[24046] Update security tests to use governance-based encryption configuration

[emiliocuestaf]

Description

The properties rtps.participant.rtps_protection_kind, rtps.endpoint.submessage_protection_kind, and rtps.endpoint.payload_protection_kind are not parsed in the Fast-DDS source code. These properties are set in multiple blackbox security tests, but they have no effect on the actual encryption behavior.

The only valid way to configure RTPS/endpoint protection kinds is through the governance file with the Access Control plugin enabled.

The properties rtps.participant.rtps_protection_kind, rtps.endpoint.submessage_protection_kind, and rtps.endpoint.payload_protection_kind are not parsed in the Fast-DDS source code. These properties are set in multiple blackbox security tests, but they have no effect on the actual encryption behavior.

The only valid way to configure RTPS/endpoint protection kinds is through the governance file with the Access Control plugin enabled.

This PR includes the following features:

• Modify the security Blackbox tests so that the protection kinds are correctly set and, hence, tested.
• Add parameters to tests so that all combinations between {TRANSPORT, INTRAPROCESS, DATASHARING} and {BEST_EFFORT, RELIABLE} are evaluated along with every security combination
• Fix BEST_EFFORT tests that were flaky
• Fix performance tests, whose security set-up was also outdated
• Test every security setting under larga data too.

@Mergifyio backport 3.4.x 3.3.x 3.2.x

Contributor Checklist

• Commit messages follow the project guidelines.
• The code follows the style guidelines of this project.
• Tests that thoroughly check the new feature have been added/Regression tests checking the bug and its fix have been added; the added tests pass locally
• N/A: Any new/modified methods have been properly documented using Doxygen.
• N/A: Any new configuration API has an equivalent XML API (with the corresponding XSD extension)
• Changes are backport compatible: they do NOT break ABI nor change library core behavior.
• Changes are API compatible.
• N/A: New feature has been added to the versions.md file (if applicable).
• N/A: New feature has been documented/Current behavior is correctly described in the documentation.
• Applicable backports have been included in the description.

Reviewer Checklist

• The PR has a milestone assigned.
• The title and description correctly express the PR's purpose.
• Check contributor checklist is correct.
• N/A: If this is a critical bug fix, backports to the critical-only supported branches have been requested.
• Check CI results: changes do not issue any warning.
• Check CI results: failing tests are unrelated with the changes.

[mergify]

🧪 CI Insights

Here's what we observed from your CI run for efe835d.

❌ Job Failures

Pipeline	Job	Health on master	Retries	🔍 CI Insights	📄 Logs
Fast DDS Windows CI	windows-ci / fastdds_test (RelWithDebInfo, examples), v142		0	View	View
	windows-ci / fastdds_test (RelWithDebInfo, unittest-II), v142		0	View	View
	windows-ci / fastdds_test (RelWithDebInfo, unittest-II), v143		0	View	View

[cferreiragonz]

New changes:

• Added common methods for configuration.
• In preparation for [24364 & 24365] Add UBSan workflow and solve its errors #6386 I also configured all three plugins of Security in only Authorization tests (some test might still require to configure missing plugins but I will end this task in [24364 & 24365] Add UBSan workflow and solve its errors #6386, like ValidateAuthenticationHandshakePropertiesParsing).
• Updated governance files because of a change of the test name and, thus, the topic name.
• Removed DATASHARING from the Test suite.
• Tests now only run for both reliability kinds if data_protection_kind or rtps_protection_kind is configured
• Tests now only run for INTRAPROCESS if access_control is being tested.

[emiliocuestaf]

Looks good to me (I can't approve this PR). A few comments:

• I don't think we need to test larga data in every test
• The CI seemed to exhaust all the resources in the Windows machine. This last run worked fine, but I'm a bit worried this behaviour arises again.
• It seems we fixed the mac security tests 👌

[cferreiragonz]

I consider failed tests unrelated. Alternative build is fixed by: #6393

[MiguelCompany]

@Mergifyio backport 3.4.x 3.2.x 2.14.x

[mergify]

backport 3.4.x 3.2.x 2.14.x

✅ Backports have been created

Details

• #6394 [24046] Update security tests to use governance-based encryption configuration (backport #6277) has been created for branch 3.4.x but encountered conflicts

Cherry-pick of a1d550b has failed:

On branch mergify/bp/3.4.x/pr-6277
Your branch is up to date with 'origin/3.4.x'.

