Timezone aware datetimes + remove hack from #209

[mikaelarguedas]

This PR (basically a redo of #210) does:

• Set timezone to UTC explicitly in all security artifacts
  • this allows to remove the -1 day hack from start valid date a day before to account for timezone mismatch #209
  • I don't think it fixes any kind of issue and would assume the issue have been fixed on the connext side in version 6
  • But I think it's more explicit and doesnt hurt
• Make python datetime object timezone-aware, as this will be mandatory in future versions of python and reduces unexpected behaviors

I dont have a connext setup (license plugins etc right now) and the ROS 2 CI machines seem to be UTC so maybe they wont reflect the issue. If a reviewer that is behind UTC and has the right setup can give it a try that'd be awesome

[mikaelarguedas]

@marcoag @clalancette is it possible to launch a round of CI for this PR please 🙏

[ahcorde]

• Linux
• Linux-aarch64
• Windows

[mikaelarguedas]

@ruffsl interested in having your feedback on this.

(all info in the description of the PR)

[mikaelarguedas]

CI on WIndows is failing because CI is using a lower version of Python than the one defined in REP-2000.
More details at ros-infrastructure/ros2-cookbooks#69

[clalancette]

CI on WIndows is failing because CI is using a lower version of Python than the one defined in REP-2000.
More details at ros-infrastructure/ros2-cookbooks#69

I commented over there, but in short, we are not going to be able to update Python. So we'll have to figure out another solution.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.38%. Comparing base (1d36b11) to head (df3fdee).
⚠️ Report is 1 commits behind head on rolling.

Additional details and impacted files

@@             Coverage Diff             @@
##           rolling     #300      +/-   ##
===========================================
- Coverage    88.94%   88.38%   -0.56%     
===========================================
  Files           24       24              
  Lines          615      620       +5     
  Branches        64       66       +2     
===========================================
+ Hits           547      548       +1     
- Misses          50       52       +2     
- Partials        18       20       +2     

Flag	Coverage Δ
unittests	88.38% <ø> (-0.56%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[mikaelarguedas]

@ahcorde @clalancette is it possible to launch CI on that version to see if Windows is happy with it ?

[mikaelarguedas]

• Linux

• Linux-aarch64

• Windows

• Windows debug

[ruffsl]

Do we want to use +00:00 or Z here?

From the OP ticket:

The time zone may be specified as Z (UTC) or (+|-)hh:mm.

• Use current time as default start validity time for certs and permissions #211 (comment)

Not sure if this (formatting choice) was the original point of issue here.

[mikaelarguedas]

Yeah I initially tried this 2754240 but one of the issues is that Python has pretty limited support for it.

The ability to parse a string in that format appeared in Python 3.11.
And even in Python 3.12, the printing in isoformat is not configurable and outputs the +HH:MM.

I guess we can revisit if the testing of this with connext show the issue still exists with version 6.0.1.

[ruffsl]

Sad to read about that window holding back and blocking the python REP updates, given the Qt release changes. I hope the latest minor release of cryptography is still secure and up-to-date for all platforms. :<

[ruffsl]

I'm kind of the opinion if it still broken for a DDS vendor by now, then that's more concerning. I've no longer have an active licence, but I could go ask for a renewal to verify this if you'd like.

[mikaelarguedas]

yeah so its a bit tricky,

the version shipped with the Jazzy binaries fails to run the launcher:

/opt/rti.com/rti_connext_dds-6.0.1/bin/rtilauncher
Gtk-Message: 09:06:35.729: Failed to load module "canberra-gtk-module"
No RTI workspace was created.
Please contact RTI Support (https://support.rti.com)

The only one I saw available on their website is 7.3.0.

And 7.3.0 is not API compatible with 6.0.1 so I cannot launch nodes

I could try to install the rtipkg from commandline but not sure where to download them if not from the rti website or launcher..

---

Maybe someone at Open Robotics could give this PR a try ? (as osrf has both license and installer backed up)

@clalancette do you know anyone we could reach out for that could test this ?

---

So there is a larger issue here, how do people install connext with security plugins for any active ROS 2 distro ?

