From 597f1bd99848e6f0993cc2051ef398150f93bf06 Mon Sep 17 00:00:00 2001 From: Ross Desmond Date: Tue, 13 Nov 2018 15:24:18 -0800 Subject: [PATCH] cmake security macro Add security macro for automagically generating public and private keys for authentication and encryption. custom macro use `ros2_secure_node(NODES node_name_1 node_name_2 ...)` cr https://code.amazon.com/reviews/CR-3517594 --- ros2_security_helper/.gitignore | 10 +++ ros2_security_helper/CMakeLists.txt | 24 +++++++ ros2_security_helper/GenerateSecurity.cmake | 71 +++++++++++++++++++ ros2_security_helper/README.txt | 15 ++++ ros2_security_helper/package.xml | 14 ++++ .../ros2_security_helperConfig.cmake.in | 8 +++ 6 files changed, 142 insertions(+) create mode 100644 ros2_security_helper/.gitignore create mode 100644 ros2_security_helper/CMakeLists.txt create mode 100644 ros2_security_helper/GenerateSecurity.cmake create mode 100644 ros2_security_helper/README.txt create mode 100644 ros2_security_helper/package.xml create mode 100644 ros2_security_helper/ros2_security_helperConfig.cmake.in
diff --git a/ros2_security_helper/.gitignore b/ros2_security_helper/.gitignore
new file mode 100644
index 00000000..c79aae26
--- /dev/null
+++ b/ros2_security_helper/.gitignore
@@ -0,0 +1,10 @@
+build
+install
+.catkin_workspace
+devel
+.idea
+cmake-build-debug
+.DS_Store
+.catkin_tools
+logs
+
diff --git a/ros2_security_helper/CMakeLists.txt b/ros2_security_helper/CMakeLists.txt
new file mode 100644
index 00000000..7e91a83c
--- /dev/null
+++ b/ros2_security_helper/CMakeLists.txt
@@ -0,0 +1,24 @@
+cmake_minimum_required(VERSION 3.1)
+project(ros2_security_helper)
+SET(VERSION "1.0.0")
+
+include(CMakePackageConfigHelpers)
+SET(LIB_INSTALL_DIR lib/)
+SET(INCLUDE_INSTALL_DIR include/)
+SET(SYSCONFIG_INSTALL_DIR share/${PROJECT_NAME})
+
+configure_package_config_file(ros2_security_helperConfig.cmake.in
+ ${CMAKE_CURRENT_BINARY_DIR}/ros2_security_helperConfig.cmake
+ INSTALL_DESTINATION ${LIB_INSTALL_DIR}/ros2_security_helper/cmake
+
+ PATH_VARS INCLUDE_INSTALL_DIR SYSCONFIG_INSTALL_DIR)
+
+write_basic_package_version_file(
+ ${CMAKE_CURRENT_BINARY_DIR}/ros2_security_helperConfigVersion.cmake
+ VERSION ${VERSION}
+ COMPATIBILITY SameMajorVersion )
+
+INSTALL(FILES ${PROJECT_BINARY_DIR}/${PROJECT_NAME}Config.cmake DESTINATION share/${PROJECT_NAME}/cmake)
+INSTALL(FILES ${PROJECT_BINARY_DIR}/${PROJECT_NAME}ConfigVersion.cmake DESTINATION share/${PROJECT_NAME}/cmake)
+INSTALL(FILES GenerateSecurity.cmake DESTINATION share/${PROJECT_NAME}/cmake)
+
diff --git a/ros2_security_helper/GenerateSecurity.cmake b/ros2_security_helper/GenerateSecurity.cmake
new file mode 100644
index 00000000..eab773bc
--- /dev/null
+++ b/ros2_security_helper/GenerateSecurity.cmake
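Review bot: The INSTALL_DESTINATION handed to configure_package_config_file (`${LIB_INSTALL_DIR}/ros2_security_helper/cmake`) does not match where the generated Config file is actually installed a few lines later (`share/${PROJECT_NAME}/cmake`), so any path computed for PATH_VARS would be relative to the wrong prefix; use `INSTALL_DESTINATION share/${PROJECT_NAME}/cmake`. The mismatch is currently masked because the template added in this same patch (ros2_security_helperConfig.cmake.in) never expands `@PACKAGE_INIT@` or the PATH_VARS, which also makes INCLUDE_INSTALL_DIR and SYSCONFIG_INSTALL_DIR dead settings. The version should come from the project rather than a hand-set variable: `project(ros2_security_helper VERSION 1.0.0)` and `VERSION ${PROJECT_VERSION}` in write_basic_package_version_file. Lower-case `set`/`install` would match the other commands in the file.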
@@ -0,0 +1,71 @@
+# Macro for setting up security
+
+macro(ros2_create_keystore)
+ IF (NOT SECURITY)
+ return()
+ endif()
+ find_program(PROGRAM ros2)
+ if (DEFINED ENV{ROS_SECURITY_ROOT_DIRECTORY})
+ set(SECURITY_KEYSTORE $ENV{ROS_SECURITY_ROOT_DIRECTORY})
+ else()
+ SET(SECURITY_KEYSTORE ${DEFAULT_KEYSTORE})
+ endif()
+ message(STATUS "Keystore located at ${SECURITY_KEYSTORE}")
+ IF (NOT EXISTS ${SECURITY_KEYSTORE})
+ message(STATUS "Creating keystore directory")
+ file(MAKE_DIRECTORY ${SECURITY_KEYSTORE})
+ endif()
+
+ # Check to see if the security keystore already has already been created
+ file(GLOB RESULT "${SECURITY_KEYSTORE}/")
+ list(LENGTH RESULT RES_LEN)
+ if(${RES_LEN} EQUAL 0)
+ message(STATUS "Creating keystore directory")
+ execute_process (
+ COMMAND ${PROGRAM} security create_keystore ${SECURITY_KEYSTORE}
+ )
+ endif()
+endmacro()
+
+macro(ros2_secure_node)
+ # ros2_secure_node(NODES ...)
+
+ # NODES (macro multi-arg) takes the node names for which keys will be generated
+ # SECURITY (cmake arg) if not define or OFF, will not generate key/keystores
+ # ROS_SECURITY_ROOT_DIRECTORY (env variable) will the location of the keystore
+ # POLICY_FILE (cmake arg) if defined, will compile policies by node name into the access private certificates (e.g POLICY_FILE=/etc/policies/, Generate: /etc/policies/)
+ IF (NOT SECURITY)
+ message(STATUS "Not generating security files")
+ return()
+ endif()
+ find_program(PROGRAM ros2)
+ if (NOT PROGRAM)
+ message("Unable to find ros2cli, have you sourced your ros setup files?")
+ return()
+ endif()
+ ros2_create_keystore()
+ set(multiValueArgs NODES)
+ cmake_parse_arguments(ros2_secure_node "" "" "${multiValueArgs}" ${ARGN} )
+ foreach(node ${ros2_secure_node_NODES})
+ message(STATUS "${PROGRAM} security create_key ${SECURITY_KEYSTORE} ${node} ${policy}")
+ execute_process (
+ COMMAND ${PROGRAM} security create_key ${SECURITY_KEYSTORE} ${node}
+ )
+ if (POLICY_FILE)
+ if (EXISTS ${POLICY_FILE})
+ set(policy ${POLICY_FILE})
+ message(STATUS "Executing: ${PROGRAM} security create_permission ${SECURITY_KEYSTORE} ${node} ${policy}")
+ execute_process (
+ COMMAND ${PROGRAM} security create_permission ${SECURITY_KEYSTORE} ${node} ${policy}
+ RESULT_VARIABLE POLICY_RESULT
+ ERROR_VARIABLE POLICY_ERROR
+ )
+ if (NOT ${POLICY_RESULT} EQUAL 0)
+ message("Unable to generate policy for ${node} in ${policy}")
+ message("${POLICY_ERROR}")
+ endif()
+ endif()
+ endif()
+ endforeach(node)
+endmacro()
+
diff --git a/ros2_security_helper/README.txt b/ros2_security_helper/README.txt
new file mode 100644
index 00000000..aa5d6d09
--- /dev/null
+++ b/ros2_security_helper/README.txt
@@ -0,0 +1,15 @@
+# Security Helper
+Add node authentication, cryptography, and access control security keys using a cmake macro.
+
+In package.xml add:
+`ros2_security_helpers`
+In CMakeLists add:
+`find_package(ros2_security_helpers REQUIRED)`
+Then use the macro:
+ # ros2_secure_node(NODES ...)
+
+ # NODES (macro multi-arg) takes the node names for which keys will be generated
+ # SECURITY (cmake arg) if not define or OFF, will not generate key/keystores
+ # ROS_SECURITY_ROOT_DIRECTORY (env variable) will the location of the keystore
+ # POLICY_FILE (cmake arg) if defined, will compile policies by node name into the access private certificates (e.g POLICY_FILE=/etc/policies/, Generate: /etc/policies/) **if defined, all nodes must have a policy defined for them**
+
diff --git a/ros2_security_helper/package.xml b/ros2_security_helper/package.xml
new file mode 100644
index 00000000..7fb12963
--- /dev/null
+++ b/ros2_security_helper/package.xml
@@ -0,0 +1,14 @@
+
+
+ ros2_security_helper
+ 1.0.0
+ Common AWS SDK utilities, intended for use by ROS packages using the AWS SDK.
+ AWS B9 Team
+ AWS B9 Team
+ Apache 2.0
+
+ cmake
+
+ cmake
+
+
diff --git a/ros2_security_helper/ros2_security_helperConfig.cmake.in b/ros2_security_helper/ros2_security_helperConfig.cmake.in
new file mode 100644
index 00000000..276f017f
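Review bot: `return()` inside `ros2_secure_node` (and again inside `ros2_create_keystore`) does not leave the macro — macros have no scope of their own, so it ends processing of the caller's CMakeLists.txt, and every command the user wrote after `ros2_secure_node(...)` (install rules, tests) is silently skipped whenever SECURITY is OFF or ros2 is not on PATH. The `execute_process` calls for `create_keystore` and `create_key` check no RESULT_VARIABLE, so a failed key generation leaves a node with no credentials while configure still reports success; only `create_permission` is checked, and then with a plain `message()` rather than `message(FATAL_ERROR ...)`, which for a security helper is the wrong default. `file(GLOB RESULT "${SECURITY_KEYSTORE}/")` has no wildcard, so it appears to match the directory itself rather than its contents and the "already created" test would never be empty once the directory exists — `"${SECURITY_KEYSTORE}/*"` looks like what was intended, worth confirming. `${policy}` in the create_key status message is unset on the first node and stale on later ones, and `PROGRAM` is too generic a name for a cache entry produced by `find_program`; `ROS2_EXECUTABLE` would avoid collisions with other projects' cache variables. The excerpt below restructures the guards as `if/elseif/else` and checks the create_key result; `ros2_create_keystore` needs the same two changes.
```cmake
macro(ros2_secure_node)
  # … unchanged: usage comments …
  find_program(PROGRAM ros2)
  if(NOT SECURITY)
    message(STATUS "Not generating security files")
  elseif(NOT PROGRAM)
    # no return() here: inside a macro it would end the calling CMakeLists.txt
    message(WARNING "Unable to find ros2cli, have you sourced your ros setup files?")
  else()
    ros2_create_keystore()
    set(multiValueArgs NODES)
    cmake_parse_arguments(ros2_secure_node "" "" "${multiValueArgs}" ${ARGN})
    foreach(node ${ros2_secure_node_NODES})
      message(STATUS "Executing: ${PROGRAM} security create_key ${SECURITY_KEYSTORE} ${node}")
      execute_process(
        COMMAND ${PROGRAM} security create_key ${SECURITY_KEYSTORE} ${node}
        RESULT_VARIABLE KEY_RESULT
        ERROR_VARIABLE KEY_ERROR
      )
      # a node without a key must not configure as if it were secured
      if(NOT KEY_RESULT EQUAL 0)
        message(FATAL_ERROR "Unable to generate key for ${node}: ${KEY_ERROR}")
      endif()
      # … unchanged: POLICY_FILE / create_permission handling …
    endforeach()
  endif()
endmacro()
```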
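Review bot: The description `Common AWS SDK utilities, intended for use by ROS packages using the AWS SDK.` looks copied from another manifest and does not describe this package; something like `CMake macro that generates ROS 2 security keystores, node keys and permissions at configure time.` would match the README. The package name declared here is `ros2_security_helper`, while the README added in this commit tells users to depend on and call `find_package(ros2_security_helpers REQUIRED)` (plural), which would not resolve against this manifest or the installed Config file; one of the two should change.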
--- /dev/null
+++ b/ros2_security_helper/ros2_security_helperConfig.cmake.in
@@ -0,0 +1,8 @@
+# Compute paths
+
+set(DEFAULT_KEYSTORE keys)
+set(ros2_security_helperBASE_DIR "${CMAKE_CURRENT_LIST_DIR}/../../..")
+set(DEFAULT_SECURE_FOLDER "${ros2_security_helperBASE_DIR}/ros2_security")
+
+include("${CMAKE_CURRENT_LIST_DIR}/GenerateSecurity.cmake")
+
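Review bot: `set(DEFAULT_KEYSTORE keys)` is a relative path, and GenerateSecurity.cmake in this same patch feeds it both to `if(EXISTS ...)`/`file(MAKE_DIRECTORY ...)`/`file(GLOB ...)` and to `ros2 security create_keystore` run through `execute_process` with no WORKING_DIRECTORY; `if(EXISTS)` is documented as well-defined only for full paths, and the child process resolves the path against the configure process's working directory, so the existence checks and the tool can look at different directories and the keystore — which holds private keys — may end up in the source tree (the .gitignore in this commit does not list `keys`). Make the default absolute, e.g. `set(DEFAULT_KEYSTORE "${CMAKE_CURRENT_BINARY_DIR}/keys")`, and decide whether `DEFAULT_SECURE_FOLDER`, which is set here but never read, was meant to be that default. Since CMakeLists.txt processes this file with configure_package_config_file, it should also start with `@PACKAGE_INIT@`, or that call should become a plain configure_file.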