Skip to content

Commit 92f5716

Browse files
authored
Refactor policy provider API and implementation (#148)
* init changes, todo unit tests * Update API, unit tests * update docs * apply format ubuntu * fixups * spelling * const char sonarcloud catch * Initial PR Feedback * apply format ubuntu * sonar issue resolve * apply format ubuntu * Clarify PP API * apply format ubuntu * typo
1 parent f4bda00 commit 92f5716

12 files changed

Lines changed: 705 additions & 649 deletions

src/BPSecLib_Private.h

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1323,12 +1323,12 @@ int BSL_PolicyRegistry_FinalizeActions(const BSL_LibCtx_t *bsl, const BSL_Securi
13231323
const BSL_BundleRef_t *bundle, const BSL_SecurityResponseSet_t *response_output);
13241324

13251325
/// @brief Callback interface to query policy provider to populate the action set
1326-
typedef int (*BSL_PolicyInspect_f)(const void *user_data, BSL_SecurityActionSet_t *output_action_set,
1326+
typedef int (*BSL_PolicyInspect_f)(void *user_data, BSL_SecurityActionSet_t *output_action_set,
13271327
const BSL_BundleRef_t *bundle, BSL_PolicyLocation_e location);
13281328

13291329
/// @brief Callback interface to finalize policy provider over the action set. Finalize should ignore actions from
13301330
/// different policy providers
1331-
typedef int (*BSL_PolicyFinalize_f)(const void *user_data, const BSL_SecurityActionSet_t *output_action_set,
1331+
typedef int (*BSL_PolicyFinalize_f)(void *user_data, const BSL_SecurityActionSet_t *output_action_set,
13321332
const BSL_BundleRef_t *bundle, const BSL_SecurityResponseSet_t *response_output);
13331333

13341334
/// @brief Callback interface for policy provider to shut down and release any resources
@@ -1337,10 +1337,10 @@ typedef void (*BSL_PolicyDeinit_f)(void *user_data);
13371337
/// @brief Descriptor of opaque data and callbacks for Policy Provider.
13381338
struct BSL_PolicyDesc_s
13391339
{
1340-
void *user_data;
1340+
void *user_data; ///< Reference to policy provider -specific data
13411341
BSL_PolicyInspect_f query_fn; ///< Function pointer to query policy
13421342
BSL_PolicyFinalize_f finalize_fn; ///< Function pointer to finalize policy
1343-
BSL_PolicyDeinit_f deinit_fn; ///< Function to deinit the policy provider at termination of BSL.
1343+
BSL_PolicyDeinit_f deinit_fn; ///< Function to deinit the policy provider at termination of BSL context
13441344
};
13451345

13461346
/** Call the underlying security context to perform the given action

src/mock_bpa/agent.c

Lines changed: 8 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -439,7 +439,7 @@ BSL_HostDescriptors_t MockBPA_Agent_Descriptors(MockBPA_Agent_t *agent)
439439
return bpa;
440440
}
441441

442-
int MockBPA_Agent_Init(MockBPA_Agent_t *agent)
442+
int MockBPA_Agent_Init(MockBPA_Agent_t *agent, BSLP_PolicyProvider_t **policy)
443443
{
444444
int retval = 0;
445445

