Add certificate and user/password authentication methods to ACL filte…

…rs (#1073)

* adding test files

* testing cert names

* testing cert authn

* adding basic authID functionality

* remove secret files

* add extensibility

* add extensibility

* add extensibility

* adding type constraints

* adding level abstraction for authentication info

* adding username authentication

* cleaning code

* added cfg checks for auth_usrpwd

* adding test files

* fix error due to vsock

* fix test error

* access auth ids in acl interceptor

* add authentication support in acl

* added Subject

* adding test files

* add authn features with acl

* remove error

* add tests for tls and quic

* add tests for user-password

* remove format error

* ignore tests without testfiles

* remove shm test errors

* remove typos

* add testfiles for authn

* fix testfiles for authn

* Chore: Code format

* Change port numbers to allow tests to run concurrently

* Fix TLS and Quic test failures due to subsequent sessions on same port number

* Format json configs

* Remove unused deprecated dependency async-rustls

* Chore: format list of cargo dependencies

* Fix imports

* Fix some styling and format

* Fix feature usage

* Remove unnecessary redefinition of RecvOpenSynOut

* Remove unnecessary clones

* Rewrite return value

* Fix typo

* Implement get_auth_ids for TransportUnicastLowlatency

* Fix disabled access control for certain tests

* Add lowlatency test

* Remove unnecessary warnings

* Check only if interfaces list is empty

Other subject lists (usernames and cert_common_names) can be empty in the current config schema.

* Merge branch 'dev/1.0.0' into authn/testing (squashed)

* Move x509-parser dependency to workspace

* Revert "Check only if interfaces list is empty"

Misinterpreted the code logic when making this change.

This reverts commit f4cc818.

* Change LinkAuthIdBuilder to return Self instead of &mut Self

* Add LinkAuthId::builder()

* chore: Reorder tokio features

* Add LinkAuthId::none()

* Change LinkUnicastTrait.get_auth_identifier to return ref

* Change get_cert_common_name(conn) parameter to ref

* Add license header

* Rename get_auth_identifier to get_auth_id

* Rewrite unnecessary match blocs, add evaluation of get_interface_names_by_addr error

* Use std::env::temp_dir() instead of hardcoded path in zenoh/authentication test

* Change return type with auth_usrpwd feature

* Lint test

* Fix link-vsock implementation of get_auth_id

* Fix authtests filepaths on Ubuntu

* Update default config

* Optimize collecting AuthIds from Links

---------

Co-authored-by: snehilzs <[email protected]>
Co-authored-by: snehilzs <[email protected]>

Cargo.toml

@@ -117,6 +117,7 @@ lz4_flex = "0.11"
 nix = { version = "0.27", features = ["fs"] }
 num_cpus = "1.16.0"
 num-traits = { version = "0.2.17", default-features = false }
+once_cell = "1.19.0"
 ordered-float = "4.1.1"
 panic-message = "0.3.0"
 paste = "1.0.12"
@@ -178,6 +179,7 @@ validated_struct = "2.1.0"
 vec_map = "0.8.2"
 webpki-roots = "0.26.0"
 winapi = { version = "0.3.9", features = ["iphlpapi"] }
+x509-parser = "0.16.0"
 z-serial = "0.2.3"
 zenoh-ext = { version = "0.11.0-dev", path = "zenoh-ext" }
 zenoh-shm = { version = "0.11.0-dev", path = "commons/zenoh-shm" }

DEFAULT_CONFIG.json5

@@ -196,8 +196,17 @@
   //       "key_exprs": [
   //         "test/demo"
   //       ],
+  //       /// Subjects can be interfaces
   //       "interfaces": [
   //         "lo0"
+  //       ],
+  //       /// Subjects can be cert_common_names when using TLS or Quic 
+  //       "cert_common_names": [
+  //         "example.zenoh.io"
+  //       ],
+  //       /// Subjects can be usernames when using user/password authentication
+  //       "usernames": [
+  //         "zenoh-example"
   //       ]
   //     },
   //  ]

commons/zenoh-config/src/lib.rs

@@ -106,6 +106,8 @@ pub struct DownsamplingItemConf {
 #[derive(Serialize, Debug, Deserialize, Clone)]
 pub struct AclConfigRules {
     pub interfaces: Option<Vec<String>>,
+    pub cert_common_names: Option<Vec<String>>,
+    pub usernames: Option<Vec<String>>,
     pub key_exprs: Vec<String>,
     pub actions: Vec<Action>,
     pub flows: Option<Vec<InterceptorFlow>>,
@@ -126,6 +128,8 @@ pub struct PolicyRule {
 #[serde(rename_all = "snake_case")]
 pub enum Subject {
     Interface(String),
+    CertCommonName(String),
+    Username(String),
 }
 
