WIP:ACL phase 1

examples/examples/z_pub_thr.rs

@@ -28,7 +28,7 @@ fn main() {
         prio = p.try_into().unwrap();
     }
 
-    let payload_size = args.payload_size;
+    let payload_size: usize = 1024;
 
     let data: Value = (0..payload_size)
         .map(|i| (i % 10) as u8)

rules.json5

@@ -15,7 +15,7 @@
         },
         "ke": "demo/example/zenoh-rs-pub",
         "action": "Write",
-        "permission": false
+        "permission": true
     },
     {
         "sub": {

rules_test_thr.json5

@@ -0,0 +1,38 @@
+[
+    {
+        "sub": {
+            "id": "aaa3b411006ad57868988f9fec672a31",
+            "attributes": null
+        },
+        "ke": "test/thr",
+        "action": "Write",
+        "permission": true
+    },
+    {
+        "sub": {
+            "id": "bbb3b411006ad57868988f9fec672a31",
+            "attributes": null
+        },
+        "ke": "test/thr",
+        "action": "Read",
+        "permission": true
+    },
+    {
+        "sub": {
+            "id": "aaabbb11006ad57868988f9fec672a31",
+            "attributes": null
+        },
+        "ke": "test/thr",
+        "action": "Read",
+        "permission": true
+    },
+    {
+        "sub": {
+            "id": "aaabbb11006ad57868988f9fec672a31",
+            "attributes": null
+        },
+        "ke": "test/thr",
+        "action": "Write",
+        "permission": true
+    }
+]

zenoh/src/net/routing/interceptor/authz.rs

@@ -56,7 +56,6 @@ impl ValueMerge for Permissions {
     fn merge_mut(&mut self, _other: &Self) {}
 }
 
-//type KeTree = AclTrie;
 type KeTree = Trie<Acl, Permissions>;
 
 #[derive(Clone, Debug, Serialize, Deserialize, Eq, PartialEq, Hash)]
@@ -168,7 +167,7 @@ impl PolicyEnforcer {
            creates the policy hashmap with the ke-tries for ke matching
            should have polic-type in the mix here...need to verify
         */
-        let rule_set = Self::policy_resource_point("rules.json5").unwrap();
+        let rule_set = Self::policy_resource_point("rules_test_thr.json5").unwrap();
         let pe = Self::build_policy_map(rule_set).expect("policy not established");
         //also should start the logger here
         Ok(pe)
@@ -220,6 +219,7 @@ impl PolicyEnforcer {
                     collects result from PDP and then uses that allow/deny output to block or pass the msg to routing table
         */
 
+        //get keyexpression and zid for the request; attributes will be added at this point (phase 2)
         let ke = new_ctx.ke;
         let zid = new_ctx.zid.unwrap();
         //build subject
@@ -243,7 +243,7 @@ impl PolicyEnforcer {
                     policy list is be a hashmap of (subject,action)->ketries (test and discuss)
         */
 
-        //extract subject and action from request and create subact [this will be our key for hashmap]
+        //get subject and action from request and create subact [this will be our key for hashmap]
         let subact = SubAct(request.sub, request.action);
         let ke = request.obj;
         match self.0.get(&subact) {
@@ -264,7 +264,7 @@ impl PolicyEnforcer {
         /*
            input: path to rules.json file
            output: loads the appropriate policy into the memory and returns back a vector of rules;
-           * might also be the point to select AC type (ACL, ABAC etc)??
+           * might also be the point to select AC type (ACL, ABAC etc)?? *
         */
         #[derive(Serialize, Deserialize, Clone)]
         struct Rules(Vec<Rule>);

zenoh/src/net/routing/interceptor/mod.rs

@@ -19,6 +19,8 @@
 //! [Click here for Zenoh's documentation](../zenoh/index.html)
 //!
 mod authz;
+use std::sync::Arc;
+
 use self::authz::{Action, NewCtx};
 
 use super::RoutingContext;
@@ -62,8 +64,9 @@ pub(crate) fn interceptor_factories(_config: &Config) -> Vec<InterceptorFactory>
     println!("the interceptor is initialized");
 
     let policy_enforcer = PolicyEnforcer::init().expect("error setting up access control");
+    let pe = Arc::new(policy_enforcer);
     //store the enforcer instance for use in rest of the sessions
-    vec![Box::new(AclEnforcer { e: policy_enforcer })]
+    vec![Box::new(AclEnforcer { e: pe })]
 }
 
 pub(crate) struct InterceptorsChain {
@@ -159,7 +162,7 @@ impl InterceptorFactoryTrait for LoggerInterceptor {
 }
 
 pub(crate) struct AclEnforcer {
-    e: PolicyEnforcer,
+    e: Arc<PolicyEnforcer>,
 }
 
 impl InterceptorFactoryTrait for AclEnforcer {
@@ -200,7 +203,7 @@ impl InterceptorFactoryTrait for AclEnforcer {
 
 pub(crate) struct IngressAclEnforcer {
     //  e: Option<PolicyEnforcer>,
-    e: PolicyEnforcer,
+    e: Arc<PolicyEnforcer>,
 }
 
 impl InterceptorTrait for IngressAclEnforcer {
@@ -227,7 +230,7 @@ impl InterceptorTrait for IngressAclEnforcer {
 }
 
 pub(crate) struct EgressAclEnforcer {
-    e: PolicyEnforcer,
+    e: Arc<PolicyEnforcer>,
     zid: Option<ZenohId>,
 }
 
@@ -236,7 +239,7 @@ impl InterceptorTrait for EgressAclEnforcer {
         &self,
         ctx: RoutingContext<NetworkMessage>,
     ) -> Option<RoutingContext<NetworkMessage>> {
-        //intercept msg and send it to PEP
+        //  intercept msg and send it to PEP
         if let NetworkBody::Push(push) = ctx.msg.body.clone() {
             if let zenoh_protocol::zenoh::PushBody::Put(_put) = push.payload {
                 let e = &self.e;