Align product guide (#32)

* Separating RPM build steps cleanly

* Fixing BSL-SIS page name

* More improvements to API docs to align with actual architecture and user needs

* Cleaning up prep CMake options to avoid duplication

* Aligning diagram with user guide

* Address comment about example PPs

Author: BrianSipos

.github/workflows/docs.yaml

@@ -53,7 +53,10 @@ jobs:
       - name: Dependency build
         run: ./build.sh deps
       - name: Prep
-        run: ./build.sh prep -DBUILD_TESTING=OFF -DTEST_MEMCHECK=OFF -DTEST_COVERAGE=OFF -DBUILD_DOCS_API=ON
+        run: >
+          ./build.sh prep
+          -DBUILD_TESTING=OFF -DTEST_MEMCHECK=OFF -DTEST_COVERAGE=OFF
+          -DBUILD_DOCS_API=ON
       - name: Build
         run: |
           ./build.sh --target docs-api-html docs-api-pdf docs-api-misspelling

.github/workflows/packages.yaml

@@ -52,11 +52,12 @@ jobs:
           fetch-depth: 0
           submodules: recursive
       - name: Prep
-        run: ./build.sh prep -DBUILD_LIB=OFF -DBUILD_TESTING=OFF -DBUILD_DOCS_API=OFF -DBUILD_DOCS_MAN=OFF -DBUILD_PACKAGE=ON
+        run: ./build.sh rpm-prep
       - name: Build
-        run: |
-          ./build.sh rpm-build
-      - name: rpmlint Results
+        run: ./build.sh rpm-build
+      - name: Check
+        run: ./build.sh rpm-check
+      - name: Summarize Results
         if: always()
         run: |
           echo "## rpmlint results:" >> $GITHUB_STEP_SUMMARY

CMakeLists.txt

@@ -23,11 +23,11 @@ cmake_minimum_required(VERSION 3.10)
 
 option(BUILD_LIB "Build the library itself" ON)
 option(BUILD_SHARED_LIBS "Build using shared libraries" ON)
-option(BUILD_DOCS_API "Enable API documentation building" OFF)
+option(BUILD_DOCS_API "Enable API documentation building" ON)
 option(BUILD_DOCS_MAN "Enable manpage building" OFF)
-option(BUILD_TESTING "Enable building unit tests" OFF)
-option(TEST_MEMCHECK "Enable test runtime memory checking" OFF)
-option(TEST_COVERAGE "Enable test runtime coverage logging" OFF)
+option(BUILD_TESTING "Enable building unit tests" ON)
+option(TEST_MEMCHECK "Enable test runtime memory checking" ON)
+option(TEST_COVERAGE "Enable test runtime coverage logging" ON)
 option(BUILD_PACKAGE "Enable building package outputs" OFF)
 
 list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake")

build.sh

@@ -44,8 +44,10 @@ function usage {
     echo "  install        - Install"
     echo "  lint           - Run clang-tidy code linter"
     echo "  prep [args...] - Generate makefiles with config options"
-    echo "  rpm-build      - Build RPM package"
-    echo "  rpm-container  - Build as RPM package inside container"
+    echo "  rpm-prep       - Prepare for RPM package building"
+    echo "  rpm-build      - Build RPM package after rpm-prep"
+    echo "  rpm-check      - Check RPM packages after rpm-build"
+    echo "  rpm-container  - Build and check RPM packages inside container"
     echo "  run [args...]  - Run a command with the environment vars"
 }
 
@@ -96,12 +98,20 @@ function cmd_prep {
     ./resources/prep.sh "$@"
 }
 
+function cmd_rpm_prep {
+    if ! git describe 2>/dev/null >/dev/null
+    then
+        git config --global --add safe.directory ${PWD}
+    fi
+    ./resources/prep.sh -DBUILD_LIB=OFF -DBUILD_TESTING=OFF -DBUILD_DOCS_API=OFF -DBUILD_DOCS_MAN=OFF -DBUILD_PACKAGE=ON
+}
+
 function cmd_rpm_build {
-    git config --global --add safe.directory ${PWD}
-    ./resources/prep.sh -DBUILD_LIB=NO -DBUILD_TESTING=NO -DBUILD_PACKAGE=YES
     cmake --build build/default --target package_srpm
     cmake --build build/default --target package_rpm
+}
 
+function cmd_rpm_check {
     # Package scanning
     cd build/default/pkg/rpmbuild
     for PKG in RPMS/x86_64/*.rpm
@@ -202,9 +212,15 @@ case "$1" in
     prep)
         cmd_prep "$@"
         ;;
+    rpm-prep)
+        cmd_rpm_prep
+        ;;
     rpm-build)
         cmd_rpm_build
         ;;
+    rpm-check)
+        cmd_rpm_check
+        ;;
     rpm-container)
         cmd_rpm_container
         ;;

docs/api/UserGuide.md docs/api/00-mainpage.mddocs/api/UserGuide.md renamed to docs/api/00-mainpage.md

@@ -1,4 +1,4 @@
-@page userguide User Guide (BPA Developer)
+@mainpage Introduction
 <!--
 Copyright (c) 2025 The Johns Hopkins University Applied Physics
 Laboratory LLC.
@@ -21,22 +21,20 @@ the prime contract 80NM0018D0004 between the Caltech and NASA under
 subcontract 1700763.
 -->
 
-This page covers the using BPSecLib from the perspective of the **Application Programmer**, or more specifically, the BPA developer.
+This documentation is for the detailed BPSec Library (BSL) application programming interface (API) in the C language.
+This is an implementation of RFC 9172 @cite rfc9172 functionality and RFC 9173 @cite rfc9173 default security contexts.
 
-# BPA Interaction
+For details about installation, maintenance, and compile-time use of the BSL, see the _BSL Product Guide_ @cite bsl_prod_guide.
+For details about higher-level run-time use patterns, see the _BSL User Guide_ @cite bsl_user_guide.
 
- - Notes.
-
----
-
-This page discusses information about the structure of the BSL but not its actual APIs.
-
-# Library Architecture
+# Library Architecture {#bsl-arch}
 
 The BSL as a whole is separated into two primary layers of implementation: an API-centric abstract _Frontend_ library and a host-binding concrete _Backend_ library.
 
-The Frontend library provides the service API for the BSL to be called by its associated BPA as needed and for stable public APIs used by Policy Provider implementations and Security Context implementations.
-The Backend library implements forward-declared structs and functions from the Frontend using specific concrete data containers, algorithms, etc.
+The Frontend library provides the service API for the BSL to be called by its associated [BPA integration](@ref bpa-integrators) and for stable public APIs used by [Policy Provider implementations](@ref policy-providers) and [Security Context implementations](@ref security-contexts).
+The Backend library implements forward-declared structs and functions from the Frontend using specific concrete data containers, algorithms, _etc._
+
+The BSL source repository also contains @ref example-pps and @ref example-default-scs to actually exercise the BSL during testing, and a @ref mock-bpa which allows as-built integration testing of the BSL using a pseudo-daemon process.
 
 @dot
 digraph example {
@@ -71,4 +69,37 @@ The BSL is written for the C99 language @cite ISO:9899:1999 excluding any compil
 
 The Dynamic Backend relies on the POSIX.1-2008 @cite IEEE:1003.1-2008 standard for operating system abstraction, and M*LIB @cite lib:mlib for heap-allocated data containers.
 
+The example default security contexts use the OpenSSL library @cite lib:openssl for all cryptographic functions, including random number generation.
+This allows these security contexts to be FIPS-140 @cite NIST:FIPS-140-3 compliant.
+
 BSL unit tests use the Unity library @cite lib:unity for test execution and assertions.
+
+
+@defgroup frontend Frontend
+@brief Files in the Frontend library of the BSL.
+
+This provides the abstract APIs used for the BSL service interface and APIs used by Policy Provider implementations and Security Context implementations.
+
+
+@defgroup backend_dyn Dynamic Backend
+@brief Files in the Dynamic Backend library of the BSL.
+
+This is the concrete implementation of a backend using dynamic heap-allocated containers and registries.
+It uses POSIX APIs to provide necessary Host functions for the BSL, and OpenSSL APIs to provide crypto functions for the BSL.
+
+
+@defgroup example_pp Example Policy Provider
+@brief Implementation of a simple rule-based policy provider.
+
+This group contains files used by the Example Policy Provider library included with the BSL.
+
+
+@defgroup example_security_context Default Security Contexts
+@brief Implementation of the default security contexts using the BSL crypto API.
+
+This group contains files used by the Default Security Contexts library included with the BSL.
+
+@defgroup mock_bpa Example/Mock BP Agent
+@brief Files used in the Mock BPA used for testing.
+
+The Mock BPA performs whole-bundle encoding and decoding (CODEC) functions, but no other stateful bundle processing.

