access auth ids in acl interceptor

eclipse-zenoh · Apr 25, 2024 · 0b6b80f · 0b6b80f
1 parent e43aa77
commit 0b6b80f
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 101 deletions.
diff --git a/commons/zenoh-config/src/lib.rs b/commons/zenoh-config/src/lib.rs
@@ -123,6 +123,8 @@ pub struct PolicyRule {
 #[serde(rename_all = "snake_case")]
 pub enum Subject {
     Interface(String),
+    CertCommonName(String),
+    Username(String),
 }
 
 #[derive(Clone, Copy, Debug, Serialize, Deserialize, Eq, Hash, PartialEq)]

diff --git a/zenoh/src/net/routing/interceptor/access_control.rs b/zenoh/src/net/routing/interceptor/access_control.rs
@@ -31,6 +31,8 @@ use zenoh_protocol::{
     network::{Declare, DeclareBody, NetworkBody, NetworkMessage, Push, Request},
     zenoh::{PushBody, RequestBody},
 };
+use zenoh_transport::unicast::authentication::AuthId;
+
 use zenoh_result::ZResult;
 use zenoh_transport::{multicast::TransportMulticast, unicast::TransportUnicast};
 pub struct AclEnforcer {
@@ -44,11 +46,13 @@ pub struct Interface {
 struct EgressAclEnforcer {
     policy_enforcer: Arc<PolicyEnforcer>,
     interface_list: Vec<Interface>,
+    auth_ids: Vec<AuthId>,
     zid: ZenohId,
 }
 struct IngressAclEnforcer {
     policy_enforcer: Arc<PolicyEnforcer>,
     interface_list: Vec<Interface>,
+    auth_ids: Vec<AuthId>,
     zid: ZenohId,
 }
 
@@ -80,6 +84,23 @@ impl InterceptorFactoryTrait for AclEnforcer {
         &self,
         transport: &TransportUnicast,
     ) -> (Option<IngressInterceptor>, Option<EgressInterceptor>) {
+        let mut auth_ids = vec![];
+        if let Ok(ids) = transport.get_auth_ids() {
+            auth_ids = ids.clone();
+            // for id in ids {
+            //     match id {
+            //         AuthId::CertCommonName(name) => {
+            //             println!("certificate common name {}", name);
+            //         }
+            //         AuthId::Username(name) => {
+            //             println!("user name {}", name);
+            //         }
+            //         AuthId::None => {
+            //             println!("No id was found, will use interface values");
+            //         }
+            //     }
+            // }
+        }
         match transport.get_zid() {
             Ok(zid) => {
                 let mut interface_list: Vec<Interface> = Vec::new();
@@ -107,11 +128,13 @@ impl InterceptorFactoryTrait for AclEnforcer {
                     policy_enforcer: self.enforcer.clone(),
                     interface_list: interface_list.clone(),
                     zid,
+                    auth_ids: auth_ids.clone(),
                 });
                 let egress_interceptor = Box::new(EgressAclEnforcer {
                     policy_enforcer: self.enforcer.clone(),
                     interface_list: interface_list.clone(),
                     zid,
+                    auth_ids,
                 });
                 match (
                     self.enforcer.interface_enabled.ingress,
@@ -285,9 +308,12 @@ pub trait AclActionMethods {
     fn interface_list(&self) -> Vec<Interface>;
     fn zid(&self) -> ZenohId;
     fn flow(&self) -> InterceptorFlow;
+    fn auth_ids(&self) -> Vec<AuthId>;
     fn action(&self, action: Action, log_msg: &str, key_expr: &str) -> Permission {
         let policy_enforcer = self.policy_enforcer();
         let interface_list = self.interface_list();
+        let auth_ids = self.auth_ids();
+        println!("auth_ids are : {:?}", auth_ids);
         let zid = self.zid();
         let mut decision = policy_enforcer.default_permission;
         for subject in &interface_list {
@@ -347,6 +373,10 @@ impl AclActionMethods for EgressAclEnforcer {
     fn flow(&self) -> InterceptorFlow {
         InterceptorFlow::Egress
     }
+
+    fn auth_ids(&self) -> Vec<AuthId> {
+        self.auth_ids.clone()
+    }
 }
 
 impl AclActionMethods for IngressAclEnforcer {
@@ -364,4 +394,7 @@ impl AclActionMethods for IngressAclEnforcer {
     fn flow(&self) -> InterceptorFlow {
         InterceptorFlow::Ingress
     }
+    fn auth_ids(&self) -> Vec<AuthId> {
+        self.auth_ids.clone()
+    }
 }
diff --git a/zenoh/src/net/routing/interceptor/mod.rs b/zenoh/src/net/routing/interceptor/mod.rs
@@ -32,9 +32,7 @@ use zenoh_result::ZResult;
 use zenoh_transport::{multicast::TransportMulticast, unicast::TransportUnicast};
 
 pub mod downsampling;
-pub mod testing_interceptor;
 use crate::net::routing::interceptor::downsampling::downsampling_interceptor_factories;
-use crate::net::routing::interceptor::testing_interceptor::new_test_interceptor;
 
 pub(crate) trait InterceptorTrait {
     fn compute_keyexpr_cache(&self, key_expr: &KeyExpr<'_>) -> Option<Box<dyn Any + Send + Sync>>;
@@ -67,7 +65,6 @@ pub(crate) fn interceptor_factories(config: &Config) -> ZResult<Vec<InterceptorF
     // res.push(Box::new(LoggerInterceptor {}));
     res.extend(downsampling_interceptor_factories(config.downsampling())?);
     res.extend(acl_interceptor_factories(config.access_control())?);
-    res.extend(new_test_interceptor()?);
     Ok(res)
 }
 

diff --git a/zenoh/src/net/routing/interceptor/testing_interceptor.rs b/zenoh/src/net/routing/interceptor/testing_interceptor.rs