@@ -496,36 +496,35 @@ int MockBPA_Agent_Init(MockBPA_Agent_t *agent)
496496
ASSERT_PROPERTY(0 == BSL_API_RegisterSecurityContext(ctx->bsl, 2, bcb_sec_desc));
497497
}
498498
// TODO find a better way to deal with this
499+
500+
*policy = BSLP_PolicyProvider_Init(1);
501+
agent->appin.policy = *policy;
502+
agent->appout.policy = *policy;
503+
agent->clin.policy = *policy;
504+
agent->clout.policy = *policy;
505+
499506
{
500-
agent->appin.policy = BSL_calloc(1, sizeof(BSLP_PolicyProvider_t));
501-
agent->appin.policy->pp_id = 1;
502507
BSL_PolicyDesc_t policy_callbacks = (BSL_PolicyDesc_t) { .deinit_fn = BSLP_Deinit,
503508
.query_fn = BSLP_QueryPolicy,
504509
.finalize_fn = BSLP_FinalizePolicy,
505510
.user_data = agent->appin.policy };
506511
ASSERT_PROPERTY(BSL_SUCCESS == BSL_API_RegisterPolicyProvider(agent->appin.bsl, 1, policy_callbacks));
507512
}
508513
{
509-
agent->appout.policy = BSL_calloc(1, sizeof(BSLP_PolicyProvider_t));
510-
agent->appout.policy->pp_id = 1;
511514
BSL_PolicyDesc_t policy_callbacks = (BSL_PolicyDesc_t) { .deinit_fn = BSLP_Deinit,
512515
.query_fn = BSLP_QueryPolicy,
513516
.finalize_fn = BSLP_FinalizePolicy,
514517
.user_data = agent->appout.policy };
515518
ASSERT_PROPERTY(BSL_SUCCESS == BSL_API_RegisterPolicyProvider(agent->appout.bsl, 1, policy_callbacks));
516519
}
517520
{
518-
agent->clin.policy = BSL_calloc(1, sizeof(BSLP_PolicyProvider_t));
519-
agent->clin.policy->pp_id = 1;
520521
BSL_PolicyDesc_t policy_callbacks = (BSL_PolicyDesc_t) { .deinit_fn = BSLP_Deinit,
521522
.query_fn = BSLP_QueryPolicy,
522523
.finalize_fn = BSLP_FinalizePolicy,
523524
.user_data = agent->clin.policy };
524525
ASSERT_PROPERTY(BSL_SUCCESS == BSL_API_RegisterPolicyProvider(agent->clin.bsl, 1, policy_callbacks));
525526
}
526527
{
527-
agent->clout.policy = BSL_calloc(1, sizeof(BSLP_PolicyProvider_t));
528-
agent->clout.policy->pp_id = 1;
529528
BSL_PolicyDesc_t policy_callbacks = (BSL_PolicyDesc_t) { .deinit_fn = BSLP_Deinit,
530529
.query_fn = BSLP_QueryPolicy,
531530
.finalize_fn = BSLP_FinalizePolicy,

src/mock_bpa/agent.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -149,7 +149,7 @@ BSL_HostDescriptors_t MockBPA_Agent_Descriptors(MockBPA_Agent_t *agent);
149149
* @param[out] agent The agent to initialize.
150150
* @return Zero if successful.
151151
*/
152-
int MockBPA_Agent_Init(MockBPA_Agent_t *agent);
152+
int MockBPA_Agent_Init(MockBPA_Agent_t *agent, BSLP_PolicyProvider_t **policy);
153153

154154
/** Clean up the mock BPA for the current process.
155155
*

src/mock_bpa/mock_bpa.c

Lines changed: 6 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,8 @@
4444
static BSL_HostEID_t app_eid;
4545
static BSL_HostEID_t sec_eid;
4646
/// Agent for this process
47-
static MockBPA_Agent_t agent;
47+
static MockBPA_Agent_t agent;
48+
static BSLP_PolicyProvider_t *policy;
4849

