-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[test_security] test access control policies #238
Comments
@mikaelarguedas , I was planning on implementing something like this soon. Perhaps we could check the correctness of the implementation by exhaustively testing the access control system given a global policy definition. Simply, we could manifest a policy definition into what the transport expects, synthesize a ROS graph representation (perhaps adversely every node tries to connect with all other nodes via any subsystem), then attempt to realize the graph representation using the transport. By logging or auditing the allowed and denied events, we should assert that the two sets of allowed and denied connections are equivalent to those as would be generated by evaluating the graph representation against the policy definition statically. In detail, perhaps the graph representation could be formalized by constructing a bipartite graph between subjects (ros nodes, as namespaced) and objects (ros subsitems, like topics/services/etc..), and so emulating the topology of an arbitrary ROS2 graph. We could then generate/load graph representations that may or may not be completely comply semantically (i.e. erlevent of the transport) with the global policy definition. We then feed the edges from a graph representation through the policy definition to generate a synthetic labeled set of allowed and denied connections. Next we could generate transport specific artifacts that manifest the global policy definition, relative for each subject, then autidit the outcome of deploying the graph representation by using the transport of choice. This could be done all at once or more resably via pairwise enumeration. Then we simply compare the allow/deny sets from the synthetic and transport test cases to ensure they are equivalent. From there we could easily classify any false positives or negatives in the transport enforcement of the policy. As for any soundness or completeness, I'm not sure we'd ever be able to guarantee either if the policy permission are formulation of complex regular expressions rather than exact strings. But for exact string expressions, finite sized graphs, and a representation that provides global test coverage for a given policy (and all permissions entailed), this might provided a reasonable exhaustive benchmark. |
With regards to realizing a graph representation into real ROS2 nodes, which test example should I look at for programmatically testing and creating nodes and subsystems? |
This is tracking the parts of
test_security
not implemented in #230#230 tests authentication and encryption in various scenarios but doesnt test access control.
Tests for access control should:
ros2 security
tool to generate keys, certificates, governance and permission files for these testsThe text was updated successfully, but these errors were encountered: