Add domaingv pointer to security plugins, as a preparation for supporting the permissions_expiry callback (which needs the gv to enumerate participants).

Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Dennis Potman 2020-03-26 13:40:28 +01:00 committed by eboasson
parent a6a9d1f7c1
commit e6500b6528
26 changed files with 682 additions and 915 deletions


@ -14,10 +14,11 @@
#ifndef SECURITY_CORE_PLUGINS_H_
#define SECURITY_CORE_PLUGINS_H_
#include <stdint.h>
#include "dds/export.h"
#include "dds/ddsrt/retcode.h"
#include "dds/ddsrt/dynlib.h"
#include <stdint.h>
#include "dds/ddsi/ddsi_domaingv.h"
#include "dds/security/dds_security_api.h"
struct ddsrt_log_cfg;
@ -47,24 +48,14 @@ typedef struct dds_security_plugin_suite_config{
dds_security_plugin_config access_control;
} dds_security_plugin_suite_config;
DDS_EXPORT dds_return_t dds_security_plugin_release(
const dds_security_plugin *security_plugin,
void *context );
DDS_EXPORT dds_return_t dds_security_check_plugin_configuration(
const dds_security_plugin_suite_config *security_suite_config,
const struct ddsrt_log_cfg *logcfg);
DDS_EXPORT dds_return_t dds_security_load_security_library(
const dds_security_plugin_config *plugin_config,
dds_security_plugin *security_plugin, void **security_plugin_context,
const struct ddsrt_log_cfg *logcfg);
DDS_EXPORT dds_return_t dds_security_plugin_release(const dds_security_plugin *security_plugin, void *context);
DDS_EXPORT dds_return_t dds_security_check_plugin_configuration(const dds_security_plugin_suite_config *security_suite_config, struct ddsi_domaingv *gv);
DDS_EXPORT dds_return_t dds_security_load_security_library(const dds_security_plugin_config *plugin_config, dds_security_plugin *security_plugin,
void **security_plugin_context, struct ddsi_domaingv *gv);
DDS_EXPORT dds_return_t dds_security_verify_plugin_functions(
dds_security_authentication *authentication_context, dds_security_plugin *auth_plugin,
dds_security_cryptography *crypto_context, dds_security_plugin *crypto_plugin,
dds_security_access_control *access_control_context, dds_security_plugin *ac_plugin,
const struct ddsrt_log_cfg *logcfg);
dds_security_authentication *authentication_context, dds_security_plugin *auth_plugin,
dds_security_cryptography *crypto_context, dds_security_plugin *crypto_plugin,
dds_security_access_control *access_control_context, dds_security_plugin *ac_plugin,
struct ddsi_domaingv *gv);
#endif /* SECURITY_CORE_PLUGINS_H_ */
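Review bot: Every prototype that used to take `const struct ddsrt_log_cfg *logcfg` now takes a non-const `struct ddsi_domaingv *gv`, so the whole domain state becomes writable through an argument that was read-only before, although the loader code shown on this page uses it only for logging and for the plugin init call. If the mutable pointer is needed only for the init call in `dds_security_load_security_library`, say so in a comment there and consider `const struct ddsi_domaingv *gv` for `dds_security_check_plugin_configuration` and `dds_security_verify_plugin_functions`. Only pointers to the type are used here, so a forward declaration `struct ddsi_domaingv;` would do in place of `#include "dds/ddsi/ddsi_domaingv.h"`; the same holds for the three test wrapper headers. The `struct ddsrt_log_cfg;` declaration looks unused in this header now, as far as the visible lines show.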


@ -19,40 +19,40 @@
#include "dds/ddsrt/dynlib.h"
#include "dds/ddsrt/io.h"
static bool check_plugin_configuration (const dds_security_plugin_config *config, const char *name, const struct ddsrt_log_cfg *logcfg)
static bool check_plugin_configuration (const dds_security_plugin_config *config, const char *name, struct ddsi_domaingv *gv)
{
if (config->library_path == NULL || *config->library_path == 0) {
DDS_CERROR (logcfg, "%s security plugin library path is undefined or empty\n", name);
GVERROR ("%s security plugin library path is undefined or empty\n", name);
return false;
}
if (config->library_init == NULL || *config->library_init == 0) {
DDS_CERROR (logcfg, "%s security plugin init function is undefined or empty\n", name);
GVERROR ("%s security plugin init function is undefined or empty\n", name);
return false;
}
if (config->library_finalize == NULL || *config->library_finalize == 0) {
DDS_CERROR (logcfg, "%s security plugin finalize function is undefined or empty\n", name);
GVERROR ("%s security plugin finalize function is undefined or empty\n", name);
return false;
}
return true;
}
dds_return_t dds_security_check_plugin_configuration (const dds_security_plugin_suite_config *security_suite_config, const struct ddsrt_log_cfg *logcfg)
dds_return_t dds_security_check_plugin_configuration (const dds_security_plugin_suite_config *security_suite_config, struct ddsi_domaingv *gv)
{
if (check_plugin_configuration (&security_suite_config->access_control, "AccessControl", logcfg) &&
check_plugin_configuration (&security_suite_config->authentication, "Authentication", logcfg) &&
check_plugin_configuration (&security_suite_config->cryptography, "Cryptography", logcfg))
if (check_plugin_configuration (&security_suite_config->access_control, "AccessControl", gv) &&
check_plugin_configuration (&security_suite_config->authentication, "Authentication", gv) &&
check_plugin_configuration (&security_suite_config->cryptography, "Cryptography", gv))
return DDS_RETCODE_OK;
else
return DDS_RETCODE_ERROR;
}
static bool verify_function (const void *function_ptr, dds_security_plugin *plugin, const char *function_name, const struct ddsrt_log_cfg *logcfg)
static bool verify_function (const void *function_ptr, dds_security_plugin *plugin, const char *function_name, struct ddsi_domaingv *gv)
{
if (function_ptr != NULL)
return true;
else
{
DDS_CERROR (logcfg, "Could not find the function for %s: %s\n", plugin->name, function_name);
GVERROR ("Could not find the function for %s: %s\n", plugin->name, function_name);
return false;
}
}
@ -62,12 +62,12 @@ struct verify_plugin_functions_tab {
const char *name;
};
static bool verify_plugin_functions (const void *context, dds_security_plugin *plugin, const struct verify_plugin_functions_tab *entries, size_t nentries, const struct ddsrt_log_cfg *logcfg)
static bool verify_plugin_functions (const void *context, dds_security_plugin *plugin, const struct verify_plugin_functions_tab *entries, size_t nentries, struct ddsi_domaingv *gv)
{
for (size_t i = 0; i < nentries; i++)
{
const char *p = (const char *) context + entries[i].off;
if (!verify_function (*((void **) p), plugin, entries[i].name, logcfg))
if (!verify_function (*((void **) p), plugin, entries[i].name, gv))
return false;
}
return true;
@ -77,7 +77,7 @@ dds_return_t dds_security_verify_plugin_functions(
dds_security_authentication *authentication_context, dds_security_plugin *auth_plugin,
dds_security_cryptography *crypto_context, dds_security_plugin *crypto_plugin,
dds_security_access_control *access_control_context, dds_security_plugin *ac_plugin,
const struct ddsrt_log_cfg *logcfg)
struct ddsi_domaingv *gv)
{
#define FGEN(context, name) { offsetof (context, name), #name }
#define F(name) FGEN (dds_security_authentication, name)
@ -170,7 +170,7 @@ dds_return_t dds_security_verify_plugin_functions(
F (decode_serialized_payload)
};
#undef F
#define C(context, plugin, table) verify_plugin_functions (context, plugin, table, sizeof (table) / sizeof (table[0]), logcfg)
#define C(context, plugin, table) verify_plugin_functions (context, plugin, table, sizeof (table) / sizeof (table[0]), gv)
if (C (authentication_context, auth_plugin, auth) &&
C (access_control_context, ac_plugin, ac) &&
C (crypto_context->crypto_key_factory, crypto_plugin, cryptoF) &&
@ -189,7 +189,8 @@ dds_return_t dds_security_verify_plugin_functions(
/**
* All fields of the library properties are supposed to be non-empty
*/
dds_return_t dds_security_load_security_library (const dds_security_plugin_config *plugin_config, dds_security_plugin *security_plugin, void **security_plugin_context, const struct ddsrt_log_cfg *logcfg)
dds_return_t dds_security_load_security_library (const dds_security_plugin_config *plugin_config, dds_security_plugin *security_plugin,
void **security_plugin_context, struct ddsi_domaingv *gv)
{
dds_return_t lib_ret;
char *init_parameters = "";
@ -211,30 +212,30 @@ dds_return_t dds_security_load_security_library (const dds_security_plugin_confi
{
char buffer[256];
ddsrt_dlerror (buffer, sizeof (buffer));
DDS_CERROR (logcfg, "Could not load %s library: %s\n", security_plugin->name, buffer);
GVERROR ("Could not load %s library: %s\n", security_plugin->name, buffer);
goto load_error;
}
void *tmp;
if (ddsrt_dlsym (security_plugin->lib_handle, plugin_config->library_init, &tmp) != DDS_RETCODE_OK)
{
DDS_CERROR (logcfg, "Could not find the function: %s\n", plugin_config->library_init);
GVERROR ("Could not find the function: %s\n", plugin_config->library_init);
goto library_error;
}
security_plugin->func_init = (plugin_init) tmp;
if (ddsrt_dlsym (security_plugin->lib_handle, plugin_config->library_finalize, &tmp) != DDS_RETCODE_OK)
{
DDS_CERROR (logcfg, "Could not find the function: %s\n", plugin_config->library_finalize);
GVERROR ("Could not find the function: %s\n", plugin_config->library_finalize);
goto library_error;
}
security_plugin->func_finalize = (plugin_finalize) tmp;
if (security_plugin->func_init != 0)
{
if (security_plugin->func_init (init_parameters, (void **) security_plugin_context) != DDS_RETCODE_OK)
if (security_plugin->func_init (init_parameters, (void **) security_plugin_context, gv) != DDS_RETCODE_OK)
{
DDS_CERROR (logcfg, "Error occured while initializing %s plugin\n", security_plugin->name);
GVERROR ("Error occured while initializing %s plugin\n", security_plugin->name);
goto library_error;
}
}
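Review bot: The init symbol is resolved by name with `ddsrt_dlsym` and cast to `plugin_init`, so a plugin library built against the old two-argument init would still load and be called with the extra `gv` argument, and nothing visible here detects the mismatch. The new contract should at least be documented at the `plugin_init` typedef and in the comment above `dds_security_load_security_library`, for example `gv must be non-NULL; it is passed to the plugin's init function and used for error logging`. `GVERROR` presumably dereferences the local `gv`, so a NULL `gv` would fault on the first error path instead of reporting it. The body of `dds_security_load_security_library` continues outside this hunk.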


@ -514,10 +514,11 @@ static struct dds_security_access_control_impl * init_test_access_control_common
return impl;
}
int32_t init_test_access_control_all_ok(const char *argument, void **context)
int32_t init_test_access_control_all_ok(const char *argument, void **context, struct ddsi_domaingv *gv)
{
DDSRT_UNUSED_ARG(argument);
DDSRT_UNUSED_ARG(context);
DDSRT_UNUSED_ARG(gv);
struct dds_security_access_control_impl *impl = init_test_access_control_common();
impl->mode = PLUGIN_MODE_ALL_OK;
*context = impl;
@ -531,10 +532,11 @@ int32_t finalize_test_access_control_all_ok(void *context)
return 0;
}
int32_t init_test_access_control_missing_func(const char *argument, void **context)
int32_t init_test_access_control_missing_func(const char *argument, void **context, struct ddsi_domaingv *gv)
{
DDSRT_UNUSED_ARG(argument);
DDSRT_UNUSED_ARG(context);
DDSRT_UNUSED_ARG(gv);
struct dds_security_access_control_impl *impl = init_test_access_control_common();
impl->base.check_create_datareader = NULL;
impl->mode = PLUGIN_MODE_MISSING_FUNC;
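Review bot: `DDSRT_UNUSED_ARG(context);` now sits next to the new `DDSRT_UNUSED_ARG(gv);` in `init_test_access_control_all_ok`, although `context` is written a few lines later by `*context = impl;`, so the marker is misleading. Drop it and keep only the markers for `argument` and `gv`. `init_test_authentication_all_ok` has the same pattern. `init_test_access_control_missing_func` and `init_test_authentication_missing_func` carry the same marker and presumably assign `*context` as well, but their bodies run past the end of their hunks.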


@ -12,15 +12,16 @@
#ifndef SECURITY_CORE_TEST_ACCESS_CONTROL_WRAPPER_H_
#define SECURITY_CORE_TEST_ACCESS_CONTROL_WRAPPER_H_
#include "dds/ddsi/ddsi_domaingv.h"
#include "dds/security/dds_security_api.h"
#include "dds/security/access_control_wrapper_export.h"
/* Init in all-ok mode: all functions return success without calling the actual plugin */
SECURITY_EXPORT int32_t init_test_access_control_all_ok(const char *argument, void **context);
SECURITY_EXPORT int32_t init_test_access_control_all_ok(const char *argument, void **context, struct ddsi_domaingv *gv);
SECURITY_EXPORT int32_t finalize_test_access_control_all_ok(void *context);
/* Init in missing function mode: one of the function pointers is null */
SECURITY_EXPORT int32_t init_test_access_control_missing_func(const char *argument, void **context);
SECURITY_EXPORT int32_t init_test_access_control_missing_func(const char *argument, void **context, struct ddsi_domaingv *gv);
SECURITY_EXPORT int32_t finalize_test_access_control_missing_func(void *context);
#endif /* SECURITY_CORE_TEST_ACCESS_CONTROL_WRAPPER_H_ */


@ -22,7 +22,7 @@
#include "test_identity.h"
#include "plugin_wrapper_msg_q.h"
int32_t init_authentication(const char *argument, void **context);
int32_t init_authentication(const char *argument, void **context, struct ddsi_domaingv *gv);
int32_t finalize_authentication(void *context);
enum auth_plugin_mode {
@ -41,7 +41,6 @@ struct dds_security_authentication_impl
dds_security_authentication base;
dds_security_authentication *instance;
struct message_queue msg_queue;
const struct ddsi_domaingv *gv;
enum auth_plugin_mode mode;
};
@ -439,7 +438,7 @@ static struct dds_security_authentication_impl * get_impl_for_domain(dds_domaini
{
for (size_t i = 0; i < auth_impl_idx; i++)
{
if (auth_impl[i] && auth_impl[i]->gv->config.domainId == domain_id)
if (auth_impl[i] && auth_impl[i]->instance->gv->config.domainId == domain_id)
{
return auth_impl[i];
}
@ -483,10 +482,11 @@ static struct dds_security_authentication_impl * init_test_authentication_common
return impl;
}
int32_t init_test_authentication_all_ok(const char *argument, void **context)
int32_t init_test_authentication_all_ok(const char *argument, void **context, struct ddsi_domaingv *gv)
{
DDSRT_UNUSED_ARG(argument);
DDSRT_UNUSED_ARG(context);
DDSRT_UNUSED_ARG(gv);
struct dds_security_authentication_impl *impl = init_test_authentication_common();
impl->mode = PLUGIN_MODE_ALL_OK;
*context = impl;
@ -500,10 +500,11 @@ int32_t finalize_test_authentication_all_ok(void *context)
return 0;
}
int32_t init_test_authentication_missing_func(const char *argument, void **context)
int32_t init_test_authentication_missing_func(const char *argument, void **context, struct ddsi_domaingv *gv)
{
DDSRT_UNUSED_ARG(argument);
DDSRT_UNUSED_ARG(context);
DDSRT_UNUSED_ARG(gv);
struct dds_security_authentication_impl *impl = init_test_authentication_common();
impl->base.get_shared_secret = NULL;
impl->mode = PLUGIN_MODE_MISSING_FUNC;
@ -518,10 +519,11 @@ int32_t finalize_test_authentication_missing_func(void *context)
return 0;
}
int32_t init_test_authentication_init_error(const char *argument, void **context)
int32_t init_test_authentication_init_error(const char *argument, void **context, struct ddsi_domaingv *gv)
{
DDSRT_UNUSED_ARG(argument);
DDSRT_UNUSED_ARG(context);
DDSRT_UNUSED_ARG(gv);
return 1;
}
@ -535,19 +537,14 @@ int32_t finalize_test_authentication_init_error(void *context)
* Init and fini functions for using wrapped mode for the authentication plugin.
* These functions assumes that there are no concurrent calls, as the static
* variables used here are not protected by a lock. */
int32_t init_test_authentication_wrapped(const char *argument, void **context)
int32_t init_test_authentication_wrapped(const char *argument, void **context, struct ddsi_domaingv *gv)
{
int32_t ret;
struct dds_security_authentication_impl *impl = init_test_authentication_common();
impl->mode = PLUGIN_MODE_WRAPPED;
init_message_queue(&impl->msg_queue);
struct thread_state1 * const ts1 = lookup_thread_state ();
struct ddsi_domaingv const * const gv = ddsrt_atomic_ldvoidp (&ts1->gv);
impl->gv = gv;
ret = init_authentication(argument, (void **)&impl->instance);
ret = init_authentication(argument, (void **)&impl->instance, gv);
auth_impl_idx++;
auth_impl = ddsrt_realloc(auth_impl, auth_impl_idx * sizeof(*auth_impl));
auth_impl[auth_impl_idx - 1] = impl;
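Review bot: `get_impl_for_domain` now reads the domain through `auth_impl[i]->instance->gv`, while `init_test_authentication_wrapped` appends `impl` to `auth_impl` right after `init_authentication` returns and before any check of `ret` visible in the hunk. If `init_authentication` fails and leaves `impl->instance` NULL, the next lookup dereferences a null pointer; the old code did not have this dependency because `impl->gv` was stored separately. Guard the lookup with `if (auth_impl[i] && auth_impl[i]->instance && auth_impl[i]->instance->gv->config.domainId == domain_id)`, or register `impl` only when `ret` indicates success. The function body continues outside the hunk, so a later check of `ret` may exist but would come after the registration.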


@ -12,24 +12,25 @@
#ifndef SECURITY_CORE_TEST_AUTHENTICATION_WRAPPER_H_
#define SECURITY_CORE_TEST_AUTHENTICATION_WRAPPER_H_
#include "dds/ddsi/ddsi_domaingv.h"
#include "dds/security/dds_security_api.h"
#include "dds/security/authentication_wrapper_export.h"
#include "plugin_wrapper_msg_q.h"
/* Init in wrapper mode */
SECURITY_EXPORT int32_t init_test_authentication_wrapped(const char *argument, void **context);
SECURITY_EXPORT int32_t init_test_authentication_wrapped(const char *argument, void **context, struct ddsi_domaingv *gv);
SECURITY_EXPORT int32_t finalize_test_authentication_wrapped(void *context);
/* Init in all-ok mode: all functions return success without calling the actual plugin */
SECURITY_EXPORT int32_t init_test_authentication_all_ok(const char *argument, void **context);
SECURITY_EXPORT int32_t init_test_authentication_all_ok(const char *argument, void **context, struct ddsi_domaingv *gv);
SECURITY_EXPORT int32_t finalize_test_authentication_all_ok(void *context);
/* Init in missing function mode: one of the function pointers is null */
SECURITY_EXPORT int32_t init_test_authentication_missing_func(const char *argument, void **context);
SECURITY_EXPORT int32_t init_test_authentication_missing_func(const char *argument, void **context, struct ddsi_domaingv *gv);
SECURITY_EXPORT int32_t finalize_test_authentication_missing_func(void *context);
/* Init function fails */
SECURITY_EXPORT int32_t init_test_authentication_init_error(const char *argument, void **context);
SECURITY_EXPORT int32_t init_test_authentication_init_error(const char *argument, void **context, struct ddsi_domaingv *gv);
SECURITY_EXPORT int32_t finalize_test_authentication_init_error(void *context);
SECURITY_EXPORT struct message * test_authentication_plugin_take_msg(dds_domainid_t domain_id, message_kind_t kind, DDS_Security_IdentityHandle lidHandle, DDS_Security_IdentityHandle ridHandle, DDS_Security_IdentityHandle hsHandle, dds_duration_t timeout);


@ -22,7 +22,7 @@
#include "dds/security/core/dds_security_utils.h"
#include "cryptography_wrapper.h"
int32_t init_crypto(const char *argument, void **context);
int32_t init_crypto(const char *argument, void **context, struct ddsi_domaingv *gv);
int32_t finalize_crypto(void *context);
enum crypto_plugin_mode {
@ -700,14 +700,14 @@ static DDS_Security_boolean decode_serialized_payload(
/**
* Init and finalize functions
*/
static struct dds_security_cryptography_impl * init_test_cryptography_common(const char *argument, bool wrapped)
static struct dds_security_cryptography_impl * init_test_cryptography_common(const char *argument, bool wrapped, struct ddsi_domaingv *gv)
{
struct dds_security_cryptography_impl *impl = (struct dds_security_cryptography_impl*) ddsrt_malloc(sizeof(*impl));
memset(impl, 0, sizeof(*impl));
if (wrapped)
{
if (init_crypto(argument, (void **)&impl->instance) != DDS_SECURITY_SUCCESS)
if (init_crypto(argument, (void **)&impl->instance, gv) != DDS_SECURITY_SUCCESS)
return NULL;
impl->transform_wrap.instance = impl->instance->crypto_transform;
@ -763,9 +763,9 @@ static int32_t finalize_test_cryptography_common(struct dds_security_cryptograph
return DDS_SECURITY_SUCCESS;
}
int32_t init_test_cryptography_all_ok(const char *argument, void **context)
int32_t init_test_cryptography_all_ok(const char *argument, void **context, struct ddsi_domaingv *gv)
{
struct dds_security_cryptography_impl *impl = init_test_cryptography_common(argument, false);
struct dds_security_cryptography_impl *impl = init_test_cryptography_common(argument, false, gv);
if (!impl)
return DDS_SECURITY_FAILED;
impl->mode = PLUGIN_MODE_ALL_OK;
@ -780,9 +780,9 @@ int32_t finalize_test_cryptography_all_ok(void *context)
return finalize_test_cryptography_common(impl, false);
}
int32_t init_test_cryptography_missing_func(const char *argument, void **context)
int32_t init_test_cryptography_missing_func(const char *argument, void **context, struct ddsi_domaingv *gv)
{
struct dds_security_cryptography_impl *impl = init_test_cryptography_common(argument, false);
struct dds_security_cryptography_impl *impl = init_test_cryptography_common(argument, false, gv);
if (!impl)
return DDS_SECURITY_FAILED;
impl->base.crypto_key_exchange->set_remote_participant_crypto_tokens = NULL;
@ -798,9 +798,9 @@ int32_t finalize_test_cryptography_missing_func(void *context)
return finalize_test_cryptography_common(impl, false);
}
int32_t init_test_cryptography_wrapped(const char *argument, void **context)
int32_t init_test_cryptography_wrapped(const char *argument, void **context, struct ddsi_domaingv *gv)
{
struct dds_security_cryptography_impl *impl = init_test_cryptography_common(argument, true);
struct dds_security_cryptography_impl *impl = init_test_cryptography_common(argument, true, gv);
if (!impl)
return DDS_SECURITY_FAILED;
impl->mode = PLUGIN_MODE_WRAPPED;
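Review bot: In `init_test_cryptography_common` the failure branch of the changed `init_crypto(argument, (void **)&impl->instance, gv)` call returns NULL without releasing the `impl` allocated by `ddsrt_malloc` just above, so every failed wrapped init leaks the structure. Since the line is being touched anyway, free it on that path: `{ ddsrt_free(impl); return NULL; }`. A short comment that `gv` is forwarded only in wrapped mode would also help, because the all-ok and missing-func callers pass it and it is then ignored. The function continues outside the hunk.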


@ -12,6 +12,7 @@
#ifndef SECURITY_CORE_TEST_CRYPTO_WRAPPER_H_
#define SECURITY_CORE_TEST_CRYPTO_WRAPPER_H_
#include "dds/ddsi/ddsi_domaingv.h"
#include "dds/security/dds_security_api.h"
#include "dds/security/dds_security_api_defs.h"
#include "dds/security/cryptography_wrapper_export.h"
@ -34,15 +35,15 @@ SECURITY_EXPORT void set_disc_protection_kinds(
SECURITY_EXPORT void set_entity_data_secret(struct dds_security_cryptography_impl * impl, const char * pp_secret, const char * groupdata_secret, const char * ep_secret);
/* Init in all-ok mode: all functions return success without calling the actual plugin */
SECURITY_EXPORT int32_t init_test_cryptography_all_ok(const char *argument, void **context);
SECURITY_EXPORT int32_t init_test_cryptography_all_ok(const char *argument, void **context, struct ddsi_domaingv *gv);
SECURITY_EXPORT int32_t finalize_test_cryptography_all_ok(void *context);
/* Init in missing function mode: one of the function pointers is null */
SECURITY_EXPORT int32_t init_test_cryptography_missing_func(const char *argument, void **context);
SECURITY_EXPORT int32_t init_test_cryptography_missing_func(const char *argument, void **context, struct ddsi_domaingv *gv);
SECURITY_EXPORT int32_t finalize_test_cryptography_missing_func(void *context);
/* Init in wrapper mode */
SECURITY_EXPORT int32_t init_test_cryptography_wrapped(const char *argument, void **context);
SECURITY_EXPORT int32_t init_test_cryptography_wrapped(const char *argument, void **context, struct ddsi_domaingv *gv);
SECURITY_EXPORT int32_t finalize_test_cryptography_wrapped(void *context);
#endif /* SECURITY_CORE_TEST_CRYPTO_WRAPPER_H_ */