Diffstat (limited to 'implementation/security/include')
-rw-r--r-- | implementation/security/include/policy.hpp | 2 | ||||
-rw-r--r-- | implementation/security/include/policy_manager_impl.hpp | 177 | ||||
-rw-r--r-- | implementation/security/include/security.hpp | 73 | ||||
-rw-r--r-- | implementation/security/include/security_impl.hpp | 114 |
4 files changed, 188 insertions, 178 deletions
diff --git a/implementation/security/include/policy.hpp b/implementation/security/include/policy.hpp
index 82f3eb9..3c9760c 100644
--- a/implementation/security/include/policy.hpp
+++ b/implementation/security/include/policy.hpp
@@ -1,4 +1,4 @@
-// Copyright (C) 2014-2020 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
+// Copyright (C) 2014-2021 Bayerische Motoren Werke Aktiengesellschaft (BMW AG)
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
 // file, You can obtain one at http://mozilla.org/MPL/2.0/.
diff --git a/implementation/security/include/policy_manager_impl.hpp b/implementation/security/include/policy_manager_impl.hpp
index a5a30ea..4dd3a86 100644
--- a/implementation/security/include/policy_manager_impl.hpp
+++ b/implementation/security/include/policy_manager_impl.hpp
@@ -1,29 +1,48 @@ -// Copyright (C) 2019 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +// Copyright (C) 2019-2021 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) // This Source Code Form is subject to the terms of the Mozilla Public // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at http://mozilla.org/MPL/2.0/. -#ifndef VSOMEIP_V3_POLICY_MANAGER_IMPL_HPP_ -#define VSOMEIP_V3_POLICY_MANAGER_IMPL_HPP_ +#ifndef VSOMEIP_V3_SECURITY_POLICY_MANAGER_IMPL_HPP_ +#define VSOMEIP_V3_SECURITY_POLICY_MANAGER_IMPL_HPP_ -#include <memory> +#include <map> #include <mutex> +#include <unordered_set> +#include <vector> -#include <vsomeip/primitive_types.hpp> +#include <boost/property_tree/ptree.hpp> +#include <boost/filesystem.hpp> +#include <boost/thread.hpp> + +#include <vsomeip/export.hpp> #include <vsomeip/internal/policy_manager.hpp> +#include <vsomeip/vsomeip_sec.h> #include "../include/policy.hpp" -#include "../../configuration/include/configuration_element.hpp" namespace vsomeip_v3 { -class policy_manager_impl - : public policy_manager { +struct configuration_element; + +class VSOMEIP_IMPORT_EXPORT policy_manager_impl +#ifndef VSOMEIP_DISABLE_SECURITY + : public policy_manager +#endif // !VSOMEIP_DISABLE_SECURITY +{ public: - static std::shared_ptr<policy_manager> get(); + enum class policy_loaded_e : std::uint8_t { + POLICY_PATH_FOUND_AND_LOADED = 0x0, + POLICY_PATH_FOUND_AND_NOT_LOADED = 0x1, + POLICY_PATH_INEXISTENT = 0x2 + }; - virtual ~policy_manager_impl(); + static std::shared_ptr<policy_manager_impl> get(); + policy_manager_impl(); + +#ifndef VSOMEIP_DISABLE_SECURITY + // policy_manager interface std::shared_ptr<policy> create_policy() const; void print_policy(const std::shared_ptr<policy> &_policy) const; 
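Review bot: The base class is now conditional (`#ifndef VSOMEIP_DISABLE_SECURITY` around `: public policy_manager`) on a class marked `VSOMEIP_IMPORT_EXPORT`, so the type's layout and virtual interface depend on a build flag, and the header does not say so. If the library and a consumer were compiled with different settings of `VSOMEIP_DISABLE_SECURITY`, they would disagree about the object that makes the access decisions, and that kind of mismatch is hard to diagnose. I would add a comment above the class, e.g. `// NOTE: base class and members depend on VSOMEIP_DISABLE_SECURITY; every translation unit including this header must be built with the same setting.` Separately, the hunk drops `#include <memory>` while `get()` and `create_policy()` still return `std::shared_ptr`, so the header now relies on a transitive include. The class body continues past this hunk.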
@@ -36,8 +55,144 @@ public: bool is_policy_update_allowed(uint32_t _uid, std::shared_ptr<policy> &_policy) const; bool is_policy_removal_allowed(uint32_t _uid) const; + + // extension + void load(const configuration_element &_element, + const bool _lazy_load = false); + + void update_security_policy(uint32_t _uid, uint32_t _gid, const std::shared_ptr<policy>& _policy); + bool remove_security_policy(uint32_t _uid, uint32_t _gid); + + void add_security_credentials(uint32_t _uid, uint32_t _gid, + const std::shared_ptr<policy>& _credentials_policy, client_t _client); + + void get_requester_policies(const std::shared_ptr<policy> _policy, + std::set<std::shared_ptr<policy> > &_requesters) const; + void get_clients(uid_t _uid, gid_t _gid, std::unordered_set<client_t> &_clients) const; + + bool is_policy_extension(const std::string &_path) const; + std::string get_policy_extension_path(const std::string &_client_host) const; + + void set_policy_extension_base_path(const std::string &_path); + std::string get_security_config_folder(const std::string &its_folder) const; + std::string get_policy_extension_path_unlocked(const std::string &_client_host) const; + + policy_loaded_e is_policy_extension_loaded(const std::string &_client_host) const; + void set_is_policy_extension_loaded(const std::string &_client_host, const bool _loaded); + +private: + + // Configuration + void load_policies(const configuration_element &_element); + void load_policy(const boost::property_tree::ptree &_tree); + void load_policy_body(std::shared_ptr<policy> &_policy, + const boost::property_tree::ptree::const_iterator &_tree); + void load_credential(const boost::property_tree::ptree &_tree, + boost::icl::interval_map<uid_t, boost::icl::interval_set<gid_t> > &_ids); + bool load_routing_credentials(const configuration_element &_element); + template<typename T_> + void load_interval_set(const boost::property_tree::ptree &_tree, + boost::icl::interval_set<T_> &_range, bool _exclude_margins = false); + 
void load_security_update_whitelist(const configuration_element &_element); + void load_security_policy_extensions(const configuration_element &_element); +#endif // !VSOMEIP_DISABLE_SECURITY + +public: + bool is_enabled() const; + bool is_audit() const; + + bool check_credentials(client_t _client, + const vsomeip_sec_client_t *_sec_client); + bool check_routing_credentials( + const vsomeip_sec_client_t *_sec_client) const; + void set_routing_credentials(uint32_t _uid, uint32_t _gid, + const std::string &_name); + + bool is_client_allowed(const vsomeip_sec_client_t *_sec_client, + service_t _service, instance_t _instance, method_t _method, + bool _is_request_service = false) const; + bool is_offer_allowed(const vsomeip_sec_client_t *_sec_client, + service_t _service, instance_t _instance) const; + + bool get_sec_client_to_clients_mapping(const vsomeip_sec_client_t *_sec_client, + std::set<client_t> &_clients); + bool remove_client_to_sec_client_mapping(client_t _client); + + bool get_client_to_sec_client_mapping(client_t _client, vsomeip_sec_client_t &_sec_client); + bool store_client_to_sec_client_mapping(client_t _client, const vsomeip_sec_client_t *_sec_client); + void store_sec_client_to_client_mapping(const vsomeip_sec_client_t *_sec_client, client_t _client); + +private: +#ifdef _WIN32 +#pragma warning(push) +#pragma warning(disable : 4251) +#endif +#ifndef VSOMEIP_DISABLE_SECURITY + mutable boost::shared_mutex any_client_policies_mutex_; + std::vector<std::shared_ptr<policy> > any_client_policies_; + + mutable boost::shared_mutex is_client_allowed_cache_mutex_; + mutable std::map<std::pair<uid_t, gid_t>, + std::set<std::tuple<service_t, instance_t, method_t> > + > is_client_allowed_cache_; + + bool policy_enabled_; + bool check_credentials_; + bool allow_remote_clients_; + bool check_whitelist_; + + mutable std::mutex service_interface_whitelist_mutex_; + boost::icl::interval_set<service_t> service_interface_whitelist_; + + mutable std::mutex 
uid_whitelist_mutex_; + boost::icl::interval_set<uint32_t> uid_whitelist_; + + mutable std::mutex policy_base_path_mutex_; + std::string policy_base_path_; + + mutable boost::shared_mutex policy_extension_paths_mutex_; + //map[hostname, pair[path, map[complete path with UID/GID, control loading]] + std::map<std::string, std::pair<std::string, std::map<std::string, bool>>> policy_extension_paths_; +#endif // !VSOMEIP_DISABLE_SECURITY + + bool is_configured_; + bool check_routing_credentials_; + + mutable std::mutex routing_credentials_mutex_; + std::pair<uint32_t, uint32_t> routing_credentials_; + + mutable std::mutex ids_mutex_; + std::map<client_t, vsomeip_sec_client_t> ids_; + + struct vsomeip_sec_client_comparator_t { + bool operator()(const vsomeip_sec_client_t &_lhs, const vsomeip_sec_client_t &_rhs) const { + if (_lhs.client_type < _rhs.client_type) { + return true; + } else if (_lhs.client_type == _rhs.client_type) { + switch (_lhs.client_type) { + case VSOMEIP_CLIENT_UDS: + return ((_lhs.client.uds_client.user < _rhs.client.uds_client.user) + || ((_lhs.client.uds_client.user == _rhs.client.uds_client.user) + && (_lhs.client.uds_client.group < _rhs.client.uds_client.group))); + case VSOMEIP_CLIENT_TCP: + return ((_lhs.client.ip_client.ip < _rhs.client.ip_client.ip) + || ((_lhs.client.ip_client.ip == _rhs.client.ip_client.ip) + && (_lhs.client.ip_client.port < _rhs.client.ip_client.port))); + default: + ; + } + } + return false; + } + }; + + mutable std::mutex sec_client_to_clients_mutex_; + std::map<vsomeip_sec_client_t, std::set<client_t>, vsomeip_sec_client_comparator_t> sec_client_to_clients_; +#ifdef _WIN32 +#pragma warning(pop) +#endif }; } // namespace vsomeip_v3 -#endif // VSOMEIP_V3_POLICY_MANAGER_IMPL_HPP_ +#endif // VSOMEIP_V3_SECURITY_POLICY_MANAGER_IMPL_HPP_ diff --git a/implementation/security/include/security.hpp b/implementation/security/include/security.hpp index 03406c6..1affb0c 100644 --- a/implementation/security/include/security.hpp 
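Review bot: In `vsomeip_sec_client_comparator_t` the `default: ;` branch falls through to `return false`, so two entries with the same `client_type` that is neither `VSOMEIP_CLIENT_UDS` nor `VSOMEIP_CLIENT_TCP` always compare equivalent and would share one key in `sec_client_to_clients_`. If any other client type can reach this map, distinct peers would be merged under a single security identity in `get_sec_client_to_clients_mapping`; whether that can happen depends on the enum in `vsomeip_sec.h`, which is not visible here. I would make the intent explicit, e.g. `default: break; // other client types carry no identity here: all such entries share one key`, or reject such clients before they are stored. The new `const vsomeip_sec_client_t *_sec_client` parameters on `check_credentials`, `is_client_allowed` and `is_offer_allowed` also deserve a one-line comment saying whether a null pointer is accepted and what the check returns in that case.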
+++ b/implementation/security/include/security.hpp 
@@ -1,65 +1,34 @@ -// Copyright (C) 2019 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) +// Copyright (C) 2022 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) // This Source Code Form is subject to the terms of the Mozilla Public // License, v. 2.0. If a copy of the MPL was not distributed with this // file, You can obtain one at http://mozilla.org/MPL/2.0/. -#ifndef VSOMEIP_V3_SECURITY_SECURITY_HPP_ -#define VSOMEIP_V3_SECURITY_SECURITY_HPP_ +#ifndef VSOMEIP_V3_SECURITY_HPP_ +#define VSOMEIP_V3_SECURITY_HPP_ -#include <memory> -#include <unordered_set> - -#include <vsomeip/payload.hpp> -#include <vsomeip/primitive_types.hpp> +#include <vsomeip/export.hpp> +#include <vsomeip/vsomeip_sec.h> namespace vsomeip_v3 { -struct configuration_element; - -class security { +class VSOMEIP_IMPORT_EXPORT security { public: - VSOMEIP_EXPORT static std::shared_ptr<security> get(); - - virtual ~security() {}; - - virtual void load(const configuration_element &_element) = 0; - - virtual bool is_enabled() const = 0; - virtual bool is_audit() const = 0; - - virtual bool check_credentials(client_t _client, uid_t _uid, gid_t _gid) = 0; - virtual bool check_routing_credentials(client_t _client, - uint32_t _uid, uint32_t _gid) const = 0; - - virtual bool is_client_allowed(uint32_t _uid, uint32_t _gid, client_t _client, - service_t _service, instance_t _instance, method_t _method, - bool _is_request_service = false) const = 0; - virtual bool is_remote_client_allowed() const = 0; - virtual bool is_offer_allowed(uint32_t _uid, uint32_t _gid, client_t _client, - service_t _service, instance_t _instance) const = 0; - - virtual void update_security_policy(uint32_t _uid, uint32_t _gid, - const std::shared_ptr<policy>& _policy) = 0; - virtual bool remove_security_policy(uint32_t _uid, uint32_t _gid) = 0; - - virtual bool get_uid_gid_to_client_mapping(std::pair<uint32_t, uint32_t> _uid_gid, - std::set<client_t> &_clients) = 0; - virtual bool remove_client_to_uid_gid_mapping(client_t 
_client) = 0; - - virtual bool get_client_to_uid_gid_mapping(client_t _client, - std::pair<uint32_t, uint32_t> &_uid_gid) = 0; - - virtual bool store_client_to_uid_gid_mapping(client_t _client, - uint32_t _uid, uint32_t _gid) = 0; - virtual void store_uid_gid_to_client_mapping(uint32_t _uid, uint32_t _gid, - client_t _client) = 0; - - virtual void get_requester_policies(const std::shared_ptr<policy> _policy, - std::set<std::shared_ptr<policy> > &_requesters) const = 0; - virtual void get_clients(uid_t _uid, gid_t _gid, - std::unordered_set<client_t> &_clients) const = 0; + static bool load(); + + static decltype(&vsomeip_sec_policy_initialize) initialize; + static decltype(&vsomeip_sec_policy_authenticate_router) authenticate_router; + static decltype(&vsomeip_sec_policy_is_client_allowed_to_offer) is_client_allowed_to_offer; + static decltype(&vsomeip_sec_policy_is_client_allowed_to_request) is_client_allowed_to_request; + static decltype(&vsomeip_sec_policy_is_client_allowed_to_access_member) is_client_allowed_to_access_member; + +private: + static decltype(vsomeip_sec_policy_initialize) default_initialize; + static decltype(vsomeip_sec_policy_authenticate_router) default_authenticate_router; + static decltype(vsomeip_sec_policy_is_client_allowed_to_offer) default_is_client_allowed_to_offer; + static decltype(vsomeip_sec_policy_is_client_allowed_to_request) default_is_client_allowed_to_request; + static decltype(vsomeip_sec_policy_is_client_allowed_to_access_member) default_is_client_allowed_to_access_member; }; } // namespace vsomeip_v3 -#endif // VSOMEIP_V3_SECURITY_SECURITY_HPP_ +#endif // VSOMEIP_V3_SECURITY_HPP_ diff --git a/implementation/security/include/security_impl.hpp b/implementation/security/include/security_impl.hpp deleted file mode 100644 index dfeea6b..0000000 --- a/implementation/security/include/security_impl.hpp +++ /dev/null 
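Review bot: The hooks `initialize`, `authenticate_router`, `is_client_allowed_to_offer`, `is_client_allowed_to_request` and `is_client_allowed_to_access_member` are public, non-const static function pointers, so any code in the process can reassign the authorization entry points, and the header does not say what the private `default_*` functions decide. Please document on `load()` what a `false` return means and whether the defaults allow or deny, for example `/// Resolves the policy hooks; returns false if <condition>. Until it succeeds the default_* functions are used, which <allow|deny>.` with the placeholders filled in from the implementation. If the project's language level permits it, `[[nodiscard]] static bool load();` would keep callers from silently ignoring a failed load. Exposing the hooks through accessor functions, so that only `load()` can change them, is worth considering as a follow-up.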
@@ -1,114 +0,0 @@ -// Copyright (C) 2019 Bayerische Motoren Werke Aktiengesellschaft (BMW AG) -// This Source Code Form is subject to the terms of the Mozilla Public -// License, v. 2.0. If a copy of the MPL was not distributed with this -// file, You can obtain one at http://mozilla.org/MPL/2.0/. - -#ifndef VSOMEIP_V3_SECURITY_IMPL_HPP_ -#define VSOMEIP_V3_SECURITY_IMPL_HPP_ - -#include <map> -#include <mutex> -#include <vector> - -#include <boost/property_tree/ptree.hpp> - -#include "../include/policy.hpp" -#include "../include/security.hpp" - -namespace vsomeip_v3 { - -class security_impl : - public security { -public: - static std::shared_ptr<security_impl> get(); - - security_impl(); - - void load(const configuration_element &_element); - - bool is_enabled() const; - bool is_audit() const; - - bool check_credentials(client_t _client, uid_t _uid, gid_t _gid); - bool check_routing_credentials(client_t _client, uint32_t _uid, uint32_t _gid) const; - - bool is_client_allowed(uint32_t _uid, uint32_t _gid, client_t _client, - service_t _service, instance_t _instance, method_t _method, - bool _is_request_service = false) const; - bool is_offer_allowed(uint32_t _uid, uint32_t _gid, client_t _client, - service_t _service, instance_t _instance) const; - - void update_security_policy(uint32_t _uid, uint32_t _gid, const std::shared_ptr<policy>& _policy); - bool remove_security_policy(uint32_t _uid, uint32_t _gid); - - void add_security_credentials(uint32_t _uid, uint32_t _gid, - const std::shared_ptr<policy>& _credentials_policy, client_t _client); - - bool is_remote_client_allowed() const; - - bool is_policy_update_allowed(uint32_t _uid, std::shared_ptr<policy> &_policy) const; - - bool is_policy_removal_allowed(uint32_t _uid) const; - - bool parse_policy(const byte_t* &_buffer, uint32_t &_buffer_size, - uint32_t &_uid, uint32_t &_gid, const std::shared_ptr<policy> &_policy) const; - - bool get_uid_gid_to_client_mapping(std::pair<uint32_t, uint32_t> _uid_gid, 
std::set<client_t> &_clients); - bool remove_client_to_uid_gid_mapping(client_t _client); - - bool get_client_to_uid_gid_mapping(client_t _client, std::pair<uint32_t, uint32_t> &_uid_gid); - bool store_client_to_uid_gid_mapping(client_t _client, uint32_t _uid, uint32_t _gid); - void store_uid_gid_to_client_mapping(uint32_t _uid, uint32_t _gid, client_t _client); - - void get_requester_policies(const std::shared_ptr<policy> _policy, - std::set<std::shared_ptr<policy> > &_requesters) const; - void get_clients(uid_t _uid, gid_t _gid, std::unordered_set<client_t> &_clients) const; - -private: - - // Configuration - void load_policies(const configuration_element &_element); - void load_policy(const boost::property_tree::ptree &_tree); - void load_policy_body(std::shared_ptr<policy> &_policy, - const boost::property_tree::ptree::const_iterator &_tree); - void load_credential(const boost::property_tree::ptree &_tree, - boost::icl::interval_map<uid_t, boost::icl::interval_set<gid_t> > &_ids); - bool load_routing_credentials(const configuration_element &_element); - template<typename T_> - void load_interval_set(const boost::property_tree::ptree &_tree, - boost::icl::interval_set<T_> &_range, bool _exclude_margins = false); - void load_security_update_whitelist(const configuration_element &_element); - -private: - client_t routing_client_; - - mutable std::mutex ids_mutex_; - mutable std::mutex uid_to_clients_mutex_; - - std::vector<std::shared_ptr<policy> > any_client_policies_; - - mutable std::mutex any_client_policies_mutex_; - std::map<client_t, std::pair<uint32_t, uint32_t> > ids_; - std::map<std::pair<uint32_t, uint32_t>, std::set<client_t> > uid_to_clients_; - - bool policy_enabled_; - bool check_credentials_; - bool check_routing_credentials_; - bool allow_remote_clients_; - bool check_whitelist_; - - mutable std::mutex service_interface_whitelist_mutex_; - boost::icl::interval_set<service_t> service_interface_whitelist_; - - mutable std::mutex 
uid_whitelist_mutex_; - boost::icl::interval_set<uint32_t> uid_whitelist_; - - mutable std::mutex routing_credentials_mutex_; - std::pair<uint32_t, uint32_t> routing_credentials_; - - bool is_configured_; -}; - -} // namespace vsomeip_v3 - -#endif // VSOMEIP_V3_SECURITY_IMPL_HPP_ |