docs/api/InterfaceSpec.md docs/api/01-bsl-sis.mddocs/api/InterfaceSpec.md renamed to docs/api/01-bsl-sis.md

@@ -1,4 +1,4 @@
-@page BSL Interface Specification
+@page bsl-sis BSL Interface Specification (SIS)
 <!--
 Copyright (c) 2025 The Johns Hopkins University Applied Physics
 Laboratory LLC.
@@ -22,7 +22,7 @@ subcontract 1700763.
 -->
 This document functions as the AMMOS MiMTAR required interface specification.
 
-Bundle Protocol Security Library (BPSec Lib) Software Interface Specification
+Bundle Protocol Security Library (BPSec Lib) Software Interface Specification (SIS)
 =============================================================================
 
 ***Prepared By: The Johns Hopkins University Applied Physics Laboratory (JHU/APL)***
@@ -46,7 +46,7 @@ Bundle Protocol Security Library (BPSec Lib) Software Interface Specification
 | Configuration ID (CI)           | 681.2                               |
 | Element                         | Multi-Mission Control System (MMCS) |
 | Program Set                     | Bundle Protocol Security (BPSec)    |
-| Version                         | 0.0                                 |
+| Version                         | 1.0                                 |
 
 ## 1.2: Purpose
 

docs/api/02-bpa-integrators.md

@@ -0,0 +1,85 @@
+@page bpa-integrators BPA Integrator Topics
+<!--
+Copyright (c) 2025 The Johns Hopkins University Applied Physics
+Laboratory LLC.
+
+This file is part of the Bundle Protocol Security Library (BSL).
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+This work was performed for the Jet Propulsion Laboratory, California
+Institute of Technology, sponsored by the United States Government under
+the prime contract 80NM0018D0004 between the Caltech and NASA under
+subcontract 1700763.
+-->
+
+This page covers the using BSL from the perspective of a BPA developer integrating the BSL through its _service interface_.
+
+# BPA--BSL Interactions
+
+A BPA interacts with the BSL through two distinct interfaces:
+
+ * A **[service interface](@ref bsl-service-api)** provided by the BSL, which is called by the BPA when security processing of a bundle is needed
+ * A **[callback interface](@ref bpa-callback-api)** provided by the BPA
+
+@dot "BPA--BSL Interfaces" width=500pt
+digraph bpa_interfaces {
+    rankdir=TB;
+    node [shape=record, fontname=Helvetica, fontsize=12];
+
+    bpa [ label="BPA" ];
+    bsl [ label="BSL" ];
+
+    bpa -> bsl [ xlabel="BSL Service API" ];
+    bsl -> bpa [ xlabel="BPA Callback API" ];
+}
+@enddot
+
+# BSL Service API {#bsl-service-api}
+
+Each runtime instance of the BSL is isolated for thread safety within a host-specific struct referenced by a [BSL_LibCtx_t](@ref BSL_LibCtx_s) pointer.
+
+The runtime instance is used by the BPA via the BSL _service interface_ to process bundles at each of the following four security interaction points within the BPA's bundle workflow.
+When invoked from the BPA, all BSL activities will occur within the context of a single bundle which is referenced by a ::BSL_BundleRef_t pointer.
+
+Details of how the BSL processing order relates to other BPA processing of bundles along the BPA's workflow are left to the BPA integration.
+
+* After bundle **transmission** from an application source, indicated by ::BSL_POLICYLOCATION_APPIN
+* Before bundle **delivery** to an application destination, indicated by ::BSL_POLICYLOCATION_APPOUT
+* After bundle **reception** via a CLA, indicated by ::BSL_POLICYLOCATION_CLIN
+* Before bundle **forwarding** via a CLA, indicated by ::BSL_POLICYLOCATION_CLOUT
+
+These are shown for a notional BPA in the diagram below, where each edge indicates one of the four interaction points listed above.
+
+@dot "BPA Interaction Points" width=500pt
+digraph bpa_interaction {
+    rankdir=LR;
+    node [shape=record, fontname=Helvetica, fontsize=12];
+
+    process [ label="Bundle Dispatch\nand Forwarding" ];
+    appin [ label="Application\nTransmission" ];
+    appout [ label="Application\nDelivery" ];
+    clin [ label="CLA\nReception" ];
+    clout [ label="CLA\nForwarding" ];
+
+    appin -> process [ label="BSL Call\n(APPIN)" ];
+    process -> appout [ label="BSL Call\n(APPOUT)" ];
+    clin -> process [ label="BSL Call\n(CLIN)" ];
+    process -> clout [ label="BSL Call\n(CLOUT)" ];
+}
+@enddot
+
+# BPA Callback API {#bpa-callback-api}
+
+Separate from the API used to call into the BSL to initiate security processing, the BSL relies on specific functions provided by the BPA to do its normal processing.
+Some of these functions are for introspecting and manipulating specific bundle or block contents, others are for encoding and decoding EID and EID Pattern values.
+
+The BSL dynamic backend declares a set of functions which are delegated to the BPA, which are registered in the dynamic backend using the ::BSL_HostDescriptors_t struct and the BSL_HostDescriptors_Set() function.

