Secure discovery server (#437) (#641)

* Refs #15596. Added XML profile for CLI example. * Refs #15596. CLI examples updated. * Refs #15596. Added note regarding security configuration. * Refs #15596. Introduction on discovery server section. * Refs #15596: Add security section to discovery server --------- Signed-off-by: Miguel Company <MiguelCompany@eprosima.com> Signed-off-by: Eduardo Ponz <eduardoponz@eprosima.com> Co-authored-by: Eduardo Ponz Segrelles <eduardoponz@eprosima.com> Co-authored-by: Miguel Company <MiguelCompany@eprosima.com>
eProsima · Jan 17, 2024 · c84e3a6 · c84e3a6
1 parent 7d3d6cf
commit c84e3a6
Show file tree

Hide file tree

Showing 3 changed files with 130 additions and 4 deletions.
diff --git a/code/XMLTester.xml b/code/XMLTester.xml
@@ -796,6 +796,74 @@
  </builtin>
  </rtps>
 </participant>
+
+<participant profile_name="secure_discovery_server_cli">
+ <rtps>
+ <prefix>44.53.00.5f.45.50.52.4f.53.49.4d.41</prefix>
+ <builtin>
+ <discovery_config>
+ <discoveryProtocol>SERVER</discoveryProtocol>
+ </discovery_config>
+ <metatrafficUnicastLocatorList>
+ <locator>
+ <udpv4>
+ <address>0.0.0.0</address>
+ <port>11811</port>
+ </udpv4>
+ </locator>
+ </metatrafficUnicastLocatorList>
+ </builtin>
+ <propertiesPolicy>
+ <properties>
+ <!-- Activate Auth:PKI-DH plugin -->
+ <property>
+ <name>dds.sec.auth.plugin</name>
+ <value>builtin.PKI-DH</value>
+ </property>
+
+ <!-- Configure Auth:PKI-DH plugin -->
+ <property>
+ <name>dds.sec.auth.builtin.PKI-DH.identity_ca</name>
+ <value>file://maincacert.pem</value>
+ </property>
+ <property>
+ <name>dds.sec.auth.builtin.PKI-DH.identity_certificate</name>
+ <value>file://appcert.pem</value>
+ </property>
+ <property>
+ <name>dds.sec.auth.builtin.PKI-DH.private_key</name>
+ <value>file://appkey.pem</value>
+ </property>
+
+ <!-- Activate Access:Permissions plugin -->
+ <property>
+ <name>dds.sec.access.plugin</name>
+ <value>builtin.Access-Permissions</value>
+ </property>
+
+ <!-- Configure Access:Permissions plugin -->
+ <property>
+ <name>dds.sec.access.builtin.Access-Permissions.permissions_ca</name>
+ <value>file://maincacet.pem</value>
+ </property>
+ <property>
+ <name>dds.sec.access.builtin.Access-Permissions.governance</name>
+ <value>file://governance.smime</value>
+ </property>
+ <property>
+ <name>dds.sec.access.builtin.Access-Permissions.permissions</name>
+ <value>file://permissions.smime</value>
+ </property>
+
+ <!-- Activate Crypto:AES-GCM-GMAC plugin -->
+ <property>
+ <name>dds.sec.crypto.plugin</name>
+ <value>builtin.AES-GCM-GMAC</value>
+ </property>
+ </properties>
+ </propertiesPolicy>
+ </rtps>
+</participant>
 <!--><-->
 
 

