From b10501871c56e9e4d892249761ab4c64f6fb0ddb Mon Sep 17 00:00:00 2001 From: Eduardo Ponz Segrelles Date: Fri, 10 Feb 2023 12:26:31 +0100 Subject: [PATCH] Secure discovery server (#437) * Refs #15596. Added XML profile for CLI example. Signed-off-by: Miguel Company * Refs #15596. CLI examples updated. Signed-off-by: Miguel Company * Refs #15596. Added note regarding security configuration. Signed-off-by: Miguel Company * Refs #15596. Introduction on discovery server section. Signed-off-by: Miguel Company * Refs #15596: Add security section to discovery server Signed-off-by: Eduardo Ponz --------- Signed-off-by: Miguel Company Signed-off-by: Eduardo Ponz Co-authored-by: Miguel Company --- code/XMLTester.xml | 68 +++++++++++++++++++++ docs/fastdds/discovery/discovery_server.rst | 30 +++++++++ docs/fastddscli/cli/cli.rst | 36 +++++++++-- 3 files changed, 130 insertions(+), 4 deletions(-) diff --git a/code/XMLTester.xml b/code/XMLTester.xml index fb8c17172..773201047 100644 --- a/code/XMLTester.xml +++ b/code/XMLTester.xml @@ -796,6 +796,74 @@ + + + + 44.53.00.5f.45.50.52.4f.53.49.4d.41 + + + SERVER + + + + +
0.0.0.0
+ 11811 +
+
+
+
+ + + + + dds.sec.auth.plugin + builtin.PKI-DH + + + + + dds.sec.auth.builtin.PKI-DH.identity_ca + file://maincacert.pem + + + dds.sec.auth.builtin.PKI-DH.identity_certificate + file://appcert.pem + + + dds.sec.auth.builtin.PKI-DH.private_key + file://appkey.pem + + + + + dds.sec.access.plugin + builtin.Access-Permissions + + + + + dds.sec.access.builtin.Access-Permissions.permissions_ca + file://maincacet.pem + + + dds.sec.access.builtin.Access-Permissions.governance + file://governance.smime + + + dds.sec.access.builtin.Access-Permissions.permissions + file://permissions.smime + + + + + dds.sec.crypto.plugin + builtin.AES-GCM-GMAC + + + +
+
<--> diff --git a/docs/fastdds/discovery/discovery_server.rst b/docs/fastdds/discovery/discovery_server.rst index bbda3fdab..2a3d9453a 100644 --- a/docs/fastdds/discovery/discovery_server.rst +++ b/docs/fastdds/discovery/discovery_server.rst @@ -389,3 +389,33 @@ Client side setup | :lines: 2-3,5-40 | | :append: | +---------------------------------------------------------------------+ + +.. _DS_security: + +Security +^^^^^^^^ + +Configuring :ref:`security` on *servers* and *clients* is done the same way as for any other participant. +This section depicts the limitations imposed by the security enforcement on the communication between +*clients* and *servers*, and which discovery information is propagated by a *server* depending on the security +configuration of the *clients* and *servers* to which it is connected. + +It is important to note that for enabling a secure discovery when using Discovery Server, *Fast DDS* must be compiled +with security support (see :ref:`cmake_options`), and the :ref:`domain_governance_doc` must explicitly encrypt the +discovery. + +As in SDP, when using this feature, the Domain Governance Document of all *clients* and *servers* connecting to a +*server* must match that of the *server*, which implies that all |DomainParticipants| belonging to the same Discovery +Sever network must configure the discovery protection in the same manner. + +Although the *server* mediates the discovery process and creates connections between *clients*, the *clients* themselves +still go through the PKI (Public Key Infrastructure) exchange in order to have a secure communication between them. + +.. important:: + + In order to keep the behavior consistent with the QoS Policies, the *server* does not check the + :ref:`domainparticipant_permissions_doc` of the |DomainParticipants| that it is connecting. + +.. important:: + + Security support for Discovery Server is only supported from Fast DDS v2.10.0 onward. 
diff --git a/docs/fastddscli/cli/cli.rst b/docs/fastddscli/cli/cli.rst index ebc25b677..49637c722 100644 --- a/docs/fastddscli/cli/cli.rst +++ b/docs/fastddscli/cli/cli.rst @@ -103,6 +103,7 @@ The output is: ### Server is running ### Participant Type: + Security: Server ID: Server GUID prefix: 44.53..5f.45.50.52.4f.53.49.4d.41 Server Addresses: UDPv4:[]: @@ -112,6 +113,10 @@ Once the *server* is instantiated, the *clients* can be configured either progra :ref:`discovery_server`), or using environment variable ``ROS_DISCOVERY_SERVER`` (see :ref:`env_vars_ros_discovery_server`) +.. note:: + The :ref:`security` configuration of the discovery server should be done through XML. + See example below. + .. _cli_discovery_examples: Examples @@ -131,6 +136,7 @@ Examples ### Server is running ### Participant Type: SERVER + Security: NO Server ID: 0 Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41 Server Addresses: UDPv4:[0.0.0.0]:11811 @@ -149,6 +155,7 @@ Examples ### Server is running ### Participant Type: SERVER + Security: NO Server ID: 1 Server GUID prefix: 44.53.01.5f.45.50.52.4f.53.49.4d.41 Server Addresses: UDPv4:[127.0.0.1]:14520 @@ -179,6 +186,7 @@ Examples ### Server is running ### Participant Type SERVER + Security: NO Server ID: 2 Server GUID prefix: 44.53.02.5f.45.50.52.4f.53.49.4d.41 Server Addresses: UDPv4:[192.168.36.34]:8783 @@ -205,6 +213,7 @@ Examples ### Server is running ### Participant Type BACKUP + Security: NO Server ID: 3 Server GUID prefix: 44.53.03.5f.45.50.52.4f.53.49.4d.41 Server Addresses: UDPv4:[172.30.144.1]:12345 
@@ -222,10 +231,29 @@ Examples .. code-block:: bash ### Server is running ### - Participant Type: SERVER - Server ID: 0 - Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41 - Server Addresses: UDPv4:[127.0.0.1]:14520 + Participant Type: SERVER + Security: NO + Server ID: 0 + Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41 + Server Addresses: UDPv4:[127.0.0.1]:14520 + +7. Launch a secure server with id 0 (first on ``ROS_DISCOVERY_SERVER``) + listening on all available interfaces on UDP port '11811'. + + .. code-block:: bash + + fastdds discovery -x secure_discovery_server_cli@[PATH_TO_FILE]/DiscoveryServerCLI.xml + + Output: + + .. code-block:: bash + + ### Server is running ### + Participant Type: SERVER + Security: YES + Server ID: 0 + Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41 + Server Addresses: UDPv4:[0.0.0.0]:11811 8. Launch a server with id 0 (first on ``ROS_DISCOVERY_SERVER``) reading specific `profile_name` configuration from XML file.
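Review bot: In the code/XMLTester.xml hunk, the `dds.sec.access.builtin.Access-Permissions.permissions_ca` property is set to `file://maincacet.pem`, while `dds.sec.auth.builtin.PKI-DH.identity_ca` a few lines above uses `file://maincacert.pem`; the first looks like a typo for the second. This profile is what the documentation presents as the secure server configuration, so readers will copy it as is. Suggest using `file://maincacert.pem` for both properties, or adding an XML comment if a separate permissions CA file is really intended.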
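Review bot: In the docs/fastdds/discovery/discovery_server.rst hunk, the first `.. important::` block says the *server* does not check the permissions document of the DomainParticipants it connects, but it does not say what that means for someone relying on access control. Suggest adding one sentence that states which checks still apply on the server side (the section already says the Domain Governance Document must match and that *clients* go through the PKI exchange between themselves) and that permissions enforcement should not be assumed at the *server*. Two wording fixes in the same hunk: "Discovery Sever network" should read "Discovery Server network", and "Security support for Discovery Server is only supported from" repeats itself ("is only available from" reads better).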
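Review bot: In the docs/fastddscli/cli/cli.rst hunk at @@ -112,6 +113,10, the new note ends with "See example below.", which gives the reader nothing to follow once the page is reordered or rendered in sections. Suggest pointing at the specific example, for instance by referencing the existing `cli_discovery_examples` label and naming the secure server entry (example 7 in this patch). The wording "should be done through XML" also leaves open whether XML is the only way to enable security from the CLI; if it is, say "must".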
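Review bot: In the last docs/fastddscli/cli/cli.rst hunk (@@ -222,10 +231,29), example 7 loads `secure_discovery_server_cli@[PATH_TO_FILE]/DiscoveryServerCLI.xml`, but the hunk neither shows that profile nor links to it, and the diffstat only adds a profile to code/XMLTester.xml. A reader sees "Security: YES" in the output without seeing which authentication, access and crypto properties produced it. Suggest including the profile from code/XMLTester.xml in the example (the page already uses that pattern elsewhere) or linking to the new `DS_security` section, and stating that the certificate, key, governance and permissions files named in the profile must exist at the referenced paths.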