Add test cases for the join_access_control governance setting and for
the access control plugin check_create_ and check_remote_ hooks,
using a wrapper plugin that simulates failure for each of these,
to test the DDSI integration with the access control plugin.
This commit also contains fixes for:
- an assert on DDS_RETCODE_OK in dds_create_reader and
dds_create_writer that cased the application to terminate in case
creation of a reader or writer is not allowed by security
- do not match a proxy reader that has the 'relay_only' set to
true, which is currently unsupported
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
The conversion of incoming discovery data (in "parameter list" format)
check for the presence of the entity GUID parameter for the particular
type of endpoint and use it as the key field in subsequent processing.
If the parameter is absent, deserialisation fails and the handlers are
never called and the old check is therefore no longer necessary.
Signed-off-by: Erik Boasson <eb@ilities.com>
The initialization of remote participant's key material was not protected
by the remote_participant_crypto lock, which could result in using partially
initialized remote key material. This caused intermittent test failures
with assertions on key_size in crypto_cipher_decrypt_data. This commit fixes
this issue by adding locking for the remote key material.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
expiry tests and add timestamps to test logging to get more stable
test results on Travis and enable analysing timeing issues.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Impement the revoke identity callback in ddsi that is called when
the identity certificate of a participant expires. In case the
identity handle that expires is from a local participant, all
proxy pp connections will be dropped for this participant. In case
the identity that expires is from a remote participant, the
corresponding proxy participant is deleted.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Implement handler for access control on_revoke_permissions. This callback
function disconnects and deletes all proxy participant that are using the
revoked permissions handle (in case of remote permissions expire) and
proxy participant that are connected with a participant for which the
permissions expire (local permissions expire).
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Refactoring security core tests and adding more tests:
- Dynamically generate ca and identity certificates in authentication tests, so that certificate expiry is tested.
Added writing/reading samples to these tests to ensure that nodes can (or cannot) communicate in a specific test case
- Secure communication tests: improved the validation of encryption in wrapper
- Added test for access control plugin settings
- Replaced the in-code test identities (and included ca private keys), added an additional identity
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
Including FreeBSD in preprocessor conditionals for APPLE fixes issues with UDP make_socket, as described in issue #488.
Signed-off-by: Michael Gary Dodson <md403@cam.ac.uk>
The security handshake is started when a node receives an SPDP message. The
SPDP receiver will reply with an SPDP, followed by a dds.sec.auth_request.
Because the initial SPDP sender will receive the auth_request immediately
after (or even before) the SPDP reply message, that node may not have finished
(or not even started) matching the remote writers and therefore it drops
the auth_request message. This results in a time-out in the handshake
process, and the auth_request has to be re-send. To avoid this, a short
(rather arbitrarily chosen, based on local testing) sleep is introduced
before the auth_request message is sent.
Signed-off-by: Dennis Potman <dennis.potman@adlinktech.com>
There exist implementations that advertise security-related
built-endpoints regardless of whether the participant has security
configured. Therefore, the test whether security is enabled for the
participant cannot simply be the presence of such an endpoint, because
the absence of an IDENTITY_TOKEN in the data is then considered an
error.
This commit simply changes the check to requiring the presence of the
endpoint and the presence of the IDENTITY_TOKEN.
Signed-off-by: Erik Boasson <eb@ilities.com>
This fixes some issues with the new discovery data ("plist" topics)
discovered on interoperating with some other DDS implementations:
* The interpretation of a keyhash as if it were a valid sample was wrong
in various ways: inconsistent endianness, incorrect encoding
identifier and a missing sentinel. As Cyclone follows the spec and
always provides a well-formed payload, the problem only surfaces when
interoperating with implementations that expect the recipient to make
do with a keyhash.
* Various paths failed to check for failure causing potential null
pointer dereferences.
Signed-off-by: Erik Boasson <eb@ilities.com>
This is merely a more convenient way of obtaining it: otherwise one has
subscribe to the correct built-in topic, read the sample corresponding
to the entity's instance handle and get the "key" field. That's a bit
of a detour to get the network-wide unique identifier.
Signed-off-by: Erik Boasson <eb@ilities.com>
The former name should be less confusing. Backwards compatibility is
preserved by only adding the sensible name as a typedef.
Signed-off-by: Erik Boasson <eb@ilities.com>
Interpretation of the c.dsign_algo and c.kagree_algo properties must not
assume the binary property to be a null-terminated string.
Signed-off-by: Erik Boasson <eb@ilities.com>
