def generate_artifacts(keystore_path: pathlib.Path = None,
identity_names: List[str] = [],
policy_files: List[pathlib.Path] = []) -> None:
if keystore_path is None:
keystore_path = _utilities.get_keystore_path_from_env()
if keystore_path is None:
return False
if not keystore.is_valid_keystore(keystore_path):
print('%s is not a valid keystore, creating new keystore' %
keystore_path)
keystore.create_keystore(keystore_path)
# Create enclaves for all provided identities
for identity in identity_names:
keystore.create_enclave(keystore_path, identity)
for policy_file in policy_files:
policy_tree = load_policy(policy_file)
enclaves_element = policy_tree.find('enclaves')
for enclave in enclaves_element:
identity_name = enclave.get('path')
if identity_name not in identity_names:
keystore.create_enclave(keystore_path, identity_name)
policy_element = _policy.get_policy_from_tree(
identity_name, policy_tree)
keystore._permission.create_permissions_from_policy_element(
keystore_path, identity_name, policy_element)
def generate_artifacts(keystore_path=None, identity_names=[], policy_files=[]):
if keystore_path is None:
keystore_path = get_keystore_path_from_env()
if keystore_path is None:
return False
if not is_valid_keystore(keystore_path):
print('%s is not a valid keystore, creating new keystore' %
keystore_path)
create_keystore(keystore_path)
# create keys for all provided identities
for identity in identity_names:
if not create_key(keystore_path, identity):
return False
for policy_file in policy_files:
policy_tree = load_policy(policy_file)
profiles_element = policy_tree.find('profiles')
for profile in profiles_element:
identity_name = profile.get('ns').rstrip('/') + '/' + profile.get(
'node')
if identity_name not in identity_names:
if not create_key(keystore_path, identity_name):
return False
policy_element = get_policy_from_tree(identity_name, policy_tree)
create_permissions_from_policy_element(keystore_path,
identity_name,
policy_element)
return True
def generate_artifacts(keystore_path=None, identity_names=[], policy_files=[]):
if keystore_path is None:
keystore_path = _utilities.get_keystore_path_from_env()
if keystore_path is None:
return False
if not _keystore.is_valid_keystore(keystore_path):
print('%s is not a valid keystore, creating new keystore' %
keystore_path)
_keystore.create_keystore(keystore_path)
# create keys for all provided identities
for identity in identity_names:
if not _key.create_key(keystore_path, identity):
return False
for policy_file in policy_files:
policy_tree = load_policy(policy_file)
enclaves_element = policy_tree.find('enclaves')
for enclave in enclaves_element:
identity_name = enclave.get('path')
if identity_name not in identity_names:
if not _key.create_key(keystore_path, identity_name):
return False
policy_element = _policy.get_policy_from_tree(
identity_name, policy_tree)
_permission.create_permissions_from_policy_element(
keystore_path, identity_name, policy_element)
return True
def test_generate_policy_services():
with tempfile.TemporaryDirectory() as tmpdir:
# Create a test-specific context so that generate_policy can still init
context = rclpy.Context()
rclpy.init(context=context)
node = rclpy.create_node('test_generate_policy_services_node',
context=context)
try:
# Create a server and client
node.create_client(Trigger, 'test_generate_policy_services_client')
node.create_service(Trigger,
'test_generate_policy_services_server',
lambda request, response: response)
# Generate the policy for the running node
assert cli.main(argv=[
'security', 'generate_policy',
os.path.join(tmpdir, 'test-policy.xml')
]) == 0
finally:
node.destroy_node()
rclpy.shutdown(context=context)
# Load the policy and pull out allowed replies and requests
policy = load_policy(os.path.join(tmpdir, 'test-policy.xml'))
profile = policy.find(
path=
'profiles/profile[@ns="/"][@node="test_generate_policy_services_node"]'
)
assert profile is not None
service_reply_allowed = profile.find(path='services[@reply="ALLOW"]')
assert service_reply_allowed is not None
service_request_allowed = profile.find(
path='services[@request="ALLOW"]')
assert service_request_allowed is not None
# Verify that the allowed replies include service_server and not service_client
services = service_reply_allowed.findall('service')
assert len([
s for s in services
if s.text == 'test_generate_policy_services_server'
]) == 1
assert len([
s for s in services
if s.text == 'test_generate_policy_services_client'
]) == 0
# Verify that the allowed requests include service_client and not service_server
services = service_request_allowed.findall('service')
assert len([
s for s in services
if s.text == 'test_generate_policy_services_client'
]) == 1
assert len([
s for s in services
if s.text == 'test_generate_policy_services_server'
]) == 0
def get_policy(self, policy_file_path):
if os.path.isfile(policy_file_path):
return load_policy(policy_file_path)
else:
profiles = etree.Element('profiles')
policy = etree.Element('policy')
policy.attrib['version'] = POLICY_VERSION
policy.append(profiles)
return policy
def get_policy(self, policy_file_path: pathlib.Path):
if policy_file_path.is_file():
return load_policy(policy_file_path)
else:
enclaves = etree.Element('enclaves')
policy = etree.Element('policy')
policy.attrib['version'] = POLICY_VERSION
policy.append(enclaves)
return policy
def test_generate_policy_topics():
with tempfile.TemporaryDirectory() as tmpdir:
# Create a test-specific context so that generate_policy can still init
context = rclpy.Context()
rclpy.init(context=context)
node = rclpy.create_node('test_generate_policy_topics_node',
context=context)
try:
# Create a publisher and subscription
node.create_publisher(Strings, 'test_generate_policy_topics_pub',
1)
node.create_subscription(Strings,
'test_generate_policy_topics_sub',
lambda msg: None, 1)
# Generate the policy for the running node
assert cli.main(argv=[
'security', 'generate_policy',
os.path.join(tmpdir, 'test-policy.xml')
]) == 0
finally:
node.destroy_node()
rclpy.shutdown(context=context)
# Load the policy and pull out the allowed publications and subscriptions
policy = load_policy(os.path.join(tmpdir, 'test-policy.xml'))
profile = policy.find(
path=
'profiles/profile[@ns="/"][@node="test_generate_policy_topics_node"]'
)
assert profile is not None
topics_publish_allowed = profile.find(path='topics[@publish="ALLOW"]')
assert topics_publish_allowed is not None
topics_subscribe_allowed = profile.find(
path='topics[@subscribe="ALLOW"]')
assert topics_subscribe_allowed is not None
# Verify that the allowed publications include topic_pub and not topic_sub
topics = topics_publish_allowed.findall('topic')
assert len([
t for t in topics if t.text == 'test_generate_policy_topics_pub'
]) == 1
assert len([
t for t in topics if t.text == 'test_generate_policy_topics_sub'
]) == 0
# Verify that the allowed subscriptions include topic_sub and not topic_pub
topics = topics_subscribe_allowed.findall('topic')
assert len([
t for t in topics if t.text == 'test_generate_policy_topics_sub'
]) == 1
assert len([
t for t in topics if t.text == 'test_generate_policy_topics_pub'
]) == 0
def test_generate_policy_topics(self, pub_sub_node_name,
pub_sub_node_namespace,
pub_sub_node_enclave, use_daemon):
if use_daemon:
assert self.wait_for(expected_nodes=[
pub_sub_node_namespace + '/' + pub_sub_node_name
],
expected_topics=[
expand_topic_name('~/pub',
pub_sub_node_name,
pub_sub_node_namespace),
expand_topic_name('~/sub',
pub_sub_node_name,
pub_sub_node_namespace),
])
with tempfile.TemporaryDirectory() as tmpdir:
test_policy = pathlib.Path(tmpdir).joinpath('test-policy.xml')
with self.launch_sros2_command(
arguments=['generate_policy',
str(test_policy)]) as gen_command:
assert gen_command.wait_for_shutdown(
timeout=GENERATE_POLICY_TIMEOUT)
assert gen_command.exit_code == launch_testing.asserts.EXIT_OK
# Load the policy and pull out the allowed publications and subscriptions
policy = load_policy(test_policy)
profile = policy.find(
path=f'enclaves/enclave[@path="{pub_sub_node_enclave}"]' +
f'/profiles/profile[@ns="{pub_sub_node_namespace}"]' +
f'[@node="{pub_sub_node_name}"]')
assert profile is not None
topics_publish_allowed = profile.find(
path='topics[@publish="ALLOW"]')
assert topics_publish_allowed is not None
topics_subscribe_allowed = profile.find(
path='topics[@subscribe="ALLOW"]')
assert topics_subscribe_allowed is not None
# Verify that the allowed publications include topic_pub and not topic_sub
topics = topics_publish_allowed.findall('topic')
assert len([t for t in topics if t.text == '~/pub']) == 1
assert len([t for t in topics if t.text == '~/sub']) == 0
# Verify that the allowed subscriptions include topic_sub and not topic_pub
topics = topics_subscribe_allowed.findall('topic')
assert len([t for t in topics if t.text == '~/sub']) == 1
assert len([t for t in topics if t.text == '~/pub']) == 0
def test_generate_policy_services(self, client_srv_node_name,
client_srv_node_namespace,
client_srv_node_enclave, use_daemon):
if use_daemon:
assert self.wait_for(
expected_nodes=[
client_srv_node_namespace + '/' + client_srv_node_name
],
expected_services=[
expand_topic_name('~/client', client_srv_node_name,
client_srv_node_namespace),
expand_topic_name('~/server', client_srv_node_name,
client_srv_node_namespace),
])
with tempfile.TemporaryDirectory() as tmpdir:
test_policy = pathlib.Path(tmpdir).joinpath('test-policy.xml')
with self.launch_sros2_command(
arguments=['generate_policy',
str(test_policy)]) as gen_command:
assert gen_command.wait_for_shutdown(
timeout=GENERATE_POLICY_TIMEOUT)
assert gen_command.exit_code == launch_testing.asserts.EXIT_OK
# Load the policy and pull out allowed replies and requests
policy = load_policy(test_policy)
profile = policy.find(
path=f'enclaves/enclave[@path="{client_srv_node_enclave}"]' +
f'/profiles/profile[@ns="{client_srv_node_namespace}"]' +
f'[@node="{client_srv_node_name}"]')
assert profile is not None
service_reply_allowed = profile.find(
path='services[@reply="ALLOW"]')
assert service_reply_allowed is not None
service_request_allowed = profile.find(
path='services[@request="ALLOW"]')
assert service_request_allowed is not None
# Verify that the allowed replies include service_server and not service_client
services = service_reply_allowed.findall('service')
assert len([s for s in services if s.text == '~/server']) == 1
assert len([s for s in services if s.text == '~/client']) == 0
# Verify that the allowed requests include service_client and not service_server
services = service_request_allowed.findall('service')
assert len([s for s in services if s.text == '~/client']) == 1
assert len([s for s in services if s.text == '~/server']) == 0
def get_policy(name, policy_file_path):
policy_tree = load_policy(policy_file_path)
return get_policy_from_tree(name, policy_tree)