diff --git a/docs/fastdds/discovery/discovery_server.rst b/docs/fastdds/discovery/discovery_server.rst
@@ -389,3 +389,33 @@ Client side setup
 | :lines: 2-3,5-40 |
 | :append: </profiles> |
 +---------------------------------------------------------------------+
+
+.. _DS_security:
+
+Security
+^^^^^^^^
+
+Configuring :ref:`security` on *servers* and *clients* is done the same way as for any other participant.
+This section depicts the limitations imposed by the security enforcement on the communication between
+*clients* and *servers*, and which discovery information is propagated by a *server* depending on the security
+configuration of the *clients* and *servers* to which it is connected.
+
+It is important to note that for enabling a secure discovery when using Discovery Server, *Fast DDS* must be compiled
+with security support (see :ref:`cmake_options`), and the :ref:`domain_governance_doc` must explicitly encrypt the
+discovery.
+
+As in SDP, when using this feature, the Domain Governance Document of all *clients* and *servers* connecting to a
+*server* must match that of the *server*, which implies that all |DomainParticipants| belonging to the same Discovery
+Sever network must configure the discovery protection in the same manner.
+
+Although the *server* mediates the discovery process and creates connections between *clients*, the *clients* themselves
+still go through the PKI (Public Key Infrastructure) exchange in order to have a secure communication between them.
+
+.. important::
+
+ In order to keep the behavior consistent with the QoS Policies, the *server* does not check the
+ :ref:`domainparticipant_permissions_doc` of the |DomainParticipants| that it is connecting.
+
+.. important::
+
+ Security support for Discovery Server is only supported from Fast DDS v2.10.0 onward.
diff --git a/docs/fastddscli/cli/cli.rst b/docs/fastddscli/cli/cli.rst
@@ -103,6 +103,7 @@ The output is:
 
  ### Server is running ###
  Participant Type: <SERVER|BACKUP>
+ Security: <YES|NO>
  Server ID: <server-id>
  Server GUID prefix: 44.53.<server-id-in-hex>.5f.45.50.52.4f.53.49.4d.41
  Server Addresses: UDPv4:[<ip-address>]:<port>
@@ -112,6 +113,10 @@ Once the *server* is instantiated, the *clients* can be configured either progra
 :ref:`discovery_server`), or using environment variable ``ROS_DISCOVERY_SERVER`` (see
 :ref:`env_vars_ros_discovery_server`)
 
+.. note::
+ The :ref:`security` configuration of the discovery server should be done through XML.
+ See example below.
+
 .. _cli_discovery_examples:
 
 Examples
@@ -131,6 +136,7 @@ Examples
 
  ### Server is running ###
  Participant Type: SERVER
+ Security: NO
  Server ID: 0
  Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41
  Server Addresses: UDPv4:[0.0.0.0]:11811
@@ -149,6 +155,7 @@ Examples
 
  ### Server is running ###
  Participant Type: SERVER
+ Security: NO
  Server ID: 1
  Server GUID prefix: 44.53.01.5f.45.50.52.4f.53.49.4d.41
  Server Addresses: UDPv4:[127.0.0.1]:14520
@@ -179,6 +186,7 @@ Examples
 
  ### Server is running ###
  Participant Type SERVER
+ Security: NO
  Server ID: 2
  Server GUID prefix: 44.53.02.5f.45.50.52.4f.53.49.4d.41
  Server Addresses: UDPv4:[192.168.36.34]:8783
@@ -205,6 +213,7 @@ Examples
 
  ### Server is running ###
  Participant Type BACKUP
+ Security: NO
  Server ID: 3
  Server GUID prefix: 44.53.03.5f.45.50.52.4f.53.49.4d.41
  Server Addresses: UDPv4:[172.30.144.1]:12345
@@ -222,10 +231,29 @@ Examples
  .. code-block:: bash
 
  ### Server is running ###
- Participant Type: SERVER
- Server ID: 0
- Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41
- Server Addresses: UDPv4:[127.0.0.1]:14520
+ Participant Type: SERVER
+ Security: NO
+ Server ID: 0
+ Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41
+ Server Addresses: UDPv4:[127.0.0.1]:14520
+
+7. Launch a secure server with id 0 (first on ``ROS_DISCOVERY_SERVER``)
+ listening on all available interfaces on UDP port '11811'.
+
+ .. code-block:: bash
+
+ fastdds discovery -x secure_discovery_server_cli@[PATH_TO_FILE]/DiscoveryServerCLI.xml
+
+ Output:
+
+ .. code-block:: bash
+
+ ### Server is running ###
+ Participant Type: SERVER
+ Security: YES
+ Server ID: 0
+ Server GUID prefix: 44.53.00.5f.45.50.52.4f.53.49.4d.41
+ Server Addresses: UDPv4:[0.0.0.0]:11811
 
 8. Launch a server with id 0 (first on ``ROS_DISCOVERY_SERVER``) reading
  specific `profile_name` configuration from XML file.