Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix(ACL): Apply queryable and subscriber declaration filters on their respective undeclarations #1573

Merged
merged 8 commits into from
Nov 7, 2024
Merged

Fix(ACL): Apply queryable and subscriber declaration filters on their respective undeclarations #1573

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
d5adf0f
Apply declaration filters to their respective undeclarations
oteffahi Oct 28, 2024
cafeaba
Populate ext_wire_expr of UndeclareSubscriber and UndeclareQueryable …
oteffahi Oct 30, 2024
740251e
Revert "Populate ext_wire_expr of UndeclareSubscriber and UndeclareQu…
oteffahi Nov 7, 2024
aa4fad2
Add filtering of undeclarations in ingress depending on if key_expr i…
oteffahi Nov 7, 2024
39ab9d2
Change undeclaration log level to trace
oteffahi Nov 7, 2024
bea5aa8
Tidy up undeclaration logs based on PR comments
oteffahi Nov 7, 2024
23258c9
Move log to debug, add clarification comment
oteffahi Nov 7, 2024
4b95736
Fix typo
oteffahi Nov 7, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions zenoh/src/net/routing/dispatcher/pubsub.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,6 @@ pub(crate) fn undeclare_subscription(
node_id: NodeId,
send_declare: &mut SendDeclare,
) {
tracing::debug!("Undeclare subscription {}", face);
let res = if expr.is_empty() {
None
} else {
Expand Down Expand Up @@ -173,7 +172,8 @@ pub(crate) fn undeclare_subscription(
Resource::clean(&mut res);
drop(wtables);
} else {
tracing::error!("{} Undeclare unknown subscriber {}", face, id);
// NOTE: This is expected behavior if subscriber declarations are denied with ingress ACL interceptor.
tracing::debug!("{} Undeclare unknown subscriber {}", face, id);
}
}

Expand Down
3 changes: 2 additions & 1 deletion zenoh/src/net/routing/dispatcher/queries.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -186,7 +186,8 @@ pub(crate) fn undeclare_queryable(
Resource::clean(&mut res);
drop(wtables);
} else {
tracing::error!("{} Undeclare unknown queryable {}", face, id);
// NOTE: This is expected behavior if queryable declarations are denied with ingress ACL interceptor.
tracing::debug!("{} Undeclare unknown queryable {}", face, id);
}
}

Expand Down
86 changes: 70 additions & 16 deletions zenoh/src/net/routing/interceptor/access_control.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -281,6 +281,26 @@ impl InterceptorTrait for IngressAclEnforcer {
return None;
}
}
NetworkBody::Declare(Declare {
body: DeclareBody::UndeclareSubscriber(_),
..
}) => {
// Undeclaration filtering diverges between ingress and egress:
// Undeclarations in ingress are only filtered if the ext_wire_expr is set.
// If it's not set, we let the undeclaration pass, it will be rejected by the routing logic
// if its associated declaration was denied.
if let Some(key_expr) = key_expr {
if !key_expr.is_empty()
&& self.action(
AclMessage::DeclareSubscriber,
"Undeclare Subscriber (ingress)",
key_expr,
) == Permission::Deny
{
return None;
}
}
}
NetworkBody::Declare(Declare {
body: DeclareBody::DeclareQueryable(_),
..
Expand All @@ -294,6 +314,26 @@ impl InterceptorTrait for IngressAclEnforcer {
return None;
}
}
NetworkBody::Declare(Declare {
body: DeclareBody::UndeclareQueryable(_),
..
}) => {
// Undeclaration filtering diverges between ingress and egress:
// Undeclarations in ingress are only filtered if the ext_wire_expr is set.
// If it's not set, we let the undeclaration pass, it will be rejected by the routing logic
// if its associated declaration was denied.
if let Some(key_expr) = key_expr {
if !key_expr.is_empty()
&& self.action(
AclMessage::DeclareQueryable,
"Undeclare Queryable (ingress)",
key_expr,
) == Permission::Deny
{
return None;
}
}
}
// Unfiltered Declare messages
NetworkBody::Declare(Declare {
body: DeclareBody::DeclareKeyExpr(_),
Expand All @@ -315,14 +355,6 @@ impl InterceptorTrait for IngressAclEnforcer {
| NetworkBody::Declare(Declare {
body: DeclareBody::UndeclareToken(_),
..
})
| NetworkBody::Declare(Declare {
body: DeclareBody::UndeclareQueryable(_),
..
})
| NetworkBody::Declare(Declare {
body: DeclareBody::UndeclareSubscriber(_),
..
}) => {}
// Unfiltered remaining message types
NetworkBody::Interest(_) | NetworkBody::OAM(_) | NetworkBody::ResponseFinal(_) => {}
Expand Down Expand Up @@ -395,6 +427,21 @@ impl InterceptorTrait for EgressAclEnforcer {
return None;
}
}
NetworkBody::Declare(Declare {
body: DeclareBody::UndeclareSubscriber(_),
..
}) => {
// Undeclaration filtering diverges between ingress and egress:
// in egress the keyexpr has to be provided in the RoutingContext
if self.action(
AclMessage::DeclareSubscriber,
"Undeclare Subscriber (egress)",
key_expr?,
) == Permission::Deny
{
return None;
}
}
NetworkBody::Declare(Declare {
body: DeclareBody::DeclareQueryable(_),
..
Expand All @@ -408,6 +455,21 @@ impl InterceptorTrait for EgressAclEnforcer {
return None;
}
}
NetworkBody::Declare(Declare {
body: DeclareBody::UndeclareQueryable(_),
..
}) => {
// Undeclaration filtering diverges between ingress and egress:
// in egress the keyexpr has to be provided in the RoutingContext
if self.action(
AclMessage::DeclareQueryable,
"Undeclare Queryable (egress)",
key_expr?,
) == Permission::Deny
{
return None;
}
}
// Unfiltered Declare messages
NetworkBody::Declare(Declare {
body: DeclareBody::DeclareKeyExpr(_),
Expand All @@ -429,14 +491,6 @@ impl InterceptorTrait for EgressAclEnforcer {
| NetworkBody::Declare(Declare {
body: DeclareBody::UndeclareToken(_),
..
})
| NetworkBody::Declare(Declare {
body: DeclareBody::UndeclareQueryable(_),
..
})
| NetworkBody::Declare(Declare {
body: DeclareBody::UndeclareSubscriber(_),
..
}) => {}
// Unfiltered remaining message types
NetworkBody::Interest(_) | NetworkBody::OAM(_) | NetworkBody::ResponseFinal(_) => {}
fuzzypixelz marked this conversation as resolved.
Show resolved Hide resolved
Expand Down