eclipse-zenoh · Mallets · Jul 24, 2024 · Jul 24, 2024 · Jul 23, 2024 · Jul 23, 2024
diff --git a/DEFAULT_CONFIG.json5 b/DEFAULT_CONFIG.json5
@@ -199,7 +199,8 @@
   //       /// Id has to be unique within the rule set
   //       "id": "rule1",
   //       "messages": [
-  //         "put", "query", "declare_subscriber", "declare_queryable"
+  //         "put", "delete", "declare_subscriber", 
+  //         "query", "reply", "declare_queryable",
   //       ],
   //       "flows":["egress","ingress"],
   //       "permission": "allow",
@@ -210,7 +211,8 @@
   //     {
   //       "id": "rule2",
   //       "messages": [
-  //         "put", "query", "declare_subscriber", "declare_queryable"
+  //         "put", "delete", "declare_subscriber", 
+  //         "query", "reply", "declare_queryable",
   //       ],
   //       "flows":["ingress"],
   //       "permission": "allow",

diff --git a/commons/zenoh-config/src/lib.rs b/commons/zenoh-config/src/lib.rs
@@ -166,9 +166,11 @@ pub struct PolicyRule {
 #[serde(rename_all = "snake_case")]
 pub enum AclMessage {
     Put,
+    Delete,
     DeclareSubscriber,
     Query,
     DeclareQueryable,
+    Reply,
 }
 
 #[derive(Clone, Copy, Debug, Serialize, Deserialize, Eq, Hash, PartialEq)]

diff --git a/zenoh/src/net/routing/dispatcher/queries.rs b/zenoh/src/net/routing/dispatcher/queries.rs
@@ -718,7 +718,7 @@ pub(crate) fn route_send_response(
                         ext_tstamp,
                         ext_respid,
                     },
-                    "".to_string(), // @TODO provide the proper key expression of the response for interceptors
+                    key_expr.to_string(),
                 ));
         }
         None => tracing::warn!(

diff --git a/zenoh/src/net/routing/interceptor/access_control.rs b/zenoh/src/net/routing/interceptor/access_control.rs
@@ -26,7 +26,7 @@ use zenoh_config::{
 };
 use zenoh_protocol::{
     core::ZenohIdProto,
-    network::{Declare, DeclareBody, NetworkBody, NetworkMessage, Push, Request},
+    network::{Declare, DeclareBody, NetworkBody, NetworkMessage, Push, Request, Response},
     zenoh::{PushBody, RequestBody},
 };
 use zenoh_result::ZResult;
@@ -243,6 +243,16 @@ impl InterceptorTrait for IngressAclEnforcer {
                     return None;
                 }
             }
+            NetworkBody::Push(Push {
+                payload: PushBody::Del(_),
+                ..
+            }) => {
+                if self.action(AclMessage::Delete, "Delete (ingress)", key_expr?)
+                    == Permission::Deny
+                {
+                    return None;
+                }
+            }
             NetworkBody::Request(Request {
                 payload: RequestBody::Query(_),
                 ..
@@ -278,7 +288,44 @@ impl InterceptorTrait for IngressAclEnforcer {
                     return None;
                 }
             }
-            _ => {}
+            NetworkBody::Response(Response { .. }) => {
+                if self.action(AclMessage::Reply, "Reply (ingress)", key_expr?) == Permission::Deny
+                {
+                    return None;
+                }
+            }
+            // Unfiltered Declare messages
+            NetworkBody::Declare(Declare {
+                body: DeclareBody::DeclareKeyExpr(_),
+                ..
+            })
+            | NetworkBody::Declare(Declare {
+                body: DeclareBody::DeclareFinal(_),
+                ..
+            })
+            | NetworkBody::Declare(Declare {
+                body: DeclareBody::DeclareToken(_),
+                ..
+            }) => {}
+            // Unfiltered Undeclare messages
+            NetworkBody::Declare(Declare {
+                body: DeclareBody::UndeclareKeyExpr(_),
+                ..
+            })
+            | NetworkBody::Declare(Declare {
+                body: DeclareBody::UndeclareToken(_),
+                ..
+            })
+            | NetworkBody::Declare(Declare {
+                body: DeclareBody::UndeclareQueryable(_),
+                ..
+            })
+            | NetworkBody::Declare(Declare {
+                body: DeclareBody::UndeclareSubscriber(_),
+                ..
+            }) => {}
+            // Unfiltered remaining message types
+            NetworkBody::Interest(_) | NetworkBody::OAM(_) | NetworkBody::ResponseFinal(_) => {}
         }
         Some(ctx)
     }
@@ -313,6 +360,15 @@ impl InterceptorTrait for EgressAclEnforcer {
                     return None;
                 }
             }
+            NetworkBody::Push(Push {
+                payload: PushBody::Del(_),
+                ..
+            }) => {
+                if self.action(AclMessage::Delete, "Delete (egress)", key_expr?) == Permission::Deny
+                {
+                    return None;
+                }
+            }
             NetworkBody::Request(Request {
                 payload: RequestBody::Query(_),
                 ..
@@ -347,7 +403,43 @@ impl InterceptorTrait for EgressAclEnforcer {
                     return None;
                 }
             }
-            _ => {}
+            NetworkBody::Response(Response { .. }) => {
+                if self.action(AclMessage::Reply, "Reply (egress)", key_expr?) == Permission::Deny {
+                    return None;
+                }
+            }
+            // Unfiltered Declare messages
+            NetworkBody::Declare(Declare {
+                body: DeclareBody::DeclareKeyExpr(_),
+                ..
+            })
+            | NetworkBody::Declare(Declare {
+                body: DeclareBody::DeclareFinal(_),
+                ..
+            })
+            | NetworkBody::Declare(Declare {
+                body: DeclareBody::DeclareToken(_),
+                ..
+            }) => {}
+            // Unfiltered Undeclare messages
+            NetworkBody::Declare(Declare {
+                body: DeclareBody::UndeclareKeyExpr(_),
+                ..
+            })
+            | NetworkBody::Declare(Declare {
+                body: DeclareBody::UndeclareToken(_),
+                ..
+            })
+            | NetworkBody::Declare(Declare {
+                body: DeclareBody::UndeclareQueryable(_),
+                ..
+            })
+            | NetworkBody::Declare(Declare {
+                body: DeclareBody::UndeclareSubscriber(_),
+                ..
+            }) => {}
+            // Unfiltered remaining message types
+            NetworkBody::Interest(_) | NetworkBody::OAM(_) | NetworkBody::ResponseFinal(_) => {}
         }
         Some(ctx)
     }

diff --git a/zenoh/src/net/routing/interceptor/authorization.rs b/zenoh/src/net/routing/interceptor/authorization.rs
@@ -184,25 +184,31 @@ impl PermissionPolicy {
 struct ActionPolicy {
     query: PermissionPolicy,
     put: PermissionPolicy,
+    delete: PermissionPolicy,
     declare_subscriber: PermissionPolicy,
     declare_queryable: PermissionPolicy,
+    reply: PermissionPolicy,
 }
 
 impl ActionPolicy {
     fn action(&self, action: AclMessage) -> &PermissionPolicy {
         match action {
             AclMessage::Query => &self.query,
             AclMessage::Put => &self.put,
+            AclMessage::Delete => &self.delete,
             AclMessage::DeclareSubscriber => &self.declare_subscriber,
             AclMessage::DeclareQueryable => &self.declare_queryable,
+            AclMessage::Reply => &self.reply,
         }
     }
     fn action_mut(&mut self, action: AclMessage) -> &mut PermissionPolicy {
         match action {
             AclMessage::Query => &mut self.query,
             AclMessage::Put => &mut self.put,
+            AclMessage::Delete => &mut self.delete,
             AclMessage::DeclareSubscriber => &mut self.declare_subscriber,
             AclMessage::DeclareQueryable => &mut self.declare_queryable,
+            AclMessage::Reply => &mut self.reply,
         }
     }
 }