Extend access-control tests with validate_local_permissions

Add validate_local_permissions to the set of access control plugin hooks tests, and add discovery_protection_enabled as an additional parameter for the access control hook tests. Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
2020-04-28 21:25:57 +02:00 · 2020-04-28 21:25:57 +02:00 · 45adb6f0c7
commit 45adb6f0c7
parent 0348bb2741
3 changed files with 92 additions and 73 deletions
--- a/src/security/core/tests/access_control.c
+++ b/src/security/core/tests/access_control.c
@ -439,72 +439,80 @@ CU_Test(ddssec_access_control, permissions_expiry_multiple, .timeout=20)
 CU_TheoryDataPoints(ddssec_access_control, hooks) = {
    CU_DataPoints(const char *,
    /*                 */"init_test_access_control_local_participant_not_allowed",
-    /*                  |     */"init_test_access_control_local_topic_not_allowed",
-    /*                  |      |     */"init_test_access_control_local_publishing_not_allowed",
-    /*                  |      |      |      */"init_test_access_control_local_subscribing_not_allowed",
-    /*                  |      |      |      |     */"init_test_access_control_remote_permissions_invalidate",
-    /*                  |      |      |      |      |     */"init_test_access_control_remote_participant_not_allowed",
-    /*                  |      |      |      |      |      |     */"init_test_access_control_remote_topic_not_allowed",
-    /*                  |      |      |      |      |      |      |     */"init_test_access_control_remote_writer_not_allowed",
-    /*                  |      |      |      |      |      |      |      |     */"init_test_access_control_remote_reader_not_allowed",
-    /*                  |      |      |      |      |      |      |      |      |     */"init_test_access_control_remote_reader_relay_only"),
-    CU_DataPoints(bool, true,  false, false, false, false, false, false, false, false, false),  // exp_pp_fail
-    CU_DataPoints(bool, na,    true,  false, false, false, false, false, false, false, false),  // exp_local_topic_fail
-    CU_DataPoints(bool, na,    false, false, false, false, false, false, false, false, false),  // exp_remote_topic_fail
-    CU_DataPoints(bool, na,    na,    true,  false, false, false, false, false, false, false),  // exp_wr_fail
-    CU_DataPoints(bool, na,    na,    false, true,  false, false, false, false, false, false),  // exp_rd_fail
-    CU_DataPoints(bool, na,    na,    na,    na,    true,  true,  true,  false, true,  true),   // exp_wr_rd_sync_fail
-    CU_DataPoints(bool, na,    na,    false, na,    true,  true,  true,  true,  false, false),  // exp_rd_wr_sync_fail
+    /*                  |     */"init_test_access_control_local_permissions_not_allowed",
+    /*                  |      |     */"init_test_access_control_local_topic_not_allowed",
+    /*                  |      |      |     */"init_test_access_control_local_writer_not_allowed",
+    /*                  |      |      |      |      */"init_test_access_control_local_reader_not_allowed",
+    /*                  |      |      |      |      |     */"init_test_access_control_remote_permissions_not_allowed",
+    /*                  |      |      |      |      |      |     */"init_test_access_control_remote_participant_not_allowed",
