Merge pull request #1 from osrf/security_extension

Add security extensions

Author: gbiggs

.gitignore

@@ -0,0 +1 @@
+__pycache__/

package.xml

@@ -0,0 +1,31 @@
+<?xml version="1.0"?>
+<?xml-model
+  href="http://download.ros.org/schema/package_format2.xsd"
+  schematypens="http://www.w3.org/2001/XMLSchema"?>
+<package format="3">
+  <name>ros2launch_security</name>
+  <version>0.1.0</version>
+  <description>Security extensions for ros2 launch</description>
+  <maintainer email="[email protected]">Ted Kern</maintainer>
+  <license>Apache License 2.0</license>
+  <author email="[email protected]">Geoffrey Biggs</author>
+  <author email="[email protected]">Ted Kern</author>
+
+  <depend>ament_index_python</depend>
+  <depend>ros2launch</depend>
+  <depend>nodl_python</depend>
+  <depend>sros2</depend>
+
+  <test_depend>ament_copyright</test_depend>
+  <test_depend>ament_flake8</test_depend>
+  <test_depend>ament_pep257</test_depend>
+  <test_depend>demo_nodes_py</test_depend>
+  <test_depend>launch_ros</test_depend>
+  <test_depend>python3-pytest</test_depend>
+  <test_depend>ros2launch</test_depend>
+  <test_depend>sros2</test_depend>
+
+  <export>
+    <build_type>ament_python</build_type>
+  </export>
+</package>

pytest.ini

@@ -0,0 +1,2 @@
+[pytest]
+junit_family=xunit2

resource/ros2launch_security

@@ -0,0 +1,20 @@
+# Copyright 2020 Canonical, Ltd.
+# Copyright 2021 Open Source Robotics Foundation, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from . import option
+
+__all__ = [
+    'option'
+]

ros2launch_security/__init__.py

@@ -0,0 +1,20 @@
+# Copyright 2020 Canonical, Ltd.
+# Copyright 2021 Open Source Robotics Foundation, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from . import security
+
+__all__ = [
+    'security'
+]

ros2launch_security/node_action/__init__.py

@@ -0,0 +1,67 @@
+# Copyright 2020 Canonical, Ltd.
+# Copyright 2021 Open Source Robotics Foundation, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import pathlib
+from typing import Dict
+from typing import List
+from typing import Union
+
+from launch.launch_context import LaunchContext
+from launch.substitutions import LocalSubstitution
+from launch.utilities import normalize_to_list_of_substitutions
+from launch_ros.actions.node import Node, NodeActionExtension
+
+import nodl
+import sros2.keystore._enclave
+
+
+class SecurityNodeActionExtension(NodeActionExtension):
+
+    def prepare_for_execute(self, context, ros_specific_arguments, node_action):
+        if context.launch_configurations.get('__secure', None) is not None:
+            cmd_extension = ['--enclave', LocalSubstitution("ros_specific_arguments['enclave']")]
+            cmd_extension = [normalize_to_list_of_substitutions(x) for x in cmd_extension]
+            ros_specific_arguments = self._setup_security(
+                context,
+                ros_specific_arguments,
+                node_action
+            )
+            return cmd_extension, ros_specific_arguments
+        else:
+            return [], ros_specific_arguments
+
+    def _setup_security(
+        self,
+        context: LaunchContext,
+        ros_specific_arguments: Dict[str, Union[str, List[str]]],
+        node_action: Node
+    ) -> None:
+        """Enable encryption, creating a key for the node if necessary."""
+        nodl_node = nodl.get_node_by_executable(
+            package_name=node_action.node_package,
+            executable_name=node_action.node_executable
+        )
+
+        self.__enclave = node_action.node_name.replace(
+            Node.UNSPECIFIED_NODE_NAME, nodl_node.name
+        ).replace(Node.UNSPECIFIED_NODE_NAMESPACE, '')
+
+        sros2.keystore._enclave.create_enclave(
+            keystore_path=pathlib.Path(context.launch_configurations.get('__keystore')),
+            identity=self.__enclave
+        )
+
+        ros_specific_arguments['enclave'] = self.__enclave
+        return ros_specific_arguments

ros2launch_security/node_action/security.py

@@ -0,0 +1,20 @@
+# Copyright 2020 Canonical, Ltd.
+# Copyright 2021 Open Source Robotics Foundation, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from . import security
+
+__all__ = [
+    'security'
+]

