ros2-web-bridge

Add Authentication feature

Open kenny-y opened this issue 7 years ago • 2 comments

op auth - optional authentication information can be passed via the rosbridge protocol to authenticate a client connection. This information should come from some trusted third-party authenticator.

According to the rosbridge Protocol Specification document

  • Any server that enabled authentication should wait for this request to come in first before accepting any other op code from the client.
  • Once the request comes in, it would verify the information (in a ROS system, using rosauth; however, the verification method is not tied to ROS).
  • If the authentication is good, the connection would be kept and rosbridge would function as normal. If the authentication is bad, the connection would be severed.
  • In the case that authentication is not enabled on the server, this op code can be ignored.

Note: The rosbridge project for ROS 1.0 depends on rosauth to do authentication:

import json

import rospy
from rosauth.srv import Authentication

    # Excerpt: a method of the connection handler class
    def on_message(self, message):
        cls = self.__class__
        # check if we need to authenticate
        if cls.authenticate and not self.authenticated:
            try:
                msg = json.loads(message)
                if msg['op'] == 'auth':
                    # check the authorization information
                    auth_srv = rospy.ServiceProxy('authenticate', Authentication)
                    resp = auth_srv(msg['mac'], msg['client'], msg['dest'],
                                                  msg['rand'], rospy.Time(msg['t']), msg['level'],
                                                  rospy.Time(msg['end']))
                    self.authenticated = resp.authenticated
                    if self.authenticated:
                        rospy.loginfo("Client %d has authenticated.", self.protocol.client_id)
                        return
                # if we are here, no valid authentication was given
                rospy.logwarn("Client %d did not authenticate. Closing connection.",
                              self.protocol.client_id)
                self.close()
            except:
                # proper error will be handled in the protocol class
                self.protocol.incoming(message)
        else:
            # no authentication required
            self.protocol.incoming(message)

The service definition:

# MAC string given by the client
string mac
# IP of the client
string client
# IP of the destination
string dest
# Random string given by the client
string rand
# Time of the authorization request given by the client
time t
# User level as a string given by the client
string level
# End time of the client's session given by the client
time end
---
# If the user has proper authentication
bool authenticated

kenny-y, Dec 21 '17 05:12

There are 2 ways to do it based on preliminary analysis:

  1. wait for the ROS 2.0 equivalent of rosauth and call into it
  2. write logic similar to rosauth's (< 150 lines of C++ code) in JavaScript

@minggangw WDYT?

kenny-y, Dec 22 '17 07:12

I looked through the features of the next release, which will happen in summer 2018; the security improvements section mentions authentication.

minggangw, Dec 22 '17 08:12
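The four protocol rules quoted in the issue description can be expressed as a per-connection gate in JavaScript. This is an added example, not code from ros2-web-bridge, rosbridge or rosauth; `AuthGate`, `makeVerifier` and `computeMac` are hypothetical names, and the HMAC-SHA-256 check is an assumed stand-in for the trusted authenticator, not rosauth's algorithm.

```javascript
const nodeCrypto = require('node:crypto');

const FIELDS = ['client', 'dest', 'rand', 't', 'level', 'end'];

// Hypothetical MAC: HMAC-SHA-256 over the auth fields, keyed with a shared secret.
// Assumption made for this example; it is not rosauth's algorithm.
function computeMac(secret, msg) {
  return nodeCrypto.createHmac('sha256', secret)
    .update(FIELDS.map((f) => String(msg[f])).join('|')).digest('hex');
}

// now() returns seconds; injected so the freshness window can be tested.
function makeVerifier(secret, now, maxSkewSec = 5) {
  return (msg) => {
    if (typeof msg.mac !== 'string') return false;
    if (!Number.isFinite(msg.t) || !Number.isFinite(msg.end)) return false;
    // Reject stale requests and sessions that have already ended.
    if (Math.abs(now() - msg.t) > maxSkewSec || msg.end <= now()) return false;
    const expected = Buffer.from(computeMac(secret, msg), 'hex');
    const given = Buffer.from(msg.mac, 'hex');
    return given.length === expected.length &&
      nodeCrypto.timingSafeEqual(given, expected);
  };
}

// Per-connection gate for the four rules quoted from the rosbridge spec.
class AuthGate {
  constructor({ required, verify }) {
    this.required = required;
    this.verify = verify;
    this.authenticated = false;
    this.closed = false;
  }

  // Returns 'forward', 'ignored', 'authenticated' or 'closed' for one raw frame.
  onMessage(raw) {
    if (this.closed) return 'closed';
    let msg = null;
    try { msg = JSON.parse(raw); } catch (e) { /* treated as non-auth below */ }
    const isAuth = msg !== null && typeof msg === 'object' && msg.op === 'auth';
    // Auth disabled, or already authenticated: the auth op is ignored.
    if (!this.required || this.authenticated) return isAuth ? 'ignored' : 'forward';
    // Fail closed: before authentication only a valid auth op keeps the link.
    if (isAuth && this.verify(msg)) {
      this.authenticated = true;
      return 'authenticated';
    }
    this.closed = true;
    return 'closed';
  }
}
```

The caller forwards a frame to the bridge only on `'forward'` and closes the WebSocket on `'closed'`.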