def generate_artifacts(keystore_path: pathlib.Path = None, identity_names: List[str] = [], policy_files: List[pathlib.Path] = []) -> None: if keystore_path is None: keystore_path = _utilities.get_keystore_path_from_env() if keystore_path is None: return False if not keystore.is_valid_keystore(keystore_path): print('%s is not a valid keystore, creating new keystore' % keystore_path) keystore.create_keystore(keystore_path) # Create enclaves for all provided identities for identity in identity_names: keystore.create_enclave(keystore_path, identity) for policy_file in policy_files: policy_tree = load_policy(policy_file) enclaves_element = policy_tree.find('enclaves') for enclave in enclaves_element: identity_name = enclave.get('path') if identity_name not in identity_names: keystore.create_enclave(keystore_path, identity_name) policy_element = _policy.get_policy_from_tree( identity_name, policy_tree) keystore._permission.create_permissions_from_policy_element( keystore_path, identity_name, policy_element)
def generate_artifacts(keystore_path=None, identity_names=[], policy_files=[]): if keystore_path is None: keystore_path = get_keystore_path_from_env() if keystore_path is None: return False if not is_valid_keystore(keystore_path): print('%s is not a valid keystore, creating new keystore' % keystore_path) create_keystore(keystore_path) # create keys for all provided identities for identity in identity_names: if not create_key(keystore_path, identity): return False for policy_file in policy_files: policy_tree = load_policy(policy_file) profiles_element = policy_tree.find('profiles') for profile in profiles_element: identity_name = profile.get('ns').rstrip('/') + '/' + profile.get( 'node') if identity_name not in identity_names: if not create_key(keystore_path, identity_name): return False policy_element = get_policy_from_tree(identity_name, policy_tree) create_permissions_from_policy_element(keystore_path, identity_name, policy_element) return True
def generate_artifacts(keystore_path=None, identity_names=[], policy_files=[]): if keystore_path is None: keystore_path = _utilities.get_keystore_path_from_env() if keystore_path is None: return False if not _keystore.is_valid_keystore(keystore_path): print('%s is not a valid keystore, creating new keystore' % keystore_path) _keystore.create_keystore(keystore_path) # create keys for all provided identities for identity in identity_names: if not _key.create_key(keystore_path, identity): return False for policy_file in policy_files: policy_tree = load_policy(policy_file) enclaves_element = policy_tree.find('enclaves') for enclave in enclaves_element: identity_name = enclave.get('path') if identity_name not in identity_names: if not _key.create_key(keystore_path, identity_name): return False policy_element = _policy.get_policy_from_tree( identity_name, policy_tree) _permission.create_permissions_from_policy_element( keystore_path, identity_name, policy_element) return True
def test_generate_policy_services(): with tempfile.TemporaryDirectory() as tmpdir: # Create a test-specific context so that generate_policy can still init context = rclpy.Context() rclpy.init(context=context) node = rclpy.create_node('test_generate_policy_services_node', context=context) try: # Create a server and client node.create_client(Trigger, 'test_generate_policy_services_client') node.create_service(Trigger, 'test_generate_policy_services_server', lambda request, response: response) # Generate the policy for the running node assert cli.main(argv=[ 'security', 'generate_policy', os.path.join(tmpdir, 'test-policy.xml') ]) == 0 finally: node.destroy_node() rclpy.shutdown(context=context) # Load the policy and pull out allowed replies and requests policy = load_policy(os.path.join(tmpdir, 'test-policy.xml')) profile = policy.find( path= 'profiles/profile[@ns="/"][@node="test_generate_policy_services_node"]' ) assert profile is not None service_reply_allowed = profile.find(path='services[@reply="ALLOW"]') assert service_reply_allowed is not None service_request_allowed = profile.find( path='services[@request="ALLOW"]') assert service_request_allowed is not None # Verify that the allowed replies include service_server and not service_client services = service_reply_allowed.findall('service') assert len([ s for s in services if s.text == 'test_generate_policy_services_server' ]) == 1 assert len([ s for s in services if s.text == 'test_generate_policy_services_client' ]) == 0 # Verify that the allowed requests include service_client and not service_server services = service_request_allowed.findall('service') assert len([ s for s in services if s.text == 'test_generate_policy_services_client' ]) == 1 assert len([ s for s in services if s.text == 'test_generate_policy_services_server' ]) == 0
def get_policy(self, policy_file_path): if os.path.isfile(policy_file_path): return load_policy(policy_file_path) else: profiles = etree.Element('profiles') policy = etree.Element('policy') policy.attrib['version'] = POLICY_VERSION policy.append(profiles) return policy
def get_policy(self, policy_file_path: pathlib.Path): if policy_file_path.is_file(): return load_policy(policy_file_path) else: enclaves = etree.Element('enclaves') policy = etree.Element('policy') policy.attrib['version'] = POLICY_VERSION policy.append(enclaves) return policy
def test_generate_policy_topics(): with tempfile.TemporaryDirectory() as tmpdir: # Create a test-specific context so that generate_policy can still init context = rclpy.Context() rclpy.init(context=context) node = rclpy.create_node('test_generate_policy_topics_node', context=context) try: # Create a publisher and subscription node.create_publisher(Strings, 'test_generate_policy_topics_pub', 1) node.create_subscription(Strings, 'test_generate_policy_topics_sub', lambda msg: None, 1) # Generate the policy for the running node assert cli.main(argv=[ 'security', 'generate_policy', os.path.join(tmpdir, 'test-policy.xml') ]) == 0 finally: node.destroy_node() rclpy.shutdown(context=context) # Load the policy and pull out the allowed publications and subscriptions policy = load_policy(os.path.join(tmpdir, 'test-policy.xml')) profile = policy.find( path= 'profiles/profile[@ns="/"][@node="test_generate_policy_topics_node"]' ) assert profile is not None topics_publish_allowed = profile.find(path='topics[@publish="ALLOW"]') assert topics_publish_allowed is not None topics_subscribe_allowed = profile.find( path='topics[@subscribe="ALLOW"]') assert topics_subscribe_allowed is not None # Verify that the allowed publications include topic_pub and not topic_sub topics = topics_publish_allowed.findall('topic') assert len([ t for t in topics if t.text == 'test_generate_policy_topics_pub' ]) == 1 assert len([ t for t in topics if t.text == 'test_generate_policy_topics_sub' ]) == 0 # Verify that the allowed subscriptions include topic_sub and not topic_pub topics = topics_subscribe_allowed.findall('topic') assert len([ t for t in topics if t.text == 'test_generate_policy_topics_sub' ]) == 1 assert len([ t for t in topics if t.text == 'test_generate_policy_topics_pub' ]) == 0
def test_generate_policy_topics(self, pub_sub_node_name, pub_sub_node_namespace, pub_sub_node_enclave, use_daemon): if use_daemon: assert self.wait_for(expected_nodes=[ pub_sub_node_namespace + '/' + pub_sub_node_name ], expected_topics=[ expand_topic_name('~/pub', pub_sub_node_name, pub_sub_node_namespace), expand_topic_name('~/sub', pub_sub_node_name, pub_sub_node_namespace), ]) with tempfile.TemporaryDirectory() as tmpdir: test_policy = pathlib.Path(tmpdir).joinpath('test-policy.xml') with self.launch_sros2_command( arguments=['generate_policy', str(test_policy)]) as gen_command: assert gen_command.wait_for_shutdown( timeout=GENERATE_POLICY_TIMEOUT) assert gen_command.exit_code == launch_testing.asserts.EXIT_OK # Load the policy and pull out the allowed publications and subscriptions policy = load_policy(test_policy) profile = policy.find( path=f'enclaves/enclave[@path="{pub_sub_node_enclave}"]' + f'/profiles/profile[@ns="{pub_sub_node_namespace}"]' + f'[@node="{pub_sub_node_name}"]') assert profile is not None topics_publish_allowed = profile.find( path='topics[@publish="ALLOW"]') assert topics_publish_allowed is not None topics_subscribe_allowed = profile.find( path='topics[@subscribe="ALLOW"]') assert topics_subscribe_allowed is not None # Verify that the allowed publications include topic_pub and not topic_sub topics = topics_publish_allowed.findall('topic') assert len([t for t in topics if t.text == '~/pub']) == 1 assert len([t for t in topics if t.text == '~/sub']) == 0 # Verify that the allowed subscriptions include topic_sub and not topic_pub topics = topics_subscribe_allowed.findall('topic') assert len([t for t in topics if t.text == '~/sub']) == 1 assert len([t for t in topics if t.text == '~/pub']) == 0
def test_generate_policy_services(self, client_srv_node_name, client_srv_node_namespace, client_srv_node_enclave, use_daemon): if use_daemon: assert self.wait_for( expected_nodes=[ client_srv_node_namespace + '/' + client_srv_node_name ], expected_services=[ expand_topic_name('~/client', client_srv_node_name, client_srv_node_namespace), expand_topic_name('~/server', client_srv_node_name, client_srv_node_namespace), ]) with tempfile.TemporaryDirectory() as tmpdir: test_policy = pathlib.Path(tmpdir).joinpath('test-policy.xml') with self.launch_sros2_command( arguments=['generate_policy', str(test_policy)]) as gen_command: assert gen_command.wait_for_shutdown( timeout=GENERATE_POLICY_TIMEOUT) assert gen_command.exit_code == launch_testing.asserts.EXIT_OK # Load the policy and pull out allowed replies and requests policy = load_policy(test_policy) profile = policy.find( path=f'enclaves/enclave[@path="{client_srv_node_enclave}"]' + f'/profiles/profile[@ns="{client_srv_node_namespace}"]' + f'[@node="{client_srv_node_name}"]') assert profile is not None service_reply_allowed = profile.find( path='services[@reply="ALLOW"]') assert service_reply_allowed is not None service_request_allowed = profile.find( path='services[@request="ALLOW"]') assert service_request_allowed is not None # Verify that the allowed replies include service_server and not service_client services = service_reply_allowed.findall('service') assert len([s for s in services if s.text == '~/server']) == 1 assert len([s for s in services if s.text == '~/client']) == 0 # Verify that the allowed requests include service_client and not service_server services = service_request_allowed.findall('service') assert len([s for s in services if s.text == '~/client']) == 1 assert len([s for s in services if s.text == '~/server']) == 0
def get_policy(name, policy_file_path): policy_tree = load_policy(policy_file_path) return get_policy_from_tree(name, policy_tree)