security-context -> enclave #612

Merged
merged 3 commits into from
Apr 13, 2020
2 changes: 1 addition & 1 deletion rcl/CMakeLists.txt
Expand Up @@ -58,7 +58,7 @@ set(${PROJECT_NAME}_sources
src/rcl/subscription.c
src/rcl/time.c
src/rcl/timer.c
src/rcl/validate_security_context_name.c
src/rcl/validate_enclave_name.c
src/rcl/validate_topic_name.c
src/rcl/wait.c
)
3 changes: 2 additions & 1 deletion rcl/include/rcl/arguments.h
Expand Up @@ -42,7 +42,8 @@ typedef struct rcl_arguments_t
#define RCL_PARAM_FILE_FLAG "--params-file"
#define RCL_REMAP_FLAG "--remap"
#define RCL_SHORT_REMAP_FLAG "-r"
#define RCL_SECURITY_CONTEXT_FLAG "--security-context"
#define RCL_ENCLAVE_FLAG "--enclave"
#define RCL_SHORT_ENCLAVE_FLAG "-e"
#define RCL_LOG_LEVEL_FLAG "--log-level"
#define RCL_EXTERNAL_LOG_CONFIG_FLAG "--log-config-file"
// To be prefixed with --enable- or --disable-
10 changes: 5 additions & 5 deletions rcl/include/rcl/graph.h
Expand Up @@ -441,9 +441,9 @@ rcl_get_node_names(
rcutils_string_array_t * node_names,
rcutils_string_array_t * node_namespaces);

/// Return a list of available nodes in the ROS graph, including their security context names.
/// Return a list of available nodes in the ROS graph, including their enclave names.
/**
* An \ref rcl_get_node_names equivalent, but including in its output the security context
* An \ref rcl_get_node_names equivalent, but including in its output the enclave
* name the node is using.
*
* <hr>
Expand All @@ -459,20 +459,20 @@ rcl_get_node_names(
* \param[in] allocator used to control allocation and deallocation of names
* \param[out] node_names struct storing discovered node names
* \param[out] node_namesspaces struct storing discovered node namespaces
* \param[out] security_contexts struct storing discovered node security contexts
* \param[out] enclaves struct storing discovered node enclaves
* \return `RCL_RET_OK` if the query was successful, or
* \return `RCL_RET_BAD_ALLOC` if an error occurred while allocating memory, or
* \return `RCL_RET_ERROR` if an unspecified error occurs.
*/
RCL_PUBLIC
RCL_WARN_UNUSED
rcl_ret_t
rcl_get_node_names_with_security_contexts(
rcl_get_node_names_with_enclaves(
const rcl_node_t * node,
rcl_allocator_t allocator,
rcutils_string_array_t * node_names,
rcutils_string_array_t * node_namespaces,
rcutils_string_array_t * security_contexts);
rcutils_string_array_t * enclaves);

/// Return the number of publishers on a given topic.
/**
6 changes: 3 additions & 3 deletions rcl/include/rcl/security.h
Expand Up @@ -92,9 +92,9 @@ RCL_PUBLIC
rcl_ret_t
rcl_get_enforcement_policy(rmw_security_enforcement_policy_t * policy);

/// Return the secure root given a security context name.
/// Return the secure root given a enclave name.
/**
* Return the security directory associated with the security context name.
* Return the security directory associated with the enclave name.
*
* The value of the environment variable `ROS_SECURITY_ROOT_DIRECTORY` is used as a root.
* The specific directory to be used, is found from that root using the `name` passed.
Expand All @@ -104,7 +104,7 @@ rcl_get_enforcement_policy(rmw_security_enforcement_policy_t * policy);
* However, this expansion can be overridden by setting the secure directory override environment
* (`ROS_SECURITY_DIRECTORY_OVERRIDE`) variable, allowing users to explicitly specify the exact secure
* root directory to be utilized.
* Such an override is useful for applications where the security context is non-deterministic
* Such an override is useful for applications where the enclave is non-deterministic
* before runtime, or when testing and using additional tools that may not otherwise be easily
* provisioned.
*
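Review bot: The rewritten brief at the top of the first hunk reads `/// Return the secure root given a enclave name.`; the article is wrong and it should be `/// Return the secure root given an enclave name.`. The detailed description on the following lines and the second hunk use the new term consistently, so this is the only wording slip in the file. The declaration this comment documents lies below the second hunk, outside this view.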
Expand Up @@ -12,8 +12,8 @@
// See the License for the specific language governing permissions and
// limitations under the License.

#ifndef RCL__VALIDATE_SECURITY_CONTEXT_NAME_H_
#define RCL__VALIDATE_SECURITY_CONTEXT_NAME_H_
#ifndef RCL__VALIDATE_ENCLAVE_NAME_H_
#define RCL__VALIDATE_ENCLAVE_NAME_H_

#ifdef __cplusplus
extern "C"
Expand All @@ -27,27 +27,27 @@ extern "C"
#include "rcl/types.h"
#include "rcl/visibility_control.h"

#define RCL_SECURITY_CONTEXT_NAME_VALID RMW_NAMESPACE_VALID
#define RCL_SECURITY_CONTEXT_NAME_INVALID_IS_EMPTY_STRING RMW_NAMESPACE_INVALID_IS_EMPTY_STRING
#define RCL_SECURITY_CONTEXT_NAME_INVALID_NOT_ABSOLUTE RMW_NAMESPACE_INVALID_NOT_ABSOLUTE
#define RCL_SECURITY_CONTEXT_NAME_INVALID_ENDS_WITH_FORWARD_SLASH \
#define RCL_ENCLAVE_NAME_VALID RMW_NAMESPACE_VALID
#define RCL_ENCLAVE_NAME_INVALID_IS_EMPTY_STRING RMW_NAMESPACE_INVALID_IS_EMPTY_STRING
#define RCL_ENCLAVE_NAME_INVALID_NOT_ABSOLUTE RMW_NAMESPACE_INVALID_NOT_ABSOLUTE
#define RCL_ENCLAVE_NAME_INVALID_ENDS_WITH_FORWARD_SLASH \
RMW_NAMESPACE_INVALID_ENDS_WITH_FORWARD_SLASH
#define RCL_SECURITY_CONTEXT_NAME_INVALID_CONTAINS_UNALLOWED_CHARACTERS \
#define RCL_ENCLAVE_NAME_INVALID_CONTAINS_UNALLOWED_CHARACTERS \
RMW_NAMESPACE_INVALID_CONTAINS_UNALLOWED_CHARACTERS
#define RCL_SECURITY_CONTEXT_NAME_INVALID_CONTAINS_REPEATED_FORWARD_SLASH \
#define RCL_ENCLAVE_NAME_INVALID_CONTAINS_REPEATED_FORWARD_SLASH \
RMW_NAMESPACE_INVALID_CONTAINS_REPEATED_FORWARD_SLASH
#define RCL_SECURITY_CONTEXT_NAME_INVALID_NAME_TOKEN_STARTS_WITH_NUMBER \
#define RCL_ENCLAVE_NAME_INVALID_NAME_TOKEN_STARTS_WITH_NUMBER \
RMW_NAMESPACE_INVALID_NAME_TOKEN_STARTS_WITH_NUMBER
#define RCL_SECURITY_CONTEXT_NAME_INVALID_TOO_LONG RMW_NAMESPACE_INVALID_TOO_LONG
#define RCL_ENCLAVE_NAME_INVALID_TOO_LONG RMW_NAMESPACE_INVALID_TOO_LONG

#define RCL_SECURITY_CONTEXT_NAME_MAX_LENGTH RMW_NODE_NAME_MAX_NAME_LENGTH
#define RCL_ENCLAVE_NAME_MAX_LENGTH RMW_NODE_NAME_MAX_NAME_LENGTH

/// Determine if a given security context name is valid.
/// Determine if a given enclave name is valid.
/**
* The same rules as \ref rmw_validate_namespace are used.
* The only difference is in the maximum allowed length, which can be up to 255 characters.
*
* \param[in] security_context security_context to be validated
* \param[in] enclave enclave to be validated
* \param[out] validation_result int in which the result of the check is stored
* \param[out] invalid_index index of the input string where an error occurred
* \returns `RMW_RET_OK` on successfully running the check, or
Expand All @@ -57,35 +57,35 @@ extern "C"
RCL_PUBLIC
RCL_WARN_UNUSED
rcl_ret_t
rcl_validate_security_context_name(
const char * security_context,
rcl_validate_enclave_name(
const char * enclave,
int * validation_result,
size_t * invalid_index);

/// Deterimine if a given security context name is valid.
/// Deterimine if a given enclave name is valid.
/**
* This is an overload of \ref rcl_validate_security_context_name with an extra parameter
* for the length of security_context.
* This is an overload of \ref rcl_validate_enclave_name with an extra parameter
* for the length of enclave.
*
* \param[in] security_context The number of characters in security_context.
* \param[in] enclave The number of characters in enclave.
*/
RCL_PUBLIC
RCL_WARN_UNUSED
rcl_ret_t
rcl_validate_security_context_name_with_size(
const char * security_context,
size_t security_context_length,
rcl_validate_enclave_name_with_size(
const char * enclave,
size_t enclave_length,
int * validation_result,
size_t * invalid_index);

/// Return a validation result description, or NULL if unknown or RCL_SECURITY_CONTEXT_NAME_VALID.
/// Return a validation result description, or NULL if unknown or RCL_ENCLAVE_NAME_VALID.
RCL_PUBLIC
RCL_WARN_UNUSED
const char *
rcl_security_context_name_validation_result_string(int validation_result);
rcl_enclave_name_validation_result_string(int validation_result);

#ifdef __cplusplus
}
#endif

#endif // RCL__VALIDATE_SECURITY_CONTEXT_NAME_H_
#endif // RCL__VALIDATE_ENCLAVE_NAME_H_
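Review bot: The parameter tag in the `_with_size` overload's comment names the wrong parameter: `\param[in] enclave The number of characters in enclave.` describes the new `enclave_length` argument, so it should read `\param[in] enclave_length The number of characters in enclave.`. Since the rename touched this line anyway, the mismatch is new-side text and will attach the length description to the string parameter in generated API docs. The brief right above it still carries the pre-existing typo `/// Deterimine if a given enclave name is valid.`, which could be corrected to `/// Determine if a given enclave name is valid.` to match the brief of rcl_validate_enclave_name earlier in the same hunk.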
60 changes: 30 additions & 30 deletions rcl/src/rcl/arguments.c
Expand Up @@ -190,21 +190,21 @@ _rcl_parse_param_file(
rcl_params_t * params,
char ** param_file);

/// Parse a security context argument.
/// Parse an enclave argument.
/**
* \param[in] arg the argument to parse
* \param[in] allocator an allocator to use
* \param[in,out] security_context parsed security context
* \return RCL_RET_OK if a valid security context was parsed, or
* \param[in,out] enclave parsed security enclave
* \return RCL_RET_OK if a valid security enclave was parsed, or
* \return RCL_RET_BAD_ALLOC if an allocation failed, or
* \return RLC_RET_ERROR if an unspecified error occurred.
*/
RCL_LOCAL
rcl_ret_t
_rcl_parse_security_context(
_rcl_parse_enclave(
const char * arg,
rcl_allocator_t allocator,
char ** security_context);
char ** enclave);

#define RCL_ENABLE_FLAG_PREFIX "--enable-"
#define RCL_DISABLE_FLAG_PREFIX "--disable-"
Expand Down Expand Up @@ -495,33 +495,33 @@ rcl_parse_arguments(
goto fail;
}

// Attempt to parse argument as a security context
if (strcmp(RCL_SECURITY_CONTEXT_FLAG, argv[i]) == 0) {
// Attempt to parse argument as a security enclave
if (strcmp(RCL_ENCLAVE_FLAG, argv[i]) == 0 || strcmp(RCL_SHORT_ENCLAVE_FLAG, argv[i]) == 0) {
if (i + 1 < argc) {
if (NULL != args_impl->security_context) {
if (NULL != args_impl->enclave) {
RCUTILS_LOG_DEBUG_NAMED(
ROS_PACKAGE_NAME, "Overriding security context name : %s\n",
args_impl->security_context);
allocator.deallocate(args_impl->security_context, allocator.state);
args_impl->security_context = NULL;
ROS_PACKAGE_NAME, "Overriding security enclave : %s\n",
args_impl->enclave);
allocator.deallocate(args_impl->enclave, allocator.state);
args_impl->enclave = NULL;
}
if (RCL_RET_OK == _rcl_parse_security_context(
argv[i + 1], allocator, &args_impl->security_context))
if (RCL_RET_OK == _rcl_parse_enclave(
argv[i + 1], allocator, &args_impl->enclave))
{
RCUTILS_LOG_DEBUG_NAMED(
ROS_PACKAGE_NAME, "Got security context : %s\n",
args_impl->security_context);
ROS_PACKAGE_NAME, "Got enclave: %s\n",
args_impl->enclave);
++i; // Skip flag here, for loop will skip value.
continue;
}
rcl_error_string_t prev_error_string = rcl_get_error_string();
rcl_reset_error();
RCL_SET_ERROR_MSG_WITH_FORMAT_STRING(
"Couldn't parse security context name: '%s %s'. Error: %s", argv[i], argv[i + 1],
"Couldn't parse enclave name: '%s %s'. Error: %s", argv[i], argv[i + 1],
prev_error_string.str);
} else {
RCL_SET_ERROR_MSG_WITH_FORMAT_STRING(
"Couldn't parse trailing %s flag. No security context path provided.", argv[i]);
"Couldn't parse trailing %s flag. No enclave path provided.", argv[i]);
}
ret = RCL_RET_INVALID_ROS_ARGS;
goto fail;
Expand Down Expand Up @@ -920,16 +920,16 @@ rcl_arguments_copy(
}
}
}
char * security_context_copy = rcutils_strdup(args->impl->security_context, allocator);
if (args->impl->security_context && !security_context_copy) {
char * enclave_copy = rcutils_strdup(args->impl->enclave, allocator);
if (args->impl->enclave && !enclave_copy) {
if (RCL_RET_OK != rcl_arguments_fini(args_out)) {
RCL_SET_ERROR_MSG("Error while finalizing arguments due to another error");
} else {
RCL_SET_ERROR_MSG("Error while copying security context argument");
RCL_SET_ERROR_MSG("Error while copying enclave argument");
}
return RCL_RET_BAD_ALLOC;
}
args_out->impl->security_context = security_context_copy;
args_out->impl->enclave = enclave_copy;
return RCL_RET_OK;
}

Expand Down Expand Up @@ -977,7 +977,7 @@ rcl_arguments_fini(
args->impl->num_param_files_args = 0;
args->impl->parameter_files = NULL;
}
args->impl->allocator.deallocate(args->impl->security_context, args->impl->allocator.state);
args->impl->allocator.deallocate(args->impl->enclave, args->impl->allocator.state);

if (NULL != args->impl->external_log_config_file) {
args->impl->allocator.deallocate(
Expand Down Expand Up @@ -1807,17 +1807,17 @@ _rcl_parse_external_log_config_file(
}

rcl_ret_t
_rcl_parse_security_context(
_rcl_parse_enclave(
const char * arg,
rcl_allocator_t allocator,
char ** security_context)
char ** enclave)
{
RCL_CHECK_ARGUMENT_FOR_NULL(arg, RCL_RET_INVALID_ARGUMENT);
RCL_CHECK_ARGUMENT_FOR_NULL(security_context, RCL_RET_INVALID_ARGUMENT);
RCL_CHECK_ARGUMENT_FOR_NULL(enclave, RCL_RET_INVALID_ARGUMENT);

*security_context = rcutils_strdup(arg, allocator);
if (NULL == *security_context) {
RCL_SET_ERROR_MSG("Failed to allocate memory for security context name");
*enclave = rcutils_strdup(arg, allocator);
if (NULL == *enclave) {
RCL_SET_ERROR_MSG("Failed to allocate memory for enclave name");
return RCL_RET_BAD_ALLOC;
}
return RCL_RET_OK;
Expand Down Expand Up @@ -1925,7 +1925,7 @@ _rcl_allocate_initialized_arguments_impl(rcl_arguments_t * args, rcl_allocator_t
args_impl->log_stdout_disabled = false;
args_impl->log_rosout_disabled = false;
args_impl->log_ext_lib_disabled = false;
args_impl->security_context = NULL;
args_impl->enclave = NULL;
args_impl->allocator = *allocator;

return RCL_RET_OK;
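Review bot: `_rcl_parse_enclave` is documented as returning `RCL_RET_OK if a valid security enclave was parsed`, but the body in the last hunk only duplicates `arg` with rcutils_strdup and never checks the name, and `rcl_validate_enclave_name`, which this same change declares in validate_enclave_name.h, is not called. Unless validation of the stored `args_impl->enclave` happens later outside these hunks, any string is accepted at parse time, so either validate before copying (sketched below; arguments.c would need the validate_enclave_name.h include if it does not already have it) or reword the comment to `\return RCL_RET_OK if the enclave argument was copied, or`. The two error messages in the rcl_parse_arguments hunk also disagree on what the value is: one says `Couldn't parse enclave name`, the other `No enclave path provided.`; since the header documents the flag's value as a name, the latter should read `"Couldn't parse trailing %s flag. No enclave name provided."`. The debug lines `Overriding security enclave : %s` and `Got enclave: %s` differ in spacing before the colon and in whether "security" appears; picking one form keeps log grepping predictable.

```c
  // … unchanged: signature and NULL-argument checks …

  // Reject malformed names up front so the stored value is known-valid
  // before it is used to locate a security directory.
  int validation_result = 0;
  size_t invalid_index = 0;
  rcl_ret_t ret = rcl_validate_enclave_name(arg, &validation_result, &invalid_index);
  if (RCL_RET_OK != ret) {
    return ret;
  }
  if (RCL_ENCLAVE_NAME_VALID != validation_result) {
    RCL_SET_ERROR_MSG_WITH_FORMAT_STRING(
      "Invalid enclave name '%s': %s", arg,
      rcl_enclave_name_validation_result_string(validation_result));
    return RCL_RET_INVALID_ARGUMENT;
  }

  // … unchanged: rcutils_strdup copy and RCL_RET_BAD_ALLOC handling …
```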
4 changes: 2 additions & 2 deletions rcl/src/rcl/arguments_impl.h
Expand Up @@ -61,8 +61,8 @@ typedef struct rcl_arguments_impl_t
/// A boolean value indicating if the external lib handler should be used for log output
bool log_ext_lib_disabled;

/// Security context to be used.
char * security_context;
/// Enclave to be used.
char * enclave;

/// Allocator used to allocate objects in this struct
rcl_allocator_t allocator;
18 changes: 9 additions & 9 deletions rcl/src/rcl/graph.c
Expand Up @@ -340,12 +340,12 @@ rcl_get_node_names(
}

rcl_ret_t
rcl_get_node_names_with_security_contexts(
rcl_get_node_names_with_enclaves(
const rcl_node_t * node,
rcl_allocator_t allocator,
rcutils_string_array_t * node_names,
rcutils_string_array_t * node_namespaces,
rcutils_string_array_t * security_contexts)
rcutils_string_array_t * enclaves)
{
if (!rcl_node_is_valid(node)) {
return RCL_RET_NODE_INVALID; // error already set
Expand All @@ -368,21 +368,21 @@ rcl_get_node_names_with_security_contexts(
RCL_SET_ERROR_MSG("node_namespaces is not null");
return RCL_RET_INVALID_ARGUMENT;
}
RCL_CHECK_ARGUMENT_FOR_NULL(security_contexts, RCL_RET_INVALID_ARGUMENT);
if (security_contexts->size != 0) {
RCL_SET_ERROR_MSG("security_contexts size is not zero");
RCL_CHECK_ARGUMENT_FOR_NULL(enclaves, RCL_RET_INVALID_ARGUMENT);
if (enclaves->size != 0) {
RCL_SET_ERROR_MSG("enclaves size is not zero");
return RCL_RET_INVALID_ARGUMENT;
}
if (security_contexts->data) {
RCL_SET_ERROR_MSG("security_contexts is not null");
if (enclaves->data) {
RCL_SET_ERROR_MSG("enclaves is not null");
return RCL_RET_INVALID_ARGUMENT;
}
(void)allocator; // to be used in rmw_get_node_names in the future
rmw_ret_t rmw_ret = rmw_get_node_names_with_security_contexts(
rmw_ret_t rmw_ret = rmw_get_node_names_with_enclaves(
rcl_node_get_rmw_handle(node),
node_names,
node_namespaces,
security_contexts);
enclaves);
return rcl_convert_rmw_ret_to_rcl_ret(rmw_ret);
}
