Use keystore root as security root directory, and not contexts folder (…

…#607) Signed-off-by: Ivan Santiago Paunovic <ivanpauno@ekumenlabs.com>
ros2 · Apr 9, 2020 · 6ca6545 · 6ca6545
1 parent 4a7ba02
commit 6ca6545
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 8 deletions.
diff --git a/rcl/src/rcl/security.c b/rcl/src/rcl/security.c
@@ -109,18 +109,21 @@ char * exact_match_lookup(
   const char * ros_secure_root_env,
   const rcl_allocator_t * allocator)
 {
-  // Perform an exact match for the node/context's name in directory <root dir>/<namespace>.
+  // Perform an exact match for the context name in directory <root dir>.
   char * secure_root = NULL;
   // "/" case when root namespace is explicitly passed in
   if (0 == strcmp(name, "/")) {
     secure_root = rcutils_strdup(ros_secure_root_env, *allocator);
   } else {
-    char * root_path = NULL;
+    char * relative_path = NULL;
+    char * contexts_dir = NULL;
     // Get native path, ignore the leading forward slash
     // TODO(ros2team): remove the hard-coded length, use the length of the root namespace instead
-    root_path = rcutils_to_native_path(name + 1, *allocator);
-    secure_root = rcutils_join_path(ros_secure_root_env, root_path, *allocator);
-    allocator->deallocate(root_path, allocator->state);
+    relative_path = rcutils_to_native_path(name + 1, *allocator);
+    contexts_dir = rcutils_join_path(ros_secure_root_env, "contexts", *allocator);
+    secure_root = rcutils_join_path(contexts_dir, relative_path, *allocator);
+    allocator->deallocate(relative_path, allocator->state);
+    allocator->deallocate(contexts_dir, allocator->state);
   }
   return secure_root;
 }

diff --git a/rcl/test/rcl/test_security.cpp b/rcl/test/rcl/test_security.cpp
@@ -38,6 +38,9 @@
 # define PATH_SEPARATOR "\\"
 #endif
 
+#define TEST_SECURITY_CONTEXT_MULTIPLE_TOKENS \
+  "/group1" PATH_SEPARATOR TEST_SECURITY_CONTEXT
+
 char g_envstring[512] = {0};
 
 static int putenv_wrapper(const char * env_var)
@@ -137,17 +140,21 @@ TEST_F(TestGetSecureRoot, successScenarios_local_exactMatch) {
     TEST_RESOURCES_DIRECTORY TEST_SECURITY_DIRECTORY_RESOURCES_DIR_NAME);
 
   secure_root = rcl_get_secure_root(TEST_SECURITY_CONTEXT_ABSOLUTE, &allocator);
+  ASSERT_NE(nullptr, secure_root);
   std::string secure_root_str(secure_root);
   ASSERT_STREQ(
     TEST_SECURITY_CONTEXT,
     secure_root_str.substr(secure_root_str.size() - strlen(TEST_SECURITY_CONTEXT)).c_str());
 }
 
 TEST_F(TestGetSecureRoot, successScenarios_local_exactMatch_multipleTokensName) {
-  putenv_wrapper(ROS_SECURITY_ROOT_DIRECTORY_VAR_NAME "=" TEST_RESOURCES_DIRECTORY);
+  putenv_wrapper(
+    ROS_SECURITY_ROOT_DIRECTORY_VAR_NAME "="
+    TEST_RESOURCES_DIRECTORY TEST_SECURITY_DIRECTORY_RESOURCES_DIR_NAME);
 
   secure_root = rcl_get_secure_root(
-    TEST_SECURITY_DIRECTORY_RESOURCES_DIR_NAME PATH_SEPARATOR TEST_SECURITY_CONTEXT, &allocator);
+    TEST_SECURITY_CONTEXT_MULTIPLE_TOKENS, &allocator);
+  ASSERT_NE(nullptr, secure_root);
   std::string secure_root_str(secure_root);
   ASSERT_STREQ(
     TEST_SECURITY_CONTEXT,
@@ -217,5 +224,6 @@ TEST_F(TestGetSecureRoot, test_get_security_options) {
   EXPECT_EQ(RMW_SECURITY_ENFORCEMENT_ENFORCE, options.enforce_security);
   EXPECT_STREQ(
     TEST_RESOURCES_DIRECTORY TEST_SECURITY_DIRECTORY_RESOURCES_DIR_NAME
-    PATH_SEPARATOR TEST_SECURITY_CONTEXT, options.security_root_path);
+    PATH_SEPARATOR "contexts" PATH_SEPARATOR TEST_SECURITY_CONTEXT,
+    options.security_root_path);
 }
diff --git a/...directory/dummy_security_context/.gitkeep → .../contexts/dummy_security_context/.gitkeep b/...directory/dummy_security_context/.gitkeep → .../contexts/dummy_security_context/.gitkeep
diff --git a/rcl/test/resources/test_security_directory/contexts/group1/dummy_security_context/.gitkeep b/rcl/test/resources/test_security_directory/contexts/group1/dummy_security_context/.gitkeep