diff --git a/src/security/core/tests/access_control.c b/src/security/core/tests/access_control.c index c508d55..ea08591 100644 --- a/src/security/core/tests/access_control.c +++ b/src/security/core/tests/access_control.c @@ -23,8 +23,6 @@ #include "dds/ddsrt/heap.h" #include "dds/ddsrt/io.h" #include "dds/ddsrt/string.h" -#include "dds/ddsi/q_entity.h" -#include "dds/ddsi/ddsi_entity_index.h" #include "dds/ddsi/ddsi_security_omg.h" #include "dds/ddsi/q_config.h" #include "dds/ddsi/ddsi_domaingv.h" @@ -72,9 +70,6 @@ static const char *config = #define MAX_DOMAINS 10 #define DDS_DOMAINID 0 -#define PF_F "file:" -#define PF_D "data:," - static dds_entity_t g_domain[MAX_DOMAINS]; static dds_entity_t g_participant[MAX_DOMAINS]; static uint32_t g_topic_nr = 0; @@ -125,41 +120,6 @@ static void access_control_fini(size_t n, void * res[], size_t nres) } } -static DDS_Security_DatawriterCryptoHandle get_builtin_writer_crypto_handle(dds_entity_t participant, unsigned entityid) -{ - DDS_Security_DatawriterCryptoHandle crypto_handle; - struct dds_entity *pp_entity; - struct participant *pp; - struct writer *wr; - CU_ASSERT_EQUAL_FATAL(dds_entity_pin(participant, &pp_entity), 0); - thread_state_awake(lookup_thread_state(), &pp_entity->m_domain->gv); - pp = entidx_lookup_participant_guid(pp_entity->m_domain->gv.entity_index, &pp_entity->m_guid); - wr = get_builtin_writer(pp, entityid); - CU_ASSERT_FATAL(wr != NULL); - assert(wr != NULL); /* for Clang's static analyzer */ - crypto_handle = wr->sec_attr->crypto_handle; - thread_state_asleep(lookup_thread_state()); - dds_entity_unpin(pp_entity); - return crypto_handle; -} - -// static DDS_Security_DatawriterCryptoHandle get_writer_crypto_handle(dds_entity_t writer) -// { -// DDS_Security_DatawriterCryptoHandle crypto_handle; -// struct dds_entity *wr_entity; -// struct writer *wr; -// CU_ASSERT_EQUAL_FATAL(dds_entity_pin(writer, &wr_entity), 0); -// thread_state_awake(lookup_thread_state(), &wr_entity->m_domain->gv); -// wr = entidx_lookup_writer_guid(wr_entity->m_domain->gv.entity_index, &wr_entity->m_guid); -// CU_ASSERT_FATAL(wr != NULL); -// assert(wr != NULL); /* for Clang's static analyzer */ -// crypto_handle = wr->sec_attr->crypto_handle; -// thread_state_asleep(lookup_thread_state()); -// dds_entity_unpin(wr_entity); -// return crypto_handle; -// } - - #define GOV_F PF_F COMMON_ETC_PATH("default_governance.p7s") #define GOV_FNE PF_F COMMON_ETC_PATH("default_governance_non_existing.p7s") #define GOV_DI PF_D COMMON_ETC_PATH("default_governance.p7s") @@ -469,8 +429,8 @@ CU_Theory( bool discovery_protection = (i == 0); print_test_msg ("running test access_control_hooks: %s with discovery protection %s\n", init_fn, discovery_protection ? "enabled" : "disabled"); - char * gov_topic_rule = get_governance_topic_rule ("*", discovery_protection, false, true, true, NULL, NULL); - char * gov_config = get_governance_config (false, true, "ENCRYPT", NULL, NULL, gov_topic_rule, true); + char * gov_topic_rule = get_governance_topic_rule ("*", discovery_protection, false, true, true, PK_N, BPK_N); + char * gov_config = get_governance_config (false, true, PK_E, PK_N, PK_N, gov_topic_rule, true); const char * def_perm = PF_F COMMON_ETC_PATH("default_permissions.p7s"); const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem"); @@ -556,9 +516,9 @@ CU_Theory( get_permissions_grant ("id2", id2_subj, now, now + DDS_SECS(3600), rules2_xml, NULL) }; char * perm_config = get_permissions_config (grants, 2, true); - char * gov_topic_rule = get_governance_topic_rule ("*", false, false, true, true, "NONE", "NONE"); - char * gov_config_pp1 = get_governance_config (false, join_ac_pp1, NULL, NULL, NULL, gov_topic_rule, true); - char * gov_config_pp2 = get_governance_config (false, join_ac_pp2, NULL, NULL, NULL, gov_topic_rule, true); + char * gov_topic_rule = get_governance_topic_rule ("*", false, false, true, true, PK_N, BPK_N); + char * gov_config_pp1 = get_governance_config (false, join_ac_pp1, PK_N, PK_N, PK_N, gov_topic_rule, true); + char * gov_config_pp2 = get_governance_config (false, join_ac_pp2, PK_N, PK_N, PK_N, gov_topic_rule, true); const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem"); access_control_init ( @@ -624,10 +584,10 @@ static void test_discovery_liveliness_protection(enum test_discovery_liveliness get_permissions_default_grant ("id2", id2_subj, topic_name) }; char * perm_config = get_permissions_config (grants, 2, true); - char * gov_topic_rule1 = get_governance_topic_rule (topic_name, dp && enable_protection_pp1, lp && enable_protection_pp1, true, true, "ENCRYPT", "NONE"); - char * gov_topic_rule2 = get_governance_topic_rule (topic_name, dp && enable_protection_pp2, lp && enable_protection_pp2, true, true, "ENCRYPT", "NONE"); - char * gov_config1 = get_governance_config (false, true, dp ? pk_to_str (protection_kind_pp1) : NULL, lp ? pk_to_str (protection_kind_pp1) : NULL, "ENCRYPT", gov_topic_rule1, true); - char * gov_config2 = get_governance_config (false, true, dp ? pk_to_str (protection_kind_pp2) : NULL, lp ? pk_to_str (protection_kind_pp2) : NULL, "ENCRYPT", gov_topic_rule2, true); + char * gov_topic_rule1 = get_governance_topic_rule (topic_name, dp && enable_protection_pp1, lp && enable_protection_pp1, true, true, PK_E, BPK_N); + char * gov_topic_rule2 = get_governance_topic_rule (topic_name, dp && enable_protection_pp2, lp && enable_protection_pp2, true, true, PK_E, BPK_N); + char * gov_config1 = get_governance_config (false, true, dp ? protection_kind_pp1 : PK_N, lp ? protection_kind_pp1 : PK_N, PK_E, gov_topic_rule1, true); + char * gov_config2 = get_governance_config (false, true, dp ? protection_kind_pp2 : PK_N, lp ? protection_kind_pp2 : PK_N, PK_E, gov_topic_rule2, true); const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem"); access_control_init ( @@ -705,10 +665,10 @@ static void test_encoding_mismatch( get_permissions_default_grant ("id2", id2_subj, topic_name) }; char * perm_config = get_permissions_config (grants, 2, true); - char * gov_topic_rule1 = get_governance_topic_rule (topic_name, true, true, true, true, pk_to_str (metadata_pk1), bpk_to_str (payload_pk1)); - char * gov_topic_rule2 = get_governance_topic_rule (topic_name, true, true, true, true, pk_to_str (metadata_pk2), bpk_to_str (payload_pk2)); - char * gov_config1 = get_governance_config (false, true, pk_to_str (discovery_pk1), pk_to_str (liveliness_pk1), pk_to_str (rtps_pk1), gov_topic_rule1, true); - char * gov_config2 = get_governance_config (false, true, pk_to_str (discovery_pk2), pk_to_str (liveliness_pk2), pk_to_str (rtps_pk2), gov_topic_rule2, true); + char * gov_topic_rule1 = get_governance_topic_rule (topic_name, true, true, true, true, metadata_pk1, payload_pk1); + char * gov_topic_rule2 = get_governance_topic_rule (topic_name, true, true, true, true, metadata_pk2, payload_pk2); + char * gov_config1 = get_governance_config (false, true, discovery_pk1, liveliness_pk1, rtps_pk1, gov_topic_rule1, true); + char * gov_config2 = get_governance_config (false, true, discovery_pk2, liveliness_pk2, rtps_pk2, gov_topic_rule2, true); const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem"); access_control_init ( @@ -802,8 +762,8 @@ static void test_readwrite_protection ( get_permissions_grant ("id2", id2_subj, now, now + DDS_SECS(3600), rules_xml, default_policy) }; char * perm_config = get_permissions_config (grants, 2, true); - char * gov_topic_rule = get_governance_topic_rule (topic_name, false, false, read_ac, write_ac, pk_to_str (PK_E), bpk_to_str (BPK_E)); - char * gov_config = get_governance_config (false, true, NULL, NULL, NULL, gov_topic_rule, true); + char * gov_topic_rule = get_governance_topic_rule (topic_name, false, false, read_ac, write_ac, PK_E, BPK_E); + char * gov_config = get_governance_config (false, true, PK_N, PK_N, PK_N, gov_topic_rule, true); const char * def_perm_ca = PF_F COMMON_ETC_PATH("default_permissions_ca.pem"); access_control_init ( diff --git a/src/security/core/tests/authentication.c b/src/security/core/tests/authentication.c index 07d637e..79e9cb2 100644 --- a/src/security/core/tests/authentication.c +++ b/src/security/core/tests/authentication.c @@ -20,6 +20,7 @@ #include "dds/ddsrt/cdtors.h" #include "dds/ddsrt/environ.h" #include "dds/ddsrt/heap.h" +#include "dds/ddsrt/io.h" #include "dds/ddsrt/string.h" #include "dds/ddsi/q_config.h" #include "dds/ddsi/ddsi_domaingv.h" @@ -65,7 +66,7 @@ static const char *config = " " " " " file:" COMMON_ETC_PATH("default_permissions_ca.pem") "" - " " + " " " " " " " " @@ -73,10 +74,21 @@ static const char *config = " " ""; +static const char *config_non_secure = + "${CYCLONEDDS_URI}${CYCLONEDDS_URI:+,}" + "" + " " + " 0" + " \\${CYCLONEDDS_PID}" + " " + ""; + + #define DDS_DOMAINID1 0 #define DDS_DOMAINID2 1 #define DEF_PERM_CONF "file:" COMMON_ETC_PATH("default_permissions.p7s") +#define DEF_GOV_CONF "file:" COMMON_ETC_PATH("default_governance.p7s") static dds_entity_t g_domain1; static dds_entity_t g_participant1; @@ -92,56 +104,48 @@ static dds_entity_t g_rd; static uint32_t g_topic_nr = 0; -static void authentication_init( - const char * id1_cert, const char * id1_key, const char * id1_ca, - const char * id2_cert, const char * id2_key, const char * id2_ca, - const char * trusted_ca_dir, const char * perm_config, - bool exp_pp1_fail, bool exp_pp2_fail) +static void init_domain_pp (bool pp_secure, bool exp_pp_fail, + dds_domainid_t domain_id, const char *id_cert, const char * id_key, const char * id_ca, const char * gov_config, const char * perm_config, const char * trusted_ca_dir, + dds_entity_t *domain, dds_entity_t *pp) { - if (perm_config == NULL) - perm_config = DEF_PERM_CONF; - - char * gov_topic_rule = get_governance_topic_rule ("*", false, false, true, true, "NONE", "NONE"); - char * gov_config_signed = get_governance_config (false, false, NULL, NULL, NULL, gov_topic_rule, true); - - struct kvp config_vars1[] = { - { "TEST_IDENTITY_CERTIFICATE", id1_cert, 1 }, - { "TEST_IDENTITY_PRIVATE_KEY", id1_key, 1 }, - { "TEST_IDENTITY_CA_CERTIFICATE", id1_ca, 1 }, - { "TRUSTED_CA_DIR", trusted_ca_dir, 3 }, - { "PERM_CONFIG", perm_config, 1 }, - { "GOVERNANCE_CONFIG", gov_config_signed, 1 }, - { NULL, NULL, 0 } - }; - - struct kvp config_vars2[] = { - { "TEST_IDENTITY_CERTIFICATE", id2_cert, 1 }, - { "TEST_IDENTITY_PRIVATE_KEY", id2_key, 