ros2 / sros2

tools to generate and distribute keys for SROS 2
Apache License 2.0

Unable to find enclave as long as the enclave name is not "talker" #269

Closed victomteng1997 closed 3 years ago

victomteng1997 commented 3 years ago

Bug report

Required Info:

Bug description

Was trying to do access control through SROS2. Followed the tutorial on Linux and it works well. The directory structure is shown below.

~/sros2_demo$ ls
demo_keys  policies
~/sros2_demo/demo_keys$ ls
enclaves  private  public
~/sros2_demo/demo_keys/enclaves/talker_listener$ ls
listener  talker

I then tried to create a new enclave with name test_talker. It works well.

~/sros2_demo$ ros2 security create_key demo_keys /talker_listener/test_talker
creating key for identity: '/talker_listener/test_talker'
creating cert and key
creating permission

/sros2_demo$ ros2 run demo_nodes_cpp talker --ros-args --enclave /talker_listener/test_talker
[INFO] [1624003828.482095644] [rcl]: Found security directory: /home/gelei/sros2_demo/demo_keys/enclaves/talker_listener/test_talker
[INFO] [1624003829.524871118] [talker]: Publishing: 'Hello World: 1'

I can create policy on the old talker enclave:

~/sros2_demo$ ros2 security create_permission demo_keys /talker_listener/talker policies/sample.policy.xml
creating permission file for identity: '/talker_listener/talker'
creating permission

But I cannot create a policy on this new enclave, as shown below. Can anyone help check on that?

~/sros2_demo$ ros2 security create_permission demo_keys /talker_listener/test_talker policies/sample.policy.xml
unable to find enclave "/talker_listener/test_talker"
~/sros2_demo$ ls demo_keys/enclaves/talker_listener/
listener  talker  test_talker

Seems like this problem happens as long as the enclave name is not "talker" or "listener". Is it because of some hard-coded section in the policy file?

victomteng1997 commented 3 years ago

I think I know the issue: https://github.com/ros2/sros2/blob/02c141d11b3e4bc79f54d3433c648aa97b7f685a/sros2/sros2/api/_artifact_generation.py

This error is reported when the enclave parameter is not among the policy subjects described in the policy file's enclaves element (enclaves_element). To resolve the problem, the talker_listener.policy.xml should be modified. Anyway, the error message is a bit misleading.
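The check described in the comment above, as an added example that is not part of the original issue or of the sros2 project's code: it parses a policy XML in the SROS2 policy layout (a `<policy>` root with an `<enclaves>` element holding `<enclave path="...">` entries), reports which enclave paths the policy actually declares when a requested enclave is missing, and shows the fix the comment suggests by appending an `<enclave>` entry for the new enclave. The sample policy, the `/talker_listener/test_talker` path and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy in the SROS2 policy.xml layout (policy version 0.2.0).
# Only /talker_listener/talker and /talker_listener/listener are declared, which is
# the situation in the issue: a key directory exists for test_talker, but the
# policy file has no matching <enclave path="..."> entry.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policy version="0.2.0">
  <enclaves>
    <enclave path="/talker_listener/talker">
      <profiles>
        <profile ns="/" node="talker">
          <topics publish="ALLOW">
            <topic>chatter</topic>
          </topics>
        </profile>
      </profiles>
    </enclave>
    <enclave path="/talker_listener/listener">
      <profiles>
        <profile ns="/" node="listener">
          <topics subscribe="ALLOW">
            <topic>chatter</topic>
          </topics>
        </profile>
      </profiles>
    </enclave>
  </enclaves>
</policy>
"""


def enclave_paths(policy_xml):
    """Return the enclave paths declared in the policy's <enclaves> element."""
    root = ET.fromstring(policy_xml)
    enclaves = root.find("enclaves")
    if enclaves is None:
        return []
    return [e.get("path") for e in enclaves.findall("enclave") if e.get("path")]


def check_enclave(policy_xml, enclave):
    """Return (found, message); the message names the declared enclaves on a miss,
    which is the detail the original 'unable to find enclave' error leaves out."""
    paths = enclave_paths(policy_xml)
    if enclave in paths:
        return True, "enclave %r is declared in the policy" % enclave
    declared = ", ".join(paths) if paths else "(none)"
    return False, ("enclave %r has no <enclave path=...> entry in the policy; "
                   "declared enclaves: %s" % (enclave, declared))


def add_enclave(policy_xml, enclave, node, ns="/"):
    """Append a minimal <enclave> entry for `enclave` (hypothetical helper showing the
    fix the comment describes: edit the policy so it lists the new enclave).
    The new profile grants nothing; topic permissions must still be filled in."""
    root = ET.fromstring(policy_xml)
    enclaves = root.find("enclaves")
    if enclaves is None:
        enclaves = ET.SubElement(root, "enclaves")
    if enclave in enclave_paths(policy_xml):
        return policy_xml  # already declared, nothing to change
    enc = ET.SubElement(enclaves, "enclave", {"path": enclave})
    profiles = ET.SubElement(enc, "profiles")
    ET.SubElement(profiles, "profile", {"ns": ns, "node": node})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    ok, msg = check_enclave(SAMPLE_POLICY, "/talker_listener/test_talker")
    print(msg)
    fixed = add_enclave(SAMPLE_POLICY, "/talker_listener/test_talker", "test_talker")
    print(check_enclave(fixed, "/talker_listener/test_talker")[1])
```

Running `check_enclave` before `create_permission` turns the misleading "unable to find enclave" into a message that points at the policy file rather than at the key directory, which is where the issue's author looked first.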