Implement on_revoke_identity_cb

Implement the revoke identity callback in ddsi that is called when
the identity certificate of a participant expires. In case the
identity handle that expires is from a local participant, all
proxy pp connections will be dropped for this participant. In case
the identity that expires is from a remote participant, the
corresponding proxy participant is deleted.

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Dennis Potman 2020-03-30 09:32:21 +02:00 committed by eboasson
parent 736d0a027a
commit e3056402fc
2 changed files with 60 additions and 18 deletions


@ -817,7 +817,7 @@ static DDS_Security_boolean on_revoke_permissions_cb(const dds_security_access_c
struct entidx_enum_proxy_participant eproxypp;
struct participant *pp;
struct proxy_participant *proxypp;
bool local_perm = false;
bool local = false;
thread_state_awake (lookup_thread_state (), gv);
/* Find participants using this permissions handle */
@ -830,7 +830,7 @@ static DDS_Security_boolean on_revoke_permissions_cb(const dds_security_access_c
{
uint32_t i = 0;
ddsrt_avl_citer_t it;
local_perm = true;
local = true;
for (struct pp_proxypp_match *ppm = ddsrt_avl_citer_first (&pp_proxypp_treedef, &pp->sec_attr->proxy_participants, &it); ppm; ppm = ddsrt_avl_citer_next (&it), i++)
pp_proxypp_unrelate_locked (sc, pp, &ppm->proxypp_guid);
}
@ -839,7 +839,7 @@ static DDS_Security_boolean on_revoke_permissions_cb(const dds_security_access_c
entidx_enum_participant_fini (&epp);
/* Find proxy participants using this permissions handle */
if (!local_perm)
if (!local)
{
entidx_enum_proxy_participant_init (&eproxypp, gv->entity_index);
while ((proxypp = entidx_enum_proxy_participant_next (&eproxypp)) != NULL)
@ -868,8 +868,49 @@ static DDS_Security_boolean on_revoke_permissions_cb(const dds_security_access_c
static DDS_Security_boolean on_revoke_identity_cb(const dds_security_authentication *plugin, const DDS_Security_IdentityHandle handle)
{
(void)plugin;
(void)handle;
struct ddsi_domaingv *gv = plugin->gv;
struct entidx_enum_participant epp;
struct entidx_enum_proxy_participant eproxypp;
struct participant *pp;
struct proxy_participant *proxypp;
bool local = false;
thread_state_awake (lookup_thread_state (), gv);
/* Find participants using this identity handle */
entidx_enum_participant_init (&epp, gv->entity_index);
while ((pp = entidx_enum_participant_next (&epp)) != NULL)
{
struct dds_security_context *sc = q_omg_security_get_secure_context(pp);
ddsrt_mutex_lock (&pp->sec_attr->lock);
if (pp->sec_attr->local_identity_handle == handle)
{
uint32_t i = 0;
ddsrt_avl_citer_t it;
local = true;
for (struct pp_proxypp_match *ppm = ddsrt_avl_citer_first (&pp_proxypp_treedef, &pp->sec_attr->proxy_participants, &it); ppm; ppm = ddsrt_avl_citer_next (&it), i++)
pp_proxypp_unrelate_locked (sc, pp, &ppm->proxypp_guid);
}
ddsrt_mutex_unlock (&pp->sec_attr->lock);
}
entidx_enum_participant_fini (&epp);
/* Find proxy participants using this permissions handle */
if (!local)
{
entidx_enum_proxy_participant_init (&eproxypp, gv->entity_index);
while ((proxypp = entidx_enum_proxy_participant_next (&eproxypp)) != NULL)
{
bool del_pp;
ddsrt_mutex_lock (&proxypp->sec_attr->lock);
del_pp = proxypp->sec_attr->remote_identity_handle == handle;
ddsrt_mutex_unlock (&proxypp->sec_attr->lock);
if (del_pp)
delete_proxy_participant_by_guid (gv, &proxypp->e.guid, ddsrt_time_wallclock (), false);
}
entidx_enum_proxy_participant_fini (&eproxypp);
}
thread_state_asleep (lookup_thread_state ());
return true;
}
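Review bot: In on_revoke_identity_cb the inner loop walks `pp->sec_attr->proxy_participants` with `ddsrt_avl_citer_first`/`ddsrt_avl_citer_next` while calling `pp_proxypp_unrelate_locked` on each match; that function's body is not in this view, but if it removes and frees the entry from the same tree, the iterator and `ppm` are used after the node is gone, and that would happen exactly when an expired identity is being cut off. In that case a re-fetching loop is safer, `while ((ppm = ddsrt_avl_find_min (&pp_proxypp_treedef, &pp->sec_attr->proxy_participants)) != NULL) pp_proxypp_unrelate_locked (sc, pp, &ppm->proxypp_guid);`, which also removes the counter `i` that is incremented but never read. The loop in on_revoke_permissions_cb shown as context in the earlier hunks has the same shape. Both enumerations dereference `pp->sec_attr` and `proxypp->sec_attr` for every entity in the index, so if participants without security can exist in the same domain, a guard such as `if (pp->sec_attr == NULL) continue;` is needed before taking the lock. The comment above `if (!local)` was copied from the permissions callback and should read `/* Find proxy participants using this identity handle */`.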