1 }, - { "TEST_IDENTITY_CA_CERTIFICATE", id2_ca, 1 }, - { "TRUSTED_CA_DIR", trusted_ca_dir, 3 }, - { "PERM_CONFIG", perm_config, 1 }, - { "GOVERNANCE_CONFIG", gov_config_signed, 1 }, - { NULL, NULL, 0 } - }; - - char *conf1 = ddsrt_expand_vars_sh (config, &expand_lookup_vars_env, config_vars1); - char *conf2 = ddsrt_expand_vars_sh (config, &expand_lookup_vars_env, config_vars2); - CU_ASSERT_EQUAL_FATAL (expand_lookup_unmatched (config_vars1), 0); - CU_ASSERT_EQUAL_FATAL (expand_lookup_unmatched (config_vars2), 0); - g_domain1 = dds_create_domain (DDS_DOMAINID1, conf1); - g_domain2 = dds_create_domain (DDS_DOMAINID2, conf2); - g_participant1 = dds_create_participant (DDS_DOMAINID1, NULL, NULL); - g_participant2 = dds_create_participant (DDS_DOMAINID2, NULL, NULL); - CU_ASSERT_EQUAL_FATAL (exp_pp1_fail, g_participant1 <= 0); - CU_ASSERT_EQUAL_FATAL (exp_pp2_fail, g_participant2 <= 0); - - ddsrt_free (gov_config_signed); - ddsrt_free (gov_topic_rule); - ddsrt_free (conf1); - ddsrt_free (conf2); + char *conf; + if (pp_secure) + { + struct kvp config_vars[] = + { + { "TEST_IDENTITY_CERTIFICATE", id_cert, 1 }, + { "TEST_IDENTITY_PRIVATE_KEY", id_key, 1 }, + { "TEST_IDENTITY_CA_CERTIFICATE", id_ca, 1 }, + { "TRUSTED_CA_DIR", trusted_ca_dir, 3 }, + { "PERMISSIONS_CONFIG", perm_config, 1 }, + { "GOVERNANCE_CONFIG", gov_config, 1 }, + { NULL, NULL, 0 } + }; + conf = ddsrt_expand_vars_sh (config, &expand_lookup_vars_env, config_vars); + CU_ASSERT_EQUAL_FATAL (expand_lookup_unmatched (config_vars), 0); + } + else + { + struct kvp config_vars[] = { { NULL, NULL, 0 } }; + conf = ddsrt_expand_vars_sh (config_non_secure, &expand_lookup_vars_env, config_vars); + CU_ASSERT_EQUAL_FATAL (expand_lookup_unmatched (config_vars), 0); + } + *domain = dds_create_domain (domain_id, conf); + *pp = dds_create_participant (domain_id, NULL, NULL); + CU_ASSERT_EQUAL_FATAL (exp_pp_fail, *pp <= 0); + ddsrt_free (conf); } -static void authentication_fini(bool delete_pp1, bool delete_pp2) +static void authentication_init( + bool pp1_secure, const char * id1_cert, const char * id1_key, const char * id1_ca, bool exp_pp1_fail, const char * gov_conf1, const char * perm_conf1, + bool pp2_secure, const char * id2_cert, const char * id2_key, const char * id2_ca, bool exp_pp2_fail, const char * gov_conf2, const char * perm_conf2, + const char * trusted_ca_dir) +{ + init_domain_pp (pp1_secure, exp_pp1_fail, DDS_DOMAINID1, id1_cert, id1_key, id1_ca, gov_conf1, perm_conf1, trusted_ca_dir, &g_domain1, &g_participant1); + init_domain_pp (pp2_secure, exp_pp2_fail, DDS_DOMAINID2, id2_cert, id2_key, id2_ca, gov_conf2, perm_conf2, trusted_ca_dir, &g_domain2, &g_participant2); +} + +static void authentication_fini(bool delete_pp1, bool delete_pp2, void * res[], size_t nres) { if (delete_pp1) CU_ASSERT_EQUAL_FATAL (dds_delete (g_participant1), DDS_RETCODE_OK); @@ -149,6 +153,11 @@ static void authentication_fini(bool delete_pp1, bool delete_pp2) CU_ASSERT_EQUAL_FATAL (dds_delete (g_participant2), DDS_RETCODE_OK); CU_ASSERT_EQUAL_FATAL (dds_delete (g_domain1), DDS_RETCODE_OK); CU_ASSERT_EQUAL_FATAL (dds_delete (g_domain2), DDS_RETCODE_OK); + if (res != NULL) + { + for (size_t i = 0; i < nres; i++) + ddsrt_free (res[i]); + } } #define FM_CA "error: unable to get local issuer certificate" @@ -185,7 +194,10 @@ CU_Theory((const char * test_descr, const char * id2, const char *key2, const ch struct Handshake *hs_list; int