Added Access Control for Network Interface (#683)
* Code move

* Code move

* Use RoutingContext type

* Structs split

* Renaming

* Visibility

* Move ingress/egress filters out of pubsub

* Make hat abstract

* Abstract missing close_face fn

* Duplicate hat

* Move Primitives

* Move link_id into HatFace

* Change face initialization

* Interceptors

* Interceptor types renaming

* Rename RoutingContext

* Add RoutingContext and LoggerInterceptor

* Interceptors can access the Config at construction

* Split linkstate and p2p peer hats

* Simplify HatTrait init function

* Hats cleanup

* Reintroduce routes precomputation

* Improve routes precomputation

* Reintroduce matching pulls precomputation

* Perf improvements

* Perf improvements

* Remove files wrongly reintroduced by merge

* Fix complete_n build

* Remove useless checks

* Fix OAM handling

* Remove commented code

* Simplified routes computation hats api

* Move matching pulls computation out of hats

* Fix query routes update

* Fix copy-paste error

* Renaming

* Add missing query routes deactivations

* Refactor code

* Improve performances

* WIP: added pep pdp points

* WIP:added interceptor code and PEP logic

* WIP:added datastructures for policy and PDP logic

* WIP:first basic acl prototype

* WIP:first acl prototype

* WIP:first acl prototype

* WIP:ACL phase 1

* WIP:ACL phase 1

* WIP:Modified ACL for attributes

* WIP:Modified ACL for attributes

* WIP:Cleaned code

* WIP:merging code

* WIP:adding config conditions

* WIP:merging with DS

* WIP:moved rules into config file

* WIP:moved rules into config file

* WIP:merging changes

* Revert "WIP:merging changes"

This reverts commit 50c9f0e.

* WIP:merging new changes

* WIP:merging new changes

* WIP:ACL with networkinterface

* WIP:ACL with networkinterface

* WIP:ACL with networkinterface

* WIP:ACL with networkinterface

* WIP:Added multi-interface functionality

* WIP: Improved code design for ACL

* WIP: Modified for new config style

* WIP: Modified for new config style

* WIP: Added changes for default behaviour

* WIP: Added changes for default behaviour

* WIP: Added changes for default behaviour

* WIP: Cleaning code

* WIP: Config changes after discussion

* WIP: Config changes after discussion

* WIP: Adding Queryable

* WIP: Adding key-expr caching

* Cleaning config file

* made review changes

* made review changes

* adding review changes for logs and removing bool values

* adding review changes

* adding actions for both ingress and egress

* adding ingress and egress flow

* cleaning code

* adding tests

* cleaning policy code

* acl tests for queryable

* replaced nested Vec with structs

* fixed queryable test issue

* fixed cache downcast error

* fixed interface issue in tests

* move acl config out of transport

* move acl config out of transport

* clean tests code

* clean tests code

* clean config file

* clean config file

* clean code

* resolve conflicts

* resolve conflicts issues

* refactor code

* refactor code

* refactor code

* refactor code for review changes

* refactor code for review changes

* fix acl tests issue

* fix acl tests issue

* fix acl tests issue

* fix acl tests issue

* fix acl tests issue

* resolve merge conflicts

* Update DEFAULT_CONFIG.json5

Co-authored-by: Alexander <[email protected]>

* change acl to access_control for clarity

* fix: Remove sync-lockfiles workflow (#925)

* modify actions values in config file

* remove [ACCESS LOG] string from the logs

* Remove [ACCESS LOG] from logging

* rework access control logging

* Add ingress/egress logs

* add interface name in access logs

* Fix log level

* Add missing header

* Add missing header files

---------

Co-authored-by: OlivierHecart <[email protected]>
Co-authored-by: Alexander <[email protected]>
Co-authored-by: Mahmoud Mazouz <[email protected]>
Co-authored-by: Luca Cominardi <[email protected]>
5 people authored Apr 16, 2024
1 parent 3537ee6 commit 23c5932
Showing 15 changed files with 1,337 additions and 21 deletions.
11 changes: 6 additions & 5 deletions Cargo.lock

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion Cargo.toml
Expand Up @@ -219,4 +219,4 @@ debug = false # If you want debug symbol in release mode, set the env variab
lto = "fat"
codegen-units = 1
opt-level = 3
panic = "abort"
panic = "abort"
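
Review bot: the only change in this hunk removes and re-adds a `panic = "abort"` line with identical visible text, which points to a whitespace or end-of-file newline edit unrelated to access control. If it is not intentional, drop it from the commit to keep the diff focused.
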
26 changes: 24 additions & 2 deletions DEFAULT_CONFIG.json5
Expand Up @@ -175,7 +175,30 @@
// ],
// },
// ],

// /// configure access control (ACL) rules
// access_control: {
// ///[true/false] acl will be activated only if this is set to true
// "enabled": false,
// ///[deny/allow] default permission is deny (even if this is left empty or not specified)
// "default_permission": "deny",
// ///rule set for permissions allowing or denying access to key-expressions
// "rules":
// [
// {
// "actions": [
// "put", "get", "declare_subscriber", "declare_queryable"
// ],
// "flows":["egress","ingress"],
// "permission": "allow",
// "key_exprs": [
// "test/demo"
// ],
// "interfaces": [
// "lo0"
// ]
// },
// ]
//},
/// Configure internal transport parameters
transport: {
unicast: {
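
Review bot: the sample rule's `"interfaces": ["lo0"]` is a platform-specific interface name, and the commented block does not say what happens when a listed interface does not exist on the host. Because the comment on `default_permission` states that the default is deny, add a line saying that the names must match the host's interface names and how a rule with no matching interface is treated, so that a user who copies the example and enables it can tell why `test/demo` traffic is or is not allowed. The example also quotes its keys (`"enabled"`, `"rules"`) while the neighbouring `transport: {` block does not; unquoting them would keep the file consistent.
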
Expand Down Expand Up @@ -318,7 +341,6 @@
shared_memory: {
enabled: false,
},
/// Access control configuration
auth: {
/// The configuration of authentification.
/// A password implies a username is required.
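
Review bot: removing `/// Access control configuration` above `auth:` leaves that section without a description of its own. Replacing the comment with one that describes authentication, rather than deleting it, would keep `auth` documented and make the distinction from the new `access_control` section explicit.
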
10 changes: 10 additions & 0 deletions commons/zenoh-config/src/defaults.rs
Expand Up @@ -221,6 +221,16 @@ impl Default for SharedMemoryConf {
}
}

impl Default for AclConfig {
fn default() -> Self {
Self {
enabled: false,
default_permission: Permission::Deny,
rules: None,
}
}
}

pub const DEFAULT_CONNECT_TIMEOUT_MS: ModeDependentValue<i64> =
ModeDependentValue::Dependent(ModeValues {
client: Some(0),
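
Review bot: in `Default for AclConfig`, `default_permission: Permission::Deny` together with `rules: None` means that a configuration which only sets `enabled: true` contains no allow rule at all. A doc comment on this impl stating the resulting behaviour, and that the feature stays off through `enabled: false`, would save operators from discovering it at runtime.
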
55 changes: 52 additions & 3 deletions commons/zenoh-config/src/lib.rs
Expand Up @@ -73,9 +73,9 @@ impl Zeroize for SecretString {

pub type SecretValue = Secret<SecretString>;

#[derive(Debug, Deserialize, Serialize, Clone)]
#[derive(Debug, Deserialize, Serialize, Clone, Copy)]
#[serde(rename_all = "lowercase")]
pub enum DownsamplingFlow {
pub enum InterceptorFlow {
Egress,
Ingress,
}
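
Review bot: renaming the public enum `DownsamplingFlow` to `InterceptorFlow` breaks any downstream code that names the old type. If this crate's API is consumed outside the workspace, consider keeping `pub type DownsamplingFlow = InterceptorFlow;` with a deprecation attribute for one release. The serialized form is unaffected, since `rename_all = "lowercase"` and the two variants are unchanged.
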
Expand All @@ -97,7 +97,48 @@ pub struct DownsamplingItemConf {
/// A list of interfaces to which the downsampling will be applied.
pub rules: Vec<DownsamplingRuleConf>,
/// Downsampling flow direction: egress, ingress
pub flow: DownsamplingFlow,
pub flow: InterceptorFlow,
}

#[derive(Serialize, Debug, Deserialize, Clone)]
pub struct AclConfigRules {
pub interfaces: Vec<String>,
pub key_exprs: Vec<String>,
pub actions: Vec<Action>,
pub flows: Vec<InterceptorFlow>,
pub permission: Permission,
}

#[derive(Clone, Serialize, Debug, Deserialize)]
pub struct PolicyRule {
pub subject: Subject,
pub key_expr: String,
pub action: Action,
pub permission: Permission,
pub flow: InterceptorFlow,
}

#[derive(Serialize, Debug, Deserialize, Eq, PartialEq, Hash, Clone)]
#[serde(untagged)]
#[serde(rename_all = "snake_case")]
pub enum Subject {
Interface(String),
}

#[derive(Clone, Copy, Debug, Serialize, Deserialize, Eq, Hash, PartialEq)]
#[serde(rename_all = "snake_case")]
pub enum Action {
Put,
DeclareSubscriber,
Get,
DeclareQueryable,
}

#[derive(Clone, Copy, Debug, Serialize, Deserialize, Eq, Hash, PartialEq)]
#[serde(rename_all = "lowercase")]
pub enum Permission {
Allow,
Deny,
}

pub trait ConfigValidator: Send + Sync {
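
Review bot: on `Subject`, `#[serde(untagged)]` makes the accompanying `#[serde(rename_all = "snake_case")]` ineffective, because an untagged enum is serialized and deserialized without its variant names. With the single `Interface(String)` variant this works, but a second string-carrying variant added later would never be selected on deserialization, since untagged matching takes the first variant that fits; a tagged representation would make the subject kind explicit in the policy. The new public types also lack the `///` field docs that `DownsamplingItemConf` carries, and `AclConfigRules` names a single rule in the plural.
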
Expand Down Expand Up @@ -431,6 +472,7 @@ validated_struct::validator! {
known_keys_file: Option<String>,
},
},

},
/// Configuration of the admin space.
pub adminspace: #[derive(Default)]
Expand All @@ -456,6 +498,13 @@ validated_struct::validator! {
/// Configuration of the downsampling.
downsampling: Vec<DownsamplingItemConf>,

///Configuration of the access control (ACL)
pub access_control: AclConfig {
pub enabled: bool,
pub default_permission: Permission,
pub rules: Option<Vec<AclConfigRules>>
},

/// A list of directories where plugins may be searched for if no `__path__` was specified for them.
/// The executable's current directory will be added to the search paths.
plugins_search_dirs: Vec<String>, // TODO (low-prio): Switch this String to a PathBuf? (applies to other paths in the config as well)
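
Review bot: `rules: Option<Vec<AclConfigRules>>` gives two spellings of "no rules" (`None` and an empty list), which every consumer then has to treat alike. A plain `Vec<AclConfigRules>` would match the neighbouring `downsampling: Vec<DownsamplingItemConf>` and remove the extra case. The doc comment is also missing a space after `///`, and the three fields carry no descriptions of their own.
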
3 changes: 2 additions & 1 deletion zenoh/Cargo.toml
Expand Up @@ -48,7 +48,7 @@ transport_tls = ["zenoh-transport/transport_tls"]
transport_udp = ["zenoh-transport/transport_udp"]
transport_unixsock-stream = ["zenoh-transport/transport_unixsock-stream"]
transport_ws = ["zenoh-transport/transport_ws"]
transport_vsock= ["zenoh-transport/transport_vsock"]
transport_vsock = ["zenoh-transport/transport_vsock"]
unstable = []
default = [
"auth_pubkey",
Expand All @@ -66,6 +66,7 @@ default = [
[dependencies]
tokio = { workspace = true, features = ["rt", "macros", "time"] }
tokio-util = { workspace = true }
ahash = { workspace = true }
async-trait = { workspace = true }
base64 = { workspace = true }
const_format = { workspace = true }
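
Review bot: `ahash = { workspace = true }` is added as an unconditional dependency of the crate, but nothing in the visible hunks shows where it is used. State in the PR description what it hashes (the commit message mentions key-expr caching), and if those keys can be influenced by remote peers, confirm that the hasher is built with random state rather than fixed seeds.
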