Diffstat (limited to 'implementation/security/include')
-rw-r--r--implementation/security/include/policy.hpp2
-rw-r--r--implementation/security/include/policy_manager_impl.hpp177
-rw-r--r--implementation/security/include/security.hpp73
-rw-r--r--implementation/security/include/security_impl.hpp114
4 files changed, 188 insertions, 178 deletions
diff --git a/implementation/security/include/policy.hpp b/implementation/security/include/policy.hpp
index 82f3eb9..3c9760c 100644
--- a/implementation/security/include/policy.hpp
+++ b/implementation/security/include/policy.hpp
@@ -1,4 +1,4 @@
-// Copyright (C) 2014-2020 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+// Copyright (C) 2014-2021 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
diff --git a/implementation/security/include/policy_manager_impl.hpp b/implementation/security/include/policy_manager_impl.hpp
index a5a30ea..4dd3a86 100644
--- a/implementation/security/include/policy_manager_impl.hpp
+++ b/implementation/security/include/policy_manager_impl.hpp
@@ -1,29 +1,48 @@
-// Copyright (C) 2019 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+// Copyright (C) 2019-2021 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#ifndef VSOMEIP_V3_POLICY_MANAGER_IMPL_HPP_
-#define VSOMEIP_V3_POLICY_MANAGER_IMPL_HPP_
+#ifndef VSOMEIP_V3_SECURITY_POLICY_MANAGER_IMPL_HPP_
+#define VSOMEIP_V3_SECURITY_POLICY_MANAGER_IMPL_HPP_
-#include <memory>
+#include <map>
#include <mutex>
+#include <unordered_set>
+#include <vector>
-#include <vsomeip/primitive_types.hpp>
+#include <boost/property_tree/ptree.hpp>
+#include <boost/filesystem.hpp>
+#include <boost/thread.hpp>
+
+#include <vsomeip/export.hpp>
#include <vsomeip/internal/policy_manager.hpp>
+#include <vsomeip/vsomeip_sec.h>
#include "../include/policy.hpp"
-#include "../../configuration/include/configuration_element.hpp"
namespace vsomeip_v3 {
-class policy_manager_impl
- : public policy_manager {
+struct configuration_element;
+
+class VSOMEIP_IMPORT_EXPORT policy_manager_impl
+#ifndef VSOMEIP_DISABLE_SECURITY
+ : public policy_manager
+#endif // !VSOMEIP_DISABLE_SECURITY
+{
public:
- static std::shared_ptr<policy_manager> get();
+ enum class policy_loaded_e : std::uint8_t {
+ POLICY_PATH_FOUND_AND_LOADED = 0x0,
+ POLICY_PATH_FOUND_AND_NOT_LOADED = 0x1,
+ POLICY_PATH_INEXISTENT = 0x2
+ };
- virtual ~policy_manager_impl();
+ static std::shared_ptr<policy_manager_impl> get();
+ policy_manager_impl();
+
+#ifndef VSOMEIP_DISABLE_SECURITY
+ // policy_manager interface
std::shared_ptr<policy> create_policy() const;
void print_policy(const std::shared_ptr<policy> &_policy) const;
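Review bot: `policy_manager_impl` is exported with `VSOMEIP_IMPORT_EXPORT`, yet its base class (and, further down the file, most of its data members) exist only when `VSOMEIP_DISABLE_SECURITY` is undefined, so the object layout depends on a preprocessor flag. A translation unit built with a different setting than the library would disagree about the layout of the object returned by `get()`, which is an ODR violation rather than a clean build error. I would state the requirement next to the class, e.g. `// Layout depends on VSOMEIP_DISABLE_SECURITY: the library and every user of this header must be built with the same setting.` The class body continues outside this hunk.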
@@ -36,8 +55,144 @@ public:
bool is_policy_update_allowed(uint32_t _uid,
std::shared_ptr<policy> &_policy) const;
bool is_policy_removal_allowed(uint32_t _uid) const;
+
+ // extension
+ void load(const configuration_element &_element,
+ const bool _lazy_load = false);
+
+ void update_security_policy(uint32_t _uid, uint32_t _gid, const std::shared_ptr<policy>& _policy);
+ bool remove_security_policy(uint32_t _uid, uint32_t _gid);
+
+ void add_security_credentials(uint32_t _uid, uint32_t _gid,
+ const std::shared_ptr<policy>& _credentials_policy, client_t _client);
+
+ void get_requester_policies(const std::shared_ptr<policy> _policy,
+ std::set<std::shared_ptr<policy> > &_requesters) const;
+ void get_clients(uid_t _uid, gid_t _gid, std::unordered_set<client_t> &_clients) const;
+
+ bool is_policy_extension(const std::string &_path) const;
+ std::string get_policy_extension_path(const std::string &_client_host) const;
+
+ void set_policy_extension_base_path(const std::string &_path);
+ std::string get_security_config_folder(const std::string &its_folder) const;
+ std::string get_policy_extension_path_unlocked(const std::string &_client_host) const;
+
+ policy_loaded_e is_policy_extension_loaded(const std::string &_client_host) const;
+ void set_is_policy_extension_loaded(const std::string &_client_host, const bool _loaded);
+
+private:
+
+ // Configuration
+ void load_policies(const configuration_element &_element);
+ void load_policy(const boost::property_tree::ptree &_tree);
+ void load_policy_body(std::shared_ptr<policy> &_policy,
+ const boost::property_tree::ptree::const_iterator &_tree);
+ void load_credential(const boost::property_tree::ptree &_tree,
+ boost::icl::interval_map<uid_t, boost::icl::interval_set<gid_t> > &_ids);
+ bool load_routing_credentials(const configuration_element &_element);
+ template<typename T_>
+ void load_interval_set(const boost::property_tree::ptree &_tree,
+ boost::icl::interval_set<T_> &_range, bool _exclude_margins = false);
+ void load_security_update_whitelist(const configuration_element &_element);
+ void load_security_policy_extensions(const configuration_element &_element);
+#endif // !VSOMEIP_DISABLE_SECURITY
+
+public:
+ bool is_enabled() const;
+ bool is_audit() const;
+
+ bool check_credentials(client_t _client,
+ const vsomeip_sec_client_t *_sec_client);
+ bool check_routing_credentials(
+ const vsomeip_sec_client_t *_sec_client) const;
+ void set_routing_credentials(uint32_t _uid, uint32_t _gid,
+ const std::string &_name);
+
+ bool is_client_allowed(const vsomeip_sec_client_t *_sec_client,
+ service_t _service, instance_t _instance, method_t _method,
+ bool _is_request_service = false) const;
+ bool is_offer_allowed(const vsomeip_sec_client_t *_sec_client,
+ service_t _service, instance_t _instance) const;
+
+ bool get_sec_client_to_clients_mapping(const vsomeip_sec_client_t *_sec_client,
+ std::set<client_t> &_clients);
+ bool remove_client_to_sec_client_mapping(client_t _client);
+
+ bool get_client_to_sec_client_mapping(client_t _client, vsomeip_sec_client_t &_sec_client);
+ bool store_client_to_sec_client_mapping(client_t _client, const vsomeip_sec_client_t *_sec_client);
+ void store_sec_client_to_client_mapping(const vsomeip_sec_client_t *_sec_client, client_t _client);
+
+private:
+#ifdef _WIN32
+#pragma warning(push)
+#pragma warning(disable : 4251)
+#endif
+#ifndef VSOMEIP_DISABLE_SECURITY
+ mutable boost::shared_mutex any_client_policies_mutex_;
+ std::vector<std::shared_ptr<policy> > any_client_policies_;
+
+ mutable boost::shared_mutex is_client_allowed_cache_mutex_;
+ mutable std::map<std::pair<uid_t, gid_t>,
+ std::set<std::tuple<service_t, instance_t, method_t> >
+ > is_client_allowed_cache_;
+
+ bool policy_enabled_;
+ bool check_credentials_;
+ bool allow_remote_clients_;
+ bool check_whitelist_;
+
+ mutable std::mutex service_interface_whitelist_mutex_;
+ boost::icl::interval_set<service_t> service_interface_whitelist_;
+
+ mutable std::mutex uid_whitelist_mutex_;
+ boost::icl::interval_set<uint32_t> uid_whitelist_;
+
+ mutable std::mutex policy_base_path_mutex_;
+ std::string policy_base_path_;
+
+ mutable boost::shared_mutex policy_extension_paths_mutex_;
+ //map[hostname, pair[path, map[complete path with UID/GID, control loading]]
+ std::map<std::string, std::pair<std::string, std::map<std::string, bool>>> policy_extension_paths_;
+#endif // !VSOMEIP_DISABLE_SECURITY
+
+ bool is_configured_;
+ bool check_routing_credentials_;
+
+ mutable std::mutex routing_credentials_mutex_;
+ std::pair<uint32_t, uint32_t> routing_credentials_;
+
+ mutable std::mutex ids_mutex_;
+ std::map<client_t, vsomeip_sec_client_t> ids_;
+
+ struct vsomeip_sec_client_comparator_t {
+ bool operator()(const vsomeip_sec_client_t &_lhs, const vsomeip_sec_client_t &_rhs) const {
+ if (_lhs.client_type < _rhs.client_type) {
+ return true;
+ } else if (_lhs.client_type == _rhs.client_type) {
+ switch (_lhs.client_type) {
+ case VSOMEIP_CLIENT_UDS:
+ return ((_lhs.client.uds_client.user < _rhs.client.uds_client.user)
+ || ((_lhs.client.uds_client.user == _rhs.client.uds_client.user)
+ && (_lhs.client.uds_client.group < _rhs.client.uds_client.group)));
+ case VSOMEIP_CLIENT_TCP:
+ return ((_lhs.client.ip_client.ip < _rhs.client.ip_client.ip)
+ || ((_lhs.client.ip_client.ip == _rhs.client.ip_client.ip)
+ && (_lhs.client.ip_client.port < _rhs.client.ip_client.port)));
+ default:
+ ;
+ }
+ }
+ return false;
+ }
+ };
+
+ mutable std::mutex sec_client_to_clients_mutex_;
+ std::map<vsomeip_sec_client_t, std::set<client_t>, vsomeip_sec_client_comparator_t> sec_client_to_clients_;
+#ifdef _WIN32
+#pragma warning(pop)
+#endif
};
} // namespace vsomeip_v3
-#endif // VSOMEIP_V3_POLICY_MANAGER_IMPL_HPP_
+#endif // VSOMEIP_V3_SECURITY_POLICY_MANAGER_IMPL_HPP_
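Review bot: `vsomeip_sec_client_comparator_t` treats any two entries with the same `client_type` as equivalent when that type has no `case`, because the `default:` branch falls through to `return false`. In `sec_client_to_clients_` all such clients would then share one key and one `std::set<client_t>`. Whether a client type other than `VSOMEIP_CLIENT_UDS` and `VSOMEIP_CLIENT_TCP` exists is not visible in this hunk; if one does, distinct peers are merged in the mapping behind `get_sec_client_to_clients_mapping`. I would either add a case for every enumerator or state the limitation at the branch, e.g. `default: // no ordering defined: all clients of this type compare equivalent`. The authorization entry points (`check_credentials`, `is_client_allowed`, `is_offer_allowed`) take a raw `const vsomeip_sec_client_t *`, so a short comment saying how a null pointer is handled (ideally denied) would also help callers.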
diff --git a/implementation/security/include/security.hpp b/implementation/security/include/security.hpp
index 03406c6..1affb0c 100644
--- a/implementation/security/include/security.hpp
+++ b/implementation/security/include/security.hpp
@@ -1,65 +1,34 @@
-// Copyright (C) 2019 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+// Copyright (C) 2022 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#ifndef VSOMEIP_V3_SECURITY_SECURITY_HPP_
-#define VSOMEIP_V3_SECURITY_SECURITY_HPP_
+#ifndef VSOMEIP_V3_SECURITY_HPP_
+#define VSOMEIP_V3_SECURITY_HPP_
-#include <memory>
-#include <unordered_set>
-
-#include <vsomeip/payload.hpp>
-#include <vsomeip/primitive_types.hpp>
+#include <vsomeip/export.hpp>
+#include <vsomeip/vsomeip_sec.h>
namespace vsomeip_v3 {
-struct configuration_element;
-
-class security {
+class VSOMEIP_IMPORT_EXPORT security {
public:
- VSOMEIP_EXPORT static std::shared_ptr<security> get();
-
- virtual ~security() {};
-
- virtual void load(const configuration_element &_element) = 0;
-
- virtual bool is_enabled() const = 0;
- virtual bool is_audit() const = 0;
-
- virtual bool check_credentials(client_t _client, uid_t _uid, gid_t _gid) = 0;
- virtual bool check_routing_credentials(client_t _client,
- uint32_t _uid, uint32_t _gid) const = 0;
-
- virtual bool is_client_allowed(uint32_t _uid, uint32_t _gid, client_t _client,
- service_t _service, instance_t _instance, method_t _method,
- bool _is_request_service = false) const = 0;
- virtual bool is_remote_client_allowed() const = 0;
- virtual bool is_offer_allowed(uint32_t _uid, uint32_t _gid, client_t _client,
- service_t _service, instance_t _instance) const = 0;
-
- virtual void update_security_policy(uint32_t _uid, uint32_t _gid,
- const std::shared_ptr<policy>& _policy) = 0;
- virtual bool remove_security_policy(uint32_t _uid, uint32_t _gid) = 0;
-
- virtual bool get_uid_gid_to_client_mapping(std::pair<uint32_t, uint32_t> _uid_gid,
- std::set<client_t> &_clients) = 0;
- virtual bool remove_client_to_uid_gid_mapping(client_t _client) = 0;
-
- virtual bool get_client_to_uid_gid_mapping(client_t _client,
- std::pair<uint32_t, uint32_t> &_uid_gid) = 0;
-
- virtual bool store_client_to_uid_gid_mapping(client_t _client,
- uint32_t _uid, uint32_t _gid) = 0;
- virtual void store_uid_gid_to_client_mapping(uint32_t _uid, uint32_t _gid,
- client_t _client) = 0;
-
- virtual void get_requester_policies(const std::shared_ptr<policy> _policy,
- std::set<std::shared_ptr<policy> > &_requesters) const = 0;
- virtual void get_clients(uid_t _uid, gid_t _gid,
- std::unordered_set<client_t> &_clients) const = 0;
+ static bool load();
+
+ static decltype(&vsomeip_sec_policy_initialize) initialize;
+ static decltype(&vsomeip_sec_policy_authenticate_router) authenticate_router;
+ static decltype(&vsomeip_sec_policy_is_client_allowed_to_offer) is_client_allowed_to_offer;
+ static decltype(&vsomeip_sec_policy_is_client_allowed_to_request) is_client_allowed_to_request;
+ static decltype(&vsomeip_sec_policy_is_client_allowed_to_access_member) is_client_allowed_to_access_member;
+
+private:
+ static decltype(vsomeip_sec_policy_initialize) default_initialize;
+ static decltype(vsomeip_sec_policy_authenticate_router) default_authenticate_router;
+ static decltype(vsomeip_sec_policy_is_client_allowed_to_offer) default_is_client_allowed_to_offer;
+ static decltype(vsomeip_sec_policy_is_client_allowed_to_request) default_is_client_allowed_to_request;
+ static decltype(vsomeip_sec_policy_is_client_allowed_to_access_member) default_is_client_allowed_to_access_member;
};
} // namespace vsomeip_v3
-#endif // VSOMEIP_V3_SECURITY_SECURITY_HPP_
+#endif // VSOMEIP_V3_SECURITY_HPP_
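Review bot: The five hook pointers (`initialize` through `is_client_allowed_to_access_member`) are public, non-const statics, so every authorization decision goes through a pointer that any code in the process can reassign. The header also does not say what they hold before `load()` runs or after it returns false; presumably the private `default_*` functions, but that is not visible here. I would document the contract on `load()`, e.g. `// Call once before any thread uses the hooks; on failure the hooks keep the built-in default_* implementations.` (adjusted to the real behaviour). Exposing the hooks through accessor functions would ensure only `load()` can change them.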
diff --git a/implementation/security/include/security_impl.hpp b/implementation/security/include/security_impl.hpp
deleted file mode 100644
index dfeea6b..0000000
--- a/implementation/security/include/security_impl.hpp
+++ /dev/null
@@ -1,114 +0,0 @@
-// Copyright (C) 2019 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
-// This Source Code Form is subject to the terms of the Mozilla Public
-// License, v. 2.0. If a copy of the MPL was not distributed with this
-// file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-#ifndef VSOMEIP_V3_SECURITY_IMPL_HPP_
-#define VSOMEIP_V3_SECURITY_IMPL_HPP_
-
-#include <map>
-#include <mutex>
-#include <vector>
-
-#include <boost/property_tree/ptree.hpp>
-
-#include "../include/policy.hpp"
-#include "../include/security.hpp"
-
-namespace vsomeip_v3 {
-
-class security_impl :
- public security {
-public:
- static std::shared_ptr<security_impl> get();
-
- security_impl();
-
- void load(const configuration_element &_element);
-
- bool is_enabled() const;
- bool is_audit() const;
-
- bool check_credentials(client_t _client, uid_t _uid, gid_t _gid);
- bool check_routing_credentials(client_t _client, uint32_t _uid, uint32_t _gid) const;
-
- bool is_client_allowed(uint32_t _uid, uint32_t _gid, client_t _client,
- service_t _service, instance_t _instance, method_t _method,
- bool _is_request_service = false) const;
- bool is_offer_allowed(uint32_t _uid, uint32_t _gid, client_t _client,
- service_t _service, instance_t _instance) const;
-
- void update_security_policy(uint32_t _uid, uint32_t _gid, const std::shared_ptr<policy>& _policy);
- bool remove_security_policy(uint32_t _uid, uint32_t _gid);
-
- void add_security_credentials(uint32_t _uid, uint32_t _gid,
- const std::shared_ptr<policy>& _credentials_policy, client_t _client);
-
- bool is_remote_client_allowed() const;
-
- bool is_policy_update_allowed(uint32_t _uid, std::shared_ptr<policy> &_policy) const;
-
- bool is_policy_removal_allowed(uint32_t _uid) const;
-
- bool parse_policy(const byte_t* &_buffer, uint32_t &_buffer_size,
- uint32_t &_uid, uint32_t &_gid, const std::shared_ptr<policy> &_policy) const;
-
- bool get_uid_gid_to_client_mapping(std::pair<uint32_t, uint32_t> _uid_gid, std::set<client_t> &_clients);
- bool remove_client_to_uid_gid_mapping(client_t _client);
-
- bool get_client_to_uid_gid_mapping(client_t _client, std::pair<uint32_t, uint32_t> &_uid_gid);
- bool store_client_to_uid_gid_mapping(client_t _client, uint32_t _uid, uint32_t _gid);
- void store_uid_gid_to_client_mapping(uint32_t _uid, uint32_t _gid, client_t _client);
-
- void get_requester_policies(const std::shared_ptr<policy> _policy,
- std::set<std::shared_ptr<policy> > &_requesters) const;
- void get_clients(uid_t _uid, gid_t _gid, std::unordered_set<client_t> &_clients) const;
-
-private:
-
- // Configuration
- void load_policies(const configuration_element &_element);
- void load_policy(const boost::property_tree::ptree &_tree);
- void load_policy_body(std::shared_ptr<policy> &_policy,
- const boost::property_tree::ptree::const_iterator &_tree);
- void load_credential(const boost::property_tree::ptree &_tree,
- boost::icl::interval_map<uid_t, boost::icl::interval_set<gid_t> > &_ids);
- bool load_routing_credentials(const configuration_element &_element);
- template<typename T_>
- void load_interval_set(const boost::property_tree::ptree &_tree,
- boost::icl::interval_set<T_> &_range, bool _exclude_margins = false);
- void load_security_update_whitelist(const configuration_element &_element);
-
-private:
- client_t routing_client_;
-
- mutable std::mutex ids_mutex_;
- mutable std::mutex uid_to_clients_mutex_;
-
- std::vector<std::shared_ptr<policy> > any_client_policies_;
-
- mutable std::mutex any_client_policies_mutex_;
- std::map<client_t, std::pair<uint32_t, uint32_t> > ids_;
- std::map<std::pair<uint32_t, uint32_t>, std::set<client_t> > uid_to_clients_;
-
- bool policy_enabled_;
- bool check_credentials_;
- bool check_routing_credentials_;
- bool allow_remote_clients_;
- bool check_whitelist_;
-
- mutable std::mutex service_interface_whitelist_mutex_;
- boost::icl::interval_set<service_t> service_interface_whitelist_;
-
- mutable std::mutex uid_whitelist_mutex_;
- boost::icl::interval_set<uint32_t> uid_whitelist_;
-
- mutable std::mutex routing_credentials_mutex_;
- std::pair<uint32_t, uint32_t> routing_credentials_;
-
- bool is_configured_;
-};
-
-} // namespace vsomeip_v3
-
-#endif // VSOMEIP_V3_SECURITY_IMPL_HPP_