ros2launch_security/option/__init__.py

@@ -0,0 +1,147 @@
+# Copyright 2020 Canonical, Ltd.
+# Copyright 2021 Open Source Robotics Foundation, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+import pathlib
+from tempfile import TemporaryDirectory
+from typing import Optional
+from typing import Tuple
+
+import launch
+from ros2launch.option import OptionExtension
+import sros2.keystore._keystore
+
+
+class NoKeystoreProvidedError(Exception):
+    """Exception raised when a keystore is not provided."""
+
+    def __init__(self):
+        super().__init__(('--no-create-keystore was specified and '
+                          'no keystore was provided'))
+
+
+class NonexistentKeystoreError(Exception):
+    """Exception raised when keystore is not on disk."""
+
+    def __init__(self, keystore_path: pathlib.Path):
+        super().__init__(('--no-create-keystore was specified and '
+                          f'the keystore "{keystore_path}" '
+                          'does not exist'))
+
+
+class InvalidKeystoreError(Exception):
+    """Exception raised when provided keystore isn't valid."""
+
+    def __init__(self, keystore_path: pathlib.Path):
+        super().__init__(('--no-create-keystore was specified and '
+                          f'the keystore "{keystore_path}" is not initialized. \n\t'
+                          f'(Try running: ros2 security create_keystore {keystore_path})'))
+
+
+class SecurityOption(OptionExtension):
+
+    def add_arguments(self, parser, cli_name, *, argv=None):
+        sec_args = parser.add_argument_group(
+            title='security',
+            description='Security-related arguments'
+        )
+        arg = sec_args.add_argument(
+            '--secure',
+            metavar='keystore',
+            nargs='?',
+            const='',
+            help=('Launch with ROS 2 security features using the specified keystore directory. '
+                  'Will set up an ephemeral keystore if one is not specified.'),
+        )
+        try:
+            arg.completer = DirectoriesCompleter()  # argcomplete is optional
+        except NameError:
+            pass
+
+        sec_args.add_argument(
+            '--no-create-keystore',
+            dest='create_keystore',
+            action='store_false',
+            help='Disable automatic keystore creation and/or initialization'
+        )
+
+    def prelaunch(
+        self,
+        launch_description: launch.LaunchDescription,
+        args
+    ) -> Tuple[launch.LaunchDescription, '_Keystore']:
+        if args.secure is None:
+            return (launch_description,)
+        keystore_path = pathlib.Path(args.secure) if args.secure != '' else None
+        keystore = _Keystore(keystore_path=keystore_path, create_keystore=args.create_keystore)
+
+        launch_description = launch.LaunchDescription(
+            [
+                launch.actions.DeclareLaunchArgument(
+                    name='__keystore', default_value=str(keystore.path)
+                ),
+                launch.actions.DeclareLaunchArgument(
+                    name='__secure', default_value='true'
+                ),
+                launch.actions.SetEnvironmentVariable(
+                    name='ROS_SECURITY_KEYSTORE', value=str(keystore.path)
+                ),
+                launch.actions.SetEnvironmentVariable(
+                    name='ROS_SECURITY_STRATEGY',
+                    value='Enforce'),
+                launch.actions.SetEnvironmentVariable(name='ROS_SECURITY_ENABLE', value='true'),
+            ]
+            + launch_description.entities
+        )
+
+        return launch_description, keystore
+
+
+class _Keystore:
+    """
+    Object that contains a keystore.
+
+    If a transient keystore is created, contains the temporary directory, assuring
+    it is destroyed alongside the _Keystore object.
+    """
+
+    def __init__(self, *, keystore_path: Optional[pathlib.Path], create_keystore: bool):
+        if not create_keystore:
+            if keystore_path is None:
+                raise NoKeystoreProvidedError()
+            if not keystore_path.exists():
+                raise NonexistentKeystoreError(keystore_path)
+            if not sros2.keystore._keystore.is_valid_keystore(keystore_path):
+                raise InvalidKeystoreError(keystore_path)
+
+        # If keystore path is blank, create a transient keystore
+        if keystore_path is None:
+            self._temp_keystore = TemporaryDirectory()
+            self._keystore_path = pathlib.Path(self._temp_keystore.name)
+        else:
+            self._keystore_path = keystore_path
+        self._keystore_path = self._keystore_path.resolve()
+        # If keystore is not initialized, create a keystore
+        if not self._keystore_path.is_dir():
+            self._keystore_path.mkdir()
+        if not sros2.keystore._keystore.is_valid_keystore(self._keystore_path):
+            sros2.keystore._keystore.create_keystore(self._keystore_path)
+
+    @property
+    def path(self) -> pathlib.Path:
+        return self._keystore_path
+
+    def __str__(self) -> str:
+        return str(self._keystore_path)

ros2launch_security/option/security.py

@@ -0,0 +1,4 @@
+[develop]
+script-dir=$base/lib/test_ros2launch
+[install]
+install-scripts=$base/lib/test_ros2launch