-
Notifications
You must be signed in to change notification settings - Fork 51
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run test_security on CycloneDDS as well #408
Conversation
0101d65
to
5faefa0
Compare
This is still blocked on the security plugins to land on the default branch of cyclonedds. @eboasson do you know if there a specific ticket or thread to subscribe to to get notified when the security plugins get merged? |
@mikaelarguedas sorry this fell by the wayside ... I seem to be really bad at closing tickets promptly, but eclipse-cyclonedds/cyclonedds#132 should be closed when it gets merged in. I'm working my way through ticking the boxes for doing the 0.6.0 release based on current master, and once that's done the security support code will be merged into master and the process for 0.7.0 started. With the usual caveats about estimates, next week seems likely. |
That's awesome thanks |
5faefa0
to
e1b7fe4
Compare
e1b7fe4
to
2bb4fcc
Compare
Tried running security_tests on the latest cyclonedds code but the tests failed with
Using eclipse-cyclonedds/cyclonedds#548 the test gets passed that error but still fails the tests with another error:
|
cc @kyrofa (not sure if editing existing comments with new mentions sends notifications) |
When I see that error I typically just rebuild my workspace 🙈 . It's the most unclear thing I've ever seen. On a slightly more helpful note, looks like it's coming from here. Would need some more insight into why |
Signed-off-by: Mikael Arguedas <mikael.arguedas@gmail.com>
2bb4fcc
to
3a414a3
Compare
As discussed in last Security WG, this has been rebased and retested.
We can see it selects the correct enclave for both the publisher and the subscriber but fails at topic creation time. It fails when creating the DDS topic for the publisher here. Not clear why though |
So true ... The domanid issue I ran into was just that. A a forced rebuild of
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
<domain_access_rules>
<domain_rule>
<domains>
<id>0</id>
</domains>
<allow_unauthenticated_participants>false</allow_unauthenticated_participants>
<enable_join_access_control>true</enable_join_access_control>
<discovery_protection_kind>ENCRYPT</discovery_protection_kind>
<liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
<rtps_protection_kind>SIGN</rtps_protection_kind>
<topic_access_rules>
<topic_rule>
<topic_expression>*</topic_expression>
<enable_discovery_protection>true</enable_discovery_protection>
<enable_liveliness_protection>true</enable_liveliness_protection>
<enable_read_access_control>true</enable_read_access_control>
<enable_write_access_control>true</enable_write_access_control>
<metadata_protection_kind>ENCRYPT</metadata_protection_kind>
<data_protection_kind>ENCRYPT</data_protection_kind>
</topic_rule>
</topic_access_rules>
</domain_rule>
</domain_access_rules>
</dds>
...
<allow_rule>
<domains>
<id>108</id>
</domains>
<publish>
...
|
I have found it: the generated permissions document doesn't include the "ros_discovery_topic", therefore the access control plugin rejects creating that topic. It reports it in the trace, just not on stderr, and that really can use some refinement. After a CI run with a few hacks to get a lot more output:
My local build has the allow "ros_discovery_topic" rule in the permissions document. The difference with the CI run appears to be that the CI run excluded Fast-RTPS. |
Thanks @eboasson for looking into this into details! The Out of curiosity, how did you get this logging info ? did you have to configure extra logging or was it in the generated test file as is ? |
I hacked it ... you can get tons of details from Cyclone by enabling tracing, but for now you have to do that with an environment variable (CYCLONEDDS_URI) and I couldn't quickly find a way to set that in a CI build. However, enabling its traces only gets you the message and as it still didn't make (much) sense to me, I also did a hack in the code to simply print the permissions document ... Like this:
and
|
On a related note: I have planned the Cyclone 0.7.0 release (so with the support for security) for the 6th and will propose a PR for Foxy to switch to the new release. Hopefully it will be accepted! |
Great noting that somewhere for future debugging sessions
That's awesome, I'll work on getting a matching release of sros2 so security features can be used in environments that have only rmw_cyclonedds_cpp installed and not the other rmw implementations |
Signed-off-by: Mikael Arguedas <mikael.arguedas@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Though I wonder what improved the test time compared to past test history on Jenkins.
Can you clarify which test times you are referring to and comparing to ? |
I was just a perusing through some of the security connection tests, and saw a few ~7 sec tests plummet to sub second, though the drop was from several cycles all. Perhaps it's just outliers from cpu load on the VM worker. |
I believe this is representative of how long it takes to spin up, connect, tear down a node with connext (slow) vs fastrtps and cyclone (fast). |
@mjcarroll or other maintainers, do you think we can get this one merged ? |
@nuclearsandwich Do you think we can get this one reviewed/merged as well ? |
@SidFaber FYI this branch can be used for testing ros2/rmw_cyclonedds#123.
As of ros2/rmw_cyclonedds@bca0852 there are still some cases failing.