// Copyright 2016 Proyectos y Sistemas de Mantenimiento SL (eProsima).
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
/*!
* @file Authentication.h
*/
#ifndef _FASTDDS_RTPS_SECURITY_AUTHENTICATION_AUTHENTICATION_H_
#define _FASTDDS_RTPS_SECURITY_AUTHENTICATION_AUTHENTICATION_H_
#include <fastdds/rtps/security/common/Handle.h>
#include <fastdds/rtps/security/common/SharedSecretHandle.h>
#include <fastdds/rtps/common/Guid.h>
#include <fastdds/rtps/attributes/RTPSParticipantAttributes.h>
#include <fastdds/rtps/security/exceptions/SecurityException.h>
#include <fastdds/rtps/common/Token.h>
#include <fastdds/rtps/common/CDRMessage_t.h>
#include <fastdds/rtps/security/authentication/Handshake.h>
#include <cstdint>
namespace eprosima {
namespace fastrtps {
namespace rtps {
namespace security {
class Logging;
enum ValidationResult_t : uint32_t
{
VALIDATION_OK = 0,
VALIDATION_FAILED,
VALIDATION_PENDING_RETRY,
VALIDATION_PENDING_HANDSHAKE_REQUEST,
VALIDATION_PENDING_HANDSHAKE_MESSAGE,
VALIDATION_OK_WITH_FINAL_MESSAGE
};
class Authentication;
class AuthenticationListener
{
virtual bool on_revoke_identity(Authentication& plugin,
const IdentityHandle& handle,
SecurityException& exception) = 0;
};
class Authentication
{
public:
virtual ~Authentication() = default;
/*!
* @brief Validates the identity of the local RTPSParticipant.
* @param local_identity_handle (out) A handle that can be used to locally refer to the Authenticated
* Participant in subsequent interactions with the Authentication plugin.
* @param adjusted_participant_key (out) The GUID_t that the implementation shall use to uniquely identify the
* RTPSParticipant on the network.
* @param domain_id The Domain Id of the RTPSParticipant.
* @param participant_attr The RTPSParticipantAttributes of the RTPSParticipant.
* @param candidate_participant_key The GUID_t that the DDS implementation would have used to uniquely identify
* the RTPSParticipant if the Security plugins were not enabled.
* @param exception (out) A SecurityException object.
* @return Validation status.
*/
virtual ValidationResult_t validate_local_identity(IdentityHandle** local_identity_handle,
GUID_t& adjusted_participant_key,
const uint32_t domain_id,
const RTPSParticipantAttributes& participant_attr,
const GUID_t& candidate_participant_key,
SecurityException& exception) = 0;
/*!
* @brief Initiates the process of validating the identity of the discovered remote RTPSParticipant, represented
* as an IdentityToken object.
* @param remote_identity_handle (out) A handle that can be used to locally refer to the remote Authenticated
* Participant in subsequent interactions with the AuthenticationPlugin.
* @param local_identity_handle A handle to the local RTPSParticipant requesting the remote participant to be
* validate.
* @param remote_identity_token A token received as part of ParticipantProxyData, representing the
* identity of the remote DomainParticipant.
* @param remote_participant_key
* @param exception (out) A SecurityException object.
* @result Validation status.
*/
virtual ValidationResult_t validate_remote_identity(IdentityHandle** remote_identity_handle,
const IdentityHandle& local_identity_handle,
const IdentityToken& remote_identity_token,
const GUID_t& remote_participant_key,
SecurityException& exception) = 0;
/*!
* @brief This operation is used to initiate a handshake.
* @param handshake_handle (out) A handle returned by the Authentication plugin used to keep the state of the
* handshake.
* @param handshake_message (out) A HandshakeMessageToken to be sent using the BuiltinParticipantMessageWriter.
* @param initiator_identity_handle Handle to the local participant that originated the handshake.
* @param replier_identity_handle Handle to the remote participant whose identity is being validated.
* @param cdr_participant_data Participant's data.
* @param exception (out) A SecurityException object.
* @result Validation status.
*/
virtual ValidationResult_t begin_handshake_request(HandshakeHandle** handshake_handle,
HandshakeMessageToken** handshake_message,
const IdentityHandle& initiator_identity_handle,
IdentityHandle& replier_identity_handle,
const CDRMessage_t& cdr_participant_data,
SecurityException& exception) = 0;
/*!
* @brief This operation shall be invoked by the implementation in reaction to the reception of the initial
* handshake message that originated on a RTPSParticipant that called the begin_handshake_request operation.
* @param handshake_handle (out) A handle returned by the Authentication Plugin used to keep the state of the
* handshake.
* @param handshake_message_out (out) A HandshakeMessageToken containing a message to be sent using the
* BuiltinParticipantMessageWriter.
* @param handshake_message_in A HandshakeMessageToken containing a message received from the
* BuiltinParticipantMessageReader.
* @param initiator_identity_handle Handle to the remote participant that originated the handshake.
* @param replier_identity_handle Handle to the local participant that is initiaing the handshake.
* @param cdr_participant_data Participant's CDRMessage.
* @param exception A SecurityException object.
* @result Validation status.
*/
virtual ValidationResult_t begin_handshake_reply(
HandshakeHandle** handshake_handle,
HandshakeMessageToken** handshake_message_out,
HandshakeMessageToken&& handshake_message_in,
IdentityHandle& initiator_identity_handle,
const IdentityHandle& replier_identity_handle,
const CDRMessage_t& cdr_participant_data,
SecurityException& exception) = 0;
/*!
* @brief This operation is used to continue a handshake.
* @param handshake_message_out (out) A HandshakeMessageToken containing the message_data that should be
* place in a ParticipantStatelessMessage to be sent using the BuiltinParticipantMessageWriter.
* @param handshake_message_in The HandshakeMessageToken contained in the message_data attribute of the
* ParticipantStatelessMessage received.
* @param handshake_handle Handle returned by a correspoing previous call to begin_handshake_request or
* begin_handshake_reply.
* @param exception A SecurityException object.
* @return Validation status.
*/
virtual ValidationResult_t process_handshake(
HandshakeMessageToken** handshake_message_out,
HandshakeMessageToken&& handshake_message_in,
HandshakeHandle& handshake_handle,
SecurityException& exception) = 0;
/*!
* @brief Retrieve the SharedSecretHandle resulting with a successfully completed handshake.
* @param handshake_handle Handle returned bu a corresponding previous call to begin_handshake_request or
* begin_handshake_reply, which has successfully complete the handshake operations.
* @param exception SecurityException object
* @return SharedSecretHandle.
*/
virtual SharedSecretHandle* get_shared_secret(
const HandshakeHandle& handshake_handle,
SecurityException& exception) = 0;
/*!
* @brief Sets the AuthenticationListener that the Authentication plugin will use to notify the infrastructure
* of events relevant to the Authentication of RTPSParticipants.
* @param listener An AuthenticationListener object to be attached to the Authentication object.
* @param exception (out) A SecurityException object.
*/
virtual bool set_listener(AuthenticationListener* listener,
SecurityException& exception) = 0;
virtual bool get_identity_token(IdentityToken** identity_token,
const IdentityHandle& handle,
SecurityException& exception) = 0;
/*!
* @brief Returns the IdentityToken object to the plugin so it can be disposed of.
* @param token An IdentityToken issued by the plugin on a prior call to get_identity_token.
* @param exception (out) A SecurityException object.
*/
virtual bool return_identity_token(IdentityToken* token,
SecurityException& exception) = 0;
/*!
* @brief Returns the Handshakehandle object to the plugin so it can be disposed of.
* @param handshake_handle A HandshakeHandle issued by the plugin on a prior call to begin_handshake_request or
* begin_handshake_reply.
* @param exception (out) A SecurityException object.
*/
virtual bool return_handshake_handle(HandshakeHandle* handshake_handle,
SecurityException& exception) = 0;
/*!
* @brief Returns the IdentityHandle object to the plugin so it can be disposed of.
* @param identity_handle An IdentityHandle issued by the plugin on a prior call to validate_local_identity or
* validate_remote_identity.
* @param exception (out) A SecurityException object.
*/
virtual bool return_identity_handle(IdentityHandle* identity_handle,
SecurityException& exception) = 0;
/*!
* @brief Returns the SharedSecretHandle object to the plugin so it can be disposed of.
* @param sharedsecret_handle An SharedSecretHandle issued by the plugin on a prior call to get_shared_secret.
* @param exception (out) A SecurityException object.
*/
virtual bool return_sharedsecret_handle(SharedSecretHandle* sharedsecret_handle,
SecurityException& exception) = 0;
virtual bool set_permissions_credential_and_token(IdentityHandle& identity_handle,
PermissionsCredentialToken& permissions_credential_token,
SecurityException& ex) = 0;
virtual bool get_authenticated_peer_credential_token(PermissionsCredentialToken **token,
const IdentityHandle& identity_handle, SecurityException& exception) = 0;
virtual bool return_authenticated_peer_credential_token(PermissionsCredentialToken* token,
SecurityException& ex) = 0;
bool set_logger(Logging* logger,
SecurityException& /*exception*/)
{
logger_ = logger;
return true;
}
protected:
const Logging* get_logger() const
{
return logger_;
}
private:
Logging* logger_ = nullptr;
};
} //namespace security
} //namespace rtps
} //namespace fastrtps
} //namespace eprosima
#endif // _FASTDDS_RTPS_SECURITY_AUTHENTICATION_AUTHENTICATION_H_