4950
static int ingest_netaddr(struct sockaddr_in *addr, const char *arg)
5051
{
@@ -115,7 +116,7 @@ int main(int argc, char **argv)
115116
}
116117
mock_bpa_LogOpen();
117118
BSL_CryptoInit();
118-
if ((res = MockBPA_Agent_Init(&agent)))
119+
if ((res = MockBPA_Agent_Init(&agent, &policy)))
119120
{
120121
BSL_LOG_ERR("Failed to initialize mock BPA, error %d", res);
121122
retval = 2;
@@ -172,30 +173,12 @@ int main(int argc, char **argv)
172173
break;
173174
case 'p':
174175
{
175-
// TODO better way to handle this
176-
int anyerr = 0;
177-
anyerr += abs(mock_bpa_handle_policy_config(optarg, agent.appin.policy, &policy_registry));
178-
anyerr += abs(mock_bpa_handle_policy_config(optarg, agent.appout.policy, &policy_registry));
179-
anyerr += abs(mock_bpa_handle_policy_config(optarg, agent.clin.policy, &policy_registry));
180-
anyerr += abs(mock_bpa_handle_policy_config(optarg, agent.clout.policy, &policy_registry));
181-
if (anyerr)
182-
{
183-
retval = 1;
184-
}
185-
176+
retval = !!(mock_bpa_handle_policy_config(optarg, policy, &policy_registry));
186177
break;
187178
}
188179
case 'j':
189180
{
190-
int anyerr = 0;
191-
anyerr += abs(mock_bpa_register_policy_from_json(optarg, agent.appin.policy, &policy_registry));
192-
anyerr += abs(mock_bpa_register_policy_from_json(optarg, agent.appout.policy, &policy_registry));
193-
anyerr += abs(mock_bpa_register_policy_from_json(optarg, agent.clin.policy, &policy_registry));
194-
anyerr += abs(mock_bpa_register_policy_from_json(optarg, agent.clout.policy, &policy_registry));
195-
if (anyerr)
196-
{
197-
retval = 1;
198-
}
181+
retval = !!(mock_bpa_register_policy_from_json(optarg, policy, &policy_registry));
199182
break;
200183
}
201184
case 'k':
@@ -251,6 +234,7 @@ int main(int argc, char **argv)
251234
}
252235

253236
mock_bpa_policy_registry_deinit(&policy_registry);
237+
BSLP_PolicyProvider_Deinit(policy);
254238
MockBPA_Agent_Deinit(&agent);
255239
BSL_HostEID_Deinit(&sec_eid);
256240
BSL_HostEID_Deinit(&app_eid);

src/mock_bpa/policy_config.c

Lines changed: 37 additions & 47 deletions
Original file line numberDiff line numberDiff line change
@@ -28,14 +28,6 @@
2828
#include "policy_config.h"
2929
#include "text_util.h"
3030

31-
static BSL_HostEIDPattern_t mock_bpa_util_get_eid_pattern_from_text(const char *text)
32-
{
33-
BSL_HostEIDPattern_t pat;
34-
BSL_HostEIDPattern_Init(&pat);
35-
ASSERT_PROPERTY(0 == BSL_HostEIDPattern_DecodeFromText(&pat, text));
36-
return pat;
37-
}
38-
3931
int mock_bpa_rfc9173_bcb_cek(unsigned char *buf, int len)
4032
{
4133
if (len == 12) // IV
@@ -66,12 +58,9 @@ int mock_bpa_register_policy_from_json(const char *pp_cfg_file_path, BSLP_Policy
6658
BSL_PolicyLocation_e policy_loc_enum;
6759
BSL_PolicyAction_e policy_action_enum;
6860

69-
const char *src_str;
70-
const char *dest_str;
71-
const char *sec_src_str;
72-
BSL_HostEIDPattern_t src_eid;
73-
BSL_HostEIDPattern_t dest_eid;
74-
BSL_HostEIDPattern_t sec_src_eid;
61+
const char *src_str;
62+
const char *dest_str;
63+
const char *sec_src_str;
7564

7665
const char *rule_id_str;
7766

@@ -170,35 +159,32 @@ int mock_bpa_register_policy_from_json(const char *pp_cfg_file_path, BSLP_Policy
170159
{
171160
src_str = json_string_value(src);
172161
BSL_LOG_DEBUG(" src : %s", src_str);
173-
src_eid = mock_bpa_util_get_eid_pattern_from_text(src_str);
174162
}
175163
else
176164
{
177-
src_eid = mock_bpa_util_get_eid_pattern_from_text("*:**");
165+
src_str = "*:**";
178166
}
179167

180168
json_t *dest = json_object_get(filter, "dest");
181169
if (dest)
182170
{
183171
dest_str = json_string_value(dest);
184172
BSL_LOG_DEBUG(" dest : %s", dest_str);
185-
dest_eid = mock_bpa_util_get_eid_pattern_from_text(dest_str);
186173
}
187174
else
188175
{
189-
dest_eid = mock_bpa_util_get_eid_pattern_from_text("*:**");
176+
dest_str = "*:**";
190177
}
191178

192179
json_t *sec_src = json_object_get(filter, "sec_src");
193180
if (sec_src)
194181
{
195182
sec_src_str = json_string_value(sec_src);
196183
BSL_LOG_DEBUG(" sec_src : %s", sec_src_str);
197-
sec_src_eid = mock_bpa_util_get_eid_pattern_from_text(sec_src_str);
198184
}
199185
else
200186
{
201-
sec_src_eid = mock_bpa_util_get_eid_pattern_from_text("*:**");
187+
sec_src_str = "*:**";
202188
}
203189

204190
// check tgt (target block type)
@@ -522,32 +508,34 @@ int mock_bpa_register_policy_from_json(const char *pp_cfg_file_path, BSLP_Policy
522508
}
523509
}
524510

525-
BSLP_PolicyPredicate_t *predicate = &policy->predicates[policy->predicate_count++];
526-
BSLP_PolicyPredicate_Init(predicate, policy_loc_enum, src_eid, sec_src_eid, dest_eid);
511+
BSLP_PolicyPredicate_t predicate;
512+
BSLP_PolicyPredicate_InitFrom(&predicate, policy_loc_enum, src_str, sec_src_str, dest_str);
527513

528-
BSLP_PolicyRule_t *rule = &policy->rules[policy->rule_count++];
529-
BSLP_PolicyRule_Init(rule, rule_id_str, predicate, sec_ctx_id, sec_role, sec_block_type, target_block_type,
530-
policy_action_enum);
514+
BSLP_PolicyRule_t rule;
515+
BSLP_PolicyRule_InitFrom(&rule, rule_id_str, sec_ctx_id, sec_role, sec_block_type, target_block_type,
516+
policy_action_enum);
531517

532518
// TODO validate params_got
533519
(void)params_got;
534520

535521
if (sec_ctx_id == 2) // BCB
536522
{
537-
BSLP_PolicyRule_CopyParam(rule, params->param_aes_variant);
523+
BSLP_PolicyRule_CopyParam(&rule, params->param_aes_variant);
538524
if (sec_role == BSL_SECROLE_SOURCE)
539525
{
540-
BSLP_PolicyRule_CopyParam(rule, params->param_aad_scope_flag);
526+
BSLP_PolicyRule_CopyParam(&rule, params->param_aad_scope_flag);
541527
BSL_Crypto_SetRngGenerator(mock_bpa_rfc9173_bcb_cek);
542528
}
543529
}
544530
else
545531
{
546-
BSLP_PolicyRule_CopyParam(rule, params->param_sha_variant);
547-
BSLP_PolicyRule_CopyParam(rule, params->param_integ_scope_flag);
532+
BSLP_PolicyRule_CopyParam(&rule, params->param_sha_variant);
533+
BSLP_PolicyRule_CopyParam(&rule, params->param_integ_scope_flag);
548534
}
549-
BSLP_PolicyRule_CopyParam(rule, params->param_test_key);
550-
BSLP_PolicyRule_CopyParam(rule, params->param_use_wrapped_key);
535+
BSLP_PolicyRule_CopyParam(&rule, params->param_test_key);
536+
BSLP_PolicyRule_CopyParam(&rule, params->param_use_wrapped_key);
537+
538+
BSLP_PolicyProvider_AddRule(policy, &rule, &predicate);
551539
}
552540

