Merge pull request #72 from ros2/xml_profile

Use XML and XSLT to perform permission transform

SROS2_Linux.md

@@ -72,8 +72,8 @@ ros2 security create_keystore demo_keys
 #### Generate keys and certificates for the talker and listener nodes
 
 ```bash
-ros2 security create_key demo_keys talker
-ros2 security create_key demo_keys listener
+ros2 security create_key demo_keys /talker
+ros2 security create_key demo_keys /listener
 ```
 
 ### Define the SROS2 environment variables
@@ -172,19 +172,19 @@ ros2 run demo_nodes_py listener
 The previous demo used authentication and encryption, but not access control, which means that any authenticated node would be able to publish and subscribe to any data stream (aka topic).
 To increase the level of security in the system, you can define strict limits, known as access control, which restrict what each node is able to do.
 For example, one node would be able to publish to a particular topic, and another node might be able to subscribe to that topic.
-To do this, we will use the sample policy file provided in `examples/sample_policy.yaml`.
+To do this, we will use the sample policy file provided in `examples/sample_policy.xml`.
 
 First, we will copy this sample policy file into our keystore:
 
 ```bash
-curl -sk https://raw.githubusercontent.com/ros2/sros2/master/examples/sample_policy.yaml -o ./demo_keys/policies.yaml
+svn checkout https://github.com/ros2/sros2/trunk/sros2/sros2/test/policies
 ```
 
 And now we will use it to generate the XML permission files expected by the middleware:
 
 ```bash
-ros2 security create_permission demo_keys talker demo_keys/policies.yaml
-ros2 security create_permission demo_keys listener demo_keys/policies.yaml
+ros2 security create_permission demo_keys /talker policies/sample_policy.xml
+ros2 security create_permission demo_keys /listener policies/sample_policy.xml
 ```
 
 These permission files will be stricter than the ones that were used in the previous demo: the nodes will only be allowed to publish or subscribe to the `chatter` topic (and some other topics used for parameters).

SROS2_MacOS.md

@@ -1,4 +1,4 @@
-# Try SROS2 in MacOS 
+# Try SROS2 in MacOS
 
 ## Install OpenSSL
 
@@ -16,15 +16,15 @@ For convenience you can add this export to your bash_profile.
 
 ## Install ROS2
 
-### Install from binaries 
+### Install from binaries
 
 First install ROS2 from binaries following [these instructions](https://github.com/ros2/ros2/wiki/OSX-Install-Binary)
 
 
 Setup your environment:
 ```bash
 source . ~/ros2_install/ros2-osx/setup.bash
-``` 
+```
 
 In the rest of these instructions we assume that every terminal setup the environment as instructed above.
 
@@ -47,7 +47,7 @@ colcon build --symlink-install --cmake-args -DSECURITY=ON
 Setup your environment:
 ```bash
 source ~/ros2_ws/install/setup.bash
-``` 
+```
 
 In the rest of these instructions we assume that every terminal setup the environment as instructed above.
 
@@ -78,8 +78,8 @@ ros2 security create_keystore demo_keys
 #### Generate keys and certificates for the talker and listener nodes
 
 ```bash
-ros2 security create_key demo_keys talker
-ros2 security create_key demo_keys listener
+ros2 security create_key demo_keys /talker
+ros2 security create_key demo_keys /listener
 ```
 
 ### Define the SROS2 environment variables
@@ -138,19 +138,19 @@ ros2 run demo_nodes_cpp talker __node:=not_talker
 The previous demo used authentication and encryption, but not access control, which means that any authenticated node would be able to publish and subscribe to any data stream (aka topic).
 To increase the level of security in the system, you can define strict limits, known as access control, which restrict what each node is able to do.
 For example, one node would be able to publish to a particular topic, and another node might be able to subscribe to that topic.
-To do this, we will use the sample policy file provided in `examples/sample_policy.yaml`.
+To do this, we will use the sample policy file provided in `examples/sample_policy.xml`.
 