+    /*                  |      |      |      |      |      |      |     */"init_test_access_control_remote_topic_not_allowed",
+    /*                  |      |      |      |      |      |      |      |     */"init_test_access_control_remote_writer_not_allowed",
+    /*                  |      |      |      |      |      |      |      |      |     */"init_test_access_control_remote_reader_not_allowed",
+    /*                  |      |      |      |      |      |      |      |      |      |     */"init_test_access_control_remote_reader_relay_only"),
+    CU_DataPoints(bool, true,  true,  false, false, false, false, false, false, false, false, false),  // exp_pp_fail
+    CU_DataPoints(bool, na,    na,    true,  false, false, false, false, false, false, false, false),  // exp_local_topic_fail
+    CU_DataPoints(bool, na,    na,    false, false, false, false, false, false, false, false, false),  // exp_remote_topic_fail
+    CU_DataPoints(bool, na,    na,    na,    true,  false, false, false, false, false, false, false),  // exp_wr_fail
+    CU_DataPoints(bool, na,    na,    na,    false, true,  false, false, false, false, false, false),  // exp_rd_fail
+    CU_DataPoints(bool, na,    na,    na,    na,    na,    true,  true,  true,  false, true,  true),   // exp_wr_rd_sync_fail
+    CU_DataPoints(bool, na,    na,    na,    false, na,    true,  true,  true,  true,  false, false),  // exp_rd_wr_sync_fail
 };
 #undef na
+
 CU_Theory(
  (const char * init_fn, bool exp_pp_fail, bool exp_local_topic_fail, bool exp_remote_topic_fail, bool exp_wr_fail, bool exp_rd_fail, bool exp_wr_rd_sync_fail, bool exp_rd_wr_sync_fail),
-  ddssec_access_control, hooks, .timeout=40)
+  ddssec_access_control, hooks, .timeout=60)
 {
-  print_test_msg ("running test access_control_hooks: %s\n", init_fn);
-
-  const char * def_gov = PF_F COMMON_ETC_PATH("default_governance.p7s");
-  const char * def_perm = PF_F COMMON_ETC_PATH("default_permissions.p7s");
-  const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem");
-
-  access_control_init (
-      2,
-      (const char *[]) { TEST_IDENTITY1_CERTIFICATE, TEST_IDENTITY1_CERTIFICATE },
-      (const char *[]) { TEST_IDENTITY1_PRIVATE_KEY, TEST_IDENTITY1_PRIVATE_KEY },
-      (const char *[]) { TEST_IDENTITY_CA1_CERTIFICATE, TEST_IDENTITY_CA1_CERTIFICATE },
-      (bool []) { exp_pp_fail, false },
-      (const char *[]) { init_fn, "init_test_access_control_wrapped" }, (const char *[]) { "finalize_test_access_control_not_allowed", "finalize_test_access_control_wrapped" },
-      (bool []) { true, true, true }, (const char *[]) { def_gov, def_gov },
-      (bool []) { true, true, true }, (const char *[]) { def_perm, def_perm },
-      (bool []) { true, true, true }, (const char *[]) { def_perm_ca, def_perm_ca });
-
-  if (!exp_pp_fail)
+  for (int i = 0; i <= 1; i++)
  {
-    dds_entity_t lwr = 0, rwr = 0, lrd = 0, rrd = 0;
-    dds_entity_t ltopic[2], rtopic[2];
-    dds_entity_t lpub, lsub, rpub, rsub;
-    char topic_name[100];
+    bool discovery_protection = (i == 0);
+    print_test_msg ("running test access_control_hooks: %s with discovery protection %s\n", init_fn, discovery_protection ? "enabled" : "disabled");

-    // Local writer, remote reader
-    create_topic_name (AC_WRAPPER_TOPIC_PREFIX, g_topic_nr++, topic_name, sizeof (topic_name));
-    rd_wr_init_fail (
-      g_participant[0], &lpub, &ltopic[0], &lwr,
-      g_participant[1], &rsub, &rtopic[0], &rrd,
-      topic_name, exp_local_topic_fail, exp_wr_fail, exp_remote_topic_fail, false);
-    if (!exp_local_topic_fail && !exp_remote_topic_fail && !exp_wr_fail)
-      sync_writer_to_readers (g_participant[0], lwr, exp_wr_rd_sync_fail ? 0 : 1, DDS_SECS(2));
+    char * gov_topic_rule = get_governance_topic_rule ("*", discovery_protection, false, true, true, NULL, NULL);
+    char * gov_config = get_governance_config (false, true, "ENCRYPT", NULL, NULL, gov_topic_rule, true);

-    // Local reader, remote writer
-    create_topic_name (AC_WRAPPER_TOPIC_PREFIX, g_topic_nr++, topic_name, sizeof (topic_name));
-    rd_wr_init_fail (
-      g_participant[1], &rpub, &rtopic[1], &rwr,
-      g_participant[0], &lsub, &ltopic[1], &lrd,
-      topic_name, exp_remote_topic_fail, false, exp_local_topic_fail, exp_rd_fail);
-    if (!exp_local_topic_fail && !exp_remote_topic_fail && !exp_rd_fail)
-      sync_reader_to_writers (g_participant[0], lrd, exp_rd_wr_sync_fail ? 0 : 1, DDS_SECS(2));
+    const char * def_perm = PF_F COMMON_ETC_PATH("default_permissions.p7s");
+    const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem");
+
+    access_control_init (
+        2,
+        (const char *[]) { TEST_IDENTITY1_CERTIFICATE, TEST_IDENTITY1_CERTIFICATE },
+        (const char *[]) { TEST_IDENTITY1_PRIVATE_KEY, TEST_IDENTITY1_PRIVATE_KEY },
+        (const char *[]) { TEST_IDENTITY_CA1_CERTIFICATE, TEST_IDENTITY_CA1_CERTIFICATE },
+        (bool []) { exp_pp_fail, false },
+        (const char *[]) { init_fn, "init_test_access_control_wrapped" }, (const char *[]) { "finalize_test_access_control_not_allowed", "finalize_test_access_control_wrapped" },
+        (bool []) { true, true, true }, (const char *[]) { gov_config, gov_config },
+        (bool []) { true, true, true }, (const char *[]) { def_perm, def_perm },
+        (bool []) { true, true, true }, (const char *[]) { def_perm_ca, def_perm_ca });
+
+    if (!exp_pp_fail)
+    {
+      dds_entity_t lwr = 0, rwr = 0, lrd = 0, rrd = 0;
+      dds_entity_t ltopic[2], rtopic[2];
+      dds_entity_t lpub, lsub, rpub, rsub;
+      char topic_name[100];
+
+      // Local writer, remote reader
+      create_topic_name (AC_WRAPPER_TOPIC_PREFIX, g_topic_nr++, topic_name, sizeof (topic_name));
+      rd_wr_init_fail (
+        g_participant[0], &lpub, &ltopic[0], &lwr,
+        g_participant[1], &rsub, &rtopic[0], &rrd,
+        topic_name, exp_local_topic_fail, exp_wr_fail, exp_remote_topic_fail, false);
+      if (!exp_local_topic_fail && !exp_remote_topic_fail && !exp_wr_fail)
+        sync_writer_to_readers (g_participant[0], lwr, exp_wr_rd_sync_fail ? 0 : 1, DDS_SECS(2));
+
+      // Local reader, remote writer
+      create_topic_name (AC_WRAPPER_TOPIC_PREFIX, g_topic_nr++, topic_name, sizeof (topic_name));
+      rd_wr_init_fail (
+        g_participant[1], &rpub, &rtopic[1], &rwr,
+        g_participant[0], &lsub, &ltopic[1], &lrd,
+        topic_name, exp_remote_topic_fail, false, exp_local_topic_fail, exp_rd_fail);
+      if (!exp_local_topic_fail && !exp_remote_topic_fail && !exp_rd_fail)
+        sync_reader_to_writers (g_participant[0], lrd, exp_rd_wr_sync_fail ? 0 : 1, DDS_SECS(1));
+    }
+
+    access_control_fini (2, (void * []) { gov_topic_rule, gov_config }, 2);
  }
-
-  access_control_fini (2, NULL, 0);
 }

