Skip to content

[24046] Update security tests to use governance-based encryption configuration (backport #6277)#6396

Open
mergify[bot] wants to merge 1 commit into
2.14.xfrom
mergify/bp/2.14.x/pr-6277
Open

[24046] Update security tests to use governance-based encryption configuration (backport #6277)#6396
mergify[bot] wants to merge 1 commit into
2.14.xfrom
mergify/bp/2.14.x/pr-6277

Conversation

@mergify
Copy link
Copy Markdown
Contributor

@mergify mergify Bot commented May 14, 2026

Description

The properties rtps.participant.rtps_protection_kind, rtps.endpoint.submessage_protection_kind, and rtps.endpoint.payload_protection_kind are not parsed in the Fast-DDS source code. These properties are set in multiple blackbox security tests, but they have no effect on the actual encryption behavior.

The only valid way to configure RTPS/endpoint protection kinds is through the governance file with the Access Control plugin enabled.

The properties rtps.participant.rtps_protection_kind, rtps.endpoint.submessage_protection_kind, and rtps.endpoint.payload_protection_kind are not parsed in the Fast-DDS source code. These properties are set in multiple blackbox security tests, but they have no effect on the actual encryption behavior.

The only valid way to configure RTPS/endpoint protection kinds is through the governance file with the Access Control plugin enabled.

This PR includes the following features:

  • Modify the security Blackbox tests so that the protection kinds are correctly set and, hence, tested.
  • Add parameters to tests so that all combinations between {TRANSPORT, INTRAPROCESS, DATASHARING} and {BEST_EFFORT, RELIABLE} are evaluated along with every security combination
  • Fix BEST_EFFORT tests that were flaky
  • Fix performance tests, whose security set-up was also outdated
  • Test every security setting under larga data too.

@Mergifyio backport 3.4.x 3.3.x 3.2.x

Contributor Checklist

  • Commit messages follow the project guidelines.

  • The code follows the style guidelines of this project.

  • Tests that thoroughly check the new feature have been added/Regression tests checking the bug and its fix have been added; the added tests pass locally

  • N/A: Any new/modified methods have been properly documented using Doxygen.

  • N/A: Any new configuration API has an equivalent XML API (with the corresponding XSD extension)

  • Changes are backport compatible: they do NOT break ABI nor change library core behavior.

  • Changes are API compatible.

  • N/A: New feature has been added to the versions.md file (if applicable).

  • N/A: New feature has been documented/Current behavior is correctly described in the documentation.

  • Applicable backports have been included in the description.

Reviewer Checklist

  • The PR has a milestone assigned.
  • The title and description correctly express the PR's purpose.
  • Check contributor checklist is correct.
  • N/A: If this is a critical bug fix, backports to the critical-only supported branches have been requested.
  • Check CI results: changes do not issue any warning.
  • Check CI results: failing tests are unrelated with the changes.
This is an automatic backport of pull request #6277 done by [Mergify](https://mergify.com).

@emiliocuestaf @mergify
Update security tests to use governance-based encryption configuration (
3f2951f 
#6277)

* Add reliability as a param to security tests

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Prepare XMLs to generate smime files for new tests

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Adding tests with access_sign in topic name

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Add tests for SIGN access in liveliness_protection_kind/rtps_protection_kind

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Add tests for SIGN access in discovery_protection_kind

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Add tests for large data

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Modify performance tests to properly test access security

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Generate SMIME files from XML

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Remove old tests

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Relaxing requirements for best effor tests

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Uncrustify

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Fix some mistakes on the new tests and config files

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Editing performance test files, they are ok now

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Fix compilation issues

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Attempt to fix large_data tests

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Update sign permissions files

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Attempt to fix transport+best_effort test cases

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Skip SIGN tests

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Adding some comments

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Add topic for profiling tests in performance tests xml and smime

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>

* Refs #24046: Delete reliability matrix in test suite

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Avoid overload for clarification

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Update name of tests

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Create common methods to configure plugins

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Make basic test methods independent of Test suite class

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Add common communication test method

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Fix only Auth security tests

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Remove DataSharing from Security tests