 First, we will copy this sample policy file into our keystore:
 
 ```bash
-curl -sk https://raw.githubusercontent.com/ros2/sros2/master/examples/sample_policy.yaml -o ./demo_keys/policies.yaml
+svn checkout https://github.com/ros2/sros2/trunk/sros2/sros2/test/policies
 ```
 
 And now we will use it to generate the XML permission files expected by the middleware:
 
 ```bash
-ros2 security create_permission demo_keys talker demo_keys/policies.yaml
-ros2 security create_permission demo_keys listener demo_keys/policies.yaml
+ros2 security create_permission demo_keys /talker policies/sample_policy.xml
+ros2 security create_permission demo_keys /listener policies/sample_policy.xml
 ```
 
 These permission files will be stricter than the ones that were used in the previous demo: the nodes will only be allowed to publish or subscribe to the `chatter` topic (and some other topics used for parameters).

SROS2_Windows.md

@@ -49,8 +49,8 @@ ros2 security create_keystore demo_keys
 #### Generate keys and certificates for the talker and listener nodes
 
 ```bat
-ros2 security create_key demo_keys talker
-ros2 security create_key demo_keys listener
+ros2 security create_key demo_keys /talker
+ros2 security create_key demo_keys /listener
 ```
 
 If `unable to write 'random state'` appears then set the environment variable `RANDFILE`.
@@ -110,7 +110,7 @@ These nodes will be communicating using authentication and encryption!
 If you look at the packet contents on e.g. Wireshark, the messages will be encrypted.
 
 Note: You can switch between the C++ (demo_nodes_cpp) and Python (demo_nodes_py) packages arbitrarily.
- 
+
 These nodes are able to communicate because we have created the appropriate keys and certificates for them.
 However, other nodes will not be able to communicate, e.g. the following invocation will fail to start a node with a name that is not associated with valid keys/certificates:
 
@@ -124,19 +124,19 @@ ros2 run demo_nodes_cpp talker __node:=not_talker
 The previous demo used authentication and encryption, but not access control, which means that any authenticated node would be able to publish and subscribe to any data stream (aka topic).
 To increase the level of security in the system, you can define strict limits, known as access control, which restrict what each node is able to do.
 For example, one node would be able to publish to a particular topic, and another node might be able to subscribe to that topic.
-To do this, we will use the sample policy file provided in `examples/sample_policy.yaml`.
+To do this, we will use the sample policy file provided in `examples/sample_policy.xml`.
 
 First, we will copy this sample policy file into our keystore:
 
 ```bat
-curl -k https://raw.githubusercontent.com/ros2/sros2/master/examples/sample_policy.yaml -o .\demo_keys\policies.yaml
+svn checkout https://github.com/ros2/sros2/trunk/sros2/sros2/test/policies
 ```
 
 And now we will use it to generate the XML permission files expected by the middleware:
 
 ```bat
-ros2 security create_permission demo_keys talker demo_keys/policies.yaml
-ros2 security create_permission demo_keys listener demo_keys/policies.yaml
+ros2 security create_permission demo_keys /talker policies/sample_policy.xml
+ros2 security create_permission demo_keys /listener policies/sample_policy.xml
 ```
 
 These permission files will be stricter than the ones that were used in the previous demo: the nodes will only be allowed to publish or subscribe to the `chatter` topic (and some other topics used for parameters).

sros2/package.xml

@@ -13,6 +13,7 @@
   <depend>ros2cli</depend>
 
   <exec_depend>openssl</exec_depend>
+  <exec_depend>python3-lxml</exec_depend>
 
   <test_depend>ament_copyright</test_depend>
   <test_depend>ament_flake8</test_depend>

sros2/setup.py

@@ -1,6 +1,23 @@
+import os
+
 from setuptools import find_packages
 from setuptools import setup
 
+
+def package_files(directory):
+    paths = []
+    for (path, directories, filenames) in os.walk(directory):
+        for filename in filenames:
+            paths.append(os.path.join('..', path, filename))
+    return paths
+
+
+extra_files = []
+extra_files.extend(package_files('sros2/policy/defaults'))
+extra_files.extend(package_files('sros2/policy/schemas'))
+extra_files.extend(package_files('sros2/policy/templates'))
+
+
 setup(
     name='sros2',
     version='0.6.2',
@@ -40,7 +57,10 @@
             ':CreatePermissionVerb',
             'distribute_key = sros2.verb.distribute_key:DistributeKeyVerb',
             'list_keys = sros2.verb.list_keys:ListKeysVerb',
-            'generate_permissions = sros2.verb.generate_permissions:GeneratePermissionsVerb',
+            'generate_policy = sros2.verb.generate_policy:GeneratePolicyVerb',
         ],
-    }
+    },
+    package_data={
+        'sros2': extra_files,
+    },
 )