 #define na false
--- a/src/security/core/tests/common/access_control_wrapper.c
+++ b/src/security/core/tests/common/access_control_wrapper.c
@ -33,26 +33,28 @@ enum ac_plugin_mode {
 enum ac_plugin_not_allowed {
  NOT_ALLOWED_ID_LOCAL_PP,
  NOT_ALLOWED_ID_LOCAL_TOPIC,
-  NOT_ALLOWED_ID_LOCAL_PUB,
-  NOT_ALLOWED_ID_LOCAL_SUB,
-  NOT_ALLOWED_ID_REMOTE_PERM,
+  NOT_ALLOWED_ID_LOCAL_WRITER,
+  NOT_ALLOWED_ID_LOCAL_READER,
+  NOT_ALLOWED_ID_LOCAL_PERM,
  NOT_ALLOWED_ID_REMOTE_PP,
  NOT_ALLOWED_ID_REMOTE_TOPIC,
  NOT_ALLOWED_ID_REMOTE_WRITER,
  NOT_ALLOWED_ID_REMOTE_READER,
-  NOT_ALLOWED_ID_REMOTE_READER_RELAY_ONLY
+  NOT_ALLOWED_ID_REMOTE_READER_RELAY_ONLY,
+  NOT_ALLOWED_ID_REMOTE_PERM,
 };

 #define NOT_ALLOWED_LOCAL_PP                      (1u << NOT_ALLOWED_ID_LOCAL_PP)
 #define NOT_ALLOWED_LOCAL_TOPIC                   (1u << NOT_ALLOWED_ID_LOCAL_TOPIC)
-#define NOT_ALLOWED_LOCAL_PUB                     (1u << NOT_ALLOWED_ID_LOCAL_PUB)
-#define NOT_ALLOWED_LOCAL_SUB                     (1u << NOT_ALLOWED_ID_LOCAL_SUB)
-#define NOT_ALLOWED_REMOTE_PERM                   (1u << NOT_ALLOWED_ID_REMOTE_PERM)
+#define NOT_ALLOWED_LOCAL_WRITER                  (1u << NOT_ALLOWED_ID_LOCAL_WRITER)
+#define NOT_ALLOWED_LOCAL_READER                  (1u << NOT_ALLOWED_ID_LOCAL_READER)
+#define NOT_ALLOWED_LOCAL_PERM                    (1u << NOT_ALLOWED_ID_LOCAL_PERM)
 #define NOT_ALLOWED_REMOTE_PP                     (1u << NOT_ALLOWED_ID_REMOTE_PP)
 #define NOT_ALLOWED_REMOTE_TOPIC                  (1u << NOT_ALLOWED_ID_REMOTE_TOPIC)
 #define NOT_ALLOWED_REMOTE_WRITER                 (1u << NOT_ALLOWED_ID_REMOTE_WRITER)
 #define NOT_ALLOWED_REMOTE_READER                 (1u << NOT_ALLOWED_ID_REMOTE_READER)
 #define NOT_ALLOWED_REMOTE_READER_RELAY_ONLY      (1u << NOT_ALLOWED_ID_REMOTE_READER_RELAY_ONLY)
+#define NOT_ALLOWED_REMOTE_PERM                   (1u << NOT_ALLOWED_ID_REMOTE_PERM)

 /**
 * Implementation structure for storing encapsulated members of the instance
@ -76,8 +78,15 @@ static DDS_Security_PermissionsHandle validate_local_permissions(
  struct dds_security_access_control_impl *impl = (struct dds_security_access_control_impl *)instance;
  switch (impl->mode)
  {
-    case PLUGIN_MODE_WRAPPED:
    case PLUGIN_MODE_NOT_ALLOWED:
+      if (impl->not_allowed_mask & NOT_ALLOWED_LOCAL_PERM)
+      {
+        ex->code = 1;
+        ex->message = ddsrt_strdup ("not_allowed: validate_local_permissions");
+        return 0;
+      }
+      /* fall through */
+    case PLUGIN_MODE_WRAPPED:
      return impl->instance->validate_local_permissions(impl->instance, auth_plugin, identity, domain_id, participant_qos, ex);