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Use common methods for configuration

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Run with both reliability tests with RTPS or submessage encryption or sign

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Templatize test_basic_secure_communication method

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Do not run best_effort large data tests

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Uncrustify

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Fix Windows build

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Enable othercacert in 'fill_access'

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

* Refs #24046: Reduce large data tests

Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>

---------

Signed-off-by: Emilio Cuesta <emiliocuesta@eprosima.com>
Signed-off-by: Carlos Ferreira González <carlosferreira@eprosima.com>
Co-authored-by: Carlos Ferreira González <carlosferreira@eprosima.com>
(cherry picked from commit a1d550b)

# Conflicts:
#	test/blackbox/common/BlackboxTestsSecurity.cpp
#	test/performance/video/main_VideoTest.cpp
@mergify mergify Bot added the conflicts Backport PR wich git cherry pick failed label May 14, 2026
@mergify
Copy link
Copy Markdown
Contributor Author

mergify Bot commented May 14, 2026

Cherry-pick of a1d550b has failed:

On branch mergify/bp/2.14.x/pr-6277
Your branch is up to date with 'origin/2.14.x'.

You are currently cherry-picking commit a1d550b29.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   test/certs/governance_disable_discovery_disable_access_encrypt.smime
	modified:   test/certs/governance_disable_discovery_disable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_disable_access_none.smime
	modified:   test/certs/governance_disable_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_disable_discovery_disable_access_sign.smime
	new file:   test/certs/governance_disable_discovery_disable_access_sign_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_enable_access_encrypt.smime
	modified:   test/certs/governance_disable_discovery_enable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_enable_access_none.smime
	modified:   test/certs/governance_disable_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_disable_discovery_enable_access_sign.smime
	new file:   test/certs/governance_disable_discovery_enable_access_sign_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_disable_access_encrypt.smime
	modified:   test/certs/governance_enable_discovery_disable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_disable_access_none.smime
	modified:   test/certs/governance_enable_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_enable_discovery_disable_access_sign.smime
	new file:   test/certs/governance_enable_discovery_disable_access_sign_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_enable_access_encrypt.smime
	modified:   test/certs/governance_enable_discovery_enable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_enable_access_none.smime
	modified:   test/certs/governance_enable_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_enable_discovery_enable_access_sign.smime
	new file:   test/certs/governance_enable_discovery_enable_access_sign_dds_sec.xml
	new file:   test/certs/governance_only_auth.smime
	new file:   test/certs/governance_only_auth.xml
	new file:   test/certs/governance_performance_tests.smime
	new file:   test/certs/governance_performance_tests.xml
	new file:   test/certs/governance_sign_discovery_disable_access_encrypt.smime
	new file:   test/certs/governance_sign_discovery_disable_access_encrypt_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_disable_access_none.smime
	new file:   test/certs/governance_sign_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_disable_access_sign.smime
	new file:   test/certs/governance_sign_discovery_disable_access_sign_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_encrypt.smime
	new file:   test/certs/governance_sign_discovery_enable_access_encrypt_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_none.smime
	new file:   test/certs/governance_sign_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_sign.smime
	new file:   test/certs/governance_sign_discovery_enable_access_sign_dds_sec.xml
	modified:   test/certs/permissions.smime
	modified:   test/certs/permissions_dds_sec.xml
	new file:   test/certs/permissions_performance_tests.smime
	new file:   test/certs/permissions_performance_tests.xml
	modified:   test/performance/latency/main_LatencyTest.cpp
	modified:   test/performance/throughput/main_ThroughputTest.cpp
	modified:   test/profiling/main_MemoryTest.cpp

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   test/blackbox/common/BlackboxTestsSecurity.cpp
	both modified:   test/performance/video/main_VideoTest.cpp

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

@mergify mergify Bot mentioned this pull request May 14, 2026
Merged
11 tasks
@cferreiragonz cferreiragonz added this to the v2.14.7 milestone May 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

conflicts Backport PR wich git cherry pick failed

Projects

None yet

Milestone

v2.14.7

Development

Successfully merging this pull request may close these issues.

2 participants

@cferreiragonz @emiliocuestaf