docs/api/03-policy-providers.md

@@ -0,0 +1,35 @@
+@page policy-providers Policy Provider Topics
+<!--
+Copyright (c) 2025 The Johns Hopkins University Applied Physics
+Laboratory LLC.
+
+This file is part of the Bundle Protocol Security Library (BSL).
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+This work was performed for the Jet Propulsion Laboratory, California
+Institute of Technology, sponsored by the United States Government under
+the prime contract 80NM0018D0004 between the Caltech and NASA under
+subcontract 1700763.
+-->
+
+This page covers the using BSL from the perspective of a developer of a new Policy Provider (PP) for the BSL.
+
+# Policy Provider Callback API {#pp-callback-api}
+
+The BSL dynamic backend declares a set of functions which are delegated to each PP instance and are registered in the backend using the [BSL_PolicyDesc_t](@ref BSL_PolicyDesc_s).
+These functions include some bookkeeping of the PP instance itself (associated user data and deinit function).
+
+The operational focus of the PP callbacks are functions used by the BSL to:
+ * **Inspect** the contents of a bundle and determine if any security operations need to be performed (as BSL_PolicyDesc_s::query_fn).
+   This will likely involve introspecting block-level and field-level data from the bundle via the @ref bpa-callback-api.
+ * **Finalize** (handle the conclusion of) any requested security operations (as BSL_PolicyDesc_s::finalize_fn).
+   This will likely involve bundle or block manipulation depending upon the success or failure of the operation to execute (by its associated [Security Context](@ref sc-callback-api).

docs/api/03-security-contexts.md

@@ -0,0 +1,33 @@
+@page security-contexts Security Context Topics
+<!--
+Copyright (c) 2025 The Johns Hopkins University Applied Physics
+Laboratory LLC.
+
+This file is part of the Bundle Protocol Security Library (BSL).
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+    http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+This work was performed for the Jet Propulsion Laboratory, California
+Institute of Technology, sponsored by the United States Government under
+the prime contract 80NM0018D0004 between the Caltech and NASA under
+subcontract 1700763.
+-->
+
+This page covers the using BSL from the perspective of a developer of a new Security Context (SC) for the BSL.
+
+# Security Context Callback API {#sc-callback-api}
+
+The BSL dynamic backend declares a set of functions which are delegated to each SC instance and are registered in the backend using the [BSL_SecCtxDesc_t](@ref BSL_SecCtxDesc_s).
+These functions include some bookkeeping of the SC instance itself (associated user data and deinit function).
+
+The operational focus of the SC callbacks are functions used by the BSL to:
+ * **Validate** the options for a specific security operation associated with the SC (as BSL_SecCtxDesc_s::validate).
+ * **Execute** a specific security operation associated with the SC (as BSL_SecCtxDesc_s::execute).