Add certificate and user/password authentication methods to ACL filters

.gitignore

@@ -21,4 +21,6 @@
 
 cargo-timing*.html
 
+#ignore test data
+testfiles
 ci/valgrind-check/*.log

Cargo.toml

@@ -178,6 +178,7 @@ validated_struct = "2.1.0"
 vec_map = "0.8.2"
 webpki-roots = "0.26.0"
 winapi = { version = "0.3.9", features = ["iphlpapi"] }
+x509-parser = "0.16.0"
 z-serial = "0.2.3"
 zenoh-ext = { version = "0.11.0-dev", path = "zenoh-ext" }
 zenoh-shm = { version = "0.11.0-dev", path = "commons/zenoh-shm" }

commons/zenoh-config/src/lib.rs

@@ -106,6 +106,8 @@ pub struct DownsamplingItemConf {
 #[derive(Serialize, Debug, Deserialize, Clone)]
 pub struct AclConfigRules {
     pub interfaces: Option<Vec<String>>,
+    pub cert_common_names: Option<Vec<String>>,
+    pub usernames: Option<Vec<String>>,
     pub key_exprs: Vec<String>,
     pub actions: Vec<Action>,
     pub flows: Option<Vec<InterceptorFlow>>,
@@ -126,6 +128,8 @@ pub struct PolicyRule {
 #[serde(rename_all = "snake_case")]
 pub enum Subject {
     Interface(String),
+    CertCommonName(String),
+    Username(String),
 }
 
 #[derive(Clone, Copy, Debug, Serialize, Deserialize, Eq, Hash, PartialEq)]

io/zenoh-link-commons/src/lib.rs

@@ -50,6 +50,7 @@ pub struct Link {
     pub is_reliable: bool,
     pub is_streamed: bool,
     pub interfaces: Vec<String>,
+    pub auth_identifier: LinkAuthId,
 }
 
 #[async_trait]
@@ -78,6 +79,7 @@ impl From<&LinkUnicast> for Link {
             is_reliable: link.is_reliable(),
             is_streamed: link.is_streamed(),
             interfaces: link.get_interface_names(),
+            auth_identifier: link.get_auth_identifier(),
         }
     }
 }
@@ -98,6 +100,7 @@ impl From<&LinkMulticast> for Link {
             is_reliable: link.is_reliable(),
             is_streamed: false,
             interfaces: vec![],
+            auth_identifier: LinkAuthId::default(),
         }
     }
 }

io/zenoh-link-commons/src/unicast.rs

@@ -20,6 +20,7 @@ use core::{
 use std::net::SocketAddr;
 
 use async_trait::async_trait;
+use serde::Serialize;
 use zenoh_protocol::{
     core::{EndPoint, Locator},
     transport::BatchSize,
@@ -51,6 +52,7 @@ pub trait LinkUnicastTrait: Send + Sync {
     fn is_reliable(&self) -> bool;
     fn is_streamed(&self) -> bool;
     fn get_interface_names(&self) -> Vec<String>;
+    fn get_auth_identifier(&self) -> LinkAuthId;
     async fn write(&self, buffer: &[u8]) -> ZResult<usize>;
     async fn write_all(&self, buffer: &[u8]) -> ZResult<()>;
     async fn read(&self, buffer: &mut [u8]) -> ZResult<usize>;
@@ -118,3 +120,71 @@ pub fn get_ip_interface_names(addr: &SocketAddr) -> Vec<String> {
         }
     }
 }
+
+#[derive(Clone, Debug, Serialize, Hash, PartialEq, Eq)]
+pub enum LinkAuthType {
+    Tls,
+    Quic,
+    None,
+}
+
+#[derive(Clone, Debug, Serialize, Hash, PartialEq, Eq)]
+pub struct LinkAuthId {
+    auth_type: LinkAuthType,
+    auth_value: Option<String>,
+}
+
+impl LinkAuthId {
+    pub fn get_type(&self) -> &LinkAuthType {
+        &self.auth_type
+    }
+    pub fn get_value(&self) -> &Option<String> {
+        &self.auth_value
+    }
+}
+
+impl Default for LinkAuthId {
+    fn default() -> Self {
+        LinkAuthId {
+            auth_type: LinkAuthType::None,
+            auth_value: None,
+        }
+    }
+}
+
+#[derive(Debug)]
+pub struct LinkAuthIdBuilder {
+    pub auth_type: LinkAuthType,    // HAS to be provided when building
+    pub auth_value: Option<String>, // actual value added to the above type; is None for None type
+}
+
+impl Default for LinkAuthIdBuilder {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
+impl LinkAuthIdBuilder {
+    pub fn new() -> LinkAuthIdBuilder {
+        LinkAuthIdBuilder {
+            auth_type: LinkAuthType::None,
+            auth_value: None,
+        }
+    }
+
+    pub fn auth_type(&mut self, auth_type: LinkAuthType) -> &mut Self {
+        self.auth_type = auth_type;
+        self
+    }
+    pub fn auth_value(&mut self, auth_value: Option<String>) -> &mut Self {
+        self.auth_value = auth_value;
+        self
+    }
+
+    pub fn build(&self) -> LinkAuthId {
+        LinkAuthId {
+            auth_type: self.auth_type.clone(),
+            auth_value: self.auth_value.clone(),
+        }
+    }
+}

io/zenoh-links/zenoh-link-quic/Cargo.toml

@@ -30,13 +30,13 @@ base64 = { workspace = true }
 futures = { workspace = true }
 quinn = { workspace = true }
 rustls-native-certs = { workspace = true }
-rustls-pki-types =  { workspace = true }
+rustls-pki-types = { workspace = true }
 rustls-webpki = { workspace = true }
 secrecy = { workspace = true }
 tokio = { workspace = true, features = [
-  "fs",
   "io-util",
   "net",
+  "fs",
   "sync",
   "time",
 ] }
@@ -54,5 +54,6 @@ zenoh-sync = { workspace = true }
 zenoh-util = { workspace = true }
 # Lock due to quinn not supporting rustls 0.22 yet
 rustls = { version = "0.21", features = ["dangerous_configuration", "quic"] }
-tokio-rustls = "0.24.1"
 rustls-pemfile = { version = "1" }
+tokio-rustls = "0.24.1"
+x509-parser = { workspace = true }