eclipse-zenoh / zenoh

zenoh unifies data in motion, data in-use, data at rest and computations. It carefully blends traditional pub/sub with geo-distributed storages, queries and computations, while retaining a level of time and space efficiency that is well beyond any of the mainstream stacks.
https://zenoh.io

ACL rules don't apply correctly when locator listens on multiple interfaces #1159

Closed oteffahi closed 3 months ago

oteffahi commented 3 months ago

Describe the bug

When the listener locator matches multiple interfaces, ACL rules can allow traffic which should be denied on a specific interface in certain edge cases. This is because the current code logic loops over the interfaces looking for at least one explicit allow, without checking the message's destination interface.

To reproduce

  1. Run the z_sub example with a listener on all interfaces: `cargo run --example z_sub -- -c config.json5 -l tcp/0.0.0.0:7447 --no-multicast-scouting` with the following config file:
    {
      access_control: {
        "enabled": true,
        "default_permission": "deny",
        "rules": [
          { // allow outgoing "declare_subscriber" on en0 and lo0
            "actions": [
              "declare_subscriber"
            ],
            "flows": ["egress"],
            "permission": "allow",
            "key_exprs": [
              "demo/example/**"
            ],
            "interfaces": [
              "en0", "lo0"
            ]
          },
          { // allow incoming "put" on en0
            "actions": [
              "put"
            ],
            "flows": ["ingress"],
            "permission": "allow",
            "key_exprs": [
              "demo/example/**"
            ],
            "interfaces": [
              "en0"
            ]
          },
        ]
      },
    }
  2. Run the z_pub example with a localhost endpoint: `cargo run --example z_pub -- -e tcp/127.0.0.1:7447 --no-multicast-scouting`

System info

oteffahi commented 3 months ago

It looks like this issue is linked to #1093, and was fixed by #1123. At the moment it still applies to UDP: https://github.com/eclipse-zenoh/zenoh/issues/1126
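
The decision logic described in the bug report, as an added example that is not part of the original issue and is not zenoh's own code: a simplified Rust model of the two rules from the config above, comparing an "any matched interface" check with a check keyed on the interface that carried the message. All type and function names are hypothetical, and key expression matching is reduced to a prefix test.

```rust
// Simplified model of the behaviour described in the issue, not zenoh's ACL
// code. All type and function names here are hypothetical.
#[derive(PartialEq, Clone, Copy)]
enum Action { DeclareSubscriber, Put }
#[derive(PartialEq, Clone, Copy)]
enum Flow { Ingress, Egress }

struct AllowRule {
    action: Action,
    flow: Flow,
    key_prefix: &'static str, // stands in for the "demo/example/**" key expression
    interfaces: &'static [&'static str],
}

// The two allow rules from the issue's config; default_permission is "deny".
static RULES: [AllowRule; 2] = [
    AllowRule { action: Action::DeclareSubscriber, flow: Flow::Egress,
                key_prefix: "demo/example/", interfaces: &["en0", "lo0"] },
    AllowRule { action: Action::Put, flow: Flow::Ingress,
                key_prefix: "demo/example/", interfaces: &["en0"] },
];

// True if an explicit allow rule covers this action/flow/key on `iface`.
fn rule_allows(iface: &str, action: Action, flow: Flow, key: &str) -> bool {
    RULES.iter().any(|r| r.action == action && r.flow == flow
        && key.starts_with(r.key_prefix)
        && r.interfaces.iter().any(|i| *i == iface))
}

// Behaviour described in the issue: every interface matched by the listener
// locator is tried, and one explicit allow on any of them is enough.
fn allowed_any_interface(listener_ifaces: &[&str], action: Action, flow: Flow, key: &str) -> bool {
    listener_ifaces.iter().any(|&i| rule_allows(i, action, flow, key))
}

// Stricter check: only the interface that carried the message is evaluated.
fn allowed_on_interface(msg_iface: &str, action: Action, flow: Flow, key: &str) -> bool {
    rule_allows(msg_iface, action, flow, key)
}

fn main() {
    let listener = ["en0", "lo0"]; // tcp/0.0.0.0:7447 matches both interfaces
    let key = "demo/example/constructed-key"; // constructed sample key
    // z_pub connects through 127.0.0.1, so its put arrives on lo0.
    println!("any-interface check allows put: {}",
             allowed_any_interface(&listener, Action::Put, Flow::Ingress, key));
    println!("per-interface check allows put on lo0: {}",
             allowed_on_interface("lo0", Action::Put, Flow::Ingress, key));
}
```
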