You are currently cherry-picking commit a1d550b2.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   test/certs/governance_disable_discovery_disable_access_encrypt.smime
	modified:   test/certs/governance_disable_discovery_disable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_disable_access_none.smime
	modified:   test/certs/governance_disable_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_disable_discovery_disable_access_sign.smime
	new file:   test/certs/governance_disable_discovery_disable_access_sign_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_enable_access_encrypt.smime
	modified:   test/certs/governance_disable_discovery_enable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_enable_access_none.smime
	modified:   test/certs/governance_disable_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_disable_discovery_enable_access_sign.smime
	new file:   test/certs/governance_disable_discovery_enable_access_sign_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_disable_access_encrypt.smime
	modified:   test/certs/governance_enable_discovery_disable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_disable_access_none.smime
	modified:   test/certs/governance_enable_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_enable_discovery_disable_access_sign.smime
	new file:   test/certs/governance_enable_discovery_disable_access_sign_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_enable_access_encrypt.smime
	modified:   test/certs/governance_enable_discovery_enable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_enable_access_none.smime
	modified:   test/certs/governance_enable_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_enable_discovery_enable_access_sign.smime
	new file:   test/certs/governance_enable_discovery_enable_access_sign_dds_sec.xml
	new file:   test/certs/governance_only_auth.smime
	new file:   test/certs/governance_only_auth.xml
	new file:   test/certs/governance_performance_tests.smime
	new file:   test/certs/governance_performance_tests.xml
	new file:   test/certs/governance_sign_discovery_disable_access_encrypt.smime
	new file:   test/certs/governance_sign_discovery_disable_access_encrypt_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_disable_access_none.smime
	new file:   test/certs/governance_sign_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_disable_access_sign.smime
	new file:   test/certs/governance_sign_discovery_disable_access_sign_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_encrypt.smime
	new file:   test/certs/governance_sign_discovery_enable_access_encrypt_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_none.smime
	new file:   test/certs/governance_sign_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_sign.smime
	new file:   test/certs/governance_sign_discovery_enable_access_sign_dds_sec.xml
	modified:   test/certs/permissions.smime
	modified:   test/certs/permissions_dds_sec.xml
	new file:   test/certs/permissions_performance_tests.smime
	new file:   test/certs/permissions_performance_tests.xml
	modified:   test/performance/latency/main_LatencyTest.cpp
	modified:   test/performance/throughput/main_ThroughputTest.cpp
	modified:   test/performance/video/main_VideoTest.cpp
	modified:   test/profiling/main_MemoryTest.cpp

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   test/blackbox/common/BlackboxTestsSecurity.cpp

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

• #6395 [24046] Update security tests to use governance-based encryption configuration (backport #6277) has been created for branch 3.2.x but encountered conflicts

Cherry-pick of a1d550b has failed:

On branch mergify/bp/3.2.x/pr-6277
Your branch is up to date with 'origin/3.2.x'.

You are currently cherry-picking commit a1d550b29.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   test/certs/governance_disable_discovery_disable_access_encrypt.smime
	modified:   test/certs/governance_disable_discovery_disable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_disable_access_none.smime
	modified:   test/certs/governance_disable_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_disable_discovery_disable_access_sign.smime
	new file:   test/certs/governance_disable_discovery_disable_access_sign_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_enable_access_encrypt.smime
	modified:   test/certs/governance_disable_discovery_enable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_enable_access_none.smime
	modified:   test/certs/governance_disable_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_disable_discovery_enable_access_sign.smime
	new file:   test/certs/governance_disable_discovery_enable_access_sign_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_disable_access_encrypt.smime
	modified:   test/certs/governance_enable_discovery_disable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_disable_access_none.smime
	modified:   test/certs/governance_enable_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_enable_discovery_disable_access_sign.smime
	new file:   test/certs/governance_enable_discovery_disable_access_sign_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_enable_access_encrypt.smime
	modified:   test/certs/governance_enable_discovery_enable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_enable_access_none.smime
	modified:   test/certs/governance_enable_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_enable_discovery_enable_access_sign.smime
	new file:   test/certs/governance_enable_discovery_enable_access_sign_dds_sec.xml
	new file:   test/certs/governance_only_auth.smime
	new file:   test/certs/governance_only_auth.xml
	new file:   test/certs/governance_performance_tests.smime
	new file:   test/certs/governance_performance_tests.xml
	new file:   test/certs/governance_sign_discovery_disable_access_encrypt.smime
	new file:   test/certs/governance_sign_discovery_disable_access_encrypt_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_disable_access_none.smime
	new file:   test/certs/governance_sign_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_disable_access_sign.smime
	new file:   test/certs/governance_sign_discovery_disable_access_sign_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_encrypt.smime
	new file:   test/certs/governance_sign_discovery_enable_access_encrypt_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_none.smime
	new file:   test/certs/governance_sign_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_sign.smime
	new file:   test/certs/governance_sign_discovery_enable_access_sign_dds_sec.xml
	modified:   test/certs/permissions.smime
	modified:   test/certs/permissions_dds_sec.xml
	new file:   test/certs/permissions_performance_tests.smime
	new file:   test/certs/permissions_performance_tests.xml
	modified:   test/performance/latency/main_LatencyTest.cpp
	modified:   test/performance/throughput/main_ThroughputTest.cpp
	modified:   test/performance/video/main_VideoTest.cpp
	modified:   test/profiling/main_MemoryTest.cpp

