Implement on_revoke_identity_cb

Implement the revoke identity callback in ddsi that is called when
the identity certificate of a participant expires. In case the
identity handle that expires is from a local participant, all
proxy pp connections will be dropped for this participant. In case
the identity that expires is from a remote participant, the
corresponding proxy participant is deleted.

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Dennis Potman 2020-03-30 09:32:21 +02:00 committed by eboasson
parent 736d0a027a
commit e3056402fc
2 changed files with 60 additions and 18 deletions


@ -817,7 +817,7 @@ static DDS_Security_boolean on_revoke_permissions_cb(const dds_security_access_c
struct entidx_enum_proxy_participant eproxypp; struct entidx_enum_proxy_participant eproxypp;
struct participant *pp; struct participant *pp;
struct proxy_participant *proxypp; struct proxy_participant *proxypp;
bool local_perm = false; bool local = false;
thread_state_awake (lookup_thread_state (), gv); thread_state_awake (lookup_thread_state (), gv);
/* Find participants using this permissions handle */ /* Find participants using this permissions handle */
@ -830,7 +830,7 @@ static DDS_Security_boolean on_revoke_permissions_cb(const dds_security_access_c
{ {
uint32_t i = 0; uint32_t i = 0;
ddsrt_avl_citer_t it; ddsrt_avl_citer_t it;
local_perm = true; local = true;
for (struct pp_proxypp_match *ppm = ddsrt_avl_citer_first (&pp_proxypp_treedef, &pp->sec_attr->proxy_participants, &it); ppm; ppm = ddsrt_avl_citer_next (&it), i++) for (struct pp_proxypp_match *ppm = ddsrt_avl_citer_first (&pp_proxypp_treedef, &pp->sec_attr->proxy_participants, &it); ppm; ppm = ddsrt_avl_citer_next (&it), i++)
pp_proxypp_unrelate_locked (sc, pp, &ppm->proxypp_guid); pp_proxypp_unrelate_locked (sc, pp, &ppm->proxypp_guid);
} }
@ -839,7 +839,7 @@ static DDS_Security_boolean on_revoke_permissions_cb(const dds_security_access_c
entidx_enum_participant_fini (&epp); entidx_enum_participant_fini (&epp);
/* Find proxy participants using this permissions handle */ /* Find proxy participants using this permissions handle */
if (!local_perm) if (!local)
{ {
entidx_enum_proxy_participant_init (&eproxypp, gv->entity_index); entidx_enum_proxy_participant_init (&eproxypp, gv->entity_index);
while ((proxypp = entidx_enum_proxy_participant_next (&eproxypp)) != NULL) while ((proxypp = entidx_enum_proxy_participant_next (&eproxypp)) != NULL)
@ -868,8 +868,49 @@ static DDS_Security_boolean on_revoke_permissions_cb(const dds_security_access_c
static DDS_Security_boolean on_revoke_identity_cb(const dds_security_authentication *plugin, const DDS_Security_IdentityHandle handle) static DDS_Security_boolean on_revoke_identity_cb(const dds_security_authentication *plugin, const DDS_Security_IdentityHandle handle)
{ {
(void)plugin; struct ddsi_domaingv *gv = plugin->gv;
(void)handle; struct entidx_enum_participant epp;
struct entidx_enum_proxy_participant eproxypp;
struct participant *pp;
struct proxy_participant *proxypp;
bool local = false;
thread_state_awake (lookup_thread_state (), gv);
/* Find participants using this identity handle */
entidx_enum_participant_init (&epp, gv->entity_index);
while ((pp = entidx_enum_participant_next (&epp)) != NULL)
{
struct dds_security_context *sc = q_omg_security_get_secure_context(pp);
ddsrt_mutex_lock (&pp->sec_attr->lock);
if (pp->sec_attr->local_identity_handle == handle)
{
uint32_t i = 0;
ddsrt_avl_citer_t it;
local = true;
for (struct pp_proxypp_match *ppm = ddsrt_avl_citer_first (&pp_proxypp_treedef, &pp->sec_attr->proxy_participants, &it); ppm; ppm = ddsrt_avl_citer_next (&it), i++)
pp_proxypp_unrelate_locked (sc, pp, &ppm->proxypp_guid);
}
ddsrt_mutex_unlock (&pp->sec_attr->lock);
}
entidx_enum_participant_fini (&epp);
/* Find proxy participants using this permissions handle */
if (!local)
{
entidx_enum_proxy_participant_init (&eproxypp, gv->entity_index);
while ((proxypp = entidx_enum_proxy_participant_next (&eproxypp)) != NULL)
{
bool del_pp;
ddsrt_mutex_lock (&proxypp->sec_attr->lock);
del_pp = proxypp->sec_attr->remote_identity_handle == handle;
ddsrt_mutex_unlock (&proxypp->sec_attr->lock);
if (del_pp)
delete_proxy_participant_by_guid (gv, &proxypp->e.guid, ddsrt_time_wallclock (), false);
}
entidx_enum_proxy_participant_fini (&eproxypp);
}
thread_state_asleep (lookup_thread_state ());
return true; return true;
} }
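Review bot: In on_revoke_identity_cb, the loop over `pp->sec_attr->proxy_participants` calls `pp_proxypp_unrelate_locked` on each match while a `ddsrt_avl_citer_t` is still walking that tree. If that helper deletes and frees the match (its definition is outside this section, so this is inferred from the name), `ddsrt_avl_citer_next` then steps from a removed node, and either freed memory is read or some proxy participants stay related after the local identity has expired. Provided the helper always removes the entry it is given, draining the tree avoids the iterator and also drops the unused counter `i`: `while ((ppm = ddsrt_avl_find_min (&pp_proxypp_treedef, &pp->sec_attr->proxy_participants)) != NULL) pp_proxypp_unrelate_locked (sc, pp, &ppm->proxypp_guid);`. The same loop appears in the context lines of on_revoke_permissions_cb. Separately, the comment before `if (!local)` in the new function still says "permissions handle" and should read `/* Find proxy participants using this identity handle */`.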


@ -262,7 +262,8 @@ CU_Theory((const char * ca_dir, bool exp_fail), ddssec_authentication, trusted_c
authentication_fini (!exp_fail, !exp_fail); authentication_fini (!exp_fail, !exp_fail);
} }
#define M(n) ((n)*60) #define S(n) (n)
#define M(n) (S(n)*60)
#define H(n) (M(n)*60) #define H(n) (M(n)*60)
#define D(n) (H(n)*24) #define D(n) (H(n)*24)
CU_TheoryDataPoints(ddssec_authentication, expired_cert) = { CU_TheoryDataPoints(ddssec_authentication, expired_cert) = {
@ -274,18 +275,18 @@ CU_TheoryDataPoints(ddssec_authentication, expired_cert) = {
/* | | | | */"ca and id1 1min valid", /* | | | | */"ca and id1 1min valid",
/* | | | | | */"id1 and id2 1s valid, delay 1100ms", /* | | | | | */"id1 and id2 1s valid, delay 1100ms",
/* | | | | | | */"id1 valid after 1s, delay 1100ms", /* | | | | | | */"id1 valid after 1s, delay 1100ms",
/* | | | | | | | *//*"ca and id1 expire during session"*/), /* | | | | | | | */"id1 expire during session"),
CU_DataPoints(int32_t, 0, -M(1), 0, 0, 0, 0, 0, /*0*/ ), /* CA1 not before */ CU_DataPoints(int32_t, 0, -M(1), 0, 0, 0, 0, 0, 0 ), /* CA1 not before */
CU_DataPoints(int32_t, D(1), 0, D(1), D(1), M(1), D(1), D(1), /*2*/ ), /* CA1 not after (offset from local time) */ CU_DataPoints(int32_t, D(1), 0, D(1), D(1), M(1), D(1), D(1), D(1) ), /* CA1 not after (offset from local time) */
CU_DataPoints(int32_t, 0, 0, -D(1), 0, 0, 0, 1, /*0*/ ), /* ID1 not before (offset from local time) */ CU_DataPoints(int32_t, 0, 0, -D(1), 0, 0, 0, S(1), 0 ), /* ID1 not before (offset from local time) */
CU_DataPoints(int32_t, D(1), D(1), 0, D(1), M(1), 1, D(1), /*2*/ ), /* ID1 not after (offset from local time) */ CU_DataPoints(int32_t, D(1), D(1), 0, D(1), M(1), S(1), D(1), S(2) ), /* ID1 not after (offset from local time) */
CU_DataPoints(bool, false, true, true, false, false, true, false, /*false*/ ), /* expect validate local ID1 fail */ CU_DataPoints(bool, false, true, true, false, false, true, false, false ), /* expect validate local ID1 fail */
CU_DataPoints(int32_t, 0, 0, 0, -D(1), 0, 0, 0, /*0*/ ), /* ID2 not before (offset from local time) */ CU_DataPoints(int32_t, 0, 0, 0, -D(1), 0, 0, 0, 0 ), /* ID2 not before (offset from local time) */
CU_DataPoints(int32_t, D(1), D(1), D(1), 0, D(1), 1, D(1), /*D(1)*/ ), /* ID2 not after (offset from local time) */ CU_DataPoints(int32_t, D(1), D(1), D(1), 0, D(1), S(1), D(1), D(1) ), /* ID2 not after (offset from local time) */
CU_DataPoints(bool, false, true, false, true, false, true, false, /*false*/ ), /* expect validate local ID2 fail */ CU_DataPoints(bool, false, true, false, true, false, true, false, false ), /* expect validate local ID2 fail */
CU_DataPoints(uint32_t, 0, 0, 0, 0, 0, 1100, 1100, /*0*/ ), /* delay (ms) after generating certificate */ CU_DataPoints(uint32_t, 0, 0, 0, 0, 0, 1100, 1100, 0 ), /* delay (ms) after generating certificate */
CU_DataPoints(uint32_t, 1, 0, 0, 0, 1, 0, 1, /*3500*/ ), /* write/read data during x ms */ CU_DataPoints(uint32_t, 1, 0, 0, 0, 1, 0, 1, 3500 ), /* write/read data during x ms */
CU_DataPoints(bool, false, false, false, false, false, false, false, /*true*/ ), /* expect read data failure */ CU_DataPoints(bool, false, false, false, false, false, false, false, true ), /* expect read data failure */
}; };
CU_Theory( CU_Theory(
(const char * test_descr, int32_t ca_not_before, int32_t ca_not_after, (const char * test_descr, int32_t ca_not_before, int32_t ca_not_after,