    default:
@ -154,7 +163,7 @@ static DDS_Security_boolean check_create_datawriter(
  switch (impl->mode)
  {
    case PLUGIN_MODE_NOT_ALLOWED:
-      if (impl->not_allowed_mask & NOT_ALLOWED_LOCAL_PUB)
+      if (impl->not_allowed_mask & NOT_ALLOWED_LOCAL_WRITER)
      {
        if (topic_name && strncmp (topic_name, AC_WRAPPER_TOPIC_PREFIX, strlen (AC_WRAPPER_TOPIC_PREFIX)) == 0)
        {
@ -186,7 +195,7 @@ static DDS_Security_boolean check_create_datareader(
  switch (impl->mode)
  {
    case PLUGIN_MODE_NOT_ALLOWED:
-      if (impl->not_allowed_mask & NOT_ALLOWED_LOCAL_SUB)
+      if (impl->not_allowed_mask & NOT_ALLOWED_LOCAL_READER)
      {
        ex->code = 1;
        ex->message = ddsrt_strdup ("not_allowed: check_create_datareader");
@ -838,14 +847,15 @@ int finalize_test_access_control_missing_func(void *context)

 INIT_NOT_ALLOWED(local_participant_not_allowed, NOT_ALLOWED_LOCAL_PP)
 INIT_NOT_ALLOWED(local_topic_not_allowed, NOT_ALLOWED_LOCAL_TOPIC)
-INIT_NOT_ALLOWED(local_publishing_not_allowed, NOT_ALLOWED_LOCAL_PUB)
-INIT_NOT_ALLOWED(local_subscribing_not_allowed, NOT_ALLOWED_LOCAL_SUB)
-INIT_NOT_ALLOWED(remote_permissions_invalidate, NOT_ALLOWED_REMOTE_PERM)
+INIT_NOT_ALLOWED(local_writer_not_allowed, NOT_ALLOWED_LOCAL_WRITER)
+INIT_NOT_ALLOWED(local_reader_not_allowed, NOT_ALLOWED_LOCAL_READER)
+INIT_NOT_ALLOWED(local_permissions_not_allowed, NOT_ALLOWED_LOCAL_PERM)
 INIT_NOT_ALLOWED(remote_participant_not_allowed, NOT_ALLOWED_REMOTE_PP)
 INIT_NOT_ALLOWED(remote_topic_not_allowed, NOT_ALLOWED_REMOTE_TOPIC)
 INIT_NOT_ALLOWED(remote_writer_not_allowed, NOT_ALLOWED_REMOTE_WRITER)
 INIT_NOT_ALLOWED(remote_reader_not_allowed, NOT_ALLOWED_REMOTE_READER)
 INIT_NOT_ALLOWED(remote_reader_relay_only, NOT_ALLOWED_REMOTE_READER_RELAY_ONLY)
+INIT_NOT_ALLOWED(remote_permissions_not_allowed, NOT_ALLOWED_REMOTE_PERM)

 int finalize_test_access_control_not_allowed(void *context)
 {
--- a/src/security/core/tests/common/access_control_wrapper.h
+++ b/src/security/core/tests/common/access_control_wrapper.h
@ -37,14 +37,15 @@ SECURITY_EXPORT int finalize_test_access_control_wrapped(void *context);

 INIT_NOT_ALLOWED_DECL(local_participant_not_allowed)
 INIT_NOT_ALLOWED_DECL(local_topic_not_allowed)
-INIT_NOT_ALLOWED_DECL(local_publishing_not_allowed)
-INIT_NOT_ALLOWED_DECL(local_subscribing_not_allowed)
-INIT_NOT_ALLOWED_DECL(remote_permissions_invalidate)
+INIT_NOT_ALLOWED_DECL(local_writer_not_allowed)
+INIT_NOT_ALLOWED_DECL(local_reader_not_allowed)
+INIT_NOT_ALLOWED_DECL(local_permissions_not_allowed)
 INIT_NOT_ALLOWED_DECL(remote_participant_not_allowed)
 INIT_NOT_ALLOWED_DECL(remote_topic_not_allowed)
 INIT_NOT_ALLOWED_DECL(remote_writer_not_allowed)
 INIT_NOT_ALLOWED_DECL(remote_reader_not_allowed)
 INIT_NOT_ALLOWED_DECL(remote_reader_relay_only)
+INIT_NOT_ALLOWED_DECL(remote_permissions_not_allowed)

 SECURITY_EXPORT int finalize_test_access_control_not_allowed(void *context);