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   test/blackbox/common/BlackboxTestsSecurity.cpp

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally

• #6396 [24046] Update security tests to use governance-based encryption configuration (backport #6277) has been created for branch 2.14.x but encountered conflicts

Cherry-pick of a1d550b has failed:

On branch mergify/bp/2.14.x/pr-6277
Your branch is up to date with 'origin/2.14.x'.

You are currently cherry-picking commit a1d550b29.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   test/certs/governance_disable_discovery_disable_access_encrypt.smime
	modified:   test/certs/governance_disable_discovery_disable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_disable_access_none.smime
	modified:   test/certs/governance_disable_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_disable_discovery_disable_access_sign.smime
	new file:   test/certs/governance_disable_discovery_disable_access_sign_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_enable_access_encrypt.smime
	modified:   test/certs/governance_disable_discovery_enable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_disable_discovery_enable_access_none.smime
	modified:   test/certs/governance_disable_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_disable_discovery_enable_access_sign.smime
	new file:   test/certs/governance_disable_discovery_enable_access_sign_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_disable_access_encrypt.smime
	modified:   test/certs/governance_enable_discovery_disable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_disable_access_none.smime
	modified:   test/certs/governance_enable_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_enable_discovery_disable_access_sign.smime
	new file:   test/certs/governance_enable_discovery_disable_access_sign_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_enable_access_encrypt.smime
	modified:   test/certs/governance_enable_discovery_enable_access_encrypt_dds_sec.xml
	modified:   test/certs/governance_enable_discovery_enable_access_none.smime
	modified:   test/certs/governance_enable_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_enable_discovery_enable_access_sign.smime
	new file:   test/certs/governance_enable_discovery_enable_access_sign_dds_sec.xml
	new file:   test/certs/governance_only_auth.smime
	new file:   test/certs/governance_only_auth.xml
	new file:   test/certs/governance_performance_tests.smime
	new file:   test/certs/governance_performance_tests.xml
	new file:   test/certs/governance_sign_discovery_disable_access_encrypt.smime
	new file:   test/certs/governance_sign_discovery_disable_access_encrypt_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_disable_access_none.smime
	new file:   test/certs/governance_sign_discovery_disable_access_none_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_disable_access_sign.smime
	new file:   test/certs/governance_sign_discovery_disable_access_sign_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_encrypt.smime
	new file:   test/certs/governance_sign_discovery_enable_access_encrypt_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_none.smime
	new file:   test/certs/governance_sign_discovery_enable_access_none_dds_sec.xml
	new file:   test/certs/governance_sign_discovery_enable_access_sign.smime
	new file:   test/certs/governance_sign_discovery_enable_access_sign_dds_sec.xml
	modified:   test/certs/permissions.smime
	modified:   test/certs/permissions_dds_sec.xml
	new file:   test/certs/permissions_performance_tests.smime
	new file:   test/certs/permissions_performance_tests.xml
	modified:   test/performance/latency/main_LatencyTest.cpp
	modified:   test/performance/throughput/main_ThroughputTest.cpp
	modified:   test/profiling/main_MemoryTest.cpp

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   test/blackbox/common/BlackboxTestsSecurity.cpp
	both modified:   test/performance/video/main_VideoTest.cpp

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally