Ros2 service crystal

examples/policy_definition.txt

@@ -0,0 +1,30 @@
+## Values used in policy generation
+**ipc_types**: The type of ROS IPC in use, such as service, action, or topic  
+## Definitions
+|name|description|
+|----|-----------|
+|access_permission|The access permission of that node for the specified icp|
+|ipc|Inter-process communication, how messages get from one node to another|
+|ipc identifier|The specific subsystem id to provide access to (topic name, service name...)|
+|ipc types|The inter-process communication subsystem (topics, services...)|
+
+## Options
+Most ipc permissions are given on a client/source basis.
+Parameter permissions are slightly different. These specify whether this node is allowed to read/write to another node.
+|ipc_type|identifier|access permission options|
+|--------|----------|-------------------------|
+|topics|topic name|subscribe, publish|
+|services|service name|request, reply|
+|actions|action name|call, execute|
+|parameters|node_name|read, write|
+
+## Policy yaml file layout
+
+```
+nodes:
+    <node_name>:
+        <ipc_type>:
+            <ipc_identifier>
+                access:
+                    -<access_permissions>
+```

examples/sample_policy.yaml

@@ -1,27 +1,36 @@
 nodes:
   listener:
     topics:
-      chatter:
-        allow: s # can subscribe to chatter
+      /chatter:
+        allow: 
+        - subscribe # can subscribe to chatter
   talker:
     topics:
-      chatter:
-        allow: p # can publish on chatter
+      /chatter:
+        allow: 
+        - publish # can publish on chatter
   listener_py:
     topics:
       #'*':
-      #  allow: s # this would allow the listener to subscribe to all topics
-      chatter:
-        allow: s # can subscribe to chatter
-      chatter2:
-        allow: s # can subscribe to chatter2
+      #  allow:
+      #  - subscribe # this would allow the listener to subscribe to all topics
+      /chatter:
+        allow: 
+        - subscribe # can subscribe to chatter
+      /chatter2:
+        allow: 
+        - subscribe# can subscribe to chatter2
   talker_py:
     topics:
       #'*':
-      #  allow: p # this would allow the talker to publish on all topics
-      chatter:
-        allow: p # allow publishing on chatter
-      chatter2:
-        allow: p # allow publishing on chatter2
-      chatter3:
-        allow: p # allow publishing on chatter3
+      #  allow: 
+      #  - publish # this would allow the talker to publish on all topics
+      /chatter:
+        allow: 
+        -publish # allow publishing on chatter
+      /chatter2:
+        allow: 
+        - publish# allow publishing on chatter2
+      /chatter3:
+        allow: 
+        -publish # allow publishing on chatter3

ros2_security_helper/.gitignore

@@ -0,0 +1,10 @@
+build
+install
+.catkin_workspace
+devel
+.idea
+cmake-build-debug
+.DS_Store
+.catkin_tools
+logs
+

ros2_security_helper/CMakeLists.txt

@@ -0,0 +1,24 @@
+cmake_minimum_required(VERSION 3.1)
+project(ros2_security_helper)
+SET(VERSION "1.0.0")
+
+include(CMakePackageConfigHelpers)
+SET(LIB_INSTALL_DIR lib/)
+SET(INCLUDE_INSTALL_DIR include/)
+SET(SYSCONFIG_INSTALL_DIR share/${PROJECT_NAME})
+
+configure_package_config_file(ros2_security_helperConfig.cmake.in
+    ${CMAKE_CURRENT_BINARY_DIR}/ros2_security_helperConfig.cmake
+    INSTALL_DESTINATION ${LIB_INSTALL_DIR}/ros2_security_helper/cmake
+
+    PATH_VARS INCLUDE_INSTALL_DIR SYSCONFIG_INSTALL_DIR)
+
+write_basic_package_version_file(
+    ${CMAKE_CURRENT_BINARY_DIR}/ros2_security_helperConfigVersion.cmake
+    VERSION ${VERSION}
+    COMPATIBILITY SameMajorVersion )
+
+INSTALL(FILES ${PROJECT_BINARY_DIR}/${PROJECT_NAME}Config.cmake DESTINATION share/${PROJECT_NAME}/cmake)
+INSTALL(FILES ${PROJECT_BINARY_DIR}/${PROJECT_NAME}ConfigVersion.cmake DESTINATION share/${PROJECT_NAME}/cmake)
+INSTALL(FILES GenerateSecurity.cmake DESTINATION share/${PROJECT_NAME}/cmake)
+

ros2_security_helper/GenerateSecurity.cmake

@@ -0,0 +1,71 @@
+# Macro for setting up security
+
+macro(ros2_create_keystore)
+    IF (NOT SECURITY)
+        return()
+    endif()
+    find_program(PROGRAM ros2)
+    if (DEFINED ENV{ROS_SECURITY_ROOT_DIRECTORY})
+        set(SECURITY_KEYSTORE $ENV{ROS_SECURITY_ROOT_DIRECTORY})
+    else()
+        SET(SECURITY_KEYSTORE ${DEFAULT_KEYSTORE})
+    endif()
+    message(STATUS "Keystore located at ${SECURITY_KEYSTORE}")
+    IF (NOT EXISTS ${SECURITY_KEYSTORE})
+        message(STATUS "Creating keystore directory")
+        file(MAKE_DIRECTORY ${SECURITY_KEYSTORE})
+    endif()
+
+    # Check to see if the security keystore already has already been created
+    file(GLOB RESULT "${SECURITY_KEYSTORE}/")
+    list(LENGTH RESULT RES_LEN)
+    if(${RES_LEN} EQUAL 0)
+        message(STATUS "Creating keystore directory")
+        execute_process (
+	        COMMAND ${PROGRAM} security create_keystore ${SECURITY_KEYSTORE}
+	    )
+    endif()
+endmacro()
+
+macro(ros2_secure_node)
+    # ros2_secure_node(NODES <node_1> <node_2>...<node_n>)
+
+    # NODES (macro multi-arg) takes the node names for which keys will be generated
+    # SECURITY (cmake arg) if not define or OFF, will not generate key/keystores
+    # ROS_SECURITY_ROOT_DIRECTORY (env variable) will the location of the keystore
+    # POLICY_FILE (cmake arg) if defined, will compile policies by node name into the access private certificates (e.g POLICY_FILE=/etc/policies/<policy.yaml>, Generate: <node_name> /etc/policies/<policy.yaml>)
+    IF (NOT SECURITY)
+        message(STATUS "Not generating security files")
+        return()
+    endif()
+    find_program(PROGRAM ros2)
+    if (NOT PROGRAM)
+        message("Unable to find ros2cli, have you sourced your ros setup files?")
+        return()
+    endif()
+    ros2_create_keystore()
+    set(multiValueArgs NODES)
+    cmake_parse_arguments(ros2_secure_node "" "" "${multiValueArgs}" ${ARGN} )
+    foreach(node ${ros2_secure_node_NODES})
+        message(STATUS "${PROGRAM} security create_key ${SECURITY_KEYSTORE} ${node} ${policy}")
+        execute_process (
+            COMMAND ${PROGRAM} security create_key ${SECURITY_KEYSTORE} ${node} 
+        )
+        if (POLICY_FILE)
+            if (EXISTS ${POLICY_FILE})
+                set(policy ${POLICY_FILE})
+                message(STATUS "Executing: ${PROGRAM} security create_permission ${SECURITY_KEYSTORE} ${node} ${policy}")
+                execute_process (
+                    COMMAND ${PROGRAM} security create_permission ${SECURITY_KEYSTORE} ${node} ${policy}
+                    RESULT_VARIABLE POLICY_RESULT
+                    ERROR_VARIABLE POLICY_ERROR
+                    )
+                if (NOT ${POLICY_RESULT} EQUAL 0)
+                    message("Unable to generate policy for ${node} in ${policy}")
+                    message("${POLICY_ERROR}")
+                endif()
+            endif()
+        endif()
+    endforeach(node)
+endmacro()
+

ros2_security_helper/README.txt

@@ -0,0 +1,15 @@
+# Security Helper
+Add node authentication, cryptography, and access control security keys using a cmake macro.
+
+In package.xml add:  
+`<depend>ros2_security_helpers</depend>`
+In CMakeLists add:  
+`find_package(ros2_security_helpers REQUIRED)`
+Then use the macro:  
+    # ros2_secure_node(NODES <node_1> <node_2>...<node_n>)
+
+    # NODES (macro multi-arg) takes the node names for which keys will be generated
+    # SECURITY (cmake arg) if not define or OFF, will not generate key/keystores
+    # ROS_SECURITY_ROOT_DIRECTORY (env variable) will the location of the keystore
+    # POLICY_FILE (cmake arg) if defined, will compile policies by node name into the access private certificates (e.g POLICY_FILE=/etc/policies/<policy.yaml>, Generate: <node_name> /etc/policies/<policy.yaml>) **if defined, all nodes must have a policy defined for them**
+

ros2_security_helper/package.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+    <package format="2">
+    <name>ros2_security_helper</name>
+    <version>1.0.0</version>
+    <description>Common AWS SDK utilities, intended for use by ROS packages using the AWS SDK.</description>
+    <author email="aws-b9-platform@amazon.com">AWS B9 Team</author>
+    <maintainer email="aws-b9-platform@amazon.com">AWS B9 Team</maintainer>
+    <license>Apache 2.0</license>
+
+    <buildtool_depend>cmake</buildtool_depend>
+    <export>
+    <build_type>cmake</build_type>
+    </export>
+</package>

ros2_security_helper/ros2_security_helperConfig.cmake.in

@@ -0,0 +1,8 @@
+# Compute paths
+
+set(DEFAULT_KEYSTORE keys)
+set(ros2_security_helperBASE_DIR "${CMAKE_CURRENT_LIST_DIR}/../../..")
+set(DEFAULT_SECURE_FOLDER "${ros2_security_helperBASE_DIR}/ros2_security")
+
+include("${CMAKE_CURRENT_LIST_DIR}/GenerateSecurity.cmake")
+

setup.py

@@ -40,6 +40,7 @@
             ':CreatePermissionVerb',
             'distribute_key = sros2.verb.distribute_key:DistributeKeyVerb',
             'list_keys = sros2.verb.list_keys:ListKeysVerb',
+            'generate_permissions = sros2.verb.generate_permissions:GeneratePermissionsVerb',
         ],
     }
 )