Extend access-control tests with validate_local_permissions

Add validate_local_permissions to the set of access control plugin
hook tests, and add discovery_protection_enabled as an additional
parameter for the access control hook tests.

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Dennis Potman 2020-04-28 21:25:57 +02:00 committed by eboasson
parent 0348bb2741
commit 45adb6f0c7
3 changed files with 92 additions and 73 deletions


@ -439,31 +439,38 @@ CU_Test(ddssec_access_control, permissions_expiry_multiple, .timeout=20)
CU_TheoryDataPoints(ddssec_access_control, hooks) = { CU_TheoryDataPoints(ddssec_access_control, hooks) = {
CU_DataPoints(const char *, CU_DataPoints(const char *,
/* */"init_test_access_control_local_participant_not_allowed", /* */"init_test_access_control_local_participant_not_allowed",
/* | */"init_test_access_control_local_topic_not_allowed", /* | */"init_test_access_control_local_permissions_not_allowed",
/* | | */"init_test_access_control_local_publishing_not_allowed", /* | | */"init_test_access_control_local_topic_not_allowed",
/* | | | */"init_test_access_control_local_subscribing_not_allowed", /* | | | */"init_test_access_control_local_writer_not_allowed",
/* | | | | */"init_test_access_control_remote_permissions_invalidate", /* | | | | */"init_test_access_control_local_reader_not_allowed",
/* | | | | | */"init_test_access_control_remote_participant_not_allowed", /* | | | | | */"init_test_access_control_remote_permissions_not_allowed",
/* | | | | | | */"init_test_access_control_remote_topic_not_allowed", /* | | | | | | */"init_test_access_control_remote_participant_not_allowed",
/* | | | | | | | */"init_test_access_control_remote_writer_not_allowed", /* | | | | | | | */"init_test_access_control_remote_topic_not_allowed",
/* | | | | | | | | */"init_test_access_control_remote_reader_not_allowed", /* | | | | | | | | */"init_test_access_control_remote_writer_not_allowed",
/* | | | | | | | | | */"init_test_access_control_remote_reader_relay_only"), /* | | | | | | | | | */"init_test_access_control_remote_reader_not_allowed",
CU_DataPoints(bool, true, false, false, false, false, false, false, false, false, false), // exp_pp_fail /* | | | | | | | | | | */"init_test_access_control_remote_reader_relay_only"),
CU_DataPoints(bool, na, true, false, false, false, false, false, false, false, false), // exp_local_topic_fail CU_DataPoints(bool, true, true, false, false, false, false, false, false, false, false, false), // exp_pp_fail
CU_DataPoints(bool, na, false, false, false, false, false, false, false, false, false), // exp_remote_topic_fail CU_DataPoints(bool, na, na, true, false, false, false, false, false, false, false, false), // exp_local_topic_fail
CU_DataPoints(bool, na, na, true, false, false, false, false, false, false, false), // exp_wr_fail CU_DataPoints(bool, na, na, false, false, false, false, false, false, false, false, false), // exp_remote_topic_fail
CU_DataPoints(bool, na, na, false, true, false, false, false, false, false, false), // exp_rd_fail CU_DataPoints(bool, na, na, na, true, false, false, false, false, false, false, false), // exp_wr_fail
CU_DataPoints(bool, na, na, na, na, true, true, true, false, true, true), // exp_wr_rd_sync_fail CU_DataPoints(bool, na, na, na, false, true, false, false, false, false, false, false), // exp_rd_fail
CU_DataPoints(bool, na, na, false, na, true, true, true, true, false, false), // exp_rd_wr_sync_fail CU_DataPoints(bool, na, na, na, na, na, true, true, true, false, true, true), // exp_wr_rd_sync_fail
CU_DataPoints(bool, na, na, na, false, na, true, true, true, true, false, false), // exp_rd_wr_sync_fail
}; };
#undef na #undef na
CU_Theory( CU_Theory(
(const char * init_fn, bool exp_pp_fail, bool exp_local_topic_fail, bool exp_remote_topic_fail, bool exp_wr_fail, bool exp_rd_fail, bool exp_wr_rd_sync_fail, bool exp_rd_wr_sync_fail), (const char * init_fn, bool exp_pp_fail, bool exp_local_topic_fail, bool exp_remote_topic_fail, bool exp_wr_fail, bool exp_rd_fail, bool exp_wr_rd_sync_fail, bool exp_rd_wr_sync_fail),
ddssec_access_control, hooks, .timeout=40) ddssec_access_control, hooks, .timeout=60)
{ {
print_test_msg ("running test access_control_hooks: %s\n", init_fn); for (int i = 0; i <= 1; i++)
{
bool discovery_protection = (i == 0);
print_test_msg ("running test access_control_hooks: %s with discovery protection %s\n", init_fn, discovery_protection ? "enabled" : "disabled");
char * gov_topic_rule = get_governance_topic_rule ("*", discovery_protection, false, true, true, NULL, NULL);
char * gov_config = get_governance_config (false, true, "ENCRYPT", NULL, NULL, gov_topic_rule, true);
const char * def_gov = PF_F COMMON_ETC_PATH("default_governance.p7s");
const char * def_perm = PF_F COMMON_ETC_PATH("default_permissions.p7s"); const char * def_perm = PF_F COMMON_ETC_PATH("default_permissions.p7s");
const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem"); const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem");
@ -474,7 +481,7 @@ CU_Theory(
(const char *[]) { TEST_IDENTITY_CA1_CERTIFICATE, TEST_IDENTITY_CA1_CERTIFICATE }, (const char *[]) { TEST_IDENTITY_CA1_CERTIFICATE, TEST_IDENTITY_CA1_CERTIFICATE },
(bool []) { exp_pp_fail, false }, (bool []) { exp_pp_fail, false },
(const char *[]) { init_fn, "init_test_access_control_wrapped" }, (const char *[]) { "finalize_test_access_control_not_allowed", "finalize_test_access_control_wrapped" }, (const char *[]) { init_fn, "init_test_access_control_wrapped" }, (const char *[]) { "finalize_test_access_control_not_allowed", "finalize_test_access_control_wrapped" },
(bool []) { true, true, true }, (const char *[]) { def_gov, def_gov }, (bool []) { true, true, true }, (const char *[]) { gov_config, gov_config },
(bool []) { true, true, true }, (const char *[]) { def_perm, def_perm }, (bool []) { true, true, true }, (const char *[]) { def_perm, def_perm },
(bool []) { true, true, true }, (const char *[]) { def_perm_ca, def_perm_ca }); (bool []) { true, true, true }, (const char *[]) { def_perm_ca, def_perm_ca });
@ -501,10 +508,11 @@ CU_Theory(
g_participant[0], &lsub, &ltopic[1], &lrd, g_participant[0], &lsub, &ltopic[1], &lrd,
topic_name, exp_remote_topic_fail, false, exp_local_topic_fail, exp_rd_fail); topic_name, exp_remote_topic_fail, false, exp_local_topic_fail, exp_rd_fail);
if (!exp_local_topic_fail && !exp_remote_topic_fail && !exp_rd_fail) if (!exp_local_topic_fail && !exp_remote_topic_fail && !exp_rd_fail)
sync_reader_to_writers (g_participant[0], lrd, exp_rd_wr_sync_fail ? 0 : 1, DDS_SECS(2)); sync_reader_to_writers (g_participant[0], lrd, exp_rd_wr_sync_fail ? 0 : 1, DDS_SECS(1));
} }
access_control_fini (2, NULL, 0); access_control_fini (2, (void * []) { gov_topic_rule, gov_config }, 2);
}
} }
#define na false #define na false
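Review bot: The reader-side wait in the last hunk drops from `DDS_SECS(2)` to `DDS_SECS(1)`, which weakens the negative cases of this access-control theory. Assuming `sync_reader_to_writers` waits up to that duration for the expected match count (its body is not on this page), the cases with `exp_rd_wr_sync_fail` set expect 0 matches, so a match that a hook should have blocked but that completes after one second would go unnoticed. The theory now also runs with `"ENCRYPT"` governance and, in the first iteration, discovery protection enabled, which may lengthen the handshake. I would keep `sync_reader_to_writers (g_participant[0], lrd, exp_rd_wr_sync_fail ? 0 : 1, DDS_SECS(2));`, or add a comment above the call stating why one second is still enough to observe an unwanted match. The theory body continues outside the visible hunks.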


@ -33,26 +33,28 @@ enum ac_plugin_mode {
enum ac_plugin_not_allowed { enum ac_plugin_not_allowed {
NOT_ALLOWED_ID_LOCAL_PP, NOT_ALLOWED_ID_LOCAL_PP,
NOT_ALLOWED_ID_LOCAL_TOPIC, NOT_ALLOWED_ID_LOCAL_TOPIC,
NOT_ALLOWED_ID_LOCAL_PUB, NOT_ALLOWED_ID_LOCAL_WRITER,
NOT_ALLOWED_ID_LOCAL_SUB, NOT_ALLOWED_ID_LOCAL_READER,
NOT_ALLOWED_ID_REMOTE_PERM, NOT_ALLOWED_ID_LOCAL_PERM,
NOT_ALLOWED_ID_REMOTE_PP, NOT_ALLOWED_ID_REMOTE_PP,
NOT_ALLOWED_ID_REMOTE_TOPIC, NOT_ALLOWED_ID_REMOTE_TOPIC,
NOT_ALLOWED_ID_REMOTE_WRITER, NOT_ALLOWED_ID_REMOTE_WRITER,
NOT_ALLOWED_ID_REMOTE_READER, NOT_ALLOWED_ID_REMOTE_READER,
NOT_ALLOWED_ID_REMOTE_READER_RELAY_ONLY NOT_ALLOWED_ID_REMOTE_READER_RELAY_ONLY,
NOT_ALLOWED_ID_REMOTE_PERM,
}; };
#define NOT_ALLOWED_LOCAL_PP (1u << NOT_ALLOWED_ID_LOCAL_PP) #define NOT_ALLOWED_LOCAL_PP (1u << NOT_ALLOWED_ID_LOCAL_PP)
#define NOT_ALLOWED_LOCAL_TOPIC (1u << NOT_ALLOWED_ID_LOCAL_TOPIC) #define NOT_ALLOWED_LOCAL_TOPIC (1u << NOT_ALLOWED_ID_LOCAL_TOPIC)
#define NOT_ALLOWED_LOCAL_PUB (1u << NOT_ALLOWED_ID_LOCAL_PUB) #define NOT_ALLOWED_LOCAL_WRITER (1u << NOT_ALLOWED_ID_LOCAL_WRITER)
#define NOT_ALLOWED_LOCAL_SUB (1u << NOT_ALLOWED_ID_LOCAL_SUB) #define NOT_ALLOWED_LOCAL_READER (1u << NOT_ALLOWED_ID_LOCAL_READER)
#define NOT_ALLOWED_REMOTE_PERM (1u << NOT_ALLOWED_ID_REMOTE_PERM) #define NOT_ALLOWED_LOCAL_PERM (1u << NOT_ALLOWED_ID_LOCAL_PERM)
#define NOT_ALLOWED_REMOTE_PP (1u << NOT_ALLOWED_ID_REMOTE_PP) #define NOT_ALLOWED_REMOTE_PP (1u << NOT_ALLOWED_ID_REMOTE_PP)
#define NOT_ALLOWED_REMOTE_TOPIC (1u << NOT_ALLOWED_ID_REMOTE_TOPIC) #define NOT_ALLOWED_REMOTE_TOPIC (1u << NOT_ALLOWED_ID_REMOTE_TOPIC)
#define NOT_ALLOWED_REMOTE_WRITER (1u << NOT_ALLOWED_ID_REMOTE_WRITER) #define NOT_ALLOWED_REMOTE_WRITER (1u << NOT_ALLOWED_ID_REMOTE_WRITER)
#define NOT_ALLOWED_REMOTE_READER (1u << NOT_ALLOWED_ID_REMOTE_READER) #define NOT_ALLOWED_REMOTE_READER (1u << NOT_ALLOWED_ID_REMOTE_READER)
#define NOT_ALLOWED_REMOTE_READER_RELAY_ONLY (1u << NOT_ALLOWED_ID_REMOTE_READER_RELAY_ONLY) #define NOT_ALLOWED_REMOTE_READER_RELAY_ONLY (1u << NOT_ALLOWED_ID_REMOTE_READER_RELAY_ONLY)
#define NOT_ALLOWED_REMOTE_PERM (1u << NOT_ALLOWED_ID_REMOTE_PERM)
/** /**
* Implementation structure for storing encapsulated members of the instance * Implementation structure for storing encapsulated members of the instance
@ -76,8 +78,15 @@ static DDS_Security_PermissionsHandle validate_local_permissions(
struct dds_security_access_control_impl *impl = (struct dds_security_access_control_impl *)instance; struct dds_security_access_control_impl *impl = (struct dds_security_access_control_impl *)instance;
switch (impl->mode) switch (impl->mode)
{ {
case PLUGIN_MODE_WRAPPED:
case PLUGIN_MODE_NOT_ALLOWED: case PLUGIN_MODE_NOT_ALLOWED:
if (impl->not_allowed_mask & NOT_ALLOWED_LOCAL_PERM)
{
ex->code = 1;
ex->message = ddsrt_strdup ("not_allowed: validate_local_permissions");
return 0;
}
/* fall through */
case PLUGIN_MODE_WRAPPED:
return impl->instance->validate_local_permissions(impl->instance, auth_plugin, identity, domain_id, participant_qos, ex); return impl->instance->validate_local_permissions(impl->instance, auth_plugin, identity, domain_id, participant_qos, ex);
default: default:
@ -154,7 +163,7 @@ static DDS_Security_boolean check_create_datawriter(
switch (impl->mode) switch (impl->mode)
{ {
case PLUGIN_MODE_NOT_ALLOWED: case PLUGIN_MODE_NOT_ALLOWED:
if (impl->not_allowed_mask & NOT_ALLOWED_LOCAL_PUB) if (impl->not_allowed_mask & NOT_ALLOWED_LOCAL_WRITER)
{ {
if (topic_name && strncmp (topic_name, AC_WRAPPER_TOPIC_PREFIX, strlen (AC_WRAPPER_TOPIC_PREFIX)) == 0) if (topic_name && strncmp (topic_name, AC_WRAPPER_TOPIC_PREFIX, strlen (AC_WRAPPER_TOPIC_PREFIX)) == 0)
{ {
@ -186,7 +195,7 @@ static DDS_Security_boolean check_create_datareader(
switch (impl->mode) switch (impl->mode)
{ {
case PLUGIN_MODE_NOT_ALLOWED: case PLUGIN_MODE_NOT_ALLOWED:
if (impl->not_allowed_mask & NOT_ALLOWED_LOCAL_SUB) if (impl->not_allowed_mask & NOT_ALLOWED_LOCAL_READER)
{ {
ex->code = 1; ex->code = 1;
ex->message = ddsrt_strdup ("not_allowed: check_create_datareader"); ex->message = ddsrt_strdup ("not_allowed: check_create_datareader");
@ -838,14 +847,15 @@ int finalize_test_access_control_missing_func(void *context)
INIT_NOT_ALLOWED(local_participant_not_allowed, NOT_ALLOWED_LOCAL_PP) INIT_NOT_ALLOWED(local_participant_not_allowed, NOT_ALLOWED_LOCAL_PP)
INIT_NOT_ALLOWED(local_topic_not_allowed, NOT_ALLOWED_LOCAL_TOPIC) INIT_NOT_ALLOWED(local_topic_not_allowed, NOT_ALLOWED_LOCAL_TOPIC)
INIT_NOT_ALLOWED(local_publishing_not_allowed, NOT_ALLOWED_LOCAL_PUB) INIT_NOT_ALLOWED(local_writer_not_allowed, NOT_ALLOWED_LOCAL_WRITER)
INIT_NOT_ALLOWED(local_subscribing_not_allowed, NOT_ALLOWED_LOCAL_SUB) INIT_NOT_ALLOWED(local_reader_not_allowed, NOT_ALLOWED_LOCAL_READER)
INIT_NOT_ALLOWED(remote_permissions_invalidate, NOT_ALLOWED_REMOTE_PERM) INIT_NOT_ALLOWED(local_permissions_not_allowed, NOT_ALLOWED_LOCAL_PERM)
INIT_NOT_ALLOWED(remote_participant_not_allowed, NOT_ALLOWED_REMOTE_PP) INIT_NOT_ALLOWED(remote_participant_not_allowed, NOT_ALLOWED_REMOTE_PP)
INIT_NOT_ALLOWED(remote_topic_not_allowed, NOT_ALLOWED_REMOTE_TOPIC) INIT_NOT_ALLOWED(remote_topic_not_allowed, NOT_ALLOWED_REMOTE_TOPIC)
INIT_NOT_ALLOWED(remote_writer_not_allowed, NOT_ALLOWED_REMOTE_WRITER) INIT_NOT_ALLOWED(remote_writer_not_allowed, NOT_ALLOWED_REMOTE_WRITER)
INIT_NOT_ALLOWED(remote_reader_not_allowed, NOT_ALLOWED_REMOTE_READER) INIT_NOT_ALLOWED(remote_reader_not_allowed, NOT_ALLOWED_REMOTE_READER)
INIT_NOT_ALLOWED(remote_reader_relay_only, NOT_ALLOWED_REMOTE_READER_RELAY_ONLY) INIT_NOT_ALLOWED(remote_reader_relay_only, NOT_ALLOWED_REMOTE_READER_RELAY_ONLY)
INIT_NOT_ALLOWED(remote_permissions_not_allowed, NOT_ALLOWED_REMOTE_PERM)
int finalize_test_access_control_not_allowed(void *context) int finalize_test_access_control_not_allowed(void *context)
{ {
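Review bot: The new deny branch in `validate_local_permissions` ends with a bare `return 0;` although the function returns a `DDS_Security_PermissionsHandle`. Writing `return DDS_SECURITY_HANDLE_NIL;` would make it explicit that the injected failure yields the nil handle rather than a boolean-style false, which matters here because the neighbouring `check_create_*` hooks return `DDS_Security_boolean`. The branch also writes `ex->code` and `ex->message` without checking `ex`, the same as the `check_create_datareader` branch visible further down. A short comment such as `/* test hook: ex must be non-NULL; caller owns and frees ex->message */` would record that assumption. The function starts and ends outside the hunk, so the `default:` handling is not visible here.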


@ -37,14 +37,15 @@ SECURITY_EXPORT int finalize_test_access_control_wrapped(void *context);
INIT_NOT_ALLOWED_DECL(local_participant_not_allowed) INIT_NOT_ALLOWED_DECL(local_participant_not_allowed)
INIT_NOT_ALLOWED_DECL(local_topic_not_allowed) INIT_NOT_ALLOWED_DECL(local_topic_not_allowed)
INIT_NOT_ALLOWED_DECL(local_publishing_not_allowed) INIT_NOT_ALLOWED_DECL(local_writer_not_allowed)
INIT_NOT_ALLOWED_DECL(local_subscribing_not_allowed) INIT_NOT_ALLOWED_DECL(local_reader_not_allowed)
INIT_NOT_ALLOWED_DECL(remote_permissions_invalidate) INIT_NOT_ALLOWED_DECL(local_permissions_not_allowed)
INIT_NOT_ALLOWED_DECL(remote_participant_not_allowed) INIT_NOT_ALLOWED_DECL(remote_participant_not_allowed)
INIT_NOT_ALLOWED_DECL(remote_topic_not_allowed) INIT_NOT_ALLOWED_DECL(remote_topic_not_allowed)
INIT_NOT_ALLOWED_DECL(remote_writer_not_allowed) INIT_NOT_ALLOWED_DECL(remote_writer_not_allowed)
INIT_NOT_ALLOWED_DECL(remote_reader_not_allowed) INIT_NOT_ALLOWED_DECL(remote_reader_not_allowed)
INIT_NOT_ALLOWED_DECL(remote_reader_relay_only) INIT_NOT_ALLOWED_DECL(remote_reader_relay_only)
INIT_NOT_ALLOWED_DECL(remote_permissions_not_allowed)
SECURITY_EXPORT int finalize_test_access_control_not_allowed(void *context); SECURITY_EXPORT int finalize_test_access_control_not_allowed(void *context);