nhs; print_test_msg ("running test id_ca_certs: %s\n", test_descr); - authentication_init (ID1, ID1K, CA1, id2, key2, ca2, NULL, NULL, exp_fail_pp1, exp_fail_pp2); + authentication_init ( + true, ID1, ID1K, CA1, exp_fail_pp1, DEF_GOV_CONF, DEF_PERM_CONF, + true, id2, key2, ca2, exp_fail_pp2, DEF_GOV_CONF, DEF_PERM_CONF, + NULL); // Domain 1 validate_handshake (DDS_DOMAINID1, false, NULL, &hs_list, &nhs, DDS_SECS(2)); @@ -199,7 +211,7 @@ CU_Theory((const char * test_descr, const char * id2, const char *key2, const ch validate_handshake_result (&hs_list[n], exp_fail_hs_req, fail_hs_req_msg, exp_fail_hs_reply, fail_hs_reply_msg); handshake_list_fini (hs_list, nhs); - authentication_fini (!exp_fail_pp1, !exp_fail_pp2); + authentication_fini (!exp_fail_pp1, !exp_fail_pp2, NULL, 0); } CU_TheoryDataPoints(ddssec_authentication, trusted_ca_dir) = { @@ -209,13 +221,16 @@ CU_TheoryDataPoints(ddssec_authentication, trusted_ca_dir) = { CU_Theory((const char * ca_dir, bool exp_fail), ddssec_authentication, trusted_ca_dir) { print_test_msg ("Testing custom CA dir: %s\n", ca_dir); - authentication_init (ID1, ID1K, CA1, ID1, ID1K, CA1, ca_dir, NULL, exp_fail, exp_fail); + authentication_init ( + true, ID1, ID1K, CA1, exp_fail, DEF_GOV_CONF, DEF_PERM_CONF, + true, ID1, ID1K, CA1, exp_fail, DEF_GOV_CONF, DEF_PERM_CONF, + ca_dir); if (!exp_fail) { validate_handshake_nofail (DDS_DOMAINID1, DDS_SECS (2)); validate_handshake_nofail (DDS_DOMAINID2, DDS_SECS (2)); } - authentication_fini (!exp_fail, !exp_fail); + authentication_fini (!exp_fail, !exp_fail, NULL, 0); } #define S(n) (n) @@ -267,7 +282,10 @@ CU_Theory( get_permissions_default_grant ("id1", id1_subj, topic_name), get_permissions_default_grant ("id2", id2_subj, topic_name) }; char * perm_config = get_permissions_config (grants, 2, true); - authentication_init (id1, ID1K, ca, id2, ID1K, ca, NULL, perm_config, id1_local_fail, id2_local_fail); + authentication_init ( + true, id1, ID1K, ca, id1_local_fail, DEF_GOV_CONF, perm_config, + true, id2, ID1K, ca, id2_local_fail, DEF_GOV_CONF, perm_config, + NULL); validate_handshake (DDS_DOMAINID1, id1_local_fail, NULL, NULL, NULL, DDS_SECS(2)); validate_handshake (DDS_DOMAINID2, id2_local_fail, NULL, NULL, NULL, DDS_SECS(2)); if (write_read_dur > 0) @@ -276,17 +294,51 @@ CU_Theory( sync_writer_to_readers(g_participant1, g_wr, 1, DDS_SECS(2)); write_read_for (g_wr, g_participant2, g_rd, DDS_MSECS (write_read_dur), false, exp_read_fail); } - authentication_fini (!id1_local_fail, !id2_local_fail); - ddsrt_free (grants[0]); - ddsrt_free (grants[1]); - ddsrt_free (perm_config); - ddsrt_free (ca); - ddsrt_free (id1_subj); - ddsrt_free (id2_subj); - ddsrt_free (id1); - ddsrt_free (id2); + authentication_fini (!id1_local_fail, !id2_local_fail, (void * []){ grants[0], grants[1], perm_config, ca, id1_subj, id2_subj, id1, id2 }, 8); } #undef D #undef H #undef M + +CU_Test(ddssec_authentication, unauthenticated_pp) +{ + char topic_name_secure[100]; + char topic_name_plain[100]; + create_topic_name ("ddssec_authentication_secure_", g_topic_nr++, topic_name_secure, sizeof (topic_name_secure)); + create_topic_name ("ddssec_authentication_plain_", g_topic_nr++, topic_name_plain, sizeof (topic_name_plain)); + + /* create ca and id1 cert that will not expire during this test */ + char *ca, *id1, *id1_subj; + ca = generate_ca ("ca1", TEST_IDENTITY_CA1_PRIVATE_KEY, 0, 3600); + id1 = generate_identity (ca, TEST_IDENTITY_CA1_PRIVATE_KEY, "id1", TEST_IDENTITY1_PRIVATE_KEY, 0, 3600, &id1_subj); + + char * grants[] = { get_permissions_default_grant ("id1", id1_subj, topic_name_secure) }; + char * perm_config = get_permissions_config (grants, 1, true); + + char * topic_rule_sec = get_governance_topic_rule (topic_name_secure, true, true, true, true, PK_E, BPK_N); + char * topic_rule_plain = get_governance_topic_rule (topic_name_plain, false, false, false, false, PK_N, BPK_N); + char * gov_topic_rules; + ddsrt_asprintf(&gov_topic_rules, "%s%s", topic_rule_sec, topic_rule_plain); + char * gov_config = get_governance_config (true, true, PK_N, PK_N, PK_N, gov_topic_rules, true); + + authentication_init ( + true, id1, TEST_IDENTITY1_PRIVATE_KEY, ca, false, gov_config, perm_config, + false, NULL, NULL, NULL, false, NULL, NULL, + NULL); + + print_test_msg ("writing sample for plain topic\n"); + dds_entity_t pub, sub, pub_tp, sub_tp, wr, rd; + rd_wr_init (g_participant1, &pub, &pub_tp, &wr, g_participant2, &sub, &sub_tp, &rd, topic_name_plain); + sync_writer_to_readers(g_participant1, wr, 1, DDS_SECS(5)); + write_read_for (wr, g_participant2, rd, DDS_MSECS (10), false, false); + + print_test_msg ("writing sample for secured topic\n"); + dds_entity_t spub, ssub, spub_tp, ssub_tp, swr, srd; + rd_wr_init (g_participant1, &spub, &spub_tp, &swr, g_participant2, &ssub, &ssub_tp, &srd, topic_name_secure); + sync_writer_to_readers(g_participant1, swr, 0, DDS_SECS(2)); + write_read_for (swr, g_participant2, srd, DDS_MSECS (10), false, true); + + authentication_fini (true, true, (void * []) { gov_config, gov_topic_rules, topic_rule_sec, topic_rule_plain, grants[0], perm_config, ca, id1_subj, id1 }, 9); +} + diff --git a/src/security/core/tests/common/security_config_test_utils.c b/src/security/core/tests/common/security_config_test_utils.c index 8c46848..ea8158b 100644 --- a/src/security/core/tests/common/security_config_test_utils.c +++ b/src/security/core/tests/common/security_config_test_utils.c @@ -245,7 +245,7 @@ static void print_config_vars(struct kvp *vars) } char * get_governance_topic_rule(const char * topic_expr, bool discovery_protection, bool liveliness_protection, - bool read_ac, bool write_ac, const char * metadata_protection_kind, const char * data_protection_kind) + bool read_ac, bool write_ac, DDS_Security_ProtectionKind metadata_protection_kind, DDS_Security_BasicProtectionKind data_protection_kind) { struct kvp vars[] = { { "TOPIC_EXPRESSION", topic_expr != NULL ? topic_expr : "*", 1 }, @@ -253,23 +253,23 @@ char * get_governance_topic_rule(const char * topic_expr, bool discovery_protect { "ENABLE_LIVELINESS_PROTECTION", liveliness_protection ? "true" : "false", 1 }, { "ENABLE_READ_AC", read_ac ? "true" : "false", 1 }, { "ENABLE_WRITE_AC", write_ac ? "true" : "false", 1 }, - { "METADATA_PROTECTION_KIND", metadata_protection_kind != NULL ? metadata_protection_kind : "NONE", 1 }, - { "DATA_PROTECTION_KIND", data_protection_kind != NULL ? data_protection_kind : "NONE", 1 }, + { "METADATA_PROTECTION_KIND", pk_to_str (metadata_protection_kind), 1 }, + { "DATA_PROTECTION_KIND", bpk_to_str (data_protection_kind), 1 }, { NULL, NULL, 0 } }; return ddsrt_expand_vars (topic_rule, &expand_lookup_vars, vars); } -char * get_governance_config (bool allow_unauth_pp, bool enable_join_ac, const char * discovery_protection_kind, const char * liveliness_protection_kind, - const char * rtps_protection_kind, const char * topic_rules, bool add_prefix) +char * get_governance_config (bool allow_unauth_pp, bool enable_join_ac, DDS_Security_ProtectionKind discovery_protection_kind, DDS_Security_ProtectionKind liveliness_protection_kind, + DDS_Security_ProtectionKind rtps_protection_kind, const char * topic_rules, bool add_prefix) { struct kvp vars[] = { { "ALLOW_UNAUTH_PP", allow_unauth_pp ? "true" : "false", 1 }, { "ENABLE_JOIN_AC", enable_join_ac ? "true" : "false", 1 }, - { "DISCOVERY_PROTECTION_KIND", discovery_protection_kind != NULL ? discovery_protection_kind : "NONE", 1 }, - { "LIVELINESS_PROTECTION_KIND", liveliness_protection_kind != NULL ? liveliness_protection_kind : "NONE", 1 }, - { "RTPS_PROTECTION_KIND", rtps_protection_kind != NULL ? rtps_protection_kind : "NONE", 1 }, - { "TOPIC_RULES", topic_rules != NULL ? topic_rules : get_governance_topic_rule (NULL, false, false, false, false, NULL, NULL), 1 }, + { "DISCOVERY_PROTECTION_KIND", pk_to_str (discovery_protection_kind), 1 }, + { "LIVELINESS_PROTECTION_KIND", pk_to_str (liveliness_protection_kind), 1 }, + { "RTPS_PROTECTION_KIND", pk_to_str (rtps_protection_kind), 1 }, + { "TOPIC_RULES", topic_rules != NULL ? topic_rules : get_governance_topic_rule (NULL, false, false, false, false, PK_N, BPK_N), 1 }, { NULL, NULL, 0 } }; char * config = ddsrt_expand_vars (governance_xml, &expand_lookup_vars, vars); diff --git a/src/security/core/tests/common/security_config_test_utils.h b/src/security/core/tests/common/security_config_test_utils.h index e70b98e..eaac17b 100644 --- a/src/security/core/tests/common/security_config_test_utils.h +++ b/src/security/core/tests/common/security_config_test_utils.h @@ -26,9 +26,9 @@ const char * expand_lookup_vars_env (const char *name, void * data); int32_t expand_lookup_unmatched (const struct kvp * lookup_table); char * get_governance_topic_rule (const char * topic_expr, bool discovery_protection, bool liveliness_protection, - bool read_ac, bool write_ac, const char * metadata_protection_kind, const char * data_protection_kind); -char * get_governance_config (bool allow_unauth_pp, bool enable_join_ac, const char * discovery_protection_kind, const char * liveliness_protection_kind, - const char * rtps_protection_kind, const char * topic_rules, bool add_prefix); + bool read_ac, bool write_ac, DDS_Security_ProtectionKind metadata_protection_kind, DDS_Security_BasicProtectionKind data_protection_kind); +char * get_governance_config (bool allow_unauth_pp, bool enable_join_ac, DDS_Security_ProtectionKind discovery_protection_kind, DDS_Security_ProtectionKind liveliness_protection_kind, + DDS_Security_ProtectionKind rtps_protection_kind, const char * topic_rules, bool add_prefix); char * get_permissions_rules (const char * domain_id, const char * allow_pub_topic, const char * allow_sub_topic, const char * deny_pub_topic, const char * deny_sub_topic); diff --git a/src/security/core/tests/common/test_utils.c b/src/security/core/tests/common/test_utils.c index 89d22f3..eff8f51 100644 --- a/src/security/core/tests/common/test_utils.c +++ b/src/security/core/tests/common/test_utils.c @@ -538,3 +538,37 @@ const char * bpk_to_str(DDS_Security_BasicProtectionKind bpk) assert (false); return NULL; } + +DDS_Security_DatawriterCryptoHandle get_builtin_writer_crypto_handle(dds_entity_t participant, unsigned entityid) +{ + DDS_Security_DatawriterCryptoHandle crypto_handle; + struct dds_entity *pp_entity; + struct