From 1b6cef0885f3069926e12ce2a06cd405e3520b2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20Hern=C3=A1ndez=20Cordero?= Date: Fri, 10 Jan 2025 15:05:57 +0100 Subject: [PATCH 1/3] Config security using enclave ROS argument MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Alejandro Hernández Cordero --- rmw_zenoh_cpp/CMakeLists.txt | 8 ++++++++ rmw_zenoh_cpp/package.xml | 1 + .../src/detail/rmw_context_impl_s.cpp | 20 +++++++++++++++---- .../src/detail/rmw_context_impl_s.hpp | 3 ++- rmw_zenoh_cpp/src/rmw_init.cpp | 3 ++- 5 files changed, 29 insertions(+), 6 deletions(-) diff --git a/rmw_zenoh_cpp/CMakeLists.txt b/rmw_zenoh_cpp/CMakeLists.txt index 732cd470d..6f8e65812 100644 --- a/rmw_zenoh_cpp/CMakeLists.txt +++ b/rmw_zenoh_cpp/CMakeLists.txt @@ -21,9 +21,15 @@ find_package(rcutils REQUIRED) find_package(rosidl_typesupport_fastrtps_c REQUIRED) find_package(rosidl_typesupport_fastrtps_cpp REQUIRED) find_package(rmw REQUIRED) +find_package(rmw_dds_common REQUIRED) find_package(tracetools REQUIRED) find_package(zenoh_cpp_vendor REQUIRED) +if(SECURITY) + find_package(OpenSSL REQUIRED) + set(HAVE_SECURITY 1) +endif() + add_library(rmw_zenoh_cpp SHARED src/detail/attachment_helpers.cpp src/detail/cdr.cpp @@ -68,6 +74,7 @@ target_link_libraries(rmw_zenoh_cpp rosidl_typesupport_fastrtps_c::rosidl_typesupport_fastrtps_c rosidl_typesupport_fastrtps_cpp::rosidl_typesupport_fastrtps_cpp rmw::rmw + rmw_dds_common::rmw_dds_common_library tracetools::tracetools zenohcxx::zenohc ) @@ -79,6 +86,7 @@ target_compile_definitions(rmw_zenoh_cpp RMW_VERSION_MAJOR=${rmw_VERSION_MAJOR} RMW_VERSION_MINOR=${rmw_VERSION_MINOR} RMW_VERSION_PATCH=${rmw_VERSION_PATCH} + HAVE_SECURITY=${HAVE_SECURITY} ) ament_export_targets(export_rmw_zenoh_cpp) diff --git a/rmw_zenoh_cpp/package.xml b/rmw_zenoh_cpp/package.xml index e8b4288ab..997391adc 100644 --- a/rmw_zenoh_cpp/package.xml +++ b/rmw_zenoh_cpp/package.xml 
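Review bot: In the `@@ -79,6 +86,7 @@` hunk of rmw_zenoh_cpp/CMakeLists.txt, `HAVE_SECURITY=${HAVE_SECURITY}` is added to `target_compile_definitions` unconditionally while the variable is only set inside `if(SECURITY)`, so with SECURITY off the item expands to `HAVE_SECURITY=`, which as far as I can tell still defines the macro (as empty) and makes the `#ifdef HAVE_SECURITY` guard in rmw_context_impl_s.cpp true in every build. Make the definition conditional, e.g. `$<$<BOOL:${HAVE_SECURITY}>:HAVE_SECURITY=1>`, or add it in its own `target_compile_definitions` call inside an `if(SECURITY)` block placed after the target is created. The third patch in this series rewrites the neighbouring `find_package` lines but leaves this definition untouched, so the point carries through the whole series.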
@@ -25,6 +25,7 @@ rosidl_typesupport_fastrtps_c rosidl_typesupport_fastrtps_cpp rmw + rmw_dds_common tracetools ament_lint_auto diff --git a/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp b/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp index 61dd9c8b2..f7b32f3d3 100644 --- a/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp +++ b/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp @@ -37,6 +37,7 @@ #include "rcpputils/scope_exit.hpp" #include "rmw/error_handling.h" +#include "rmw_dds_common/security.hpp" #include "zenoh_utils.hpp" // Megabytes of SHM to reserve. @@ -52,7 +53,8 @@ class rmw_context_impl_s::Data final : public std::enable_shared_from_this // Constructor. Data( std::size_t domain_id, - const std::string & enclave) + const std::string & enclave, + const rmw_security_options_t * security_options) : domain_id_(std::move(domain_id)), enclave_(std::move(enclave)), is_shutdown_(false), @@ -67,7 +69,16 @@ class rmw_context_impl_s::Data final : public std::enable_shared_from_this if (!config.has_value()) { throw std::runtime_error("Error configuring Zenoh session."); } - +#ifdef HAVE_SECURITY + std::unordered_map security_files_paths; + if (rmw_dds_common::get_security_files( + true, "", security_options->security_root_path, security_files_paths)) + { + // TODO(ahcorde): Fill this + } else { + std::cout << "Error getting secutiry data" << std::endl; + } +#endif zenoh::ZResult result; #ifndef _MSC_VER @@ -432,9 +443,10 @@ class rmw_context_impl_s::Data final : public std::enable_shared_from_this ///============================================================================= rmw_context_impl_s::rmw_context_impl_s( const std::size_t domain_id, - const std::string & enclave) + const std::string & enclave, + const rmw_security_options_t * security_options) { - data_ = std::make_shared(domain_id, std::move(enclave)); + data_ = std::make_shared(domain_id, std::move(enclave), security_options); data_->init(); } 
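Review bot: In the `@@ -67,7 +69,16 @@` hunk of rmw_context_impl_s.cpp the failure branch of `rmw_dds_common::get_security_files` only prints to `std::cout` and then falls through to opening the Zenoh session, so a context that asked for security is started without it, and the `enforce_security` field of `security_options` is never consulted. When that field is `RMW_SECURITY_ENFORCEMENT_ENFORCE` the constructor should fail the way it already does for a bad config, `if (security_options->enforce_security == RMW_SECURITY_ENFORCEMENT_ENFORCE) { throw std::runtime_error("Security enforced but security files could not be loaded."); }`, and the permissive case should go through the file's error reporting rather than `std::cout`. The same fail-open path survives in the third patch's `@@ -70,9 +70,24 @@` and `@@ -85,19 +100,22 @@` hunks, where the `else` branch is removed and the fallback becomes completely silent. The constructor body continues outside the hunk on both sides.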
diff --git a/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.hpp b/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.hpp index a2fdaf5e8..310c3352f 100644 --- a/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.hpp +++ b/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.hpp @@ -40,7 +40,8 @@ struct rmw_context_impl_s final // check has not succeeded. rmw_context_impl_s( const std::size_t domain_id, - const std::string & enclave); + const std::string & enclave, + const rmw_security_options_t * security_options); ~rmw_context_impl_s(); diff --git a/rmw_zenoh_cpp/src/rmw_init.cpp b/rmw_zenoh_cpp/src/rmw_init.cpp index cb34697c9..647c50665 100644 --- a/rmw_zenoh_cpp/src/rmw_init.cpp +++ b/rmw_zenoh_cpp/src/rmw_init.cpp @@ -110,7 +110,8 @@ rmw_init(const rmw_init_options_t * options, rmw_context_t * context) return RMW_RET_BAD_ALLOC, rmw_context_impl_t, context->actual_domain_id, - std::string(options->enclave) + std::string(options->enclave), + &context->options.security_options ); free_options.cancel(); From 62034f95f969c5a2983634e166d0f0a4645eb48a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20Hern=C3=A1ndez=20Cordero?= Date: Mon, 20 Jan 2025 16:51:08 +0100 Subject: [PATCH 2/3] fill transport/link/tls/ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Alejandro Hernández Cordero --- .../src/detail/rmw_context_impl_s.cpp | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp b/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp index f7b32f3d3..61456ae37 100644 --- a/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp +++ b/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp 
@@ -74,7 +74,28 @@ class rmw_context_impl_s::Data final : public std::enable_shared_from_this if (rmw_dds_common::get_security_files( true, "", security_options->security_root_path, security_files_paths)) { - // TODO(ahcorde): Fill this + config.value().insert_json5("connect/endpoints", "[\"tls/localhost:7447\"]"); + config.value().insert_json5("listen/endpoints", "[\"tls/localhost:0\"]"); + + std::string tls_config = "{\"link\": \n" + "\t\t{ \n" + "\t\t\t\"protocols\": [ \n" + "\t\t\t\t\"tls\" \n" + "\t\t\t], \n" + "\t\t\t\"tls\": { \n" + "\t\t\t\t\"enable_mtls\": true, \n" + "\t\t\t\t\"verify_name_on_connect\": false, \n" + "\t\t\t\t\"root_ca_certificate\": \"" + security_files_paths["IDENTITY_CA"] + "\",\n" + + "\t\t\t\t\"listen_private_key\": \"" + security_files_paths["PRIVATE_KEY"] + "\",\n" + + "\t\t\t\t\"listen_certificate\": \"" + security_files_paths["CERTIFICATE"] + "\",\n" + + "\t\t\t\t\"connect_private_key\": \"" + security_files_paths["PRIVATE_KEY"] + "\",\n" + + "\t\t\t\t\"connect_certificate\": \"" + security_files_paths["CERTIFICATE"] + "\",\n" + + "\t\t\t}, \n" + "\t\t}, \n" + "\t}\n"; + config.value().insert_json5( + "transport", + tls_config); } else { std::cout << "Error getting secutiry data" << std::endl; } From 0cab0b1146955af5651baf74c79d324cf00f9c4a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Alejandro=20Hern=C3=A1ndez=20Cordero?= Date: Fri, 4 Apr 2025 21:35:15 +0200 Subject: [PATCH 3/3] Use rmw_security_common package (#434) * Use rmw_security_common package Signed-off-by: Alejandro Hernandez Cordero * use rmw_security_common Signed-off-by: Alejandro Hernandez Cordero * Feedback Signed-off-by: Alejandro Hernandez Cordero --------- Signed-off-by: Alejandro Hernandez Cordero 
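Review bot: The TLS block written in this hunk hard-codes the session endpoints via `config.value().insert_json5("connect/endpoints", "[\"tls/localhost:7447\"]")` and the matching `listen/endpoints` line, so enabling security presumably replaces whatever endpoints the loaded Zenoh configuration carried and pins the node to a router on localhost; those values belong in the configuration file or an option, not in the source. `\"verify_name_on_connect\": false` disables hostname checking on the outgoing TLS connection, which with `enable_mtls` and a pinned `root_ca_certificate` is a defensible trade-off but needs a comment, e.g. `// Hostname verification is off: peer identity rests solely on the mTLS chain under IDENTITY_CA.`, and ideally a switch to turn it on. The file paths are spliced into the JSON5 text with `+` and no escaping, so a `security_root_path` containing `"` or `\` yields a malformed or different configuration; escape the values, or reject such paths, before concatenation. `security_files_paths["IDENTITY_CA"]` and its siblings default-insert an empty string when a key is absent, silently producing an empty certificate path, so prefer `.at()` or an explicit lookup that fails loudly. The enclosing constructor continues outside the hunk on both sides.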
Signed-off-by: Michael Carroll Co-authored-by: Michael Carroll --- rmw_zenoh_cpp/CMakeLists.txt | 5 +- rmw_zenoh_cpp/package.xml | 2 +- .../src/detail/rmw_context_impl_s.cpp | 48 +++++++++++++------ .../src/detail/rmw_context_impl_s.hpp | 2 +- rmw_zenoh_cpp/src/rmw_init.cpp | 2 +- 5 files changed, 38 insertions(+), 21 deletions(-) diff --git a/rmw_zenoh_cpp/CMakeLists.txt b/rmw_zenoh_cpp/CMakeLists.txt index f1561ec76..734418f4f 100644 --- a/rmw_zenoh_cpp/CMakeLists.txt +++ b/rmw_zenoh_cpp/CMakeLists.txt @@ -22,13 +22,12 @@ find_package(rcutils REQUIRED) find_package(rosidl_typesupport_fastrtps_c REQUIRED) find_package(rosidl_typesupport_fastrtps_cpp REQUIRED) find_package(rmw REQUIRED) -find_package(rmw_dds_common REQUIRED) +find_package(rmw_security_common REQUIRED) find_package(rmw_test_fixture REQUIRED) find_package(tracetools REQUIRED) find_package(zenoh_cpp_vendor REQUIRED) if(SECURITY) - find_package(OpenSSL REQUIRED) set(HAVE_SECURITY 1) endif() @@ -76,7 +75,7 @@ target_link_libraries(rmw_zenoh_cpp rosidl_typesupport_fastrtps_c::rosidl_typesupport_fastrtps_c rosidl_typesupport_fastrtps_cpp::rosidl_typesupport_fastrtps_cpp rmw::rmw - rmw_dds_common::rmw_dds_common_library + rmw_security_common::rmw_security_common_library tracetools::tracetools zenohcxx::zenohc ) diff --git a/rmw_zenoh_cpp/package.xml b/rmw_zenoh_cpp/package.xml index 9fb271431..f2aac3c52 100644 --- a/rmw_zenoh_cpp/package.xml +++ b/rmw_zenoh_cpp/package.xml @@ -25,7 +25,7 @@ rosidl_typesupport_fastrtps_c rosidl_typesupport_fastrtps_cpp rmw - rmw_dds_common + rmw_security_common rmw_test_fixture tracetools diff --git a/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp b/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp index bcd15824d..2fb58c95e 100644 --- a/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp +++ b/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.cpp 
@@ -37,7 +37,7 @@ #include "rcpputils/scope_exit.hpp" #include "rmw/error_handling.h" -#include "rmw_dds_common/security.hpp" +#include "rmw_security_common/security.hpp" #include "zenoh_utils.hpp" // Megabytes of SHM to reserve. @@ -54,7 +54,7 @@ class rmw_context_impl_s::Data final : public std::enable_shared_from_this Data( std::size_t domain_id, const std::string & enclave, - const rmw_security_options_t * security_options) + const rmw_security_options_t & security_options) : domain_id_(std::move(domain_id)), enclave_(std::move(enclave)), is_shutdown_(false), @@ -70,9 +70,24 @@ class rmw_context_impl_s::Data final : public std::enable_shared_from_this throw std::runtime_error("Error configuring Zenoh session."); } #ifdef HAVE_SECURITY - std::unordered_map security_files_paths; - if (rmw_dds_common::get_security_files( - true, "", security_options->security_root_path, security_files_paths)) + rcutils_allocator_t allocator = rcutils_get_default_allocator(); + rcutils_string_map_t security_files = rcutils_get_zero_initialized_string_map(); + rcutils_ret_t ret = rcutils_string_map_init(&security_files, 0, allocator); + + auto scope_exit = rcpputils::make_scope_exit( + [&security_files]() { + rcutils_ret_t ret = rcutils_string_map_fini(&security_files); + if (ret != RMW_RET_OK) { + throw std::runtime_error("Failed to fini string map for security."); + } + }); + + if (ret != RMW_RET_OK) { + throw std::runtime_error("Failed to initialize string map for security."); + } + + if (get_security_files_support_pkcs( + false, "", security_options.security_root_path, &security_files) == RMW_RET_OK) { config.value().insert_json5("connect/endpoints", "[\"tls/localhost:7447\"]"); config.value().insert_json5("listen/endpoints", "[\"tls/localhost:0\"]"); 
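Review bot: In the `@@ -70,9 +70,24 @@` hunk the `rcpputils::make_scope_exit` lambda throws `std::runtime_error` when `rcutils_string_map_fini` fails; it runs from the scope-exit object's destructor, which is presumably noexcept, and on the `throw std::runtime_error("Failed to initialize string map for security.")` path it would run during unwinding, so either way a failure there ends in `std::terminate` rather than a catchable error. Report it instead, e.g. `RCUTILS_LOG_ERROR_NAMED("rmw_zenoh_cpp", "Failed to fini string map for security.");`, and keep the lambda non-throwing. The inner `rcutils_ret_t ret` shadows the outer `ret` declared three lines above, and both compare an `rcutils_ret_t` against `RMW_RET_OK` where `RCUTILS_RET_OK` is the matching constant; the values agree today but the mixed types read as a mistake. The constructor body continues outside the hunk on both sides.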
@@ -85,19 +100,22 @@ class rmw_context_impl_s::Data final : public std::enable_shared_from_this "\t\t\t\"tls\": { \n" "\t\t\t\t\"enable_mtls\": true, \n" "\t\t\t\t\"verify_name_on_connect\": false, \n" - "\t\t\t\t\"root_ca_certificate\": \"" + security_files_paths["IDENTITY_CA"] + "\",\n" + - "\t\t\t\t\"listen_private_key\": \"" + security_files_paths["PRIVATE_KEY"] + "\",\n" + - "\t\t\t\t\"listen_certificate\": \"" + security_files_paths["CERTIFICATE"] + "\",\n" + - "\t\t\t\t\"connect_private_key\": \"" + security_files_paths["PRIVATE_KEY"] + "\",\n" + - "\t\t\t\t\"connect_certificate\": \"" + security_files_paths["CERTIFICATE"] + "\",\n" + + "\t\t\t\t\"root_ca_certificate\": \"" + std::string(rcutils_string_map_get(&security_files, + "IDENTITY_CA")) + "\",\n" + + "\t\t\t\t\"listen_private_key\": \"" + std::string(rcutils_string_map_get(&security_files, + "PRIVATE_KEY")) + "\",\n" + + "\t\t\t\t\"listen_certificate\": \"" + std::string(rcutils_string_map_get(&security_files, + "CERTIFICATE")) + "\",\n" + + "\t\t\t\t\"connect_private_key\": \"" + std::string(rcutils_string_map_get(&security_files, + "PRIVATE_KEY")) + "\",\n" + + "\t\t\t\t\"connect_certificate\": \"" + std::string(rcutils_string_map_get(&security_files, + "CERTIFICATE")) + "\",\n" + "\t\t\t}, \n" "\t\t}, \n" "\t}\n"; config.value().insert_json5( "transport", tls_config); - } else { - std::cout << "Error getting secutiry data" << std::endl; } #endif zenoh::ZResult result; @@ -132,8 +150,8 @@ class rmw_context_impl_s::Data final : public std::enable_shared_from_this constexpr int64_t ticks_between_print(std::chrono::milliseconds(1000) / sleep_time); do { zenoh::ZResult result; - const auto zids = this->session_->get_routers_z_id(&result); - if (result == Z_OK && !zids.empty()) { + this->session_->get_routers_z_id(&result); + if (result == Z_OK) { break; } if ((connection_attempts % ticks_between_print) == 0) { 
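Review bot: `std::string(rcutils_string_map_get(&security_files, "IDENTITY_CA"))` and the four sibling lines construct a `std::string` directly from the map lookup; `rcutils_string_map_get` returns NULL when the key is absent, and `std::string` from a null `const char *` is undefined behaviour, so a security directory loaded without one of these entries would crash or corrupt the configuration instead of failing with a message. Whether `get_security_files_support_pkcs` guarantees all five keys on `RMW_RET_OK` is not visible here, so resolve each key through a small checked helper, as below; the earlier concern about paths containing `"` or `\` being spliced into JSON5 without escaping still applies to these lines. The `tls_config` statement begins above the hunk and the constructor continues past it.
```cpp
// Resolves one entry of the security file map, failing loudly when it is missing.
auto security_path = [&security_files](const char * key) -> std::string {
  const char * value = rcutils_string_map_get(&security_files, key);
  if (value == nullptr) {
    throw std::runtime_error(std::string("Security file entry missing: ") + key);
  }
  return std::string(value);
};
// … unchanged: "link"/"protocols"/"tls" header of tls_config …
"\t\t\t\t\"root_ca_certificate\": \"" + security_path("IDENTITY_CA") + "\",\n" +
"\t\t\t\t\"listen_private_key\": \"" + security_path("PRIVATE_KEY") + "\",\n" +
"\t\t\t\t\"listen_certificate\": \"" + security_path("CERTIFICATE") + "\",\n" +
"\t\t\t\t\"connect_private_key\": \"" + security_path("PRIVATE_KEY") + "\",\n" +
"\t\t\t\t\"connect_certificate\": \"" + security_path("CERTIFICATE") + "\",\n" +
// … unchanged: closing braces and insert_json5("transport", tls_config) …
```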
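Review bot: The `@@ -132,8 +150,8 @@` hunk drops the `!zids.empty()` condition, so the wait loop now exits on the first successful `get_routers_z_id` call even when the session has no router, and the message printed every `ticks_between_print` iterations can only be reached if the call itself fails. The commit message describes a package rename and does not mention this behaviour change; if it is intended, say so in a comment, `// Only the call's success is checked: a session with no router yet is accepted here.`, otherwise restore `const auto zids = this->session_->get_routers_z_id(&result); if (result == Z_OK && !zids.empty()) {`. The loop starts and ends outside the hunk.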
@@ -474,7 +492,7 @@ class rmw_context_impl_s::Data final : public std::enable_shared_from_this rmw_context_impl_s::rmw_context_impl_s( const std::size_t domain_id, const std::string & enclave, - const rmw_security_options_t * security_options) + const rmw_security_options_t & security_options) { data_ = std::make_shared(domain_id, std::move(enclave), security_options); data_->init(); diff --git a/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.hpp b/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.hpp index 310c3352f..044c4092b 100644 --- a/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.hpp +++ b/rmw_zenoh_cpp/src/detail/rmw_context_impl_s.hpp @@ -41,7 +41,7 @@ struct rmw_context_impl_s final rmw_context_impl_s( const std::size_t domain_id, const std::string & enclave, - const rmw_security_options_t * security_options); + const rmw_security_options_t & security_options); ~rmw_context_impl_s(); diff --git a/rmw_zenoh_cpp/src/rmw_init.cpp b/rmw_zenoh_cpp/src/rmw_init.cpp index 647c50665..947e542e3 100644 --- a/rmw_zenoh_cpp/src/rmw_init.cpp +++ b/rmw_zenoh_cpp/src/rmw_init.cpp @@ -111,7 +111,7 @@ rmw_init(const rmw_init_options_t * options, rmw_context_t * context) rmw_context_impl_t, context->actual_domain_id, std::string(options->enclave), - &context->options.security_options + context->options.security_options ); free_options.cancel();