 #[derive(Clone, Copy, Debug, Serialize, Deserialize, Eq, Hash, PartialEq)]

io/zenoh-link-commons/src/lib.rs

@@ -50,6 +50,7 @@ pub struct Link {
     pub is_reliable: bool,
     pub is_streamed: bool,
     pub interfaces: Vec<String>,
+    pub auth_identifier: LinkAuthId,
 }
 
 #[async_trait]
@@ -78,6 +79,7 @@ impl From<&LinkUnicast> for Link {
             is_reliable: link.is_reliable(),
             is_streamed: link.is_streamed(),
             interfaces: link.get_interface_names(),
+            auth_identifier: link.get_auth_id().clone(),
         }
     }
 }
@@ -98,6 +100,7 @@ impl From<&LinkMulticast> for Link {
             is_reliable: link.is_reliable(),
             is_streamed: false,
             interfaces: vec![],
+            auth_identifier: LinkAuthId::default(),
         }
     }
 }

io/zenoh-link-commons/src/unicast.rs

@@ -20,6 +20,7 @@ use core::{
 use std::net::SocketAddr;
 
 use async_trait::async_trait;
+use serde::Serialize;
 use zenoh_protocol::{
     core::{EndPoint, Locator},
     transport::BatchSize,
@@ -51,6 +52,7 @@ pub trait LinkUnicastTrait: Send + Sync {
     fn is_reliable(&self) -> bool;
     fn is_streamed(&self) -> bool;
     fn get_interface_names(&self) -> Vec<String>;
+    fn get_auth_id(&self) -> &LinkAuthId;
     async fn write(&self, buffer: &[u8]) -> ZResult<usize>;
     async fn write_all(&self, buffer: &[u8]) -> ZResult<()>;
     async fn read(&self, buffer: &mut [u8]) -> ZResult<usize>;
@@ -118,3 +120,76 @@ pub fn get_ip_interface_names(addr: &SocketAddr) -> Vec<String> {
         }
     }
 }
+
+#[derive(Clone, Debug, Serialize, Hash, PartialEq, Eq)]
+pub enum LinkAuthType {
+    Tls,
+    Quic,
+    None,
+}
+
+#[derive(Clone, Debug, Serialize, Hash, PartialEq, Eq)]
+pub struct LinkAuthId {
+    auth_type: LinkAuthType,
+    auth_value: Option<String>,
+}
+
+impl LinkAuthId {
+    pub const NONE: Self = Self {
+        auth_type: LinkAuthType::None,
+        auth_value: None,
+    };
+    pub fn get_type(&self) -> &LinkAuthType {
+        &self.auth_type
+    }
+    pub fn get_value(&self) -> &Option<String> {
+        &self.auth_value
+    }
+    pub fn builder() -> LinkAuthIdBuilder {
+        LinkAuthIdBuilder::new()
+    }
+}
+
+impl Default for LinkAuthId {
+    fn default() -> Self {
+        LinkAuthId::NONE.clone()
+    }
+}
+
+#[derive(Debug)]
+pub struct LinkAuthIdBuilder {
+    pub auth_type: LinkAuthType,    // HAS to be provided when building
+    pub auth_value: Option<String>, // actual value added to the above type; is None for None type
+}
+
+impl Default for LinkAuthIdBuilder {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl LinkAuthIdBuilder {
+    pub fn new() -> LinkAuthIdBuilder {
+        LinkAuthIdBuilder {
+            auth_type: LinkAuthType::None,
+            auth_value: None,
+        }
+    }
+
+    pub fn auth_type(mut self, auth_type: LinkAuthType) -> Self {
+        self.auth_type = auth_type;
+        self
+    }
+
+    pub fn auth_value(mut self, auth_value: Option<String>) -> Self {
+        self.auth_value = auth_value;
+        self
+    }
+
+    pub fn build(self) -> LinkAuthId {
+        LinkAuthId {
+            auth_type: self.auth_type.clone(),
+            auth_value: self.auth_value.clone(),
+        }
+    }
+}

io/zenoh-links/zenoh-link-quic/Cargo.toml

@@ -30,7 +30,7 @@ base64 = { workspace = true }
 futures = { workspace = true }
 quinn = { workspace = true }
 rustls-native-certs = { workspace = true }
-rustls-pki-types =  { workspace = true }
+rustls-pki-types = { workspace = true }
 rustls-webpki = { workspace = true }
 secrecy = { workspace = true }
 tokio = { workspace = true, features = [
@@ -54,5 +54,6 @@ zenoh-sync = { workspace = true }
 zenoh-util = { workspace = true }
 # Lock due to quinn not supporting rustls 0.22 yet
 rustls = { version = "0.21", features = ["dangerous_configuration", "quic"] }
-tokio-rustls = "0.24.1"
 rustls-pemfile = { version = "1" }
+tokio-rustls = "0.24.1"
+x509-parser = { workspace = true }