participant *pp; + struct writer *wr; + CU_ASSERT_EQUAL_FATAL(dds_entity_pin(participant, &pp_entity), 0); + thread_state_awake(lookup_thread_state(), &pp_entity->m_domain->gv); + pp = entidx_lookup_participant_guid(pp_entity->m_domain->gv.entity_index, &pp_entity->m_guid); + wr = get_builtin_writer(pp, entityid); + CU_ASSERT_FATAL(wr != NULL); + assert(wr != NULL); /* for Clang's static analyzer */ + crypto_handle = wr->sec_attr->crypto_handle; + thread_state_asleep(lookup_thread_state()); + dds_entity_unpin(pp_entity); + return crypto_handle; +} + +DDS_Security_DatawriterCryptoHandle get_writer_crypto_handle(dds_entity_t writer) +{ + DDS_Security_DatawriterCryptoHandle crypto_handle; + struct dds_entity *wr_entity; + struct writer *wr; + CU_ASSERT_EQUAL_FATAL(dds_entity_pin(writer, &wr_entity), 0); + thread_state_awake(lookup_thread_state(), &wr_entity->m_domain->gv); + wr = entidx_lookup_writer_guid(wr_entity->m_domain->gv.entity_index, &wr_entity->m_guid); + CU_ASSERT_FATAL(wr != NULL); + assert(wr != NULL); /* for Clang's static analyzer */ + crypto_handle = wr->sec_attr->crypto_handle; + thread_state_asleep(lookup_thread_state()); + dds_entity_unpin(wr_entity); + return crypto_handle; +} diff --git a/src/security/core/tests/common/test_utils.h b/src/security/core/tests/common/test_utils.h index 2a68327..7fe1487 100644 --- a/src/security/core/tests/common/test_utils.h +++ b/src/security/core/tests/common/test_utils.h @@ -26,6 +26,9 @@ #define BPK_S DDS_SECURITY_BASICPROTECTION_KIND_SIGN #define BPK_E DDS_SECURITY_BASICPROTECTION_KIND_ENCRYPT +#define PF_F "file:" +#define PF_D "data:," + #define MAX_LOCAL_IDENTITIES 8 #define MAX_REMOTE_IDENTITIES 8 #define MAX_HANDSHAKES 32 @@ -82,5 +85,7 @@ void write_read_for (dds_entity_t wr, dds_entity_t pp_rd, dds_entity_t rd, dds_d struct dds_security_cryptography_impl * get_crypto_context (dds_entity_t participant); const char * pk_to_str (DDS_Security_ProtectionKind pk); const char * bpk_to_str (DDS_Security_BasicProtectionKind bpk); +DDS_Security_DatawriterCryptoHandle get_builtin_writer_crypto_handle(dds_entity_t participant, unsigned entityid); +DDS_Security_DatawriterCryptoHandle get_writer_crypto_handle(dds_entity_t writer); #endif /* SECURITY_CORE_TEST_UTILS_H_ */ diff --git a/src/security/core/tests/secure_communication.c b/src/security/core/tests/secure_communication.c index 4b3e790..94f8c13 100644 --- a/src/security/core/tests/secure_communication.c +++ b/src/security/core/tests/secure_communication.c @@ -154,9 +154,8 @@ static void test_init(const struct domain_sec_config * domain_config, size_t n_s assert (n_pub_domains < MAX_DOMAINS); assert (n_pub_participants < MAX_PARTICIPANTS); - char * gov_topic_rule = get_governance_topic_rule ("*", true, true, true, true, pk_to_str (domain_config->metadata_pk), bpk_to_str (domain_config->payload_pk)); - char * gov_config_signed = get_governance_config (false, true, pk_to_str (domain_config->discovery_pk), pk_to_str (domain_config->liveliness_pk), - pk_to_str (domain_config->rtps_pk), gov_topic_rule, false); + char * gov_topic_rule = get_governance_topic_rule ("*", true, true, true, true, domain_config->metadata_pk, domain_config->payload_pk); + char * gov_config_signed = get_governance_config (false, true, domain_config->discovery_pk, domain_config->liveliness_pk, domain_config->rtps_pk, gov_topic_rule, false); struct kvp config_vars[] = { { "GOVERNANCE_DATA", gov_config_signed, 1 },