[mikaelarguedas]

@ahcorde Hey there 👋

The PR I dont have the ability to test myself we were chatting about offline today

[fujitatomoya]

this is the only concern before merge, everything else looks good to me.

[sloretz]

@marcoag mind giving this a try with connect? 🧇

[fujitatomoya]

lgtm with green CI

[fujitatomoya]

this is the only concern before merge, everything else looks good to me.

[mikaelarguedas]

@sloretz @marcoag @fujitatomoya I rebased this, anyone has the ability to test it on Connext so we can decide if we merge this or if we need to downscope it ?

Thanks 🙏

[fujitatomoya]

@mikaelarguedas how about starting CI? that should include the test with ConnextDDS, right?

[fujitatomoya]

Pulls: #300
Gist: https://gist.githubusercontent.com/fujitatomoya/5410ada7801c7d53b9da50e950b6a99a/raw/5c2aeef052ae70656b4f52357d2f2d49421701c0/ros2.repos
BUILD args: --packages-above-and-dependencies sros2
TEST args: --packages-above sros2
ROS Distro: rolling
Job: ci_launcher
ci_launcher ran: https://ci.ros2.org/job/ci_launcher/15976

• Linux
• Linux-aarch64
• Linux-rhel
• Windows

[clalancette]

I'm not a huge fan of using semver and parsing the version number here. What we've done elsewhere is to be conditional on the API we want existing. In this case, I think we could do something more like:

if hasattr(cert_content, 'not_valid_before_utc'):
    kwargs = ...
else:
   kwargs = ...

(this also means we don't add another dependency to this package, which I'm always a fan of)

What do you think?

[mikaelarguedas]

My original take was to get rid of comments stating which version was needed while keeping an easy way to track from which version legacy code could be removed.

I considered parsing the version string but it seemed more hacky than using a maintained package dedicated to that.

---

I am happy to update the code accordingly if this is the recommended approach. It is explicit in terms of what API is needed.

My only concern is that it hides the version of the module we're actually requiring for this API to be used. Which often leads to confusion or extra work when we ask "from what version can we get rid of this legacy code?" (similar to #347).

In which case I would add back a comment stating version numbers wherever the check are performed.

Would you prefer that to the current approach ? (I'm fine either way 👍)

---

It would look like this

    # TODO use `not_valid_before_utc` unconditionally once cryptography 42 is available on all target platforms
    if hasattr(cert_content, 'not_valid_before_utc'):
        cert_not_valid_before_value = cert.not_valid_before_utc
    else:
        cert_not_valid_before_value = cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)

    # TODO use `not_valid_after_utc` unconditionally once cryptography 42 is available on all target platforms
    if hasattr(cert_content, 'not_valid_after_utc'):
        cert_not_valid_after_value = cert.not_valid_after_utc
    else:
        cert_not_valid_after_value = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)

v.s. current state:

    if _utilities.cryptography_version().major >= 42:
        cert_not_valid_before_value = cert.not_valid_before_utc
        cert_not_valid_after_value = cert.not_valid_after_utc
    else:
        cert_not_valid_before_value = cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
        cert_not_valid_after_value = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)

[clalancette]

In which case I would add back a comment stating version numbers wherever the check are performed.

Would you prefer that to the current approach ? (I'm fine either way 👍)

Yeah, I think that would be better rather than adding the new dependency. Thanks!

[mikaelarguedas]

Done in df3fdee

[clalancette]

This looks good to me, thanks! I'll run CI on it next.

[clalancette]

Pulls: #300
Gist: https://gist.githubusercontent.com/clalancette/e34124a7f2e103824edb0b48ec20078c/raw/01711b92e4e8c5cd5d3935c696cf5f6cc2ca6d8b/ros2.repos
BUILD args: --packages-above-and-dependencies sros2
TEST args: --packages-above sros2
ROS Distro: rolling
Job: ci_launcher
ci_launcher ran: https://ci.ros2.org/job/ci_launcher/16645

• Linux
• Linux-aarch64
• Linux-rhel
• Windows