAfBgNVBAoTGEludGVybmV0IFdp\n"
"ZGdpdHMgUHR5IEx0ZDEYMBYGA1UEAxMPQ0hBTTUwMCByb290IGNhMCAXDTE4MDIx\n"
"MjE1MDUwMFoYDzIyMjIwMjIyMjIyMjAwWjBfMQswCQYDVQQGEwJOTDETMBEGA1UE\n"
"CBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRk\n"
"MRgwFgYDVQQDEw9DSEFNNTAwIHJvb3QgY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\n"
"DwAwggEKAoIBAQC6Fa3TheL+UrdZCp9GhU/2WbneP2t/avUa3muwDttPxeI2XU9k\n"
"ZjBR95mAXme4SPXHk5+YDN319AqIje3oKhzky/ngvKH2GkoJKYxWnuDBfMEHdViz\n"
"2Q9/xso2ZvH50ukwWa0pfx2/EVV1wRxeQcRd/UVfq3KTJizG0M88mOYvGEAw3LFf\n"
"zef7k1aCuOofQmBvLukUudcYpMzfyHFp7lQqU4CcrrR5RtmfiUfrWfdGLea2iPDB\n"
"pJgN8ESOMwEHtOTEBDclYnH9L4t7CHQz+fXXS5IWFsDK9fCMQjnxDsDVeNrNzTYL\n"
"FaZrMg9S6IUQCEsQWsnq5weS8omOpVLUm9klAgMBAAGjggFVMIIBUTAMBgNVHRME\n"
"BTADAQH/MB0GA1UdDgQWBBQg2FZB/j8uWDVnJhjwXkX278znSTAfBgNVHSMEGDAW\n"
"gBQg2FZB/j8uWDVnJhjwXkX278znSTAPBgNVHQ8BAf8EBQMDB/+AMIHvBgNVHSUB\n"
"Af8EgeQwgeEGCCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwME\n"
"BggrBgEFBQcDCAYKKwYBBAGCNwIBFQYKKwYBBAGCNwIBFgYKKwYBBAGCNwoDAQYK\n"
"KwYBBAGCNwoDAwYKKwYBBAGCNwoDBAYJYIZIAYb4QgQBBgsrBgEEAYI3CgMEAQYI\n"
"KwYBBQUHAwUGCCsGAQUFBwMGBggrBgEFBQcDBwYIKwYBBQUIAgIGCisGAQQBgjcU\n"
"AgIGCCsGAQUFBwMJBggrBgEFBQcDDQYIKwYBBQUHAw4GBysGAQUCAwUwDQYJKoZI\n"
"hvcNAQELBQADggEBAKHmwejWRwGE1wf1k2rG8SNRV/neGsZ6Qfqf6co3TpR/Wi1s\n"
"iZDvSeT/rbqNBS7z34xnG88NIUwu00y78e8Mfon31ZZbK4Uo7fla9/D3ukdJqPQC\n"
"LKdbKJjR2kH+KCukY/1rghjJ8/X+t2egBit0LCOdsFCl07Sfksb9kpGUIZSFcYYm\n"
"geqhjhoNwxazzHiw+QWHC5HG9248JIizBmy1aymNWuMnPudhjHAnPcsIlqMVNq3t\n"
"Rv9ap7S8JeCxHVRPJvJeCwXWvW3dW/v3xH52Yn/fqRblN1w9Fxz5NhopKx0gj/Jd\n"
"sw2N4Fk4gaOWEolFpa0bwNw8nAx7moehZpowzfw=\n"
"-----END CERTIFICATE-----\n";
static const char *private_key =
"data:,-----BEGIN RSA PRIVATE KEY-----\n"
"MIIEogIBAAKCAQEAwqVYYrx/8ASMru+K70J3J0maisrKTegrw9aZlfcH7eTx4Vbf\n"
"Y1e/b4Erm+SwA6ERwIBXb/XbmIAa9ezm+rkayGOAdfAnKwo4UHAuII8fMto5fT3m\n"
"JvqmA96OOBWAawatEAp60ICrG/6l/WfjMP1VIsOucevFvO+ixB0EKBIE+JMUrmoM\n"
"AaFUZHjw+n2ACpk+F0t8fjtL/qxxEk3LChesjGnYKe4d3h9W/JCU80sfCVfWc6vv\n"
"psY6MaoWwVT+Zw83toYUiHgpAr0q8e3n5ICkuAEF2uf2eOBogLtU3111KnYnPa8c\n"
"A9HnZ2ozRJZ2Xu7I6JP9Mrqrx/toUqqTb2v86QIDAQABAoIBAC1q32DKkx+yMBFx\n"
"m32QiLUGG6VfBC2BixS7MkMnzRXZYgcuehl4FBc0kLRjfB6cqsO8LqrVN1QyMBhK\n"
"GutN3c38SbE7RChqzhEW2+yE+Mao3Nk4ZEecHLiyaYT0n25ZtHAVwep823BAzwJ+\n"
"BykbM45VEpNKbG1VjSktjBa9faNyZiZAEJEjVyla+6R8N4kHV52LbZcLjvJv3IQ2\n"
"iPYRrmMyI5C23qTni0vy7yJbAXBo3CqgSlwie9FARBWT7Puu7F4mF1O1c/SnTysw\n"
"Tm3e5FzgfHipQbnRVn0w4rDprPMKmPxMnvf/Wkw0zVgNadp1Tc1I6Yj525DEQ07i\n"
"2gIn/gECgYEA4jNnY1u2Eu7x3pAQF3dRO0x35boVtuq9iwQk7q+uaZaK4RJRr+0Y\n"
"T68S3bPnfer6SHvcxtST89Bvs/j/Ky4SOaX037UYjFh6T7OIzPl+MzO1yb+VOBT6\n"
"D6FVGEJGp8ZAITU1OfJPeTYViUeEC8tHFGoKUCk50FbB6jOf1oKtv/ECgYEA3EnB\n"
"Y7kSbJJaUuj9ciFUL/pAno86Cim3VjegK1wKgEiyDb610bhoMErovPwfVJbtcttG\n"
"eKJNuwizkRcVbj+vpjDvqqaP5eMxLl6/Nd4haPMJYzGo88Z8NJpwFRNF2KEWjOpQ\n"
"2NEvoCeRtVulCJyka2Tpljzw8cOXkxhPOe2UhHkCgYBo3entj0QO7QXm56T+LAvV\n"
"0PK45xdQEO3EuCwjGAFk5C0IgUSrqeCeeIzniZMltj1IQ1wsNbtNynEu3530t8wt\n"
"O7oVyFBUKGSz9IjUdkpClJOPr6kPMfJoMqRPtdIpz+hFPPSrI6IikKdVWHloOlp+\n"
"pVaYqTQrWT1XRY2xli3VEQKBgGySmZN6Cx+h/oywswIGdUT0VdcQhq2to+QFpJba\n"
"VX6m1cM6hMip2Ag9U3qZ1SNPBBdBBfm9HQybHE3dj713/C2wHuAAGhpXIM1W+20k\n"
"X1knuC/AsSH9aQhQOf/ZMOq1crTfZBuI9q0782/sjGmzMsKPySU4QhUWruVb7OiD\n"
"NVkZAoGAEvihW7G+8/iOE40vGHyBqUeopAAWLciTAUIEwM/Oi3BYfNWNTWF/FWNc\n"
"nMvCZPYigY8C1vO+1iT2Frtd3CIU+f01Q3fJNJoRLlEiKLNZUJRF48OKUqjKSmsi\n"
"w6pucFO40z05YW7utApj4L82rZnOS0pd1tUI1yexqvj0i4ThJfk=\n"
"-----END RSA PRIVATE KEY-----\n";
static const char *permissions_ca = /*Test_Permissions_ca.pem */
"data:,-----BEGIN CERTIFICATE-----\n"
"MIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEBCwUAMFwxCzAJBgNV\n"
"BAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQKDBZBRExJTksgVGVj\n"
"aG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNvbTAgFw0xODA3MzAx\n"
"MjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMCTkwxEzARBgNVBAgM\n"
"ClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4xFzAV\n"
"BgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"
"CgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blIDehV6XCxrnGXusTCD\n"
"uFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9wicp3BGSpZZax/TcO\n"
"NjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLsDFFC+a0qn2RFh37r\n"
"cWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074BRDXVivx+wVD951L\n"
"FNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiySogRWAmKhysLQudu\n"
"kHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNVHQ4EFgQURWMbWvBK\n"
"ZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJvRV1/tyc1R82k0+gw\n"
"DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+ysVtvHnk2hpu9yND\n"
"LCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9XVh0rGoR/6nHzo3TI\n"
"eiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9yghhKHHqNDvSsAL0\n"
"KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbtlLX3QnwVOmaRyzyl\n"
"PiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42+OyLqcH1rKT6Xhcs\n"
"hjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb6SDB340BFmtgDHbF\n"
"HQ==\n"
"-----END CERTIFICATE-----\n";
#define PERMISSIONS_DOCUMENT "<?xml version=\"1.0\" encoding=\"utf-8\"?> \
<dds xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \
xsi:noNamespaceSchemaLocation=\"https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd\"> \
<permissions> \
<grant name=\"DEFAULT_PERMISSIONS\"> \
<subject_name>/C=NL/ST=Some-State/O=Internet Widgits Pty Ltd/CN=CHAM500 cert</subject_name> \
<validity> \
<not_before>2015-09-15T01:00:00</not_before> \
<not_after>PERMISSION_EXPIRY_DATE</not_after> \
</validity> \
<deny_rule> \
<domains> \
<id_range> \
<min>0</min> \
<max>230</max> \
</id_range> \
</domains> \
<publish> \
<topics> \
<topic>*</topic> \
</topics> \
<partitions/> \
</publish> \
<subscribe> \
<topics> \
<topic>*</topic> \
</topics> \
<partitions/> \
</subscribe> \
</deny_rule> \
<default>DENY</default> \
</grant> \
</permissions> \
</dds> "
static struct plugins_hdl *plugins = NULL;
static dds_security_authentication *auth = NULL;
static dds_security_access_control *access_control = NULL;
static DDS_Security_IdentityHandle local_identity_handle = DDS_SECURITY_HANDLE_NIL;
static DDS_Security_IdentityHandle remote_identity_handle = DDS_SECURITY_HANDLE_NIL;
static DDS_Security_PermissionsHandle local_permissions_handle = DDS_SECURITY_HANDLE_NIL;
static DDS_Security_PermissionsHandle remote_permissions_handle = DDS_SECURITY_HANDLE_NIL;
static DDS_Security_GUID_t local_participant_guid;
static char *g_path_to_etc_dir = NULL;
static DDS_Security_PermissionsHandle permission_handle_for_callback1 = DDS_SECURITY_HANDLE_NIL;
static DDS_Security_PermissionsHandle permission_handle_for_callback2 = DDS_SECURITY_HANDLE_NIL;
static dds_time_t local_expiry_date;
static dds_time_t remote_expiry_date;
static void dds_security_property_init(DDS_Security_PropertySeq *seq, DDS_Security_unsigned_long size)
{
seq->_length = size;
seq->_maximum = size;
seq->_buffer = ddsrt_malloc(size * sizeof(DDS_Security_Property_t));
memset(seq->_buffer, 0, size * sizeof(DDS_Security_Property_t));
}
static void dds_security_property_deinit(DDS_Security_PropertySeq *seq)
{
uint32_t i;
for (i = 0; i < seq->_length; i++)
{
ddsrt_free(seq->_buffer[i].name);
ddsrt_free(seq->_buffer[i].value);
}
ddsrt_free(seq->_buffer);
}
static void reset_exception(DDS_Security_SecurityException *ex)
{
ex->code = 0;
ex->minor_code = 0;
ddsrt_free(ex->message);
ex->message = NULL;
}
static void get_future_xsdate(char *str, size_t len, int32_t delta)
{
time_t rawtime;
struct tm *future;
/* Get future time. */
rawtime = time(NULL) + delta;
future = gmtime(&rawtime);
/* Put the future time in a xsDate format. */
strftime(str, len, "%Y-%m-%dT%H:%M:%S", future);
}
static int smime_sign(const char *certificate_file, const char *key_file, const char *data, const char *out_file)
{
BIO *in = NULL, *out = NULL, *tbio = NULL, *keybio = NULL;
X509 *scert = NULL;
EVP_PKEY *skey = NULL;
PKCS7 *p7 = NULL;
int ret = 1;
int flags = PKCS7_DETACHED | PKCS7_STREAM | PKCS7_TEXT;
/* Read in signer certificate and private key */
tbio = BIO_new_file(certificate_file, "r");
if (!tbio)
goto err;
scert = PEM_read_bio_X509(tbio, NULL, 0, NULL);
keybio = BIO_new_file(key_file, "r");
if (!keybio)
goto err;
skey = PEM_read_bio_PrivateKey(keybio, NULL, 0, NULL);
if (!scert || !skey)
goto err;
/* Open content being signed */
in = BIO_new_mem_buf(data, (int)strlen(data));
if (!in)
goto err;
/* Sign content */
p7 = PKCS7_sign(scert, skey, NULL, in, flags);
if (!p7)
goto err;
out = BIO_new_file(out_file, "w");
if (!out)
goto err;
//if (!(flags & PKCS7_STREAM))
// BIO_reset(in);
/* Write out S/MIME message */
if (!SMIME_write_PKCS7(out, p7, in, flags))
goto err;
ret = 0;
err:
if (ret)
{
fprintf(stderr, "Error Signing Data\n");
ERR_print_errors_fp(stderr);
}
if (p7)
PKCS7_free(p7);
if (scert)
X509_free(scert);
if (skey)
EVP_PKEY_free(skey);
if (in)
BIO_free(in);
if (keybio)
BIO_free(keybio);
if (out)
BIO_free(out);
if (tbio)
BIO_free(tbio);
return ret;
}
static void fill_participant_qos(DDS_Security_Qos *qos, int32_t permission_expiry, const char *governance_filename)
{
char *permission_uri;
char *governance_uri;
char *permissions_ca_cert_file;
char *permissions_ca_key_file;
char *permissions_file;
char *permissions_xml_with_expiry;
char permission_expiry_date_str[30];
/*get time in future */
get_future_xsdate(permission_expiry_date_str, 30, permission_expiry);
local_expiry_date = DDS_Security_parse_xml_date(permission_expiry_date_str);
permissions_xml_with_expiry = ddsrt_str_replace(PERMISSIONS_DOCUMENT, "PERMISSION_EXPIRY_DATE", permission_expiry_date_str, 1);
ddsrt_asprintf(&permissions_ca_cert_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_CERT_FILE);
ddsrt_asprintf(&permissions_ca_key_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_KEY_FILE);
ddsrt_asprintf(&permissions_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_FILE);
smime_sign(permissions_ca_cert_file, permissions_ca_key_file, permissions_xml_with_expiry, permissions_file);
//check sign result
ddsrt_asprintf(&permission_uri, "file:%s", permissions_file);
ddsrt_asprintf(&governance_uri, "file:%s%s", g_path_to_etc_dir, governance_filename);
memset(qos, 0, sizeof(*qos));
dds_security_property_init(&qos->property.value, 6);
qos->property.value._buffer[0].name = ddsrt_strdup(PROPERTY_IDENTITY_CERT);
qos->property.value._buffer[0].value = ddsrt_strdup(identity_certificate);
qos->property.value._buffer[1].name = ddsrt_strdup(PROPERTY_IDENTITY_CA);
qos->property.value._buffer[1].value = ddsrt_strdup(identity_ca);
qos->property.value._buffer[2].name = ddsrt_strdup(PROPERTY_PRIVATE_KEY);
qos->property.value._buffer[2].value = ddsrt_strdup(private_key);
qos->property.value._buffer[3].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA);
qos->property.value._buffer[3].value = ddsrt_strdup(permissions_ca);
qos->property.value._buffer[4].name = ddsrt_strdup(PROPERTY_PERMISSIONS);
qos->property.value._buffer[4].value = ddsrt_strdup(permission_uri);
qos->property.value._buffer[5].name = ddsrt_strdup(PROPERTY_GOVERNANCE);
qos->property.value._buffer[5].value = ddsrt_strdup(governance_uri);
ddsrt_free(permission_uri);
ddsrt_free(governance_uri);
ddsrt_free(permissions_xml_with_expiry);
ddsrt_free(permissions_ca_key_file);
ddsrt_free(permissions_ca_cert_file);
ddsrt_free(permissions_file);
}
static void fill_permissions_token(DDS_Security_PermissionsToken *token)
{
memset(token, 0, sizeof(DDS_Security_PermissionsToken));
token->class_id = ddsrt_strdup(ACCESS_PERMISSIONS_TOKEN_ID);
token->properties._length = token->properties._maximum = 2;
token->properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA_SN);
token->properties._buffer[0].value = ddsrt_strdup(SUBJECT_NAME_PERMISSIONS_CA);
token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_PERMISSIONS_CA_ALGO);
token->properties._buffer[1].value = ddsrt_strdup(RSA_2048_ALGORITHM_NAME);
}
static int fill_peer_credential_token(DDS_Security_AuthenticatedPeerCredentialToken *token, int32_t permission_expiry)
{
int result = 1;
char *permission_data;
char *permissions_ca_cert_file;
char *permissions_ca_key_file;
char *permissions_file;
char *permissions_xml_with_expiry;
char permission_expiry_date_str[30];
/*get time in future */
get_future_xsdate(permission_expiry_date_str, 30, permission_expiry);
remote_expiry_date = DDS_Security_parse_xml_date(permission_expiry_date_str);
permissions_xml_with_expiry = ddsrt_str_replace(PERMISSIONS_DOCUMENT, "PERMISSION_EXPIRY_DATE", permission_expiry_date_str, 1);
ddsrt_asprintf(permissions_ca_cert_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_CERT_FILE);
ddsrt_asprintf(permissions_ca_key_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_CA_KEY_FILE);
ddsrt_asprintf(permissions_file, "%s%s", g_path_to_etc_dir, PERMISSIONS_FILE);
smime_sign(permissions_ca_cert_file, permissions_ca_key_file, permissions_xml_with_expiry, permissions_file);
memset(token, 0, sizeof(DDS_Security_AuthenticatedPeerCredentialToken));
permission_data = load_file_contents(permissions_file);
if (permission_data)
{
token->class_id = ddsrt_strdup(AUTH_PROTOCOL_CLASS_ID);
token->properties._length = token->properties._maximum = 2;
token->properties._buffer = DDS_Security_PropertySeq_allocbuf(2);
token->properties._buffer[0].name = ddsrt_strdup(PROPERTY_C_ID);
token->properties._buffer[0].value = ddsrt_strdup(&identity_certificate[6]);
token->properties._buffer[1].name = ddsrt_strdup(PROPERTY_C_PERM);
token->properties._buffer[1].value = permission_data;
}
else
{
ddsrt_free(permission_data);
result = 0;
}
ddsrt_free(permissions_xml_with_expiry);
ddsrt_free(permissions_ca_key_file);
ddsrt_free(permissions_ca_cert_file);
ddsrt_free(permissions_file);
return result;
}
static DDS_Security_long
validate_local_identity_and_permissions(int32_t permission_expiry)
{
DDS_Security_long res = DDS_SECURITY_ERR_OK_CODE;
DDS_Security_ValidationResult_t result;
DDS_Security_DomainId domain_id = 0;
DDS_Security_Qos participant_qos;
DDS_Security_GUID_t candidate_participant_guid;
DDS_Security_SecurityException exception = {NULL, 0, 0};
DDS_Security_GuidPrefix_t prefix = {0xb0, 0xb1, 0xb2, 0xb3, 0xb4, 0xb5, 0xb6, 0xb7, 0xb8, 0xb9, 0xba, 0xbb};
DDS_Security_EntityId_t entityId = {{0xb0, 0xb1, 0xb2}, 0x1};
memset(&local_participant_guid, 0, sizeof(local_participant_guid));
memcpy(&candidate_participant_guid.prefix, &prefix, sizeof(prefix));
memcpy(&candidate_participant_guid.entityId, &entityId, sizeof(entityId));
fill_participant_qos(&participant_qos, permission_expiry, "Test_Governance_ok.p7s");
/* Now call the function. */
result = auth->validate_local_identity(
auth,
&local_identity_handle,
&local_participant_guid,
domain_id,
&participant_qos,
&candidate_participant_guid,
&exception);
if (result != DDS_SECURITY_VALIDATION_OK)
{
res = DDS_SECURITY_ERR_UNDEFINED_CODE;
printf("validate_local_identity_failed: (%d) %s\n", (int)exception.code, exception.message ? exception.message : "Error message missing");
}
reset_exception(&exception);
if (res == 0)
{
local_permissions_handle = access_control->validate_local_permissions(
access_control,
auth,
local_identity_handle,
0,
&participant_qos,
&exception);
if (local_permissions_handle == DDS_SECURITY_HANDLE_NIL)
{
printf("validate_local_permissions_failed: (%d) %s\n", (int)exception.code, exception.message ? exception.message : "Error message missing");
if (exception.code == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE)
/* This can happen on very slow platforms or when doing a valgrind run. */
res = DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE;
else
res = DDS_SECURITY_ERR_UNDEFINED_CODE;
}
}
dds_security_property_deinit(&participant_qos.property.value);
ddsrt_free(exception.message);
return res;
}
static void clear_local_identity_and_permissions(void)
{
DDS_Security_SecurityException exception = {NULL, 0, 0};
DDS_Security_boolean success;
if (local_permissions_handle != DDS_SECURITY_HANDLE_NIL)
{
success = access_control->return_permissions_handle(access_control, local_permissions_handle, &exception);
if (!success)
printf("return_permission_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
reset_exception(&exception);
}
if (local_identity_handle != DDS_SECURITY_HANDLE_NIL)
{
success = auth->return_identity_handle(auth, local_identity_handle, &exception);
if (!success)
printf("return_identity_handle failed: %s\n", exception.message ? exception.message : "Error message missing");
reset_exception(&exception);
}
}
static void set_path_to_etc_dir(void)
{
ddsrt_asprintf(&g_path_to_etc_dir, "%s%s", CONFIG_ENV_TESTS_DIR, RELATIVE_PATH_TO_ETC_DIR);
}
static void suite_listeners_access_control_init(void)
{
plugins = load_plugins(&access_control, &auth, NULL /* Cryptograpy */);
CU_ASSERT_FATAL(plugins != NULL);
set_path_to_etc_dir();
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
}
static void suite_listeners_access_control_fini(void)
{
unload_plugins(plugins);
ddsrt_free(g_path_to_etc_dir);
EVP_cleanup();
CRYPTO_cleanup_all_ex_data();
REMOVE_THREAD_STATE();
ERR_free_strings();
}
static DDS_Security_boolean on_revoke_permissions_cb(dds_security_access_control_listener *instance, const dds_security_access_control *plugin, const DDS_Security_PermissionsHandle handle)
{
DDSRT_UNUSED_ARG(instance);
DDSRT_UNUSED_ARG(plugin);
if (permission_handle_for_callback1 == DDS_SECURITY_HANDLE_NIL)
permission_handle_for_callback1 = handle;
else if (permission_handle_for_callback2 == DDS_SECURITY_HANDLE_NIL)
permission_handle_for_callback2 = handle;
printf("Listener called for handle: %lld Local:%ld Remote:%ld\n", (long long)handle, local_permissions_handle, remote_permissions_handle);
return true;
}
CU_Test(ddssec_builtin_listeners_access_control, local_2secs, .init = suite_listeners_access_control_init, .fini = suite_listeners_access_control_fini)
{
DDS_Security_PermissionsHandle result;
DDS_Security_PermissionsToken permissions_token;
DDS_Security_AuthenticatedPeerCredentialToken credential_token;
DDS_Security_SecurityException exception = {NULL, 0, 0};
DDS_Security_long valid;
int r;
dds_duration_t time_left = DDS_MSECS(10000);
bool local_expired = false;
bool remote_expired = false;
local_expiry_date = 0;
remote_expiry_date = 0;
ac_listener.on_revoke_permissions = &on_revoke_permissions_cb;
valid = validate_local_identity_and_permissions(2);
if (valid == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE)
{
/* This can happen on very slow platforms or when doing a valgrind run.
* Just take our losses and quit, simulating a success. */
return;
}
CU_ASSERT_FATAL(valid == DDS_SECURITY_ERR_OK_CODE);
/* Check if we actually have validate_remote_permissions function. */
CU_ASSERT_FATAL(access_control != NULL);
CU_ASSERT_FATAL(local_identity_handle != DDS_SECURITY_HANDLE_NIL);
CU_ASSERT_FATAL(access_control->validate_remote_permissions != NULL);
CU_ASSERT_FATAL(access_control->return_permissions_handle != NULL);
fill_permissions_token(&permissions_token);
r = fill_peer_credential_token(&credential_token, 1);
CU_ASSERT_FATAL(r);
remote_identity_handle++;
access_control->set_listener(access_control, &ac_listener, &exception);
result = access_control->validate_remote_permissions(
access_control,
auth,
local_identity_handle,
remote_identity_handle,
&permissions_token,
&credential_token,
&exception);
if (result == 0)
{
printf("validate_remote_permissions_failed: %s\n", exception.message ? exception.message : "Error message missing");
/* Expiry can happen on very slow platforms or when doing a valgrind run.
* Just take our losses and quit, simulating a success. */
CU_ASSERT(exception.code == DDS_SECURITY_ERR_VALIDITY_PERIOD_EXPIRED_CODE);
goto end;
}
remote_permissions_handle = result;
reset_exception(&exception);
while (time_left > 0 && (!local_expired || !remote_expired))
{
/* Normally, it is expected that the remote expiry is triggered before the
* local one. However, that can change on slow platforms. */
if (remote_expiry_date < local_expiry_date)
{
if (permission_handle_for_callback1 == remote_permissions_handle)
{
remote_expired = true;
}
if (permission_handle_for_callback2 == local_permissions_handle)
{
local_expired = true;
}
}
else
{
if (permission_handle_for_callback2 == remote_permissions_handle)
{
remote_expired = true;
}
if (permission_handle_for_callback1 == local_permissions_handle)
{
local_expired = true;
}
}
dds_sleepfor(DDS_MSECS(100));
time_left -= DDS_MSECS(100);
}
CU_ASSERT(local_expired);
CU_ASSERT(remote_expired);
access_control->return_permissions_handle(access_control, result, &exception);
end:
reset_exception(&exception);
DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&permissions_token);
DDS_Security_DataHolder_deinit((DDS_Security_DataHolder *)&credential_token);
clear_local_identity_and_permissions();
}


@ -0,0 +1,3 @@
This is just a file to see how the Security Plugin
reacts when it receives a file that doesn't contain
expected content, but just some text.


@ -0,0 +1,199 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----988CFBB47A225358D7A5B33A4CA9AD64"
This is an S/MIME signed message
------988CFBB47A225358D7A5B33A4CA9AD64
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<!-- No access control by any topic and participant is access protected -->
<domains>
<id>1</id>
</domains>
<allow_unauthenticated_participants>1</allow_unauthenticated_participants>
<rtps_protection_kind>NONE</rtps_protection_kind>
<discovery_protection_kind>SIGN</discovery_protection_kind>
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<topic_access_rules>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic1</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
</topic_rule>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic2</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
</topic_rule>
</topic_access_rules>
</domain_rule>
<domain_rule>
<!-- No write access control by one topic -->
<domains>
<id>2</id>
</domains>
<allow_unauthenticated_participants>1</allow_unauthenticated_participants>
<rtps_protection_kind>NONE</rtps_protection_kind>
<discovery_protection_kind>SIGN</discovery_protection_kind>
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<topic_access_rules>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic1</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
</topic_rule>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic2</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
</topic_rule>
</topic_access_rules>
</domain_rule>
<domain_rule>
<!-- No write and read access control by all topic -->
<domains>
<id>3</id>
</domains>
<allow_unauthenticated_participants>1</allow_unauthenticated_participants>
<rtps_protection_kind>NONE</rtps_protection_kind>
<discovery_protection_kind>SIGN</discovery_protection_kind>
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<topic_access_rules>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic1</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
</topic_rule>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic2</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
</topic_rule>
</topic_access_rules>
</domain_rule>
<domain_rule>
<!-- Participant is access protected -->
<domains>
<id>4</id>
</domains>
<allow_unauthenticated_participants>1</allow_unauthenticated_participants>
<rtps_protection_kind>NONE</rtps_protection_kind>
<discovery_protection_kind>SIGN</discovery_protection_kind>
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>FALSE</enable_join_access_control>
<topic_access_rules>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic1</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------988CFBB47A225358D7A5B33A4CA9AD64
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------988CFBB47A225358D7A5B33A4CA9AD64--
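Review bot: The copied comments in this governance fixture contradict the values beneath them: `The read access to all topics should be open to all.` sits over `enable_read_access_control` whether it is `true` or `false`, and the join comment ending `without checking access control` sits over both `TRUE` (domains 1–3) and `FALSE` (domain 4). A governance document is the security policy and fixtures get reused as templates, so I would reword each comment to describe its value, e.g. `<!-- Read access is checked against the permissions document -->` for `true` and `<!-- Read access is not checked -->` for `false`. The same applies to the unsigned copy in the next section and to the later signed document, where `Whole RTPS message is not protected` precedes `ENCRYPT_WITH_ORIGIN_AUTHENTICATION`. This file is S/MIME-signed, so the signature has to be regenerated after any edit to the XML part.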


@ -0,0 +1,147 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<!-- No access control by any topic and participant is access protected -->
<domains>
<id>1</id>
</domains>
<allow_unauthenticated_participants>1</allow_unauthenticated_participants>
<rtps_protection_kind>NONE</rtps_protection_kind>
<discovery_protection_kind>SIGN</discovery_protection_kind>
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<topic_access_rules>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic1</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
</topic_rule>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic2</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
</topic_rule>
</topic_access_rules>
</domain_rule>
<domain_rule>
<!-- No write access control by one topic -->
<domains>
<id>2</id>
</domains>
<allow_unauthenticated_participants>1</allow_unauthenticated_participants>
<rtps_protection_kind>NONE</rtps_protection_kind>
<discovery_protection_kind>SIGN</discovery_protection_kind>
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<topic_access_rules>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic1</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
</topic_rule>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic2</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
</topic_rule>
</topic_access_rules>
</domain_rule>
<domain_rule>
<!-- No write and read access control by all topic -->
<domains>
<id>3</id>
</domains>
<allow_unauthenticated_participants>1</allow_unauthenticated_participants>
<rtps_protection_kind>NONE</rtps_protection_kind>
<discovery_protection_kind>SIGN</discovery_protection_kind>
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<topic_access_rules>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic1</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
</topic_rule>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic2</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
</topic_rule>
</topic_access_rules>
</domain_rule>
<domain_rule>
<!-- Participant is access protected -->
<domains>
<id>4</id>
</domains>
<allow_unauthenticated_participants>1</allow_unauthenticated_participants>
<rtps_protection_kind>NONE</rtps_protection_kind>
<discovery_protection_kind>SIGN</discovery_protection_kind>
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>FALSE</enable_join_access_control>
<topic_access_rules>
<topic_rule>
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<data_protection_kind>ENCRYPT</data_protection_kind>
<enable_discovery_protection>TRUE</enable_discovery_protection>
<metadata_protection_kind>SIGN</metadata_protection_kind>
<topic_expression>Topic1</topic_expression>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>


@ -0,0 +1,267 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----05DBD6F6E587875751A79EAC78048D60"
This is an S/MIME signed message
------05DBD6F6E587875751A79EAC78048D60
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>OwnShip?ata</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>false</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>SIGN</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>Kinematics</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*other</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>20</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id>200</id>
<id>30</id>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>1</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>0</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>OwnShipData</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------05DBD6F6E587875751A79EAC78048D60
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------05DBD6F6E587875751A79EAC78048D60--


@ -0,0 +1,215 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>OwnShip?ata</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>false</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>SIGN</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>Kinematics</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*other</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>20</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id>200</id>
<id>30</id>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>1</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>0</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>OwnShipData</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
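Review bot: Both `domain_rule` blocks in this fixture cover domain ids 20, 0–23, 100–120 and 200, yet the first requires authentication (`allow_unauthenticated_participants` false, `enable_join_access_control` TRUE) while the second relaxes both, and nothing in the file says which rule a test expects to apply for the shared ids. If the overlap is deliberate, a comment at the second rule would record it, e.g. `<!-- Overlaps the first rule on purpose: the first matching domain_rule must apply -->` (wording to be confirmed against the parser's matching order). Separately, the copied comments contradict the values in the first rule: `<!-- Whole RTPS message is not protected -->` sits above `ENCRYPT_WITH_ORIGIN_AUTHENTICATION`, and `<!-- All (non-builtin) topics -->` sits above `OwnShip?ata` and `Kinematics`. The same stale comments recur in the later governance fixtures on this page, so a reader cannot rely on them to tell which protection level each fixture is meant to exercise.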


@ -0,0 +1,175 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----1A6607CDB3CA97628720C3874B28523D"
This is an S/MIME signed message
------1A6607CDB3CA97628720C3874B28523D
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT_WITH_</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>OwnShip?ata</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>false</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>SIGN</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>Kinematics</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------1A6607CDB3CA97628720C3874B28523D
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------1A6607CDB3CA97628720C3874B28523D--
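Review bot: The first `topic_rule` sets `<metadata_protection_kind>ENCRYPT_WITH_</metadata_protection_kind>`, which is not one of the protection kinds used in the other fixtures on this page (NONE, SIGN, ENCRYPT and the two `_WITH_ORIGIN_AUTHENTICATION` forms), and the file does not say that the truncated value is intentional. Presumably this is a negative test for the governance parser; a comment above the element, such as `<!-- Deliberately invalid protection kind: loading this document must fail -->`, would keep a later maintainer from "repairing" it. Because this copy is S/MIME-signed, the comment has to go into the XML before signing and the signature must be regenerated. The unsigned copy in the next file section carries the same value and needs the same comment.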


@ -0,0 +1,123 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT_WITH_</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>OwnShip?ata</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>false</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>SIGN</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>Kinematics</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>


@ -0,0 +1,178 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----4B1AFE4A648D807454B86C7DDD6F392C"
This is an S/MIME signed message
------4B1AFE4A648D807454B86C7DDD6F392C
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<ufo>Unidentified Flying Object</ufo>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>OwnShip?ata</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>false</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>SIGN</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>Kinematics</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------4B1AFE4A648D807454B86C7DDD6F392C
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------4B1AFE4A648D807454B86C7DDD6F392C--
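Review bot: The element `<ufo>Unidentified Flying Object</ufo>` between `liveliness_protection_kind` and `rtps_protection_kind` does not appear in any other governance fixture on this page, and the file does not state what the parser is expected to do with it. For a signed governance document it matters whether an unknown element is rejected or silently skipped, so the expected outcome should be written next to it, for example a comment of the form `<!-- Unknown element, not part of the governance schema; expected result: (reject or ignore, to be filled in) -->`. Since this copy is S/MIME-signed, the comment must be added before signing. The unsigned copy in the next file section has the same element and the same gap.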


@ -0,0 +1,126 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>TRUE</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>SIGN_WITH_ORIGIN_AUTHENTICATION</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<ufo>Unidentified Flying Object</ufo>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT_WITH_ORIGIN_AUTHENTICATION</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>OwnShip?ata</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>FALSE</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>false</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>true</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>SIGN</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>Kinematics</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>true</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>NONE</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>NONE</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>


@ -0,0 +1,62 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>true</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>


@ -0,0 +1,114 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
This is an S/MIME signed message
------DB94A190D9780A24156FB0E8F1E76B5F
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
20170801/omg_shared_ca_domain_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>true</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------DB94A190D9780A24156FB0E8F1E76B5F
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------DB94A190D9780A24156FB0E8F1E76B5F--
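Review bot: The comment above `<allow_unauthenticated_participants>` says participants that cannot authenticate "should be allowed to join the domain", but the element is set to `false`, so the comment documents the opposite of what this governance document configures. Governance files are commonly written by copying an existing one, so the comment should match the value, e.g. `<!-- Participants that cannot authenticate, or that fail authentication, are not allowed to join the domain -->`. The same comment and value appear in the governance file that follows (boundary F38FD3F3…). The comment is inside the S/MIME-signed part, so the signature has to be regenerated after the edit.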


@ -0,0 +1,117 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F38FD3F34A584E774726CA12090D0B48"
This is an S/MIME signed message
------F38FD3F34A584E774726CA12090D0B48
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
20170801/omg_shared_ca_domain_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>true</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------F38FD3F34A584E774726CA12090D0B48
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIGywYJKoZIhvcNAQcCoIIGvDCCBrgCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggPKMIIDxjCCAq4CCQCBuTktP0h8BDANBgkqhkiG9w0BAQsFADCB
pDEWMBQGA1UEBwwNTG9jYWxpdHkgTmFtZTEhMB8GA1UECwwYT3JnYW5pemF0aW9u
YWwgVW5pdCBOYW1lMRwwGgYJKoZIhvcNAQkBFg1FbWFpbCBBZGRyZXNzMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCTkoxGjAYBgNVBAoMEUV4YW1wbGUgU2lnbmVyIENB
MRMwEQYDVQQDDApFeGFtcGxlIENBMB4XDTE4MDgxNTA4NTE0MVoXDTQzMDgwOTA4
NTE0MVowgaQxFjAUBgNVBAcMDUxvY2FsaXR5IE5hbWUxITAfBgNVBAsMGE9yZ2Fu
aXphdGlvbmFsIFVuaXQgTmFtZTEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVz
czELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5KMRowGAYDVQQKDBFFeGFtcGxlIFNp
Z25lciBDQTETMBEGA1UEAwwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALStAQ0yjM2qAWwsOXdX3hiyoZ6DDHWOTNI5LoCZGaN9rUZe
MY0waSxWNQ0ruURgZISeOFkdQTAE81Em+UaZI+MZvfYcEcSlVtF6yve/WnIzRYWu
f917moMCAInktfch4E6mskr4h7n+9sEz+3GsQS8SQRtwUe+PiXzjZrqHSbLC4Kn3
/b8Mt+Ww3a4FyjHDZQJZsGSvrScr0Gq3xeKfMwb+KYNEnmh0o4os0gEGA4KUR+/1
YDl1NmxQnm/AIMqwJzeaezBoMn0Nsi+OlAms85imGURNj9BCEJZBWwuuNL5ECDAq
WLOM3AKUsApVgtGd8/OLWW1RwYkW8uqTtkIR87MCAwEAATANBgkqhkiG9w0BAQsF
AAOCAQEAokKC77/kvxlObLSwkT5+7+S+DeznLBRiGVEh8+9PQw1q91sjiOZWf0e3
T3XPH7CR/NDYoQJkrsqzIwKYrj41z/1jAs+HkH45NpTFiGlUFXNs5iwNh4RUqgf4
e78Mge4q7pHMFzWTEwEn4DJMGcDDjLW1kN8GobGwHR7O0MpAJKrqcBSo+SPomnQv
TgiEMQ+Vlz0EJx6JPsq8c7HrxlSdeDAAWIOww/wcGyzlpYEoyz6voSSfdhMt5iy5
k5BvhBJnTiJTasCHy9KRuis/6qpTZKEj0d7J7LAqpGh8oRIphMwCbFYQT0QBgV6p
gM8Ufss/RZ6CshMNxz7KtIYpvmxPPTGCAsUwggLBAgEBMIGyMIGkMRYwFAYDVQQH
DA1Mb2NhbGl0eSBOYW1lMSEwHwYDVQQLDBhPcmdhbml6YXRpb25hbCBVbml0IE5h
bWUxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxCzAJBgNVBAYTAlVTMQsw
CQYDVQQIDAJOSjEaMBgGA1UECgwRRXhhbXBsZSBTaWduZXIgQ0ExEzARBgNVBAMM
CkV4YW1wbGUgQ0ECCQCBuTktP0h8BDANBglghkgBZQMEAgEFAKCB5DAYBgkqhkiG
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xODA5MTMwOTIyMzha
MC8GCSqGSIb3DQEJBDEiBCBe/wOS+XB5tczAcNs1zT89zfSDIbfFYKfB63j1NExY
WzB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJ
YIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D
AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQAy
baJVxRJcZ3wYtb/TfQUDKNmaz7pYWNoKNxkPyKUerMOAZ9n0yvySNJUpzG+kJJNi
Ib792GXdmP4hdz4qC4Zx3S7H26OAYcOsTwd6+O/xcv8H7PQoPD+3fplhIvLtpIlS
//9ghpBXbUowdgzeDrYBpzRLqUth58IxsHd9cJQCCboKZIv8+6eP9fn1OD/CLGV3
BNMvmeP88LU8UgtiivmmEJZ0fRtDVAGRIWykT1AvTfl69Pv9VKDuUW3qkuMwz7lW
Dv0c624BYPbQWdU7W5//iy4kSfwrtXtag7aovUbcwkmb2qb5v5c5ZqNoLPUvUpIG
KZUh0/aBuBovjwHZMcgl
------F38FD3F34A584E774726CA12090D0B48--


@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
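Review bot: This file adds an RSA private key to the repository, and nothing visible in this section marks it as a test-only fixture. If it is meant only for the access control tests, say so next to it (a short README in the same directory, or a file name that contains `test`), and check that the directory is not picked up by any install or packaging rule. Secret scanners will flag the file, so an allow-list entry carrying that justification keeps it from being rotated or reused by mistake. The key body is not shown on this page, so its size and whether it is passphrase-protected cannot be reviewed here.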


@ -0,0 +1,243 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----11798C99B4C31493D0479BB8A2064C72"
This is an S/MIME signed message
------11798C99B4C31493D0479BB8A2064C72
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2016-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</subscribe>
<relay>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</relay>
</deny_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
------11798C99B4C31493D0479BB8A2064C72
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------11798C99B4C31493D0479BB8A2064C72--
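Review bot: The first grant's `<not_after>2016-09-15T01:00:00</not_after>` is already in the past, and as far as the visible text goes it is the only value that differs from the permissions document two files further down, which uses 2115 for the same grant. That looks like a deliberate expired-grant fixture, but nothing in the file says so, and the commit message states that permissions expiry is not yet supported, so a reader cannot tell what result the test expects. Add a comment above the `<validity>` element such as `<!-- not_after is in the past on purpose: fixture for the expired-permissions case -->`, both here and in the unsigned copy that follows. The signed file needs re-signing afterwards, because the comment is part of the signed content.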


@ -0,0 +1,191 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2016-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</subscribe>
<relay>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</relay>
</deny_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,243 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----D2957343698C311655D075C56A04A68D"
This is an S/MIME signed message
------D2957343698C311655D075C56A04A68D
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</subscribe>
<relay>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</relay>
</deny_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
------D2957343698C311655D075C56A04A68D
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------D2957343698C311655D075C56A04A68D--


@ -0,0 +1,191 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</subscribe>
<relay>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</relay>
</deny_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,219 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----62BE4CE8CF1FCB0420A2F2884B1618E6"
This is an S/MIME signed message
------62BE4CE8CF1FCB0420A2F2884B1618E6
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>430</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------62BE4CE8CF1FCB0420A2F2884B1618E6
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
+OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQghoicue+FOmdIHF9rpsNCfmjP
+ZyN+t9kCdmR68JCJU0wgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAI0BX2tu2DbQjvuzKG35
myNBcOC9ZzRDqJEtmQhcY/2hAJzurlnclJVTEXFyXdpV4ywtA+lQvbtToh11AvnY
IY1QWNVm19mfO1J6m6PFu18tizd30sG7p1TZKxGB3zDeVVqmedZ+o7QJHv9/ixzz
Pyo2B9tG5Su94+ADc0LQNyGICjeMr7L6dhFDsm7fXBi8pMBKy/zEAynTA3r1ibsn
5zlizPMlad2HCaYv44x7Xksg9FSbzJwJpTiprbQbZSUPYk4WlfVz0l4plzRKu4AP
lCOsdRE6C6GQFnK5bLyndu3Ycp10niwfkfobruCDyigu+gjZtmmF/T7A8Xkk1uvx
fAM=
------62BE4CE8CF1FCB0420A2F2884B1618E6--
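Review bot: This fixture departs from the sibling permissions documents in two places at once: the first allow rule's `<id_range>` runs up to `<max>430</max>` where the earlier documents stop at 230, and both grants carry the same `<subject_name>` (CN=CHAM500 cert). If a test expects this document to be rejected, or to resolve to one particular grant, it cannot tell which of the two properties produced the result. State the intent in a comment at the top of `<permissions>`, e.g. `<!-- fixture: two grants for one subject; first allow rule covers domains 0-430 -->`, or split it into one fixture per property. The unsigned copy that follows has the same content, and the signed file needs re-signing after any edit.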


@ -0,0 +1,167 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>430</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,219 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----3EE420429594FF1492D49B1EEBFBAF0E"
This is an S/MIME signed message
------3EE420429594FF1492D49B1EEBFBAF0E
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<ufo>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</ufo>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------3EE420429594FF1492D49B1EEBFBAF0E
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------3EE420429594FF1492D49B1EEBFBAF0E--


@ -0,0 +1,167 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<ufo>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</ufo>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
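Review bot: Nothing in this 167-line fixture says that the `<ufo>` element in the first grant's `<allow_rule>`, standing where the other fixtures have `<publish>`, is deliberate. It appears to be the one thing that makes the document invalid, so a header comment such as `<!-- Negative fixture: <ufo> is not a valid allow_rule child; loading these permissions must fail -->` would stop a later editor from "correcting" it. This assumes the consuming test expects rejection; that test is not visible here. The S/MIME copy in the preceding section carries the same body and would have to be re-signed after the edit, because any change to the XML invalidates its signature.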


@ -0,0 +1,95 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E9994989EF5BC12DCCE6563CF088037D"
This is an S/MIME signed message
------E9994989EF5BC12DCCE6563CF088037D
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
</subscribe>
</allow_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
------E9994989EF5BC12DCCE6563CF088037D
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------E9994989EF5BC12DCCE6563CF088037D--


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
</subscribe>
</allow_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
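Review bot: This fixture deviates from the valid permissions documents in more than the missing `<not_after>`: its `<subject_name>` uses the slash-separated `/O=.../CN=CHAM500 cert` form instead of the comma-separated form used elsewhere, and `<subscribe>` has no `<partitions>`. If the consuming test expects rejection (it is not visible here), it may pass because of the subject form rather than the incomplete `<validity>`. A regression that accepts a grant with no expiry bound could then go unnoticed, which matters because this grant ends in `<default>ALLOW</default>`. I would use `<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>` so that the missing element is the only deviation, and re-sign the matching S/MIME copy. The same applies to the later fixture that omits `<not_before>`.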


@ -0,0 +1,95 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----E0088C6C0B487BC746E35E87718DA89E"
This is an S/MIME signed message
------E0088C6C0B487BC746E35E87718DA89E
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
</subscribe>
</allow_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
------E0088C6C0B487BC746E35E87718DA89E
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
+OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgOCgkm0Mu6pRSDhlMd5/7OGhr
3TedLdpw5DQNC60vDgYwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBALYwxGivvBYfCdRADnYd
ysgBOITPhEY+TqqqEtiX4cIyeEdZGMFxcciMxbXVB1qy7js7PM+tbZ/+ICutyA7J
dkU9cNO9hLM/LYASv9B9zpgxMecYcA9rx7OEpM3Sr2eXOTbu2j3gUoCun7y8f+yv
iiYUORa0cX8oFnq++rQXHE/0rOVd17tboLvsy97Tro8o1e7WFA2gkJsCyo4QF+Lg
yz8IKdKMIRLpEl07bGIcIq4gvarQnN3qT1KuOMrDQD29CFZMwCO/TSGVeZYRHdW9
s1hhmrTlkmlhPyXG9yxm9PH9UHZyfhkbrhIXZtN6M/7SO8VfTMfotyTbFtuatzzL
fz4=
------E0088C6C0B487BC746E35E87718DA89E--


@ -0,0 +1,43 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
</subscribe>
</allow_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,33 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,243 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F87E07CA6CCEAB50B03A143AC2354EB4"
This is an S/MIME signed message
------F87E07CA6CCEAB50B03A143AC2354EB4
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2035-09-15T01:00:00</not_before>
<not_after>2046-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</subscribe>
<relay>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</relay>
</deny_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
------F87E07CA6CCEAB50B03A143AC2354EB4
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------F87E07CA6CCEAB50B03A143AC2354EB4--


@ -0,0 +1,191 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2035-09-15T01:00:00</not_before>
<not_after>2046-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</subscribe>
<relay>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</relay>
</deny_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
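Review bot: The first grant's `<not_before>2035-09-15T01:00:00</not_before>` makes this fixture depend on the wall clock. It is presumably meant as a not-yet-valid grant, and from that date on the same document becomes valid, so a test that expects rejection would change outcome without any code change. I would either move the validity window far enough out that it cannot be reached in the project's lifetime, or have the test supply the reference time. In both cases a comment such as `<!-- Not-yet-valid grant: must be rejected while the current time is before not_before -->` on the first grant would record the intent. The S/MIME copy in the preceding section has the same dates and would need to be re-signed after any change.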


@ -0,0 +1,85 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
This is an S/MIME signed message
------6B91005B007BBA8EDE10CD1CE487DB27
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------6B91005B007BBA8EDE10CD1CE487DB27
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
+OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQgl3LfUhn9L0vG/3QRPVYptcYw
/NH5HMN99aMe9JAT+LAwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAHe9vakfXPvbpgMeqlhG
SW6Z3uVA3Yri9bgQDpJ9daIUsM0/TLBSQVs85twTMXvqUSntKbfSGehxDQ9F+yje
mOEPMIwxOqcVyc2jpqoYsUWqpwiiZyk49DHUFrOfWJUx+rKdBftZWkxD05Wkovhk
2d4hGS/65Haoho4Z0AZwcyH+F52FZMiqw7I9FKrPlhxvJfQXmhIjOKtnvWnQ+Ar7
YYiSrBEHMCy82LF1aKzz0nkL1SYWQHuQX475qoU4LMYY1J8WsD3rSBeq4GYZrl2K
X/JcOquMYqjfJLMYZY4fsc3FgEBkKNqJz1tDZ3ir24VMl+WsbEjVK8oXe/wt4V0U
aNQ=
------6B91005B007BBA8EDE10CD1CE487DB27--


@ -0,0 +1,33 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,87 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7FBACED8776E5A4CF7612C83F9C33E17"
This is an S/MIME signed message
------7FBACED8776E5A4CF7612C83F9C33E17
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>/C=NL/ST=Some-State/O=ADLINK Technolocy Inc./CN=adlinktech.com</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------7FBACED8776E5A4CF7612C83F9C33E17
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------7FBACED8776E5A4CF7612C83F9C33E17--


@ -0,0 +1,85 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7B161F9203F175A7F82A389A3E044741"
This is an S/MIME signed message
------7B161F9203F175A7F82A389A3E044741
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>gibberish</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------7B161F9203F175A7F82A389A3E044741
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
+OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg44QSCYJrKGm9hdPbOKQjrnQ8
LXMSbo0mve1cRKvrm3gwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAH/fJ90OwloC73faPAGC
VRZrhW/gSsy/1VnprvWdDAU1ZZK+srIISFZAy19LcApTis0Vy9yz2PG8pue49R+y
UF6mCDSuN/l9SRBdUN+CXQdQ8sGq5SHXNhGzSX/nbR20ol4cSUMpKlEGx66E0KUW
tkk8HzYw7aHMiwK2E2Y0sbm/M/rdmAbgEoywYfvc25V4FHP66TstfCLBjN9Hz3bH
WcrCZuPjZo6vBd/rIJQSlgH81aCWn5RfCIccbc3iogwzIhYxAr6d+4do3LNa6H80
W6CMgl0AnWFfa4QwnXFUzb1/W2rFjHp453w1Cbqk4Ll4ZlVJr4fzIuyuJMQlMrmK
1P0=
------7B161F9203F175A7F82A389A3E044741--


@ -0,0 +1,33 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>gibberish</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,114 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DB94A190D9780A24156FB0E8F1E76B5F"
This is an S/MIME signed message
------DB94A190D9780A24156FB0E8F1E76B5F
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDSSecurity/
20170801/omg_shared_ca_domain_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<!-- All domains -->
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<!-- DomainParticipant that cann not authenticate or fail the authentication should be
allowed to join the domain and see any any discovery data that are configured as "unprotected"
and topics that are configured as "unprotected" -->
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<!-- Only and any authenticated DomainParticipant should be allowed to join the domain and
see the discovery data without checking access control -->
<enable_join_access_control>true</enable_join_access_control>
<!-- Discovery information should be protected with encryption followed by MAC (Message Authentication Codes) -->
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<!-- Liveliness messages are also encrypted -->
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<!-- Whole RTPS message is not protected -->
<rtps_protection_kind>NONE</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<!-- All (non-builtin) topics -->
<topic_expression>*</topic_expression>
<!-- Liveliness QoS data is protected -->
<enable_liveliness_protection>true</enable_liveliness_protection>
<!-- The discovery information on specific Topics should be sent
using the secure (protected) discovery writers -->
<enable_discovery_protection>true</enable_discovery_protection>
<!-- The read access to all topics should be open to all. -->
<enable_read_access_control>false</enable_read_access_control>
<!-- The write access to all topics should be open to all. -->
<enable_write_access_control>false</enable_write_access_control>
<!-- Whole RTPS sub-message is protected. This includes metadata information
like sequence numbers, heartbeats, key hashes, gaps,
acknowledgment messages, etc. It also includes th possible payload. -->
<metadata_protection_kind>ENCRYPT</metadata_protection_kind>
<!-- The payload data sent on the Topic (serialized application level data) should be
protected with Encrypt then MAC. -->
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
------DB94A190D9780A24156FB0E8F1E76B5F
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------DB94A190D9780A24156FB0E8F1E76B5F--
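Review bot: Two comments in this governance document say the opposite of the setting that follows them: the text above `<allow_unauthenticated_participants>false</allow_unauthenticated_participants>` describes unauthenticated participants being allowed to join, and the text above `<enable_join_access_control>true</enable_join_access_control>` describes joining "without checking access control". Anyone reusing this fixture as a template would read the wrong policy from it, so the comments should match the values, e.g. `<!-- Participants that cannot authenticate are not allowed to join the domain -->` and `<!-- Joining the domain is subject to the permissions check -->`. The `xsi:noNamespaceSchemaLocation` value is also split across two lines and names a different schema path than the permissions fixtures, which looks unintended. All of this text sits inside the signed MIME part, so any wording change means regenerating the signature.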


@ -0,0 +1,96 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----57B71E0E17C33E9E1569D11B98DA1D03"
This is an S/MIME signed message
------57B71E0E17C33E9E1569D11B98DA1D03
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
</subscribe>
</allow_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
------57B71E0E17C33E9E1569D11B98DA1D03
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------57B71E0E17C33E9E1569D11B98DA1D03--


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/C=NL/CN=CHAM500 cert</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
</subscribe>
</allow_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
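Review bot: This plain XML is the same document as the signed S/MIME fixture added just before it, and nothing visible here records how the signed copy was produced. If the two are meant to stay paired, a short README next to the fixtures naming the signing CA certificate and the command used would let a later editor regenerate the signature instead of leaving the two copies out of step. It would also help to state the intended case: the `subject_name` uses the slash-separated form (`/O=.../CN=CHAM500 cert`) while other fixtures on this page use `CN=...,O=...`, and the expected result for that form is not evident from the file itself.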


@ -0,0 +1,243 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----11798C99B4C31493D0479BB8A2064C72"
This is an S/MIME signed message
------11798C99B4C31493D0479BB8A2064C72
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2016-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</subscribe>
<relay>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</relay>
</deny_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
------11798C99B4C31493D0479BB8A2064C72
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------11798C99B4C31493D0479BB8A2064C72--
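Review bot: The `<!-- All domains -->` comment in the second grant's `allow_rule` does not describe the list under it, which names ids 20, 30 and 200 plus the ranges 0-23 and 100-120 rather than every domain. The same comment is repeated in the later permissions fixtures on this page that carry this grant. Either drop it or replace it with something like `<!-- Selected domains: single ids and ranges mixed -->`; in this file the text is inside the signed part, so the signature has to be regenerated with it. The first grant's validity ends at `2016-09-15T01:00:00`, which suggests this is the expired-grant case, though that intent is not stated anywhere in the fixture.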


@ -0,0 +1,191 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2016-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</subscribe>
<relay>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</relay>
</deny_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,219 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----62BE4CE8CF1FCB0420A2F2884B1618E6"
This is an S/MIME signed message
------62BE4CE8CF1FCB0420A2F2884B1618E6
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>430</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------62BE4CE8CF1FCB0420A2F2884B1618E6
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------62BE4CE8CF1FCB0420A2F2884B1618E6--
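Review bot: This fixture changes several things at once relative to the neighbouring two-grant permissions file: the first `allow_rule` uses `<max>430</max>` where the other fixtures on this page use 230 as the top of the full range, and both grants carry the same `subject_name` (`CN=CHAM500 cert,...`). If each of these is meant to exercise a separate check (an out-of-range domain id, two grants for one subject), a failing test cannot tell which one tripped; consider one fixture per condition, or state the expected outcome in the test that loads this file. This is inferred from the data alone, since the consuming test is outside this section.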


@ -0,0 +1,167 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>430</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,96 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----DE8A6693E9678989859C23D21F4587AD"
This is an S/MIME signed message
------DE8A6693E9678989859C23D21F4587AD
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/CN=CHAM500 cert</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
</subscribe>
</allow_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
------DE8A6693E9678989859C23D21F4587AD
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------DE8A6693E9678989859C23D21F4587AD--


@ -0,0 +1,44 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>/O=Internet Widgits Pty Ltd/ST=Some-State/CN=CHAM500 cert</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
</subscribe>
</allow_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,33 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,243 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----F87E07CA6CCEAB50B03A143AC2354EB4"
This is an S/MIME signed message
------F87E07CA6CCEAB50B03A143AC2354EB4
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2035-09-15T01:00:00</not_before>
<not_after>2046-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</subscribe>
<relay>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</relay>
</deny_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>
------F87E07CA6CCEAB50B03A143AC2354EB4
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------F87E07CA6CCEAB50B03A143AC2354EB4--
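Review bot: The first grant's `<not_before>2035-09-15T01:00:00</not_before>` makes this a not-yet-valid case only until that date; once the clock passes it the grant is inside its validity window (it runs to 2046) and a test expecting rejection will flip. Pushing the date far out, as the other fixtures do with `2115-09-15T01:00:00` for `not_after`, or having the test supply its own notion of current time, would remove the dependence on the wall clock. That the consuming test expects rejection is assumed here, as it is outside this section; the plain XML copy that follows carries the same dates.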


@ -0,0 +1,191 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2035-09-15T01:00:00</not_before>
<not_after>2046-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</deny_rule>
<default>DENY</default>
</grant>
<grant name="SpareNodeOpenSplicePermissions">
<subject_name>CN=Spare cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<!-- All domains -->
<id>20</id>
<id>30</id>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>K*</topic>
<topic>*OldMessage</topic>
<topic>OldMessanger</topic>
<topic>NewMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</subscribe>
</allow_rule>
<deny_rule>
<domains>
<id_range>
<min>0</min>
<max>23</max>
</id_range>
<id_range>
<min>100</min>
<max>120</max>
</id_range>
<id>200</id>
</domains>
<publish>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
</publish>
<subscribe>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</subscribe>
<relay>
<topics>
<topic>P*</topic>
<topic>*WrongMessage</topic>
<topic>FakeMessanger</topic>
<topic>ChangedMessage</topic>
</topics>
<partitions>
<partition>Apart</partition>
<partition>Bpa?t*</partition>
</partitions>
<data_tags>
<tag>
<name>aTagName1</name>
<value>aTagValue1</value>
</tag>
</data_tags>
</relay>
</deny_rule>
<default>ALLOW</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,85 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----6B91005B007BBA8EDE10CD1CE487DB27"
This is an S/MIME signed message
------6B91005B007BBA8EDE10CD1CE487DB27
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------6B91005B007BBA8EDE10CD1CE487DB27
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"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------6B91005B007BBA8EDE10CD1CE487DB27--


@ -0,0 +1,33 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>CN=CHAM500 cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=NL</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>


@ -0,0 +1,87 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7FBACED8776E5A4CF7612C83F9C33E17"
This is an S/MIME signed message
------7FBACED8776E5A4CF7612C83F9C33E17
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>/C=NL/ST=Some-State/O=ADLINK Technolocy Inc./CN=adlinktech.com</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------7FBACED8776E5A4CF7612C83F9C33E17
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIGywYJKoZIhvcNAQcCoIIGvDCCBrgCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggPKMIIDxjCCAq4CCQCBuTktP0h8BDANBgkqhkiG9w0BAQsFADCB
pDEWMBQGA1UEBwwNTG9jYWxpdHkgTmFtZTEhMB8GA1UECwwYT3JnYW5pemF0aW9u
YWwgVW5pdCBOYW1lMRwwGgYJKoZIhvcNAQkBFg1FbWFpbCBBZGRyZXNzMQswCQYD
VQQGEwJVUzELMAkGA1UECAwCTkoxGjAYBgNVBAoMEUV4YW1wbGUgU2lnbmVyIENB
MRMwEQYDVQQDDApFeGFtcGxlIENBMB4XDTE4MDgxNTA4NTE0MVoXDTQzMDgwOTA4
NTE0MVowgaQxFjAUBgNVBAcMDUxvY2FsaXR5IE5hbWUxITAfBgNVBAsMGE9yZ2Fu
aXphdGlvbmFsIFVuaXQgTmFtZTEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVz
czELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5KMRowGAYDVQQKDBFFeGFtcGxlIFNp
Z25lciBDQTETMBEGA1UEAwwKRXhhbXBsZSBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBALStAQ0yjM2qAWwsOXdX3hiyoZ6DDHWOTNI5LoCZGaN9rUZe
MY0waSxWNQ0ruURgZISeOFkdQTAE81Em+UaZI+MZvfYcEcSlVtF6yve/WnIzRYWu
f917moMCAInktfch4E6mskr4h7n+9sEz+3GsQS8SQRtwUe+PiXzjZrqHSbLC4Kn3
/b8Mt+Ww3a4FyjHDZQJZsGSvrScr0Gq3xeKfMwb+KYNEnmh0o4os0gEGA4KUR+/1
YDl1NmxQnm/AIMqwJzeaezBoMn0Nsi+OlAms85imGURNj9BCEJZBWwuuNL5ECDAq
WLOM3AKUsApVgtGd8/OLWW1RwYkW8uqTtkIR87MCAwEAATANBgkqhkiG9w0BAQsF
AAOCAQEAokKC77/kvxlObLSwkT5+7+S+DeznLBRiGVEh8+9PQw1q91sjiOZWf0e3
T3XPH7CR/NDYoQJkrsqzIwKYrj41z/1jAs+HkH45NpTFiGlUFXNs5iwNh4RUqgf4
e78Mge4q7pHMFzWTEwEn4DJMGcDDjLW1kN8GobGwHR7O0MpAJKrqcBSo+SPomnQv
TgiEMQ+Vlz0EJx6JPsq8c7HrxlSdeDAAWIOww/wcGyzlpYEoyz6voSSfdhMt5iy5
k5BvhBJnTiJTasCHy9KRuis/6qpTZKEj0d7J7LAqpGh8oRIphMwCbFYQT0QBgV6p
gM8Ufss/RZ6CshMNxz7KtIYpvmxPPTGCAsUwggLBAgEBMIGyMIGkMRYwFAYDVQQH
DA1Mb2NhbGl0eSBOYW1lMSEwHwYDVQQLDBhPcmdhbml6YXRpb25hbCBVbml0IE5h
bWUxHDAaBgkqhkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MxCzAJBgNVBAYTAlVTMQsw
CQYDVQQIDAJOSjEaMBgGA1UECgwRRXhhbXBsZSBTaWduZXIgQ0ExEzARBgNVBAMM
CkV4YW1wbGUgQ0ECCQCBuTktP0h8BDANBglghkgBZQMEAgEFAKCB5DAYBgkqhkiG
9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xODA5MTMwOTIzMDNa
MC8GCSqGSIb3DQEJBDEiBCCvP08gFBO7651mPPDFQ2suhL+eprGCGuRLXmiBmdvx
ITB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgBZQMEARYwCwYJ
YIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0D
AgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0BAQEFAASCAQB/
4EQel+0LsmiNFCUjWM68u4ZvPtFBpeDe456DJuG6QR0LIzW42U7N4P2ZTIqjpGZx
YekBCNdkiVy6ER5IA4WfcKd6zXZEuXVxkMrGpJlqGdd+IdZpTsrBygGZJS4vMUfD
/6ty6OycET88RmJIu4V/TM3yLVKzHuj6TxCXb4OIYx8g3mdXUwUrp6DGgqggRSPJ
tatbpnqGZGcvty8MusXVnjnEwUWnJ/jojypY3MyL4MTbjufjv0K6NKQ3RzoLssot
SLq0YDLwvX/s9sLXDCedAwFXBS/6Qv56v0M2x4o8e3Eul7gGTMuCd/dJ0BhF8CW+
IGxR5I3xXssh/AuWRRtV
------7FBACED8776E5A4CF7612C83F9C33E17--


@ -0,0 +1,85 @@
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----7B161F9203F175A7F82A389A3E044741"
This is an S/MIME signed message
------7B161F9203F175A7F82A389A3E044741
Content-Type: text/plain
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>gibberish</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>
------7B161F9203F175A7F82A389A3E044741
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
MIIGXgYJKoZIhvcNAQcCoIIGTzCCBksCAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggORMIIDjTCCAnWgAwIBAgIJANsr3sm0NrypMA0GCSqGSIb3DQEB
CwUAMFwxCzAJBgNVBAYTAk5MMRMwEQYDVQQIDApTb21lLVN0YXRlMR8wHQYDVQQK
DBZBRExJTksgVGVjaG5vbG9jeSBJbmMuMRcwFQYDVQQDDA5hZGxpbmt0ZWNoLmNv
bTAgFw0xODA3MzAxMjQ1NTVaGA8yMTE4MDcwNjEyNDU1NVowXDELMAkGA1UEBhMC
TkwxEzARBgNVBAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9s
b2N5IEluYy4xFzAVBgNVBAMMDmFkbGlua3RlY2guY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAu7jfnJ0wYVuXgG+PgNawdN38+dRpa8jceqi+blID
ehV6XCxrnGXusTCDuFmo7HMOBVMVNDXlcBWgoGd+u5EultnOEiIeGTgtHc1O6V9w
icp3BGSpZZax/TcONjMVORaqHCADbQ2J8wsz1FHxuKDwX6BJElYOlK77lb/x3yLs
DFFC+a0qn2RFh37rcWBRAHy8VEASXKZElT9ZmfKd+KUq34KojhNJ4DepKStTq074
BRDXVivx+wVD951LFNPiQXq+mgHcLj1k37KlZflTFhdP5oEMtATNsXNJPHlEymiy
SogRWAmKhysLQudukHfNKN+r0FEQMk/hzpYcFeZSOvbfNQIDAQABo1AwTjAdBgNV
HQ4EFgQURWMbWvBKZwJvRV1/tyc1R82k0+gwHwYDVR0jBBgwFoAURWMbWvBKZwJv
RV1/tyc1R82k0+gwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAkPF+
ysVtvHnk2hpu9yNDLCJ96ZzIoKOyY7uRj4ovzlAHFdpNOJQdcJihTmN8i7Trht9X
Vh0rGoR/6nHzo3TIeiogRC80RlDtuA3PF2dDQBMVDStlZMTZPb693hfjdAjhyyw9
yghhKHHqNDvSsAL0KfBqjG4yGfGpJylYXIT5fWuKlo/ln/yyPa5s54T5XDo+CMbt
lLX3QnwVOmaRyzylPiTcPCDIkdLBdXmlfyJcmW6fWa6kPx+35MOxPsXZbujCo+42
+OyLqcH1rKT6XhcshjXBEf+kdgUfSClrM1pNRWsw2ChIYim0F+nry5JFy0Y+8Hbb
6SDB340BFmtgDHbFHTGCApEwggKNAgEBMGkwXDELMAkGA1UEBhMCTkwxEzARBgNV
BAgMClNvbWUtU3RhdGUxHzAdBgNVBAoMFkFETElOSyBUZWNobm9sb2N5IEluYy4x
FzAVBgNVBAMMDmFkbGlua3RlY2guY29tAgkA2yveybQ2vKkwDQYJYIZIAWUDBAIB
BQCggfowGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcN
MTkwMzI5MTMwODAzWjAvBgkqhkiG9w0BCQQxIgQg44QSCYJrKGm9hdPbOKQjrnQ8
LXMSbo0mve1cRKvrm3gwgY4GCSqGSIb3DQEJDzGBgDB+MAsGCWCGSAFlAwQBKjAI
BgYqhQMCAgkwCAYGKoUDAgIVMAsGCWCGSAFlAwQBFjALBglghkgBZQMEAQIwCgYI
KoZIhvcNAwcwDgYIKoZIhvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIH
MA0GCCqGSIb3DQMCAgEoMA0GCSqGSIb3DQEBAQUABIIBAH/fJ90OwloC73faPAGC
VRZrhW/gSsy/1VnprvWdDAU1ZZK+srIISFZAy19LcApTis0Vy9yz2PG8pue49R+y
UF6mCDSuN/l9SRBdUN+CXQdQ8sGq5SHXNhGzSX/nbR20ol4cSUMpKlEGx66E0KUW
tkk8HzYw7aHMiwK2E2Y0sbm/M/rdmAbgEoywYfvc25V4FHP66TstfCLBjN9Hz3bH
WcrCZuPjZo6vBd/rIJQSlgH81aCWn5RfCIccbc3iogwzIhYxAr6d+4do3LNa6H80
W6CMgl0AnWFfa4QwnXFUzb1/W2rFjHp453w1Cbqk4Ll4ZlVJr4fzIuyuJMQlMrmK
1P0=
------7B161F9203F175A7F82A389A3E044741--


@ -0,0 +1,33 @@
<?xml version="1.0" encoding="utf-8"?>
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
<permissions>
<grant name="OpenSplicePermissions">
<subject_name>gibberish</subject_name>
<validity>
<!-- Format is CCYY-MM-DDThh:mm:ss[Z|(+|-)hh:mm] in GMT -->
<not_before>2015-09-15T01:00:00</not_before>
<not_after>2115-09-15T01:00:00</not_after>
</validity>
<allow_rule>
<domains>
<id_range>
<min>0</min>
<max>230</max>
</id_range>
</domains>
<publish>
<topics>
<topic>*</topic>
</topics>
</publish>
<subscribe>
<topics>
<topic>*</topic>
</topics>
</subscribe>
</allow_rule>
<default>DENY</default>
</grant>
</permissions>
</dds>


@ -13,10 +13,12 @@
#ifndef DSCMN_SECURITY_UTILS_H_
#define DSCMN_SECURITY_UTILS_H_
#include "dds/export.h"
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include "dds/export.h"
#include "dds/ddsrt/strtol.h"
#include "dds/ddsrt/time.h"
#include "dds/security/core/dds_security_types.h"
#include "dds/security/dds_security_api.h"
@ -339,6 +341,10 @@ ddssec_strchrs (
const char *chrs,
bool inc);
DDS_EXPORT dds_time_t
DDS_Security_parse_xml_date(
char *buf);
#define DDS_Security_ParticipantCryptoTokenSeq_alloc() \
DDS_Security_DataHolderSeq_alloc())
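Review bot: `DDS_Security_parse_xml_date` is declared with a mutable `char *buf`, but the definition added in this commit only reads the string, so the parameter should be `const char *buf` in both the prototype and the definition. That lets callers pass literals and const buffers without a cast. The prototype also has no comment, and the accepted format and failure value belong where callers will look, for example `/* Parses CCYY-MM-DDThh:mm:ss[.fff][Z|(+|-)hh:mm]; returns DDS_TIME_INVALID on malformed or out-of-range input. */`.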


@ -811,43 +811,30 @@ DDS_Security_Exception_set_with_openssl_error(
const char *context,
int code,
int minor_code,
const char *error_area
)
const char *error_area)
{
BIO *bio;
char *buf = NULL;
char *str;
size_t len; /*BIO_get_mem_data requires long int */
assert(context);
assert(error_area);
assert(ex);
DDSRT_UNUSED_ARG(context);
bio = BIO_new(BIO_s_mem());
if (bio) {
size_t exception_msg_len;
if ((bio = BIO_new(BIO_s_mem()))) {
ERR_print_errors(bio);
len = (size_t)BIO_get_mem_data (bio, &buf);
exception_msg_len = len + strlen(error_area) + 1;
str = ddsrt_malloc( exception_msg_len );
char *buf = NULL;
size_t len = (size_t)BIO_get_mem_data(bio, &buf);
size_t exception_msg_len = len + strlen(error_area) + 1;
char *str = ddsrt_malloc(exception_msg_len);
ddsrt_strlcpy(str, error_area, exception_msg_len);
memcpy(str + strlen(error_area), buf, len);
str[exception_msg_len - 1] = '\0';
//snprintf( str, exception_msg_len, "%s%s", error_area, buf );
ex->message = str;
ex->code = code;
ex->minor_code = minor_code;
BIO_free(bio);
} else {
DDS_Security_Exception_set(ex, context, code, minor_code, "BIO_new failed");
}
}
#endif
@ -1104,6 +1091,203 @@ DDS_Security_normalize_file(
}
#undef __FILESEPCHAR
return norm;
}
/**
* Parses an XML date string and returns this as a dds_time_t value. As leap seconds are not permitted
* in the XML date format (as stated in the XML Schema specification), this parser function does not
* accept leap seconds in its input string. This complies with the dds_time_t representation on posix,
* which is a unix timestamp (that also ignores leap seconds).
*
* As a dds_time_t is expressed as nanoseconds, the fractional seconds part of the input string will
* be rounded in case the fractional part has more than 9 digits.
*/
dds_time_t
DDS_Security_parse_xml_date(
char *buf)
{
int32_t year = -1;
int32_t month = -1;
int32_t day = -1;
int32_t hour = -1;
int32_t minute = -1;
int32_t second = -1;
int32_t hour_offset = -1;
int32_t minute_offset = -1;
int64_t frac_ns = 0;
size_t cnt = 0;
size_t cnt_frac_sec = 0;
assert(buf != NULL);
/* Make an integrity check of the string before the conversion*/
while (buf[cnt] != '\0')
{
if (cnt == 4 || cnt == 7)
{
if (buf[cnt] != '-')
return DDS_TIME_INVALID;
}
else if (cnt == 10)
{
if (buf[cnt] != 'T')
return DDS_TIME_INVALID;
}
else if (cnt == 13 || cnt == 16)
{
if (buf[cnt] != ':')
return DDS_TIME_INVALID;
}
else if (cnt == 19)
{
if (buf[cnt] != 'Z' && buf[cnt] != '+' && buf[cnt] != '-' && buf[cnt] != '.')
return DDS_TIME_INVALID;
/* If a dot is found then a variable number of fractional seconds is present.
A second integrity loop to account for the variability is used */
if (buf[cnt] == '.' && !cnt_frac_sec)
{
cnt_frac_sec = 1;
while (buf[cnt + 1] != '\0' && buf[cnt + 1] >= '0' && buf[cnt + 1] <= '9')
{
cnt_frac_sec++;
cnt++;
}
}
}
else if (cnt == 19 + cnt_frac_sec)
{
if (buf[cnt] != 'Z' && buf[cnt] != '+' && buf[cnt] != '-')
return DDS_TIME_INVALID;
}
else if (cnt == 22 + cnt_frac_sec)
{
if (buf[cnt] != ':')
return DDS_TIME_INVALID;
}
else
{
if (buf[cnt] < '0' || buf[cnt] > '9')
return DDS_TIME_INVALID;
}
cnt++;
}
/* Do not allow more than 12 (13 including the dot) and less than 1 fractional second digits if they are used */
if (cnt_frac_sec && (cnt_frac_sec < 2 || cnt_frac_sec > 13))
return DDS_TIME_INVALID;
/* Valid string length value at this stage are 19, 20 and 25 plus the fractional seconds part */
if (cnt != 19 + cnt_frac_sec && cnt != 20 + cnt_frac_sec && cnt != 25 + cnt_frac_sec)
return DDS_TIME_INVALID;
year = ddsrt_todigit(buf[0]) * 1000 + ddsrt_todigit(buf[1]) * 100 + ddsrt_todigit(buf[2]) * 10 + ddsrt_todigit(buf[3]);
month = ddsrt_todigit(buf[5]) * 10 + ddsrt_todigit(buf[6]);
day = ddsrt_todigit(buf[8]) * 10 + ddsrt_todigit(buf[9]);
hour = ddsrt_todigit(buf[11]) * 10 + ddsrt_todigit(buf[12]);
minute = ddsrt_todigit(buf[14]) * 10 + ddsrt_todigit(buf[15]);
second = ddsrt_todigit(buf[17]) * 10 + ddsrt_todigit(buf[18]);
{
int64_t frac_ns_pow = DDS_NSECS_IN_SEC / 10;
size_t n = 0;
for (n = 0; cnt_frac_sec && n < cnt_frac_sec - 1; n++)
{
/* Maximum granularity is nanosecond so round to maximum 9 digits */
if (n == 9)
{
if (ddsrt_todigit(buf[20 + n]) >= 5)
frac_ns++;
break;
}
frac_ns += ddsrt_todigit(buf[20 + n]) * frac_ns_pow;
frac_ns_pow = frac_ns_pow / 10;
}
}
/* If the length is 20 the last character must be a Z representing UTC time zone */
if (cnt == 19 + cnt_frac_sec || (cnt == 20 + cnt_frac_sec && buf[19 + cnt_frac_sec] == 'Z'))
{
hour_offset = 0;
minute_offset = 0;
}
else if (cnt == 25 + cnt_frac_sec)
{
hour_offset = ddsrt_todigit(buf[20 + cnt_frac_sec]) * 10 + ddsrt_todigit(buf[21 + cnt_frac_sec]);
minute_offset = ddsrt_todigit(buf[23 + cnt_frac_sec]) * 10 + ddsrt_todigit(buf[24 + cnt_frac_sec]);
}
else
return DDS_TIME_INVALID;
/* Make a limit check to make sure that all the numbers are within absolute boundaries.
Note that leap seconds are not allowed in XML dates and therefore not supported. */
if (year < 1970 || year > 2262 || month < 1 || month > 12 || day < 1 || day > 31 ||
hour < 0 || hour > 23 || minute < 0 || minute > 59 || second < 0 || second > 59 ||
((hour_offset < 0 || hour_offset > 11 || minute_offset < 0 || minute_offset > 59) && (hour_offset != 12 || minute_offset != 0)))
{
return DDS_TIME_INVALID;
}
/* Boundary check including consideration for month and leap years */
if (!(((month == 4 || month == 6 || month == 9 || month == 11) && (day >= 1 && day <= 30)) ||
((month == 1 || month == 3 || month == 5 || month == 7 || month == 8 || month == 10 || month == 12) && (day >= 1 && day <= 31)) ||
(month == 2 && ((year % 100 != 0 && year % 4 == 0) || (year % 400 == 0)) && (day >= 1 && day <= 29)) ||
(month == 2 && (day >= 1 && day <= 28))))
{
return DDS_TIME_INVALID;
}
/* Convert the year-month-day to total number of days */
int32_t total_leap_years = (year - 1970 + 1) / 4;
/* Leap year count decreased by the number of xx00 years before current year because these are not leap years,
except for 2000. The year 2400 is not in the valid year range so we don't take that into account. */
if (year > 2100)
total_leap_years -= year / 100 - 20;
if (year == 2200)
total_leap_years++;
int32_t total_reg_years = year - 1970 - total_leap_years;
int32_t total_num_days = total_leap_years * 366 + total_reg_years * 365;
int32_t month_cnt;
for (month_cnt = 1; month_cnt < month; month_cnt++)
{
if (month_cnt == 4 || month_cnt == 6 || month_cnt == 9 || month_cnt == 11)
total_num_days += 30;
else if (month_cnt == 2)
{
if (year % 400 == 0 || (year % 100 != 0 && year % 4 == 0))
total_num_days += 29;
else
total_num_days += 28;
}
else
total_num_days += 31;
}
total_num_days += day - 1;
/* Correct the offset sign if negative */
if (buf[19 + cnt_frac_sec] == '-')
{
hour_offset = -hour_offset;
minute_offset = -minute_offset;
}
/* Convert the total number of days to seconds */
int64_t ts_days = (int64_t)total_num_days * 24 * 60 * 60;
int64_t ts_hms = hour * 60 * 60 + minute * 60 + second;
if (ts_days + ts_hms > INT64_MAX / DDS_NSECS_IN_SEC)
return DDS_TIME_INVALID;
int64_t ts = DDS_SECS(ts_days + ts_hms);
/* Apply the hour and minute offset */
int64_t ts_offset = DDS_SECS((int64_t)hour_offset * 60 * 60 + minute_offset * 60);
/* Prevent the offset from making the timestamp negative or overflow it */
if ((ts_offset <= 0 || (ts_offset > 0 && ts_offset < ts)) && INT64_MAX - ts - frac_ns >= -ts_offset)
return ts - ts_offset + frac_ns;
return DDS_TIME_INVALID;
}
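Review bot: In `DDS_Security_parse_xml_date`, an input such as `2015-09-15T01:00:00Z01:00` passes the integrity loop and is then read as a `+01:00` offset, because the `cnt == 25 + cnt_frac_sec` branch never checks that `buf[19 + cnt_frac_sec]` is a sign. The branch should exclude `Z` so that this input falls through to the existing `return DDS_TIME_INVALID`: `else if (cnt == 25 + cnt_frac_sec && buf[19 + cnt_frac_sec] != 'Z')`. If this parser feeds the `not_before`/`not_after` validity check of the permissions document (the caller is not visible in this section), a malformed date should fail parsing rather than be silently shifted by an hour.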


@ -15,6 +15,7 @@ include (CUnit)
set(security_core_test_sources
"tc_fsm.c"
"dds_security_core.c"
"security_utils.c"
)
add_definitions(-DDDSI_INCLUDE_SECURITY)
