add authentication support in acl
kauncoder committed Apr 25, 2024
1 parent 0b6b80f commit 427733b
Showing 3 changed files with 71 additions and 59 deletions.
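--- a/commons/zenoh-config/src/lib.rs
+++ b/commons/zenoh-config/src/lib.rs
@@ -102,7 +102,9 @@ pub struct DownsamplingItemConf {
 
 #[derive(Serialize, Debug, Deserialize, Clone)]
 pub struct AclConfigRules {
-pub interfaces: Vec<String>,
+pub interfaces: Option<Vec<String>>,
+pub cert_common_names: Option<Vec<String>>,
+pub usernames: Option<Vec<String>>,
 pub key_exprs: Vec<String>,
 pub actions: Vec<Action>,
 pub flows: Vec<InterceptorFlow>,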
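Review bot: The new `cert_common_names` and `usernames` fields of `AclConfigRules`, and the now-optional `interfaces`, carry no doc comment saying what each list is matched against or that a rule must name at least one of them; with all three left out the rule deserializes fine but, as the authorization.rs change in this commit shows, produces no policy rule at all. A short comment on the struct would make the contract visible to whoever writes the config, e.g. `/// Subjects the rule applies to: a peer matches if one of its network interfaces, its TLS certificate common name or its authenticated username is listed. At least one of the three lists must be given; a rule with none matches no peer.` The exact source of the certificate name and username is not visible here, so confirm the wording against the transport code before adopting it.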
80 changes: 33 additions & 47 deletions zenoh/src/net/routing/interceptor/access_control.rs
Expand Up @@ -39,20 +39,19 @@ pub struct AclEnforcer {
enforcer: Arc<PolicyEnforcer>,
}
#[derive(Clone, Debug)]
pub struct Interface {
pub struct AuthnSubject {
id: usize,
name: String,
}

struct EgressAclEnforcer {
policy_enforcer: Arc<PolicyEnforcer>,
interface_list: Vec<Interface>,
auth_ids: Vec<AuthId>,
subject: Vec<AuthnSubject>,
zid: ZenohId,
}
struct IngressAclEnforcer {
policy_enforcer: Arc<PolicyEnforcer>,
interface_list: Vec<Interface>,
auth_ids: Vec<AuthId>,
subject: Vec<AuthnSubject>,
zid: ZenohId,
}

Expand Down Expand Up @@ -84,34 +83,37 @@ impl InterceptorFactoryTrait for AclEnforcer {
&self,
transport: &TransportUnicast,
) -> (Option<IngressInterceptor>, Option<EgressInterceptor>) {
let mut auth_ids = vec![];
let mut authn_ids = vec![];
if let Ok(ids) = transport.get_auth_ids() {
auth_ids = ids.clone();
// for id in ids {
// match id {
// AuthId::CertCommonName(name) => {
// println!("certificate common name {}", name);
// }
// AuthId::Username(name) => {
// println!("user name {}", name);
// }
// AuthId::None => {
// println!("No id was found, will use interface values");
// }
// }
// }
let enforcer = self.enforcer.clone();
for auth_id in ids {
match auth_id {
AuthId::CertCommonName(name) => {
let subject = &Subject::CertCommonName(name.clone());
if let Some(val) = enforcer.subject_map.get(subject) {
authn_ids.push(AuthnSubject { id: *val, name });
}
}
AuthId::Username(name) => {
let subject = &Subject::Username(name.clone());
if let Some(val) = enforcer.subject_map.get(subject) {
authn_ids.push(AuthnSubject { id: *val, name });
}
}
AuthId::None => {}
}
}
}
match transport.get_zid() {
Ok(zid) => {
let mut interface_list: Vec<Interface> = Vec::new();
match transport.get_links() {
Ok(links) => {
for link in links {
let enforcer = self.enforcer.clone();
for face in link.interfaces {
let subject = &Subject::Interface(face.clone());
if let Some(val) = enforcer.subject_map.get(subject) {
interface_list.push(Interface {
authn_ids.push(AuthnSubject {
id: *val,
name: face,
});
Expand All @@ -126,15 +128,13 @@ impl InterceptorFactoryTrait for AclEnforcer {
}
let ingress_interceptor = Box::new(IngressAclEnforcer {
policy_enforcer: self.enforcer.clone(),
interface_list: interface_list.clone(),
zid,
auth_ids: auth_ids.clone(),
subject: authn_ids.clone(),
});
let egress_interceptor = Box::new(EgressAclEnforcer {
policy_enforcer: self.enforcer.clone(),
interface_list: interface_list.clone(),
zid,
auth_ids,
subject: authn_ids,
});
match (
self.enforcer.interface_enabled.ingress,
Expand Down Expand Up @@ -305,18 +305,15 @@ impl InterceptorTrait for EgressAclEnforcer {
}
pub trait AclActionMethods {
fn policy_enforcer(&self) -> Arc<PolicyEnforcer>;
fn interface_list(&self) -> Vec<Interface>;
fn zid(&self) -> ZenohId;
fn flow(&self) -> InterceptorFlow;
fn auth_ids(&self) -> Vec<AuthId>;
fn authn_ids(&self) -> Vec<AuthnSubject>;
fn action(&self, action: Action, log_msg: &str, key_expr: &str) -> Permission {
let policy_enforcer = self.policy_enforcer();
let interface_list = self.interface_list();
let auth_ids = self.auth_ids();
println!("auth_ids are : {:?}", auth_ids);
let authn_ids: Vec<AuthnSubject> = self.authn_ids();
let zid = self.zid();
let mut decision = policy_enforcer.default_permission;
for subject in &interface_list {
for subject in &authn_ids {
match policy_enforcer.policy_decision_point(subject.id, self.flow(), action, key_expr) {
Ok(Permission::Allow) => {
tracing::trace!(
Expand Down Expand Up @@ -362,39 +359,28 @@ impl AclActionMethods for EgressAclEnforcer {
fn policy_enforcer(&self) -> Arc<PolicyEnforcer> {
self.policy_enforcer.clone()
}

fn interface_list(&self) -> Vec<Interface> {
self.interface_list.clone()
}

fn zid(&self) -> ZenohId {
self.zid
}
fn flow(&self) -> InterceptorFlow {
InterceptorFlow::Egress
}

fn auth_ids(&self) -> Vec<AuthId> {
self.auth_ids.clone()
fn authn_ids(&self) -> Vec<AuthnSubject> {
self.subject.clone()
}
}

impl AclActionMethods for IngressAclEnforcer {
fn policy_enforcer(&self) -> Arc<PolicyEnforcer> {
self.policy_enforcer.clone()
}

fn interface_list(&self) -> Vec<Interface> {
self.interface_list.clone()
}

fn zid(&self) -> ZenohId {
self.zid
}
fn flow(&self) -> InterceptorFlow {
InterceptorFlow::Ingress
}
fn auth_ids(&self) -> Vec<AuthId> {
self.auth_ids.clone()
fn authn_ids(&self) -> Vec<AuthnSubject> {
self.subject.clone()
}
}
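Review bot: The `for subject in &authn_ids` loop in `AclActionMethods::action` now evaluates one peer under several identities at once (certificate common name, username and every interface), but nothing states how conflicting verdicts across those identities are combined; the loop body continues past the hunk, so whether the first `Allow` wins or any `Deny` wins cannot be seen here. Because `new_transport` pushes the certificate and username subjects before the interface subjects, the answer decides whether an `allow` rule keyed on a username can override a `deny` keyed on the peer's interface (or the reverse), which is exactly what an operator writing mixed rules will want to know. Please state the rule in a doc comment on `action`, e.g. `/// Evaluates 'action' on 'key_expr' once per authenticated subject of the peer (certificate common name, username, then interfaces); <state here which verdict wins when subjects disagree>.` Two smaller points of style: the struct field `subject: Vec<AuthnSubject>` holds a list while its accessor is called `authn_ids`, so `subjects`/`subjects()` on both the structs and the trait would read consistently, and the `CertCommonName` and `Username` arms in `new_transport` are identical apart from the `Subject` variant and could share a single lookup-and-push.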
46 changes: 35 additions & 11 deletions zenoh/src/net/routing/interceptor/authorization.rs
Expand Up @@ -199,17 +199,41 @@ impl PolicyEnforcer {
) -> ZResult<PolicyInformation> {
let mut policy_rules: Vec<PolicyRule> = Vec::new();
for config_rule in config_rule_set {
for subject in &config_rule.interfaces {
for flow in &config_rule.flows {
for action in &config_rule.actions {
for key_expr in &config_rule.key_exprs {
policy_rules.push(PolicyRule {
subject: Subject::Interface(subject.clone()),
key_expr: key_expr.clone(),
action: *action,
permission: config_rule.permission,
flow: *flow,
})
for flow in &config_rule.flows {
for action in &config_rule.actions {
for key_expr in &config_rule.key_exprs {
if let Some(interface_list) = config_rule.interfaces.clone() {
for interface_subject in interface_list {
policy_rules.push(PolicyRule {
subject: Subject::Interface(interface_subject.clone()),
key_expr: key_expr.clone(),
action: *action,
permission: config_rule.permission,
flow: *flow,
});
}
}
if let Some(cert_name_list) = config_rule.cert_common_names.clone() {
for cert_name_subject in cert_name_list {
policy_rules.push(PolicyRule {
subject: Subject::CertCommonName(cert_name_subject.clone()),
key_expr: key_expr.clone(),
action: *action,
permission: config_rule.permission,
flow: *flow,
});
}
}
if let Some(username_list) = config_rule.usernames.clone() {
for username_subject in username_list {
policy_rules.push(PolicyRule {
subject: Subject::Username(username_subject.clone()),
key_expr: key_expr.clone(),
action: *action,
permission: config_rule.permission,
flow: *flow,
});
}
}
}
}
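Review bot: A rule whose `interfaces`, `cert_common_names` and `usernames` are all `None` (or all empty) passes through the three `if let Some(...)` blocks without producing a single `PolicyRule`, so the rule is silently dropped and the peers it was meant to restrict fall back to `default_permission`; the enclosing function starts before the hunk and returns `ZResult`, so this is the place to reject such a rule with an error rather than ignore it. Separately, `config_rule.interfaces.clone()` and its two siblings deep-copy the subject lists on every (flow, action, key_expr) iteration, and the three blocks differ only in the `Subject` variant; borrowing the lists through `iter().flatten()` and chaining them into one subject iterator removes the copies and keeps the push in one place, in the same order as today (interfaces, certificate common names, usernames). The rewritten loop body is below; the error message text is a suggestion.

```rust
for config_rule in config_rule_set {
    // A rule with no subject list would generate no PolicyRule and vanish silently.
    if config_rule.interfaces.is_none()
        && config_rule.cert_common_names.is_none()
        && config_rule.usernames.is_none()
    {
        return Err(
            "ACL rule has no subject: set at least one of interfaces, cert_common_names or usernames"
                .to_string()
                .into(),
        );
    }
    for flow in &config_rule.flows {
        for action in &config_rule.actions {
            for key_expr in &config_rule.key_exprs {
                // Borrow the optional lists instead of cloning them per combination.
                let subjects = config_rule
                    .interfaces
                    .iter()
                    .flatten()
                    .map(|s| Subject::Interface(s.clone()))
                    .chain(
                        config_rule
                            .cert_common_names
                            .iter()
                            .flatten()
                            .map(|s| Subject::CertCommonName(s.clone())),
                    )
                    .chain(
                        config_rule
                            .usernames
                            .iter()
                            .flatten()
                            .map(|s| Subject::Username(s.clone())),
                    );
                for subject in subjects {
                    policy_rules.push(PolicyRule {
                        subject,
                        key_expr: key_expr.clone(),
                        action: *action,
                        permission: config_rule.permission,
                        flow: *flow,
                    });
                }
            }
        }
    }
    // … unchanged: end of the config_rule loop …
```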
