Adding TLS authentication #840

Merged
merged 42 commits into from
May 31, 2024
Merged
4456e3f
adding test files
kauncoder Mar 13, 2024
3c84e59
testing cert names
kauncoder Mar 13, 2024
7c8ee21
testing cert authn
kauncoder Mar 13, 2024
a067a77
adding basic authID functionality
kauncoder Mar 18, 2024
4e91772
remove secret files
kauncoder Mar 18, 2024
613086c
add extensibility
kauncoder Mar 19, 2024
e83ca81
add extensibility
kauncoder Mar 19, 2024
fa20fad
add extensibility
kauncoder Mar 19, 2024
bc1558d
adding type constraints
kauncoder Mar 20, 2024
294e0c5
adding level abstraction for authentication info
kauncoder Mar 22, 2024
f512764
adding username authentication
kauncoder Mar 25, 2024
8d048f4
cleaning code
kauncoder Mar 26, 2024
8ed2361
added cfg checks for auth_usrpwd
kauncoder Mar 27, 2024
29760c0
adding test files
kauncoder Mar 13, 2024
339170d
merge with 0.11
kauncoder Apr 22, 2024
39ec2bf
fix error due to vsock
kauncoder Apr 22, 2024
e43aa77
fix test error
kauncoder Apr 23, 2024
0b6b80f
access auth ids in acl interceptor
kauncoder Apr 25, 2024
427733b
add authentication support in acl
kauncoder Apr 25, 2024
78eacc9
added Subject
kauncoder Apr 25, 2024
7ba77b6
adding test files
kauncoder Mar 13, 2024
49143b4
merge with quic changes
kauncoder Apr 25, 2024
310c122
add authn features with acl
kauncoder Apr 26, 2024
b6eb797
remove error
kauncoder Apr 30, 2024
66dc536
add tests for tls and quic
kauncoder May 2, 2024
bfeaa53
add tests for user-password
kauncoder May 2, 2024
84bd03a
merge with latest acl
kauncoder May 2, 2024
0513918
remove format error
kauncoder May 2, 2024
b999a21
ignore tests without testfiles
kauncoder May 3, 2024
ae40b9c
remove shm test errors
kauncoder May 3, 2024
58739b1
remove typos
kauncoder May 3, 2024
bb16d4c
add testfiles for authn
kauncoder May 4, 2024
babdabc
fix testfiles for authn
kauncoder May 4, 2024
b4aaef9
Merge branch 'dev/1.0.0' into authn/testing
oteffahi May 28, 2024
0a03e99
Chore: Code format
oteffahi May 28, 2024
f91e885
Change port numbers to allow tests to run concurrently
oteffahi May 29, 2024
2714ced
Fix TLS and Quic test failures due to subsequent sessions on same por…
oteffahi May 29, 2024
baf4704
Format json configs
oteffahi May 29, 2024
405000a
Remove unused deprecated dependency async-rustls
oteffahi May 31, 2024
84ae20e
Chore: format list of cargo dependencies
oteffahi May 31, 2024
ae7f496
Merge branch 'dev/1.0.0' into authn/testing
oteffahi May 31, 2024
b136812
Fix imports
oteffahi May 31, 2024
adding type constraints
kauncoder committed Mar 20, 2024
commit bc1558da7788bdd96c5d505bbd24f1d075442b10
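--- a/io/zenoh-link-commons/src/lib.rs
+++ b/io/zenoh-link-commons/src/lib.rs
@@ -48,7 +48,7 @@ pub struct Link {
 pub is_reliable: bool,
 pub is_streamed: bool,
 pub interfaces: Vec<String>,
-pub auth_identifier: AuthIdentifier,
+pub auth_identifier: AuthId,
 }
 
 #[async_trait]
@@ -99,10 +99,7 @@ impl From<&LinkMulticast> for Link {
 is_reliable: link.is_reliable(),
 is_streamed: false,
 interfaces: vec![],
-auth_identifier: AuthIdentifier {
-username: None,
-tls_cert_name: None,
-},
+auth_identifier: AuthId::None,
 }
 }
 }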
82 changes: 29 additions & 53 deletions io/zenoh-link-commons/src/unicast.rs
@@ -20,7 +20,6 @@ use core::{
ops::Deref,
};
use serde::Serialize;
use std::any::Any;
use zenoh_protocol::core::{EndPoint, Locator};
use zenoh_result::ZResult;

@@ -49,7 +48,7 @@ pub trait LinkUnicastTrait: Send + Sync {
fn is_reliable(&self) -> bool;
fn is_streamed(&self) -> bool;
fn get_interface_names(&self) -> Vec<String>;
fn get_auth_identifier(&self) -> AuthIdentifier;
fn get_auth_identifier(&self) -> AuthId;
async fn write(&self, buffer: &[u8]) -> ZResult<usize>;
async fn write_all(&self, buffer: &[u8]) -> ZResult<()>;
async fn read(&self, buffer: &mut [u8]) -> ZResult<usize>;
@@ -118,49 +117,40 @@ pub fn get_ip_interface_names(addr: &SocketAddr) -> Vec<String> {
}
}

#[derive(Clone, Debug, Serialize, Hash, PartialEq, Eq)]

pub struct AuthIdentifier {
pub username: Option<String>,
pub tls_cert_name: Option<String>,
}

//#[derive(Debug, Default, PartialEq)]
#[derive(Clone, Debug, Serialize, Eq, Hash, PartialEq)]
pub enum AuthIdType {
None,
TlsCommonName,
Username,
}

#[derive(Default, Debug, PartialEq, Eq, Hash)]
pub struct Username(String);
// /* need to put restrictions on auth_id values as well */
// pub enum AuthIdValue {
// Tls(String),
// Username(String),
// }
#[derive(Clone, Debug, Serialize, Eq, Hash, PartialEq)]

pub enum AuthId {
None,
TlsCommonName(String),
Username(String),
}

pub struct AuthId {
pub auth_type: AuthIdType,
pub auth_value: Option<Box<dyn Any>>, //downcast in interceptor by auth_id_type
pub trait AuthIdTrait {
fn get_authid(&self) -> AuthId;
}

impl AuthId {
pub fn builder() -> AuthIdBuilder {
AuthIdBuilder::new()
}
pub fn get_type() {} //gets the authId type
}

pub fn get_value() {} //get the authId value to be used in ACL
impl AuthIdTrait for AuthId {
fn get_authid(&self) -> AuthId {
self.clone()
}
}
#[derive(Debug)]
pub struct AuthIdBuilder {
pub auth_type: Option<AuthIdType>,
pub auth_value: Option<Box<dyn Any>>, //downcast in interceptor by auth_id_type
/*
possible values for auth_value: Vec<String> and String (as of now)
*/
pub auth_type: AuthIdType, //HAS to be provided when building
pub auth_value: AuthId, //actual value added to the above type; is None for None type
}
impl Default for AuthIdBuilder {
fn default() -> Self {
@@ -171,41 +161,27 @@ impl Default for AuthIdBuilder {
impl AuthIdBuilder {
pub fn new() -> AuthIdBuilder {
AuthIdBuilder {
auth_type: Some(AuthIdType::None),
auth_value: None,
auth_type: AuthIdType::None,
auth_value: AuthId::None,
}
}

pub fn auth_type(&mut self, auth_type: AuthIdType) -> &mut Self {
self.auth_type(auth_type);
self.auth_type = auth_type;
self
}
pub fn auth_value(&mut self, auth_value: Option<Box<dyn Any>>) -> &mut Self {
// let _ = self.auth_value.insert(auth_value.into());
self.auth_value(auth_value);
pub fn auth_value(&mut self, auth_value: String) -> &mut Self {
let value = auth_value;

match self.auth_type {
AuthIdType::None => self.auth_value = AuthId::None,
AuthIdType::TlsCommonName => self.auth_value = AuthId::TlsCommonName(value),
AuthIdType::Username => self.auth_value = AuthId::Username(value),
};
self
}

pub fn build(&self) -> AuthId {
let auth_type = self.auth_type.clone().unwrap();
let auth_value = &self.auth_value;
AuthId {
auth_type,
auth_value,
}
self.auth_value.clone()
}
}

// pub trait AuthIdTrait<Id, Builder> {
// fn builder() -> Builder {
// Builder::default()
// }
// fn get_type() {} //gets the authId type

// fn get_value() {} //get the authId value to be used in ACL
// }

//
// pub trait AuthIdValue {
// //define features to restrict auth_value behaviour
// }
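Review bot: `AuthIdBuilder::auth_value` decides the variant from `self.auth_type` at call time (the `match self.auth_type` block), so calling `.auth_value(..)` before `.auth_type(..)` silently produces `AuthId::None`, and changing the type afterwards leaves `build()` returning a stale variant, with no error in either case. Because `build()` now returns only `self.auth_value.clone()`, the `auth_type` field duplicates the enum discriminant; either store the raw `String` and form the variant inside `build()`, or drop the builder and construct `AuthId::TlsCommonName(name)` directly at the call sites. The commented-out `AuthIdTrait<Id, Builder>`/`AuthIdValue` sketches at the end of the hunk and the `//#[derive(Debug, Default, PartialEq)]` line are dead code and should be removed rather than carried in comments.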
63 changes: 34 additions & 29 deletions io/zenoh-links/zenoh-link-quic/src/unicast.rs
@@ -1,3 +1,4 @@
use async_rustls::server;
//
// Copyright (c) 2023 ZettaScale Technology
//
@@ -33,8 +34,8 @@ use std::sync::Arc;
use std::time::Duration;
use zenoh_core::zasynclock;
use zenoh_link_commons::{
get_ip_interface_names, AuthIdentifier, LinkManagerUnicastTrait, LinkUnicast, LinkUnicastTrait,
ListenersUnicastIP, NewLinkChannelSender,
get_ip_interface_names, AuthId, AuthIdBuilder, AuthIdType, LinkManagerUnicastTrait,
LinkUnicast, LinkUnicastTrait, ListenersUnicastIP, NewLinkChannelSender,
};
use zenoh_protocol::core::{EndPoint, Locator};
use zenoh_result::{bail, zerror, ZError, ZResult};
@@ -47,7 +48,7 @@ pub struct LinkUnicastQuic {
dst_locator: Locator,
send: AsyncMutex<quinn::SendStream>,
recv: AsyncMutex<quinn::RecvStream>,
auth_identifier: Option<AuthIdentifier>,
auth_identifier: AuthId,
}

impl LinkUnicastQuic {
@@ -57,7 +58,7 @@ impl LinkUnicastQuic {
dst_locator: Locator,
send: quinn::SendStream,
recv: quinn::RecvStream,
auth_identifier: Option<AuthIdentifier>,
auth_identifier: AuthId,
) -> LinkUnicastQuic {
// Build the Quic object
LinkUnicastQuic {
@@ -160,14 +161,15 @@ impl LinkUnicastTrait for LinkUnicastQuic {
fn is_streamed(&self) -> bool {
true
}
fn get_auth_identifier(&self) -> AuthIdentifier {
match &self.auth_identifier {
Some(identifier) => identifier.clone(),
None => AuthIdentifier {
username: None,
tls_cert_name: None,
},
}
fn get_auth_identifier(&self) -> AuthId {
self.auth_identifier.clone()
// match &self.auth_identifier {
// Some(identifier) => identifier.clone(),
// None => AuthIdentifier {
// username: None,
// tls_cert_name: None,
// },
// }
}
}

@@ -309,7 +311,7 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastQuic {
.await
.map_err(|e| zerror!("Can not create a new QUIC link bound to {}: {}", host, e))?;

let mut test_auth_id: Option<AuthIdentifier> = None;
let mut auth_id = AuthId::None;

let pi = &quic_conn.peer_identity().unwrap();
match pi.downcast_ref::<Vec<rustls::Certificate>>() {
@@ -323,13 +325,10 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastQuic {
.next()
.and_then(|cn| cn.as_str().ok())
.unwrap();
let auth_identifier = AuthIdentifier {
username: None,
tls_cert_name: Some(subject_name.to_string()),
};

println!("server side quic auth_identifier: {:?}", auth_identifier);
test_auth_id = Some(auth_identifier);
auth_id = AuthIdBuilder::new()
.auth_type(AuthIdType::TlsCommonName)
.auth_value(subject_name.to_string())
.build();
}
}
None => {
@@ -343,7 +342,7 @@ impl LinkManagerUnicastTrait for LinkManagerUnicastQuic {
endpoint.into(),
send,
recv,
test_auth_id,
auth_id,
));
Ok(LinkUnicast(link))
}
@@ -546,7 +545,7 @@ async fn accept_task(
}
};
println!("the accept function is also called before check");
let mut test_auth_id: Option<AuthIdentifier> = None;
let mut auth_id = AuthId::None;
{
let new_conn = quic_conn.clone();
let server_name = new_conn
@@ -567,17 +566,23 @@ async fn accept_task(
.as_ref()
.unwrap()
.clone();
let auth_identifier = AuthIdentifier {
username: None,
tls_cert_name: Some(server_name.to_string()),
};

auth_id = AuthIdBuilder::new()
.auth_type(AuthIdType::TlsCommonName)
.auth_value(server_name.to_string())
.build();
// Ok(auth_id)
// let auth_identifier = AuthId {
// username: None,
// tls_cert_name: Some(server_name.to_string()),
// };

println!(
"From conncetion, server_name {:?} and protocol_deets {:?}",
server_name, protocol_deets
);
println!("client side quic auth_identifier: {:?}", auth_identifier);
test_auth_id = Some(auth_identifier);
println!("client side quic auth_identifier: {:?}", auth_id);
//auth_id = Some(auth_id);

// if let Some(cert_info) = new_conn.peer_identity() {
// //use cert info
@@ -620,7 +625,7 @@ async fn accept_task(
Locator::new(QUIC_LOCATOR_PREFIX, dst_addr.to_string(), "")?,
send,
recv,
test_auth_id,
auth_id,
));

// Communicate the new link to the initial transport manager
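Review bot: In `accept_task` the new `AuthIdBuilder::new().auth_type(AuthIdType::TlsCommonName).auth_value(server_name.to_string())` takes its identity from `server_name`, which by its name and the `.as_ref().unwrap()` chain above it looks like the handshake's requested server name rather than a subject name read from the peer's verified certificate; if so, that value is chosen by the connecting peer and must not be treated as an authenticated identity — the accept side should extract the common name from `peer_identity()` the way the connect path in the `@@ -309` hunk does. The start of that chain is cut by the hunk boundary, so please confirm what it reads. The accompanying `println!("client side quic auth_identifier: {:?}", auth_id)` is debug output that should become a trace-level log call or be dropped before merge, and the "client side"/"server side" labels appear swapped relative to the functions they sit in. Separately, `use async_rustls::server;` was inserted above the copyright header at line 1 and is not referenced by any hunk shown.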
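--- a/io/zenoh-links/zenoh-link-serial/src/unicast.rs
+++ b/io/zenoh-links/zenoh-link-serial/src/unicast.rs
@@ -25,7 +25,7 @@ use std::sync::{Arc, RwLock};
 use std::time::Duration;
 use zenoh_core::{zasynclock, zread, zwrite};
 use zenoh_link_commons::{
-AuthIdentifier, ConstructibleLinkManagerUnicast, LinkManagerUnicastTrait, LinkUnicast,
+AuthId, ConstructibleLinkManagerUnicast, LinkManagerUnicastTrait, LinkUnicast,
 LinkUnicastTrait, NewLinkChannelSender,
 };
 use zenoh_protocol::core::{EndPoint, Locator};
@@ -206,11 +206,8 @@ impl LinkUnicastTrait for LinkUnicastSerial {
 fn is_streamed(&self) -> bool {
 false
 }
-fn get_auth_identifier(&self) -> AuthIdentifier {
-AuthIdentifier {
-username: None,
-tls_cert_name: None,
-}
+fn get_auth_identifier(&self) -> AuthId {
+AuthId::None
 }
 }
 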
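--- a/io/zenoh-links/zenoh-link-tcp/src/unicast.rs
+++ b/io/zenoh-links/zenoh-link-tcp/src/unicast.rs
@@ -22,7 +22,7 @@ use std::sync::atomic::{AtomicBool, Ordering};
 use std::sync::Arc;
 use std::time::Duration;
 use zenoh_link_commons::{
-get_ip_interface_names, AuthIdentifier, LinkManagerUnicastTrait, LinkUnicast, LinkUnicastTrait,
+get_ip_interface_names, AuthId, LinkManagerUnicastTrait, LinkUnicast, LinkUnicastTrait,
 ListenersUnicastIP, NewLinkChannelSender, BIND_INTERFACE,
 };
 use zenoh_protocol::core::{EndPoint, Locator};
@@ -156,11 +156,8 @@ impl LinkUnicastTrait for LinkUnicastTcp {
 fn is_streamed(&self) -> bool {
 true
 }
-fn get_auth_identifier(&self) -> AuthIdentifier {
-AuthIdentifier {
-username: None,
-tls_cert_name: None,
-}
+fn get_auth_identifier(&self) -> AuthId {
+AuthId::None
 }
 }
 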