553541
json_decref(root);
@@ -688,44 +676,46 @@ static void mock_bpa_register_policy(const bsl_mock_policy_configuration_t polic
688676
break;
689677
}
690678

691-
BSL_HostEIDPattern_t eid_src_pat;
679+
const char *eid_src_pat_str;
692680
if (policy_ignore)
693681
{
694682
BSL_LOG_INFO("Creating src eid pattern to match none - bundle should be ignored!");
695-
eid_src_pat = mock_bpa_util_get_eid_pattern_from_text("");
683+
eid_src_pat_str = "";
696684
}
697685
else
698686
{
699-
eid_src_pat = mock_bpa_util_get_eid_pattern_from_text("*:**");
687+
eid_src_pat_str = "*:**";
700688
}
701689

702690
// Create a rule to verify security block at APP/CLA Ingress
703691
char policybits_str[100];
704692
snprintf(policybits_str, 100, "Policy: %x", policy_bits);
705-
BSLP_PolicyPredicate_t *predicate_all_in = &policy->predicates[policy->predicate_count++];
706-
BSLP_PolicyPredicate_Init(predicate_all_in, policy_loc_enum, eid_src_pat,
707-
mock_bpa_util_get_eid_pattern_from_text("*:**"),
708-
mock_bpa_util_get_eid_pattern_from_text("*:**"));
709-
BSLP_PolicyRule_t *rule_all_in = &policy->rules[policy->rule_count++];
710-
BSLP_PolicyRule_Init(rule_all_in, policybits_str, predicate_all_in, sec_context, sec_role_enum, sec_block_emum,
711-
bundle_block_enum, policy_action_enum);
693+
694+
BSLP_PolicyPredicate_t predicate_all_in;
695+
BSLP_PolicyPredicate_InitFrom(&predicate_all_in, policy_loc_enum, eid_src_pat_str, "*:**", "*:**");
696+
697+
BSLP_PolicyRule_t rule_all_in;
698+
BSLP_PolicyRule_InitFrom(&rule_all_in, policybits_str, sec_context, sec_role_enum, sec_block_emum,
699+
bundle_block_enum, policy_action_enum);
712700

713701
if (sec_block_emum == BSL_SECBLOCKTYPE_BCB)
714702
{
715-
BSLP_PolicyRule_CopyParam(rule_all_in, params->param_aes_variant);
703+
BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_aes_variant);
716704
if (sec_role_enum == BSL_SECROLE_SOURCE)
717705
{
718-
BSLP_PolicyRule_CopyParam(rule_all_in, params->param_aad_scope_flag);
706+
BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_aad_scope_flag);
719707
BSL_Crypto_SetRngGenerator(mock_bpa_rfc9173_bcb_cek);
720708
}
721709
}
722710
else
723711
{
724-
BSLP_PolicyRule_CopyParam(rule_all_in, params->param_sha_variant);
725-
BSLP_PolicyRule_CopyParam(rule_all_in, params->param_integ_scope_flag);
712+
BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_sha_variant);
713+
BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_integ_scope_flag);
726714
}
727-
BSLP_PolicyRule_CopyParam(rule_all_in, params->param_use_wrapped_key);
728-
BSLP_PolicyRule_CopyParam(rule_all_in, params->param_test_key);
715+
BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_use_wrapped_key);
716+
BSLP_PolicyRule_CopyParam(&rule_all_in, params->param_test_key);
717+
718+
BSLP_PolicyProvider_AddRule(policy, &rule_all_in, &predicate_all_in);
729719
}
730720

731721
int mock_bpa_handle_policy_config(const char *policies, BSLP_PolicyProvider_t *policy, mock_bpa_policy_registry_t *reg)

0 commit comments

Comments
 (0)