eclipse-cyclonedds / cyclonedds

Eclipse Cyclone DDS project
https://projects.eclipse.org/projects/iot.cyclonedds

Unexpected behavior with permission file - Cannot create topic with deny topic name #1922

Open mirusu400 opened 8 months ago

mirusu400 commented 8 months ago

Hello. While using cyclonedds I got unexpected behavior with permissions.

Expected behavior

When I create a topic rule in governance.xml and add a deny_rule in permissions.xml, an error should be raised when we call the dds_create_writer function.

Current behavior

With a governance.xml and a permissions.xml containing a deny_rule, errors are raised when dds_create_topic is called (not the dds_create_writer function!).

Steps to reproduce


* `permissions.xml`
```xml
<?xml version="1.0" encoding="UTF-8"?> 
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-Security/20170801/omg_shared_ca_permissions.xsd"> 
    <permissions> 
        <grant name="vhljBjPYrHh"> 
            <subject_name>C=US,ST=PA,L=State College,O=PSecLab,CN=vhljBjPYrHh</subject_name> 
            <validity> 
                <not_before>2013-06-01T13:00:00</not_before> 
                <not_after>2038-06-01T13:00:00</not_after> 
            </validity> 
            <allow_rule> 
                <domains> 
                    <id_range> 
                        <min>0</min> 
                        <max>230</max> 
                    </id_range> 
                </domains> 
                <publish> 
                    <topics> 
                        <topic>tHwCnVJYerR</topic> 
                    </topics> 
                </publish> 
                <subscribe> 
                    <topics> 
                        <topic>tHwCnVJYerR</topic> 
                    </topics> 
                </subscribe> 
            </allow_rule> 
            <deny_rule> 
                <domains> 
                    <id_range> 
                        <min>0</min> 
                        <max>230</max> 
                    </id_range> 
                </domains> 
                <publish> 
                    <topics> 
                        <topic>xbereaWTKtY</topic> 
                    </topics> 
                </publish> 
                <subscribe> 
                    <topics> 
                        <topic>xbereaWTKtY</topic> 
                    </topics> 
                </subscribe> 
            </deny_rule> 
            <default>DENY</default> 
        </grant> 
    </permissions> 
</dds>
```

```cpp
// This code should get an error
dds_entity_t topic = dds_create_topic(participant1, &HelloWorldData_Msg_desc, topic_name.c_str(), NULL, NULL);
if (topic < 0) std::cout << "ERROR: dds_create_topic failed \n";
```

PoC

eclipse_dds_permission.zip

We can simply test with the given PoC:

```
mkdir build
cd build
cmake ..
make
./main
```

Here is the output:

```
ERROR: dds_create_topic failed 
ERROR: dds_create_writer writer failed 
ERROR: dds_create_reader reader failed 
ERROR: dds_write writer failed 
```

eboasson commented 8 months ago

I'm not so sure it is in error, or at least, that it deviates from the spec:

Table 63 ("Actions undertaken by the operations of the builtin AccessControl plugin") lists for "check_create_topic":

> This operation shall use the permissions_handle to retrieve the cached Permissions and Governance information.
>
> If the Governance specifies a topic or topic-expression on the DomainParticipant domain_id matching the Topic name

It does (domain id = 0, so in range of both governance and permissions documents).

> with enable_read_access_control set to FALSE or with enable_write_access_control set to FALSE, then the operation shall succeed and return TRUE.

Both are set to TRUE, therefore, continue.

> If the Permissions document contains a Grant for the DomainParticipant allowing it to publish the Topic with specified topic_name, then the operation shall succeed and return TRUE.

The permissions document contains a DENY rule for publishing, therefore continue.

> If the Permissions document contains a Grant for the DomainParticipant allowing it to subscribe the Topic with specified topic_name, then the operation shall succeed and return TRUE.

The permissions document contains a DENY rule for subscribing, therefore continue ...

> Otherwise the operation shall return FALSE.

... and thus deny the creation of the topic.
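
The check_create_topic steps quoted in the comment above, modelled in C and run against the grant from the posted permissions.xml. This is an added example, not part of the thread and not Cyclone DDS source code. The struct and function names are hypothetical, the governance rule is constructed because governance.xml is not shown on the page, and the model assumes rules are evaluated in document order while ignoring subject name, validity, partitions and data tags.

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model: one topic expression per rule side, no partitions or tags. */
enum action { PUBLISH, SUBSCRIBE };
struct rule { bool allow; int dom_min, dom_max; const char *pub, *sub; };
struct grant { const struct rule *rules; size_t n; bool default_allow; };
struct topic_rule { const char *expr; bool read_ac, write_ac; };

/* First rule (document order) matching domain and topic decides; else <default>. */
static bool grant_allows(const struct grant *g, int dom, const char *topic, enum action a)
{
    for (size_t i = 0; i < g->n; i++) {
        const struct rule *r = &g->rules[i];
        const char *expr = (a == PUBLISH) ? r->pub : r->sub;
        if (dom >= r->dom_min && dom <= r->dom_max && expr && fnmatch(expr, topic, 0) == 0)
            return r->allow;
    }
    return g->default_allow;
}

/* The check_create_topic steps as quoted in the comment above. */
static bool check_create_topic(const struct topic_rule *gov, const struct grant *g,
                               int dom, const char *topic)
{
    if (fnmatch(gov->expr, topic, 0) == 0 && (!gov->read_ac || !gov->write_ac))
        return true;                       /* access control switched off */
    if (grant_allows(g, dom, topic, PUBLISH) || grant_allows(g, dom, topic, SUBSCRIBE))
        return true;                       /* a grant allows publish or subscribe */
    return false;                          /* "Otherwise ... return FALSE" */
}

/* Grant from the permissions.xml posted in this issue. */
static const struct rule issue_rules[] = {
    { true,  0, 230, "tHwCnVJYerR", "tHwCnVJYerR" },   /* <allow_rule> */
    { false, 0, 230, "xbereaWTKtY", "xbereaWTKtY" },   /* <deny_rule>  */
};
static const struct grant issue_grant = { issue_rules, 2, false };   /* <default>DENY */
/* Constructed: governance.xml is not on the page; "*" is an assumed expression. */
static const struct topic_rule issue_gov = { "*", true, true };

int main(void)
{
    printf("denied topic:  %d\n", check_create_topic(&issue_gov, &issue_grant, 0, "xbereaWTKtY"));
    printf("allowed topic: %d\n", check_create_topic(&issue_gov, &issue_grant, 0, "tHwCnVJYerR"));
    return 0;
}
```

Under this model a topic is refused at creation time whenever neither publish nor subscribe is allowed, so a name that matches only a deny_rule (or no rule, with default DENY) never reaches the writer or reader checks.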